2025 04 27 | Sun Apr 27 12:40:00 AM UTC 2025 | automatic backup

Author: server

About.mw

@@ -309,17 +309,23 @@ While developed with security-focused design goals, {{project_name_short}} remai
 
 ! scope="row"| Debian Usability Fixes 
 |
+* Better download and instalation instructions.
+* Better usability installer. Uses Calamares by default. <ref>
+Debian default download link uses D-I.
+
+Debian Live uses Calamares.
+</ref>
 * Functional default APT sources configuration. <ref>
 Debian comes with a broken <code>/etc/apt/sources.list</code> file by default.
 
 * Debian default <code>/etc/apt/sources.list</code> comes with a broken <code>deb cd-rom:</code> line.
 * Debian default <code>/etc/apt/sources.list</code> comes with <code>http</code> instead of <code>https</code> by default.
 * Debian default <code>/etc/apt/sources.list</code> has only the <code>debian-security</code> repository enabled by default but not the <code>debian</code> repository. As a result, no packages are installable until the user figures out how to add that line to APT sources.
 
-When using Debian Installer (not Calamares), installing while not using a network mirror, Debian default <code>/etc/apt/sources.list</code> comes empty except fora broken <code>deb cd-rom:</code> line.
+When using Debian Installer (D-I) (not Calamares), installing while not using a network mirror, Debian default <code>/etc/apt/sources.list</code> comes empty except for a broken <code>deb cd-rom:</code> line.
 </ref>
 * <code>sudo</code> pre-configured by default. <ref>
-On Debian, the user must run after a new installation <code>su</code> followed by <code>/usr/bin/adduser user sudo</code> and reboot (or re-login) to be able to user <code>sudo</code>.
+On Debian, when installing using D-I (Debian Installer), when setting a root password during installation, the user must run after a new installation <code>su</code> followed by <code>/usr/bin/adduser user sudo</code> and reboot (or re-login) to be able to user <code>sudo</code>.
 </ref>
 * <code>bash-completion</code> installed by default so for example by typing <code>sudo apt install libreo</code> followed by the TAB key a word completion to <code>libreoffice</code> will be suggested.
 * <code>zsh</code> installed as default shell that supports TAB word completion, colorful output, etc.
@@ -330,7 +336,9 @@ On Debian, the user must run after a new installation <code>su</code> followed b
 * Package [https://github.com/{{project_name_short}}/vm-config-dist shared folder help] simplifies shared folder set up for virtual machines. <ref>
 It currently only assists with using shared folders in VirtualBox. Other virtualizers -- such as KVM shared folder setup -- might be possible in the future.
 </ref>
-* Package [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] is installed by default, increasing flexibility and providing numerous, miscellaneous usability features. <ref>Such as creating default folders, allowing commands to be run without a password, simplifying the running of OpenVPN as an unpriveleged user, and much more.</ref>
+* Package [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] is installed by default, increasing flexibility and providing numerous, miscellaneous usability features. <ref>
+Such as creating default folders, allowing commands to be run without a password, simplifying the running of OpenVPN as an unpriveleged user, and much more.
+</ref>
 |-
 
 ! scope="row"| Popular applications

Boot_Clock_Randomization.mw

@@ -17,19 +17,29 @@ Randomizes clock at boot time. Moves clock a few seconds and nanoseconds to past
 {{mbox
 | type    = notice
 | image   = [[File:Ambox_notice.png|40px|alt=Info]]
-| text    = Disabling of Boot Clock Randomization is discouraged because it is not usually required. However, it may be useful for offline (vault) VMs.
+| text    = Disabling Boot Clock Randomization is discouraged because it is not usually required. However, it may be useful for offline (vault) VMs.
 }}
 
-Run the following command. Note:
+'''1.''' Platform specific notice.
 
 * Qubes: Use a StandaloneVM or a separate Template.
 * Non-Qubes: No extra steps are required.
 
+'''2.''' {{Open a product ws terminal}}
+
+'''3.''' Disable Boot Clock Randomization.
+
+Run the following command.
+
 {{CodeSelect|code=
 sudo systemctl mask bootclockrandomization
 }}
 
-Boot Clock Randomization will no longer occur after reboot.
+Boot Clock Randomization will no longer be applied after reboot.
+
+'''4.''' Optional. Consider disabling [[sdwdate]].
+
+The user might also be interested in disabling [[Sdwdate#Disable_Autostart|Disable sdwdate Autostart]].
 
 = See Also =
 * [[Dev/TimeSync|TimeSync: {{project_name_long}} Time Synchronization Mechanism]]

Design.mw

@@ -65,6 +65,7 @@ Technical Design and Conception of {{project_name_short}}
 <div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 <small>
 * [[Dev/Developer_Portal|Developer Portal]]
+* [[First_Time_Source_Code_Contributor_Policy|First-Time Source Code Contributor Policy]]
 * [[Dev/image_creation|Development of System Image Creation and Bootstrapping Tools]]
 * [[Dev/git|Git branches]]
 * [[Dev/repository|Debian APT Repository on the Blockchain?]]

Dev%2FDefault_Browser.mw

@@ -1074,6 +1074,15 @@ Cons:
 * Still in early development, not generally usable and very likely has security issues in its current state of development.
 * May be usable in the future, once mature and packaged for Debian. Will likely require multiple years more development before it is secure and usable.
 
+== Orion Browser ==
+* Orion Browser by Kagi
+* https://kagi.com/orion/
+* not Open Source at time of writing:
+** https://help.kagi.com/orion/faq/faq.html#oss
+** https://orionfeedback.org/d/3882-open-source-the-browser
+** https://orionfeedback.org/d/3882-open-source-the-browser/42
+* https://youtube.com/watch?v=oyF21g5YI1o
+
 == Customized Settings Projects ==
 There are a number of projects that provide customized settings for Firefox. It is unlikely that most of these projects will be useful to Kicksecure, since they may enable settings that are potentially dangerous or disable settings that users need enabled, thus adding extra risk and support burden to the project. They are listed together here since they are not really web browsers, simply different ways of configuring existing browsers.
 

Dev%2FDeveloper_Portal.mw

@@ -9,6 +9,7 @@
 <div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 <small>
 * <u><b>[[Contribute| Contribute]]
+* [[First_Time_Source_Code_Contributor_Policy|First-Time Source Code Contributor Policy]]
 * [https://forums.{{project_clearnet}}/c/development Development Forum]
 </b></u>
 * [[Dev/git|Introduction into {{project_name_short}} simple git branch model]]

Dev%2Fboot.mw

@@ -17,6 +17,40 @@ Boot Process Related Development Notes
 * See also [[Verified Boot]] chapter [[Verified_Boot#Keys|Keys]].
 
 = GRUB =
+== GRUB Slow Upstream ==
+{{quotation
+|quote=We all know and love GRUB2. It is a good boot loader. It is also big, complex, rich, massive and tends to move slow on the development side.
+|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
+}}
+
+{{quotation
+|quote=The openSUSE package for this boot loader contains more than 200 patches. Some of those patches are there for the last 5, 6 … 10 years. That is both an indication of the talent of the maintainers, but also can signal an issue in how slow the upstream contribution process can be.
+|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
+}}
+
+== GRUB Feature Richness ==
+{{quotation
+|quote=GRUB2 supports all the relevant systems, including mainframes, arm or powerpc. Multiple types of file systems, including btrfs or NTFS. It contains a full network stack, an USB stack, a terminal, can be scripted … In some sense, it is almost a mini OS by itself.
+|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
+}}
+
+== GRUB Full Disk Encryption ==
+{{quotation
+|quote=Kicksecure doesn’t use GRUB to unlock encrypted disks. This is because we use Debian’s GRUB, and Debian’s GRUB only has very bad LUKS support (only supports LUKS1, can’t handle non-US keyboard layouts, ugly, slow, only gives you one shot to unlock the drive, and then the Linux kernel has to unlock the drive again once it boots). Instead, we use an unencrypted /boot partition and let the initramfs handle decrypt. This lets us use more secure encryption, provides a better user interface for decryption, works with multiple keyboard layouts, and works faster.
+|context=https://forums.kicksecure.com/t/installing-fde-luks-with-detached-luks-header-option/907/2
+}}
+
+See also:
+
+* [https://forums.kicksecure.com/t/iso-change-to-unencrypted-boot-if-using-full-disk-encryption/420 ISO: Change to unencrypted /boot if using Full Disk Encryption]
+
+== GRUB Upstream Contributions ==
+* [https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00000.html Determining when paging is and isn't enabled in GRUB]
+* [https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00050.html DRAFT PATCH 0/1 - Add Xen command line parsing]
+* [https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00051.html DRAFT PATCH 1/1 - Add Xen command line parsing]
+* [https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00247.html PATCH 0/1 - Add Xen command line parsing]
+* [https://lists.gnu.org/archive/html/grub-devel/2025-04/msg00248.html PATCH 1/1 - Add Xen command line parsing]
+
 == grub-install command responsibility ==
 
 Who should run the <code>grub-install</code> command? SystemBuildTools or Debian package maintainer scripts?
@@ -119,7 +153,7 @@ Related Debian pull requests:
 === grub-efi and grub-pc ===
 * Debian for grub-pc with grub-efi co-install-ability feature request: [https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=904062 Allow concurrent installation of grub-pc and grub-efi-amd64]
 
-== Bootloader-related Kicksecure and Whonix packages ==
+= Bootloader-related Kicksecure and Whonix packages =
 The following packages directly affect the bootloader or bootloader configuration used by Kicksecure.
 
 === live-config-dist ===
@@ -226,34 +260,6 @@ derivative-maker sets a custom GRUB configuration for Kicksecure live ISOs. This
 * live-theme/theme.txt
 ** Provides dynamic parts of the GRUB theme. Specifies the colors and positions of UI elements, and includes a progress bar indicating how much time the user has to react before GRUB automatically boots the first boot mode listed in the ISO's boot menu.
 
-= GRUB Upstream =
-== GRUB Slow Upstream ==
-{{quotation
-|quote=We all know and love GRUB2. It is a good boot loader. It is also big, complex, rich, massive and tends to move slow on the development side.
-|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
-}}
-
-{{quotation
-|quote=The openSUSE package for this boot loader contains more than 200 patches. Some of those patches are there for the last 5, 6 … 10 years. That is both an indication of the talent of the maintainers, but also can signal an issue in how slow the upstream contribution process can be.
-|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
-}}
-
-== GRUB Feature Richness ==
-{{quotation
-|quote=GRUB2 supports all the relevant systems, including mainframes, arm or powerpc. Multiple types of file systems, including btrfs or NTFS. It contains a full network stack, an USB stack, a terminal, can be scripted … In some sense, it is almost a mini OS by itself.
-|context=openSUSE blog post [https://news.opensuse.org/2023/12/20/systemd-fde/ Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS] talking about their motivation to add support for systemd-boot
-}}
-
-== GRUB Full Disk Encryption ==
-{{quotation
-|quote=Kicksecure doesn’t use GRUB to unlock encrypted disks. This is because we use Debian’s GRUB, and Debian’s GRUB only has very bad LUKS support (only supports LUKS1, can’t handle non-US keyboard layouts, ugly, slow, only gives you one shot to unlock the drive, and then the Linux kernel has to unlock the drive again once it boots). Instead, we use an unencrypted /boot partition and let the initramfs handle decrypt. This lets us use more secure encryption, provides a better user interface for decryption, works with multiple keyboard layouts, and works faster.
-|context=https://forums.kicksecure.com/t/installing-fde-luks-with-detached-luks-header-option/907/2
-}}
-
-See also:
-
-* [https://forums.kicksecure.com/t/iso-change-to-unencrypted-boot-if-using-full-disk-encryption/420 ISO: Change to unencrypted /boot if using Full Disk Encryption]
-
 = Calamares =
 * [https://github.com/calamares/calamares/pull/2422 Prototype implementation of BIOS+UEFI boot support]
 

Dev%2Ftodo.mw

@@ -16,6 +16,13 @@ TODO
 == grub - secure boot signed fonts ==
 * discuss upstream, file feature request
 
+== wiki editing - First-Time Source Code Contributor Policy ==
+* [[First_Time_Source_Code_Contributor_Policy|First-Time Source Code Contributor Policy]]
+* please review, improve, if applicable
+
+== publish debian live-build security comment ==
+* past private report, time to publish, if sensible
+
 == dracut - hostonly yes versus no ==
 * after above task... should Kicksecure images (in trixie) use a different hostonly mode?
 
@@ -689,15 +696,6 @@ debsums: changed file /etc/machine-id (from dist-base-files package) - issue for
 * Note that the use of apt-get in the binary stage appears to be very baked into live-build's logic. It's pretty unlikely this will change.
 
 = REVIEW PLEASE =
-== grub skin - change text ==
-* Please change from <code>Choose an operating system to start</code> to <code>Choose boot mode</code>.
-** Done:
-*** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arrabolt3/grub-theme
-*** anon-ws-base-files: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arrabolt3/grub-theme
-*** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arrabolt3/grub-theme
-* Ideally, that text would no longer be hardcoded but if it's a high effort or impossible, can hardcoded.
-** Done without hardcoding.
-
 == review and test IPv6 support pull requests ==
 * https://forums.whonix.org/t/add-ipv6-support/19893
 * https://www.whonix.org/wiki/Dev/ipv6
@@ -718,6 +716,15 @@ debsums: changed file /etc/machine-id (from dist-base-files package) - issue for
 * Aaron: Left Daniel some feedback on things that didn't work. If not fixed in a week (so around April 4th), our plan is to merge as-is and fix bugs after.
 
 = ARCHIVED =
+== grub skin - change text ==
+* Please change from <code>Choose an operating system to start</code> to <code>Choose boot mode</code>.
+** Done:
+*** anon-gw-base-files: https://github.com/ArrayBolt3/anon-gw-base-files/tree/arrabolt3/grub-theme
+*** anon-ws-base-files: https://github.com/ArrayBolt3/anon-ws-base-files/tree/arrabolt3/grub-theme
+*** kicksecure-base-files: https://github.com/ArrayBolt3/kicksecure-base-files/tree/arrabolt3/grub-theme
+* Ideally, that text would no longer be hardcoded but if it's a high effort or impossible, can hardcoded.
+** Done without hardcoding.
+
 == sysmaint-panel - add repository-dist-wizard ==
 * todo
 * Implemented: https://github.com/ArrayBolt3/sysmaint-panel/commit/b376aea4a312fcbb83f2dd1801c8081b1575cb6b

Dev%2Fuser-sysmaint-split.mw

@@ -130,8 +130,6 @@ This is documented on the [[unrestricted admin mode]] wiki page.
 
 = Boot Modes Considered Too Unimportant to Be Added to GRUB Default Boot Menu =
 
-'''Currently, we don’t have theoretical boot modes that haven't been implemented.'''
-
 '''DIY Methods to Include Other Entries in the GRUB Boot Menu'''
 
 {{IconSet|h2|A}} Files in the <code>/etc/grub.d/</code> folder could add entries, but they could be non-executable by default. To opt-in, users could run <code>sudo chmod +x /etc/grub.d/somenumber_name-of-boot-mode</code>.
@@ -349,6 +347,65 @@ Future work ideas:
 * '''Warning popups:''' 
 ** When starting Firefox in sysmaint mode, a popup could warn users to avoid browsing the internet unless absolutely necessary.
 
+= Boot Menu Names and Ordering =
+=== Mode First Ordering ===
+Initial implementation.
+
+<pre>
+PERSISTENT Mode | USER Session | For daily activities
+LIVE Mode | USER Session | For disposable use
+PERSISTENT Mode | SYSMAINT Session | For maintenance tasks
+LIVE Mode | SYSMAINT Session | For maintenance testing
+REMOVE sysmaint-user-split | Enable unrestricted admin mode
+</pre>
+
+=== Session First Ordering ===
+
+Potential future implementation based on user feedback.
+
+<pre>
+USER Session | PERSISTENT Mode | For daily activities
+USER Session | LIVE Mode | For disposable use
+SYSMAINT Session | PERSISTENT Mode | For maintenance tasks
+SYSMAINT Session | LIVE Mode | For maintenance testing
+REMOVE sysmaint-user-split | Enable unrestricted admin mode
+</pre>
+
+== Wiki ==
+=== BootEntries ===
+[[Template:BootEntries]]
+
+{| class="wikitable"
+! Code
+! Result
+|-
+
+| <code><nowiki>{{BootEntries|key=userpers}}</nowiki></code>
+| {{BootEntries|key=userpers}}
+|-
+
+| <code><nowiki>{{BootEntries|key=userlive}}</nowiki></code>
+| {{BootEntries|key=userlive}}
+|-
+
+| <code><nowiki>{{BootEntries|key=userpersad}}</nowiki></code>
+| {{BootEntries|key=userpersad}}
+|-
+
+| <code><nowiki>{{BootEntries|key=syspers}}</nowiki></code>
+| {{BootEntries|key=syspers}}
+|-
+
+| <code><nowiki>{{BootEntries|key=syslive}}</nowiki></code>
+| {{BootEntries|key=syslive}}
+|-
+
+| <code><nowiki>{{BootEntries|key=sysremove}}</nowiki></code>
+| {{BootEntries|key=sysremove}}
+|-
+
+|}
+
 = Prior Versions =
 
 [https://www.kicksecure.com/w/index.php?title=Dev/user-sysmaint-split&oldid=87353 Older concept version still containing "SUPERADMIN" and "SECUREADMIN".]