DistroWatch Weekly, Issue 697, 30 January 2017

Feature Story (by Jesse Smith)

Subgraph OS 2016.12.30 Alpha



The Internet can seem a scary place, full of organizations monitoring our every on-line move and waves of attackers trying to gain access to our systems. A number of projects have been created with the aim of making Linux distributions safer and protecting our privacy. Tails, for example, routes Internet connections through the Tor anonymizing network to make it more difficult to track its users. The Qubes OS project isolates tasks, helping the user to essentially compartmentalize their applications and data.



Another Linux distribution which tries to protect the user and their files is Subgraph OS. The Subgraph distribution is based on Debian and includes several security features to keep the operating system locked down and our on-line browsing anonymous. The following excerpts from the Subgraph website give us a taste of the project's features:

Subgraph OS ships with a kernel hardened with Grsecurity, the best set of Linux kernel security enhancements available. Grsecurity includes PaX, a set of patches to make both the userland and the kernel more resistant to exploitation of memory corruption vulnerabilities.

* * * * *

Subgraph OS's application containment mechanism creates sandboxes around at-risk applications, such as the browser, e-mail client, PDF viewer, and IM client. The objective of this is to contain the impact of a successful attack against these applications, preventing compromise of the entire system. Each application within a container has a limited view of the host system and limited set of capabilities such as limiting access to the file system or the network.

* * * * *

Subgraph OS includes features to enforce application network policies such as Subgraph Metaproxy and the application firewall.

* * * * *

Metaproxy is configured to redirect outgoing connections to the Tor network based on a white-list of approved applications. Each application is automatically relayed through a proxy that will use a different Tor circuit.

* * * * *

The application firewall will restrict which applications can connect to the network based on the name of the application or the destination. Users will be prompted to set temporary or permanent policies as outgoing connections are made.

* * * * *

Subgraph OS users who install the operating system must have encrypted file systems. It is not optional in Subgraph OS.

Subgraph OS 2016.12.30 -- Running the Tor web browser




Subgraph OS is available for 64-bit x86 computers exclusively. The ISO I downloaded for Subgraph was approximately 1.3GB in size. Booting from the Subgraph installation media brings up a menu asking us if we would like to start the distribution's live desktop mode, run a system installer or start a graphical installer.



I experimented with running Subgraph in a VirtualBox virtual machine first. When trying to launch the live mode in VirtualBox, the distribution displayed a graphical boot screen for a while, then switched to a text screen where I could watch status messages scroll by. The system eventually locked up, displaying a series of blinking messages which all read "Started Session # of user user."



I next tried to install Subgraph in VirtualBox. The distribution did install successfully, but once Subgraph was installed, trying to boot the distribution in VirtualBox resulted in the same issue with Subgraph displaying flashing text (this time the final, flickering boot message indicated Subgraph was trying to start the GNOME display manager) and failing to reach a login screen.





Subgraph OS 2016.12.30 -- Launching software from GNOME's Activities menu




I then tried running Subgraph on a laptop computer. On the laptop, booting from the installation media and selecting the live environment loaded the GNOME desktop environment. The desktop was responsive and I noticed sound was muted by default. I found my wireless card was properly detected and everything seemed to be working well in the live environment so my next step was to install the distribution. There does not appear to be a way to launch the distribution's system installer from the live environment, but we can reboot and select the Install or Graphical Install options from the boot menu.



Subgraph uses the Debian system installer. I used the graphical installer which walks us through selecting our preferred language and our region. We can then confirm our computer's keyboard layout and create a password for our user account. Disk partitioning comes next, which is a little cumbersome. Subgraph offered to set itself up with an LVM volume by default, but I changed this and opted to install the distribution on an ext4 partition. Subgraph's packages are then installed on our hard drive and we are given the option of installing the GRUB boot loader. When the installer is finished, it automatically reboots the computer.



Subgraph's default desktop environment is GNOME 3.22. The desktop is mostly empty with a panel across the top of the display. The left side of the panel contains the Activities menu where we can launch applications and search for programs. Over on the right side of the panel is a system tray and user's menu. From the tray we can configure networking, manage the firewall, access system settings and logout.



On my laptop, Subgraph ran smoothly. The desktop was responsive, my hardware was properly detected, my screen was set to use its full resolution and the operating system was stable. The distribution, when logged into GNOME, used a modest 350MB of memory.





Subgraph OS 2016.12.30 -- Exploring options in the settings panel




By default, Subgraph disabled GNOME's history logging and turned off location services. All network traffic, even to specific local network addresses, is routed through the Tor network. Using Tor to anonymize traffic means it is harder (though not impossible) for others to track us on-line, but it also means our network connection is slower. Websites tended to take anywhere from five to ten times longer to load when I was using Subgraph. Speaking of web browsing, Subgraph uses the Tor web browser which includes some nice security features and defaults to using DuckDuckGo as the primary search engine.



Subgraph ships with the Icedove e-mail client, which is a re-branded version of Thunderbird. Icedove's ability to auto-detect server configuration settings while creating new e-mail accounts has been disabled to avoid leaking identifying information. This means we need to manually configure our e-mail account. The version of Icedove which ships with Subgraph features Enigmail, a tool which makes encrypting messages and reading encrypted messages straightforward. Enigmail will run automatically when we set up our first account and launches a wizard to help set up our encryption keys.





Subgraph OS 2016.12.30 -- Creating encryption keys with Enigmail




Icedove is not the only application that has extra security features. The file manager has two additional features baked into it. The first scrubs selected files of identifying meta-data when we right-click on a document. I tested this function and it seemed to mostly work, but there was some remaining exif data left behind in images.
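To check what a scrubbing pass actually left behind, as the residual EXIF data observed above suggests doing, the following added example (not part of the original review and not Subgraph's own code) walks a JPEG's segment headers, reports EXIF, XMP, IPTC and comment segments, and rewrites the file without them. The sample bytes are constructed for the demonstration and are not a decodable image; segments after the first scan and bytes after the end-of-image marker are not inspected.

```python
"""Audit a JPEG for metadata segments that survive a scrubbing pass."""
import struct

SOS, COM, APP1, APP13 = 0xDA, 0xFE, 0xE1, 0xED
# Markers that carry no length field: TEM, RST0..RST7 and EOI.
STANDALONE = {0x01, 0xD9} | set(range(0xD0, 0xD8))


def iter_segments(data):
    """Yield (marker, payload, raw) for each segment up to the first scan.

    raw is the whole segment including its marker bytes. For SOS, raw also
    carries the compressed image data and everything after it, unparsed.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG: marker code missing")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b"", data[start:pos]
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated JPEG: segment length missing")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        end = pos + length  # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 2:end]
        if marker == SOS:
            yield marker, payload, data[start:]
            return
        yield marker, payload, data[start:end]
        pos = end


def classify(marker, payload):
    """Return a label if the segment carries metadata, else None."""
    if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
        return "EXIF"
    if marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    if marker == APP13 and payload.startswith(b"Photoshop 3.0\x00"):
        return "IPTC/Photoshop"
    if marker == COM:
        return "comment"
    return None


def find_metadata(data):
    """List (label, payload size) for every metadata segment found."""
    findings = []
    for marker, payload, _raw in iter_segments(data):
        label = classify(marker, payload)
        if label:
            findings.append((label, len(payload)))
    return findings


def scrub(data):
    """Return the JPEG with metadata segments dropped, all else untouched."""
    kept = [raw for marker, payload, raw in iter_segments(data)
            if classify(marker, payload) is None]
    return b"\xff\xd8" + b"".join(kept)


def segment(marker, payload):
    """Build one length-prefixed segment (used only for the sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a valid segment stream with three metadata segments.
SAMPLE = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(APP1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + segment(COM, b"edited on laptop-01")
    + segment(0xDB, b"\x00" + bytes(64))
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9"
)

if __name__ == "__main__":
    for label, size in find_metadata(SAMPLE):
        print(f"left behind: {label} ({size} bytes)")
    print("after scrub:", find_metadata(scrub(SAMPLE)))
```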



A second feature of the file manager gives us the opportunity to share files with other people over the network using a service called OnionShare. When we right-click on a file and opt to share it, a window opens and gives us the chance to share the selected files over the Tor network. When we click a button OnionShare should provide us with a unique URL which we can then send to other people. Those people can then use the URL to download the files we share, at which point the OnionShare service stops sharing those files in order to prevent others from finding the link and downloading the data too. I tried using OnionShare on a few files, but the service was never able to supply me with a unique URL which meant I could not provide a link to my files to anyone else.



Another feature which I suspect will come in handy is the virtual keyboard. Having a virtual keyboard can be helpful if we either want to work with an on-screen keyboard on a touch screen or if we want to side-step equipment which could be logging our keystrokes.





Subgraph OS 2016.12.30 -- Using the on-screen keyboard




I noticed printing services were not available in Subgraph. Selecting the printer module in the distribution's settings panel displays a message indicating the CUPS printer service is not available. We could install CUPS from the project's software repositories. Connecting to a local network printer probably will not work as our network traffic is redirected through Tor, but I have not tested this idea.



One feature of Subgraph I appreciated a lot was the firewall. When we try to connect to the Internet using the Icedove e-mail client or the Tor web browser, the connection goes through as expected. But most other applications, when they try to connect to a remote server, cause a warning to be displayed on the desktop. Outgoing connections are blocked and we are given the chance to allow the application to talk to remote servers either just for the duration of our current session or permanently. I have encountered several people over the years who want an application-focused firewall on Linux with an easy to use GUI and Subgraph provides this service.





Subgraph OS 2016.12.30 -- Filtering network traffic from applications




One final application I found intriguing was the Ricochet messaging service. Ricochet looks a bit like other instant messaging programs, like Pidgin. However, Ricochet provides users with an anonymous, randomly generated handle we can share with others. I did not get into using Ricochet to chat with others, but I like the concept of a semi-anonymous chat service with connections redirected through Tor.





Subgraph OS 2016.12.30 -- The Ricochet messaging application




Apart from the applications mentioned previously, Subgraph ships with a fairly standard collection of GNOME software and the LibreOffice productivity suite. The distribution also includes systemd 232 and version 4.8.15 of the Linux kernel. Should we wish to install additional software we can use the package manager to draw in new packages from the Debian Stretch repositories. Some extra packages are provided by a custom Subgraph repository.



Conclusions



The Subgraph distribution is still in an alpha state and I think it is worth keeping that in mind when attempting to evaluate the project's usefulness. The distribution has a few rough edges, for example the OnionShare service did not work for me. I also had trouble running the distribution in a VirtualBox environment. However, apart from those issues, Subgraph worked well for me. The distribution played well with my laptop's hardware and the Tor network and web browser worked for me.



I think Subgraph ships with several interesting features that people will find useful. The application level firewall worked really well for me and I liked that I was able to allow or block outgoing connections as they happened. This dynamic, user friendly approach to managing the firewall was easy to use and I think it will appeal to people coming from a Windows background especially. I also liked the way Enigmail is integrated with Icedove and the extra functions built into the file manager.



I think what impressed me most about using Subgraph was that, apart from the reduced network performance, using the distribution was much the same as using mainstream Linux distributions which ship with the GNOME desktop. Running Subgraph feels approximately the same as using Debian or Fedora in the way things are arranged. The performance and ease of use are fairly similar too. Oftentimes security-focused distributions are more difficult to use or put up barriers the user needs to work with or around. With Subgraph there are few hurdles, but some nicely integrated security features I think privacy-minded people will enjoy.

* * * * *

Hardware used in this review



My physical test equipment for this review was a de-branded HP laptop with the following specifications:

Processor: Intel i3 2.5GHz CPU

Display: Intel integrated video

Storage: Western Digital 700GB hard drive

Memory: 6GB of RAM

Wired network device: Realtek RTL8101E/RTL8102E PCI Express Fast

Wireless network device: Realtek RTL8188EE Wireless network card

Miscellaneous News (by Jesse Smith)

Arch to phase out 32-bit, Solus to use Qt for Budgie development, Linux Mint testing updated LMDE media



Bartłomiej Piotrowski has announced through the Arch Linux developer mailing list that the popular rolling release distribution will be phasing out support for computers running 32-bit CPUs. "Due to the decreasing popularity of i686 among the developers and the community, we have decided to phase out the support of this architecture. The decision means that February's ISO will be the last that allows to install 32-bit Arch Linux. The next 9 months are deprecation period, during which i686 will be still receiving upgraded packages. Starting from November 2017, packaging and repository tools will no longer require that from maintainers, effectively making i686 unsupported." The discussion can be found on the Arch Linux mailing list.

* * * * *

The Solus project, home of the Budgie desktop environment, is looking to make some significant changes to the technology underlying Budgie. The Budgie desktop is currently integrated with GNOME and GNOME's applications. However, as GNOME evolves the Budgie developers have had to adjust their software to match. Ikey Doherty explains: "Originally, Budgie intended to integrate with GNOME applications. What actually happened is that it then fully integrated into the GNOME stack. We got our integration, but at a heavy cost. Over time, as GNOME has evolved, every single major release of GNOME has caused issues for Budgie. This is from 3.10, when Budgie first began, all the way through to GNOME 3.22. Whether it's API or ABI changes, components eating other components (such as Mutter folding in cogl and clutter), many, many theme and widget breakages, GdkScreen APIs no longer functioning the same, or even segfaults caused due to the behaviour of GSettings relocatable schemas being changed.. You get the idea. Let it be known, this post is not designed to insult or belittle GNOME. The fact of the matter is, as a project, I have tremendous respect for GNOME. They have a vision and intend to see it through. Unfortunately, this has made it difficult for a project with the complexity of Budgie to then reuse those same components of GNOME." Looking ahead, the Budgie project will migrate to the Qt framework for future development. Qt is a popular toolkit for desktop development and is currently used by the KDE Plasma, Lumina and LXQt desktop environments.

* * * * *

The Linux Mint project maintains several editions of its distribution, most of them based on packages provided by Ubuntu. However, the Linux Mint team maintains a separate branch based on Debian Stable which is appropriately called Linux Mint Debian Edition (LMDE). Linux Mint Debian Edition, version 2, was released back in 2015 and is based on Debian 8 "Jessie". The Mint team is working on updated installation media for LMDE 2 to make installing and updating new copies of the distribution easier. The new media, labelled LMDE 2-Beta, is not a new version of the Debian-based operating system, but presents users with installation media that has been updated with available security fixes. "LMDE 2 received many updates in the last two years, including many improvements which were ported from Linux Mint as well as all the new versions of MATE, Cinnamon and the Xapps. This release provides a new set of installation images for LMDE 2 which includes all these updates." People who are already running LMDE 2 can get the same security updates through their package manager.

* * * * *

These and other news stories can be found on our Headlines page.





Tips and Tricks (by Jesse Smith)

Running Ubuntu Touch on an Android phone



Last year I got my hands on an Ubuntu phone, specifically a Meizu Pro 5, and spent a few weeks with the device to see how the Ubuntu Touch operating system compared to other mobile platforms, particularly Android. Following my review and follow-up Questions and Answers column, I alternated between using the Ubuntu phone and my Android phone. I liked the design of the Ubuntu Touch operating system with its quick messaging replies, informative scopes and lack of advertisements. On the other hand, the Ubuntu device would occasionally wake up and vibrate in the night and I experienced some connection problems with mobile networks. I reported these issues to the developers and, about once or twice a month, I'd switch phones to keep up to date with developments.



By late 2016 the Ubuntu developers had fixed the issues I was experiencing with the Pro 5. Meanwhile I was becoming increasingly frustrated whenever I used the Android Moto G phone. The regular nag screens, advertisements and pop-ups asking me to update components made the platform more cluttered and distracting than I would have liked. I found myself regarding the Android device as something that made my mobile experience more complicated while the Ubuntu device was making my life easier. As a result, for the past two months I have been using the Ubuntu phone exclusively.



At this point I have grown to like using the Ubuntu phone and other people who have seen it in action usually express an interest in the device, but there is a big barrier to people getting their hands on an Ubuntu phone: no one is currently selling them. There is some good news though: it is possible to take some existing Android phones and install Ubuntu on them, much the same way many of us purchase a laptop bundled with Windows and install our preferred Linux distribution on it. One project which strives to make installing Ubuntu on mobile devices a better experience is UBports. The UBports project works to get Ubuntu running on phones and provides install images and instructions for getting Ubuntu running on a small number of Android devices. I decided to explore the process, see what steps are involved and how well the UBports software works.



I purchased a Nexus 5, one of the three devices currently listed as supported on the UBports website. The Nexus 5 was second-hand and arrived in the mail with a rubber bumper and about 60% battery charge. No USB cable or charger was included.



The Nexus 5 arrived in its factory reset state, running Android 6.0.1. I used the phone with its default Android operating system for a while to establish a base-line for how well the phone worked. For the most part, the Nexus 5 performed well. It ran smoothly and all its functions worked. The battery drained a little quicker than I'm used to, but not too badly. The one unwelcome quirk was that it sometimes took four or five taps on the power button to get the phone to start once it had been powered off. The power button would activate the screen when the phone was sleeping on the first try and the power button issue only seemed to manifest on cold boots. Not a big problem for me as I rarely turn off phones, but the power button was a minor annoyance.





Android 6.0 -- The Settings screen




Using the Nexus 5 with Android quickly reminded me why I planned to wipe the phone and install a different operating system. Between the initial set up and launching three applications, the device showed me six nag screens to sign up for services or provide my e-mail address, plus a notification asking me to install software updates. I was eager to get started with my experiment.



UBports provides brief installation instructions and an install image for the Nexus 5. The code name for the install image is Hammerhead. The project indicates the functions of the Nexus 5 should all work, with the exception of Bluetooth.



The installation instructions can be performed from any computer running a recent version of Ubuntu Desktop or one of its derivatives, such as Ubuntu MATE or Linux Mint. The install steps can be performed from either an installed copy of the operating system or a live medium. This means if we have Ubuntu 16.04 on a USB thumb drive, we can use it to install Ubuntu Touch on a phone.



The installation steps on the UBports website make a few assumptions and I want to address those. For example, the UBports documentation assumes our desktop operating system is a modern derivative of Ubuntu and has the Universe repository enabled. The tools we install require the Universe repository to be activated, which can be handled in Ubuntu's Software & Updates application. The UBports documentation also assumes we have already unlocked our phone. If you have not done this ahead of time, the installation of Ubuntu Touch will fail. I will cover these extra steps below.



To recap, we need the following to install Ubuntu on the Nexus 5 (or similar phone):

A computer running Ubuntu 16.04 (or newer). We can also use a derivative of Ubuntu and the desktop operating system can be running from live media; it does not need to be installed on the hard drive.

A USB cable to connect the phone to the computer.

The phone, in my case a Nexus 5. The phone should have a full battery charge.

The first thing we need to do is unlock the phone. On the Nexus 5, this can be done by booting the phone into its Android operating system. Then go into the Settings panel and scroll down to the bottom entry, About Phone. On the About Phone settings page, near the bottom, is an entry labelled Build Number. Tap the Build Number label six times; this will enable Developer Options. Go back a page to the main Settings screen. There will be a new entry called Developer Options. Go into Developer Options and turn on the USB Debugging switch.



Next we switch over to the desktop computer. From the desktop environment, launch the Software & Updates application. Make sure the Universe repository is enabled and close the window. Next, open a virtual terminal and run the following two commands:

    sudo apt-get update
    sudo apt-get install ubuntu-device-flash phablet-tools

The above commands will download approximately 49MB of packages and set up the necessary tools on your computer. Now, reboot the Nexus 5 and (as the device powers on) hold down the power button and the Volume Up and Volume Down buttons. (The UBports instructions mention the power button and Volume Up, but the Volume Down button must be held too.)



This should cause the Nexus 5 to boot into fastboot mode. We will see a menu come up with boot options. Plug the phone into the computer, via the USB cable. Then run the following command from the computer's virtual terminal:

    sudo fastboot oem unlock

The phone should now display a prompt asking if we want to unlock its boot loader. On the phone, press the Volume Up or Volume Down button to select "Yes". Then press the power button to confirm the action. The phone should now be unlocked. From here, we can run a single (though long) command to download a new installation image and copy it to the phone:

    sudo ubuntu-device-flash --server=http://system-image.ubports.com touch --channel=ubuntu-touch/stable --device=hammerhead --bootstrap

The above command downloads the Nexus 5 image, called Hammerhead, copies the operating system to the phone and attempts to reboot the phone. If all goes well, the Ubuntu logo (or the UBports logo) should appear on the phone's screen, followed by a reboot. The process takes a few minutes and, if it is interrupted, the installation will fail. The first time I tried this process, something went wrong when files were copying to the phone and the ubuntu-device-flash command reported a problem pushing files to the device. Re-running the above command fixed the issue.





Ubuntu Touch -- Apps scope




After a few minutes, the phone will reboot and display the Ubuntu loading screen. The Ubuntu first run wizard will then appear on the phone and walk us through connecting to a wireless network, selecting our location and choosing our time zone. We are then shown the Ubuntu Apps scope and the Unity 8 desktop environment. Additional applications and scopes can be accessed through the App Store icon at the bottom of the screen and settings can be accessed via a drop-down panel at the top of the screen. Should we wish to install new software or check for package updates we will need an Ubuntu account.



The Nexus 5 was fairly responsive when running Ubuntu, offering similar performance to when it was running Android 6. The model I purchased has 16GB of internal storage and had 12GB of space left over after the installation was finished. The device offers about 1.8GB of RAM, 1GB of which was used by Ubuntu. These resource consumption numbers matched my experience running Ubuntu on the Meizu Pro 5.



Up to this point we have covered how to get Ubuntu Touch on an Android phone, but what works and what doesn't? The answer is a bit complicated because there are actually multiple branches of UBports' installation media. There are three development (Devel) branches, an RC branch and a Stable branch. What works and what does not will vary depending on which installation image we use.



When I tried running the Stable and RC branches, the phone properly connected to wireless networks, Bluetooth didn't work and (according to reports I read on UBports' forum) receiving phone calls will not work. The phone's settings panel, installing new applications and using scopes all worked. The camera worked and the device could detect and use its SIM card. I found that trying to launch the default web browser (or any other web browser I installed) would cause the browser to immediately crash. The inability to browse the web appears to be the result of a security feature working a little too well.



When I ran the various development branches, I found the web browser would work, but I was unable to connect to password protected wireless networks. Open networks could be accessed, but no encrypted wi-fi networks. When I ran the Stable branch the phone would not shut off completely and the screen would glow, slowly draining the battery. When running the Devel branches, the phone powered off all the way. Everything else appeared to work the same under both the Stable and Devel branches.



For people who want to try alternative images to the default, Stable image, change the name of the channel parameter in the ubuntu-device-flash command during the installation. So instead of

    sudo ubuntu-device-flash --server=http://system-image.ubports.com touch --channel=ubuntu-touch/stable --device=hammerhead --bootstrap

Use this:

    sudo ubuntu-device-flash --server=http://system-image.ubports.com touch --channel=ubuntu-touch/devel_rc-proposed --device=hammerhead --bootstrap

Ubuntu Touch -- Settings panel




After playing with the various install images for the Nexus 5, I had to conclude the Ubuntu Touch port was not quite ready for daily use. Most of the desired functionality is present, but a few key pieces are missing. As the UBports website shows, the project has most of the features working. The phone suspends, the touch screen works, the device detects mobile and wi-fi networks. Screen rotation works as do the camera and GPS. These are all important features and it is good to see the small UBports team has made so much progress. Unfortunately, the phone's installation branches make the user decide between accessing protected wireless networks and being able to browse the web. And, with the older images at least, receiving calls appears to be an issue. Bluetooth capabilities are detected by the operating system, but not usable yet.



The work UBports has done is impressive, but right now the Nexus 5 port is only close to being usable on a day-to-day basis. Almost all the pieces are in place, but there are still a few key pieces missing, whichever installation channel we use. The port continues to progress and, hopefully, the final few rough edges will be polished in a few months.



The Nexus 5 is not the only port in the works. The Fairphone 2 and OnePlus One devices also have mostly working ports and it looks as though the Fairphone can already be used to make calls. (I contacted the Fairphone project and asked if I could test their device, but they did not have any phones to spare at the time and I could not find any to purchase.)



At this point I wouldn't recommend using UBports on a person's main phone, but if you have a spare device lying around and want to test Ubuntu on it, the project is making installing Ubuntu Touch fairly easy. The entire process of unlocking the phone and installing Ubuntu takes about 15 minutes. At the current rate of development, I think the UBports images may be complete enough to use on a primary mobile device later this year.



As for the Nexus 5 I was using, I'm considering putting a fresh install of Ubuntu Touch on the device and auctioning it off if there is any interest. Please leave a comment if the idea of having an experimental Ubuntu phone appeals to you.

* * * * *

Additional tips and tricks can be found in our Tips and Tricks archive.






Opinion Poll

Running alternative phone operating systems



Many of us like to tinker with operating systems and are as likely to place an alternative operating system on our phone as we are to install a new distribution on our desktop computer. This week we would like to explore whether our readers install alternative or custom operating systems on their smart phones. If you do, please leave us a comment mentioning which operating systems you have installed on your mobile device.



You can see the results of our previous poll on running desktop applications remotely here. All previous poll results can be found in our poll archives.



Running alternative phone operating systems



I stick with the default OS: 1037 (67%)

I install an alternative OS on my main phone: 312 (20%)

I install an alternative OS on a spare phone: 199 (13%)
