debian-12-minimal packages has unwanted extraneous packages installed #8330

Closed
adrelanos opened this issue Jul 7, 2023 · 3 comments · Fixed by QubesOS/qubes-builder-debian#73
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: Debian/Ubuntu diagnosed Technical diagnosis has been performed (see issue comments). P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

@adrelanos
Member

Qubes OS release

R4.2

Brief summary

Unwanted extraneous packages installed by default in the debian-12-minimal template.

Steps to reproduce

sudo qvm-template --enablerepo=qubes-templates-itl-testing install debian-12-minimal

Start Template.

dpkg -l | grep firefox

Expected behavior

Packages such as firefox not being installed. Also keepassxc, network-manager-gnome, thunderbird are installed.

Actual behavior

Packages such as firefox are installed.

Additional information

Also potentially other unwanted extraneous packages might be installed.

  • affects Whonix: yes, likely.
  • effect on Whonix: Since the Whonix template is based on Debian minimal template, these packages are also installed in Whonix-Gateway, which is unwanted.

This is a regression.

It is likely unintentional because file https://github.com/QubesOS/qubes-builder-debian/blob/main/template_debian/packages_bullseye_minimal.list wasn't modified.

The bug might have been introduced by qubes-builder version 1 to version 2 migration?

@adrelanos adrelanos added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jul 7, 2023
@Nurmagoz

Nurmagoz commented Jul 7, 2023

This behavior is very peculiar. The chain of trust already expanded from:

Packages from different sources -> Debian -> Whonix -> User

to:

Packages from different sources -> Debian -> Qubes-Debian -> Whonix -> User

As a Whonix developer and as a user, I expect Qubes-Debian to remain as close as possible to the original Debian in terms of code and packages on which Whonix is based. Otherwise, Whonix can no longer be considered truly based on Debian, which would impact its overall quality (which also happened).

Therefore, there are two potential solutions to consider:

  1. Clean approach: Make Debian as similar as possible to the official Debian version. Debian offers official minimal builds based on XFCE, available in CD versions or netinst, which could help simplify matters.

Or

  2. Isolation approach: Provide Whonix with its own separate build of Debian directly from the official Debian sources. This would ensure that conflicts between Qubes-Debian and Whonix-Debian models are avoided.

If neither option 1 nor option 2 is taken into consideration, we need to reconsider what Qubes-Whonix is evolving into and how valuable it is to provide the same level of quality that we claim it should offer.

@marmarek
Member

marmarek commented Jul 7, 2023

@fepitre it seems now packages are installed from both builder-debian/template_debian/packages_bookworm.list and builder-debian/template_debian/packages_bookworm_minimal.list.
See build log at https://raw.githubusercontent.com/QubesOS/build-logs42/main/build-fedora42/log_2023-07-01_21-45-57:

2023-07-01 21:55:03.176393 +0000 build-fedora42: output: + info ' Installing extra packages in script_bookworm/packages.list file'
2023-07-01 21:55:03.176443 +0000 build-fedora42: output: + output 'INFO:  Installing extra packages in script_bookworm/packages.list file'
...
2023-07-01 21:55:03.238294 +0000 build-fedora42: output: + debug 'Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm.list'
2023-07-01 21:55:03.238302 +0000 build-fedora42: output: + output 'DEBUG: Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm.list'
...
2023-07-01 22:02:51.973357 +0000 build-fedora42: output: + debug 'Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm_minimal.list'
2023-07-01 22:02:51.973443 +0000 build-fedora42: output: + output 'DEBUG: Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm_minimal.list'

For minimal template, it should be only the latter.
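
The diagnosis in the comment above can be turned into a build-log check. This is an added example, not part of the original thread or of the Qubes builder code: it collects the "Installing extra packages from:" lines and reports any list that does not belong to the flavor being built. The `packages_<dist>[_<flavor>].list` naming is inferred from the file names quoted on this page; the function names and the sample log are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the build-log lines quoted in the comment.
SAMPLE_LOG = """\
2023-07-01 21:55:03.176393 +0000 build-fedora42: output: + info ' Installing extra packages in script_bookworm/packages.list file'
2023-07-01 21:55:03.238294 +0000 build-fedora42: output: + debug 'Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm.list'
2023-07-01 21:55:03.238302 +0000 build-fedora42: output: + output 'DEBUG: Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm.list'
2023-07-01 22:02:51.973357 +0000 build-fedora42: output: + debug 'Installing extra packages from: /builder/sources/builder-debian/template_debian/packages_bookworm_minimal.list'
"""

# Only the "from: <path>" lines name a concrete list file.
LIST_RE = re.compile(r"Installing extra packages from: (?P<path>\S+?\.list)")
# Assumed naming convention: packages_<dist>.list or packages_<dist>_<flavor>.list
NAME_RE = re.compile(r"^packages_(?P<dist>[a-z]+)(?:_(?P<flavor>[a-z0-9-]+))?\.list$")


def package_lists(log_text):
    """Return the package-list paths the build consumed, de-duplicated, in order."""
    seen = []
    for match in LIST_RE.finditer(log_text):
        path = match.group("path")
        if path not in seen:  # each path is logged twice (debug + output)
            seen.append(path)
    return seen


def unexpected_lists(log_text, dist, flavor):
    """Return lists that do not match the dist/flavor under build.

    For the minimal flavor this is the rule stated in the comment: only the
    *_minimal list should be installed. Applying the same exact-match rule
    to other flavors is an assumption of this example.
    """
    bad = []
    for path in package_lists(log_text):
        name = NAME_RE.match(PurePosixPath(path).name)
        if (name is None or name.group("dist") != dist
                or (name.group("flavor") or "") != flavor):
            bad.append(path)
    return bad


if __name__ == "__main__":
    for path in unexpected_lists(SAMPLE_LOG, "bookworm", "minimal"):
        print("unexpected package list for minimal build:", path)
```
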

@andrewdavidwong andrewdavidwong added P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. C: Debian/Ubuntu diagnosed Technical diagnosis has been performed (see issue comments). and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Jul 8, 2023
@andrewdavidwong andrewdavidwong added this to the Release 4.2 milestone Jul 8, 2023
fepitre referenced this issue in QubesOS/qubes-continuous-integration Jul 9, 2023
@adrelanos
Member Author

Resolved. The newly built Qubes-Whonix 17 Templates no longer have this issue.

@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Jul 13, 2023
@andrewdavidwong andrewdavidwong added the affects-4.2 This issue affects Qubes OS 4.2. label Aug 8, 2023