Prepares path for `sd-whonix` whonix removal by deeplow · Pull Request #1414 · freedomofpress/securedrop-workstation

deeplow · 2025-08-20T20:04:23Z

Towards #456. Adds minimal dependencies to test its client counterpart freedomofpress/securedrop-client#2561. Whonix removal will be in a separate PR.

Test plan

Apply with sdw-admin --apply after installing RPM and then see #456.

Checklist

This change accounts for:

any necessary RPM packaging updates (e.g., added/removed files, see MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec)
any required documentation

legoktm · 2025-08-25T12:40:19Z

Just fixed a small typo in the test, everything should pass now except self._check_service_running(vm, "securedrop-proxy-onion-config") because the client part hasn't been merged yet. Tentatively dropping this into "ready for review" but we might wait until the client PR is also ready (it's close).

Companion PR for client change [1] with the aim of deprecating whonix, in favor of delegating the tor connectivity aspect to sd-proxy running arti. Changes introduced: 1. sd-proxy connects to 'sys-firewall' directly: since sd-proxy is now handling tor connections, it must connect directly to the internet. It keeps the original goal of preventing the client from being able to connect to arbitrary domains. This is also something that sd-whonix did not guarantee (it could connect to arbitrary domains, albeit via Tor). 2. sd-proxy has access to onion service auth key Access done via qubes feature vm-config.SD_PROXY_ORIGIN_KEY [1]: freedomofpress/securedrop-client#2561 Test in ci: openqa

(run in: openqa)

legoktm · 2025-08-26T17:33:28Z

I renamed the service to just securedrop-arti, we'll use it for both the arti systemd service and onion-config. Also I added a test to verify that arti is not running in the sd-app VM.

cfm

Installed via make clone && make dev; passes tests per #1414 (comment). I'll defer to you to merge, @legoktm, both in conjunction with freedomofpress/securedrop-client#2561 and given the following two unrelated tests failing in securedrop_test_dom0:

legoktm · 2025-08-28T20:38:00Z

and given the following two unrelated tests failing in securedrop_test_dom0:

The actual failure is reported in the very next screenshot, https://openqa.qubes-os.org/tests/150723#step/test_dom0/20, which reveals that it's that the securedrop-proxy-onion-config service isn't running, which is expected since it hasn't been merged yet :) once the client part lands, I'll retrigger OpenQA and we can merge once it passes.

deeplow · 2025-09-01T16:08:51Z

and given the following two unrelated tests failing in securedrop_test_dom0:

The actual failure is reported in the very next screenshot, https://openqa.qubes-os.org/tests/150723#step/test_dom0/20, which reveals that it's that the securedrop-proxy-onion-config service isn't running, which is expected since it hasn't been merged yet :) once the client part lands, I'll retrigger OpenQA and we can merge once it passes.

It's merged now, so I have re-triggered the test run. Btw, the unrelated failure is #1411.

deeplow · 2025-09-01T16:56:55Z

It's running into a couple of openQA issues. I'm testing some fixes against this branch here.

After all xvfb is necessary because we're now running the tests in the root console as a fix for [1]. Instead of adding yet another dependency directly in OpenQA, this now just installs whichever dependencies are specified in the workstation repo via the "test-deps" make target. [1]: freedomofpress/securedrop-workstation#1414

deeplow · 2025-09-02T13:47:33Z

There was a transient issue with the above-linked openQA test, which I haven't investigated. But I restarted and it then ran the install well but failed in make test. This is due to missing virtual frame-buffers which were removed as a fix for #1411. I'm now waiting on getting those fixes stable. More context here.

legoktm · 2025-09-02T19:18:35Z

@deeplow is going to re-verify that make test works and then land this.

deeplow · 2025-09-03T11:39:10Z

 sd-base-template-install-securedrop-packages:
  pkg.installed:
    - pkgs:
-      - securedrop-qubesdb-tools


We should leave this line until the next release, per split between 1.4.0 and 1.5.0. The former's goal is to simply do the switch and 1.5.0 to fully remove whonix-related components. The end-goal is to have a rollback path.

Also, we may want to have this forcefully removed as we did with other xpp in the past.

deeplow · 2025-09-03T11:45:27Z

I have now reset --hard HEAD^, basically removing the commit about qubesdb-tools. See rationale here.

deeplow · 2025-09-03T15:39:00Z

I may have messed up the branch with that force-push.. :/ I had forgotten other things were pushed onto it and therefore I cut the head from the version I had. And now I can't restore it since my local git doesn't have the proper remote reflog.

In case @legoktm you still have the original branch locally, would you mind force-pushing? Or any other git-fu you're aware of 🙂

I did replicate the pushed out code and ran make test successfully against it.

legoktm · 2025-09-03T16:08:52Z

I re-pushed 9e39d67 (original state), and then dropped the most recent commit which was the removal of ~~whonix-config~~qubesdb-tools (i.e. keeping ~~whonix-config~~qubesdb-tools for now), getting us to 0944de1.

deeplow · 2025-09-03T16:14:22Z

which was the removal of whonix-config (i.e. keeping whonix-config for now), getting us to 0944de1.

Thanks. Just double-checking this was securedrop-qubesdb-tools and not whonix-config.

legoktm · 2025-09-03T16:23:46Z

Thanks. Just double-checking this was securedrop-qubesdb-tools and not whonix-config.

Yes correct, my bad.

deeplow · 2025-09-03T16:34:05Z

Informally approving @legoktm's changes, since I officially can't as the PR's author. @legoktm are you able to approve it or do we need someone else?

legoktm

Per Cory's previous approval

After all xvfb is necessary because we're now running the tests in the root console as a fix for [1]. Instead of adding yet another dependency directly in OpenQA, this now just installs whichever dependencies are specified in the workstation repo via the "test-deps" make target. [1]: freedomofpress/securedrop-workstation#1414

deeplow added this to SecureDrop Aug 20, 2025

deeplow moved this to In Progress in SecureDrop Aug 20, 2025

deeplow mentioned this pull request Aug 20, 2025

Replace Whonix in favor of arti in sd-proxy freedomofpress/securedrop-client#2561

Merged

18 tasks

deeplow force-pushed the 456-whonix-deprecation branch 6 times, most recently from c1fa7f8 to 0c13d4b Compare August 22, 2025 12:28

deeplow marked this pull request as ready for review August 22, 2025 19:42

deeplow requested a review from a team as a code owner August 22, 2025 19:42

deeplow mentioned this pull request Aug 22, 2025

Remove sd-whonix and whonix-gateway FPF packages and repos #1415

Merged

9 tasks

legoktm force-pushed the 456-whonix-deprecation branch from 2597b62 to 0be1678 Compare August 25, 2025 12:32

legoktm moved this from In Progress to Ready For Review in SecureDrop Aug 25, 2025

nathandyer assigned cfm Aug 25, 2025

deeplow added 2 commits August 26, 2025 13:32

Fix proxy tests in light of sd-whonix role takeover

0944de1

(run in: openqa)

legoktm force-pushed the 456-whonix-deprecation branch from 0be1678 to 9e39d67 Compare August 26, 2025 17:32

cfm moved this from Ready For Review to Under Review in SecureDrop Aug 27, 2025

cfm previously approved these changes Aug 27, 2025

View reviewed changes

cfm assigned legoktm and unassigned cfm Aug 27, 2025

deeplow added this to the 1.4.0 milestone Sep 2, 2025

legoktm assigned deeplow and unassigned legoktm Sep 2, 2025

deeplow commented Sep 3, 2025

View reviewed changes

deeplow dismissed cfm’s stale review via 0c13d4b September 3, 2025 11:43

deeplow force-pushed the 456-whonix-deprecation branch from 9e39d67 to 0c13d4b Compare September 3, 2025 11:43

deeplow mentioned this pull request Sep 3, 2025

Add whonix-config package back freedomofpress/securedrop-client#2664

Closed

3 tasks

legoktm force-pushed the 456-whonix-deprecation branch 2 times, most recently from 9e39d67 to 0944de1 Compare September 3, 2025 16:07

legoktm approved these changes Sep 3, 2025

View reviewed changes

legoktm added this pull request to the merge queue Sep 3, 2025

deeplow merged commit 5f815ef into main Sep 3, 2025
11 of 14 checks passed

github-project-automation bot moved this from Under Review to Done in SecureDrop Sep 3, 2025

legoktm deleted the 456-whonix-deprecation branch September 3, 2025 17:05

deeplow mentioned this pull request Sep 4, 2025

SecureDrop Workstation 1.4.0 #1419

Closed

34 tasks

nathandyer removed this from SecureDrop Sep 23, 2025

deeplow mentioned this pull request Oct 21, 2025

Remove dependency on Whonix and sd-whonix VM #456

Closed

Conversation

deeplow commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test plan

Checklist

Uh oh!

legoktm commented Aug 25, 2025

Uh oh!

legoktm commented Aug 26, 2025

Uh oh!

cfm left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

legoktm commented Aug 28, 2025

Uh oh!

deeplow commented Sep 1, 2025

Uh oh!

deeplow commented Sep 1, 2025

Uh oh!

deeplow commented Sep 2, 2025

Uh oh!

legoktm commented Sep 2, 2025

Uh oh!

deeplow Sep 3, 2025

Choose a reason for hiding this comment

Uh oh!

deeplow Sep 3, 2025

Choose a reason for hiding this comment

Uh oh!

deeplow commented Sep 3, 2025

Uh oh!

deeplow commented Sep 3, 2025

Uh oh!

legoktm commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

deeplow commented Sep 3, 2025

Uh oh!

legoktm commented Sep 3, 2025

Uh oh!

deeplow commented Sep 3, 2025

Uh oh!

legoktm left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

deeplow commented Aug 20, 2025 •

edited

Loading

cfm left a comment •

edited

Loading

legoktm commented Sep 3, 2025 •

edited

Loading