Tails support? #646

Cwtch is already being promoted in anarchist communities, and these communities primarily rely on Whonix and Tails. I would argue that the users that would benefit the most from what Cwtch provides will be using Tails.

My understanding is that until the issues opened by nyxnor are closed, Cwtch isn't working on Whonix Workstation no matter the "Advanced Tor Configuration" settings (this understanding is based on this forum post).

Would Cwtch work on Tails between now and when those issues are closed? If so, what should the "Advanced Tor Configuration" be? Stream isolation in Tails also uses an implementation of onion-grater. If the only problem with Tails use is Stream Isolation, this could be mitigated by using Cwtch in a dedicated Tails session.

Hi,

Thanks for opening this.

Would Cwtch work on Tails between now and when those issues are closed? If so, what should the "Advanced Tor Configuration"

I'm not sure as I don't think anyone has tested this and reported back - but my assumption would be that it won't currently work without some external configuration change, but I could be wrong - it is definitely work testing.

One of the main strands of work I have planned prior to the release of 1.12 is to get Cwtch to the point where it works seamlessly on Whonix (https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues?q=whonix&type=all&state=open&labels=197&milestone=0&assignee=0&poster=0) / Qubes (cwtch.im/cwtch#492) and, indeed, Tails.

There are basically two main pieces of work that need to be done:

Changes to connectivity to allow it to detect when it is in an environment with a system Tor that has additional restrictions like onion-grater.
Setting up dedicated test environments for those environments.

I am planning on getting to this work sometime in the next month or so. I'll update this thread when there is a nightly release available for testing.

Small update on this: I have Cwtch working on Tails: https://mastodon.social/@sarahjamielewis/110142886772978466

The changes needed:

an onion grater config / give Cwtch access to the tails auth cookie
A small code change to Bine to allow it to parse ProxyAddress properly - for some reason Tor on Tails passes back a result that doesn't work. I have a fix for this: https://git.openprivacy.ca/openprivacy/bine/src/branch/tails will be rolling it in this week.
Setting up Tor Config in Cwtch to properly connect to Tor on tails (CookieAuth / Control Port) etc. I'm planning on adding a command line switch to automate this.

With any luck I'll have a nightly available to test later this week.

Draft Walkthrough of running on Tails is now published here: https://docs.cwtch.im/docs/platforms/tails

This requires the changes in the 2023-04-05-18-28-v1.11.0-7-g0290 nightly: https://docs.cwtch.im/blog/availability-status-profile-attributes#downloading-the-nightly

As noted in the docs, the configuration can likely be tightened, and we likely want to make some additional changes (#550) to better handle the ProxyAddress - but hopefully this is a useful start and any feedback you (or anyone else reading this) can provide would be great!.

So exciting!

On the current version of Tails (5.12), running the command exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch, gave the output:

my_application.cc: using aot_library_path or '/home/amnesia/.local/lib/cwtch/libapp.so'

** (cwtch:10571): WARNING **: 00:00:54.807: Failed to start Flutter renderer: Unable to create a GL context

Attached a screenshot.

cwtch.cleaned.png

14 KiB

Thanks for testing. It looks like you have run into a current Flutter bug - I've seen one ad-hoc report of this recently, but it was assumed to be software/hardware issues. It looks like this might need a flutter SDK update on our end.

In the meantime, can you try launching with LIBGL_ALWAYS_SOFTWARE=1 as well? This should bypass the GL issue.

(Debugging note, this looks like it might be related to a long standing flutter issue related to graphics drivers https://github.com/flutter/flutter/issues/76178#issuecomment-1356657603)

Launching with LIBGL_ALWAYS_SOFTWARE=1 as well outputs:

my_application.cc: using aot_library_path or '/home/amnesia/.local/lib/cwtch/libapp.so'

** (cwtch:11522): CRITICAL **: 18:29:43.405: Failed to read XDG desktop portal settings: GDBus.Error:org.freedesktop.portal.Error.NotFound: Requested setting not found

After this message, it starts as you would expect. However, I noticed that the Tor icon does not have the checkmark. In the Tor network status page, it says "Tor status: 0% - rebooting". The Reset button doesn't do anything. Perhaps this is expected behavior using the system Tor?

Connecting with another Cwtch contact (me from another device) doesn't succeed. The contact appears to be offline when they are not (waited around 30 minutes, restarted the Tor circuit on the contact Cwtch instance, exited and reopened both Cwtch instances).

I think that once Cwtch is stable, Tails really needs it in default software. Currently, encrypted messaging is limited to PGP email or Pidgin XMPP.

The highest likelihood of this happening is if Cwtch approaches the Tails team directly, so I thought I would link some GitLab issues here that are relevant to packaging and other considerations:

Tails is very conservative about which software to include in Tails by default. One of their reasonings is that once a software is included in Tails people get used to it, after which removing it is a big UX cost. So to include software in Tails, they want it to be good, stable, user-friendly, and overall the right choice over other similar software, in order to avoid the UX cost of removing it from Tails in the years following its addition.
Tails reaaally prefers to include software that is already maintained as a Debian package. This is also true about Whonix, though to a lesser extent (https://www.whonix.org/wiki/Dev/Default_Application_Policy). The issue of maintaining a Debian package for messaging software is a complex one, as intrigeri (a Tails maintainer) said on https://gitlab.tails.boum.org/tails/tails/-/issues/15200, "I think that at least some of the messaging client ecosystem won’t fit into the Debian packaging/release model, for various cultural and technical reasons. This general situation makes me sad [...]". There was some discussion at some point about making it possible to include Flatpaks in Tails, I'm not sure where these discussions are at.
A few links that might be of interest:
- Tails "mobile_messaging" wiki page https://gitlab.tails.boum.org/tails/blueprints/-/wikis/mobile_messaging, which discusses several instant messaging software, presumably with the goal of studying their inclusion in Tails. Cwtch is not in the list. Notably, one of the strategic goals for the next three years is " better interoperability with tools like mobile messaging apps..."
- A closed issue from two years ago about including Briar in Tails https://gitlab.tails.boum.org/tails/tails/-/issues/17715. It looks like the proposal was refused because of technical incompatibilities between Briar and Tails system Tor.
- An open issue from two years ago about including an OTRv4 client in Tails https://gitlab.tails.boum.org/tails/tails/-/issues/17832.

I think that once Cwtch is stable, Tails really needs it in default software. Currently, encrypted messaging is limited to PGP email or Pidgin XMPP. The highest likelihood of this happening is if Cwtch approaches the Tails team directly, so I thought I would link some GitLab issues here that are relevant to packaging and other considerations: - Tails is very conservative about which software to include in Tails by default. One of their reasonings is that once a software is included in Tails people get used to it, after which removing it is a big UX cost. So to include software in Tails, they want it to be good, stable, user-friendly, and overall the right choice over other similar software, in order to avoid the UX cost of removing it from Tails in the years following its addition. - Tails reaaally prefers to include software that is already maintained as a Debian package. This is also true about Whonix, though to a lesser extent (https://www.whonix.org/wiki/Dev/Default_Application_Policy). The issue of maintaining a Debian package for messaging software is a complex one, as intrigeri (a Tails maintainer) said on https://gitlab.tails.boum.org/tails/tails/-/issues/15200, "I think that at least some of the messaging client ecosystem won’t fit into the Debian packaging/release model, for various cultural and technical reasons. This general situation makes me sad [...]". There was some discussion at some point about making it possible to include Flatpaks in Tails, I'm not sure where these discussions are at. - A few links that might be of interest: - Tails "mobile_messaging" wiki page https://gitlab.tails.boum.org/tails/blueprints/-/wikis/mobile_messaging, which discusses several instant messaging software, presumably with the goal of studying their inclusion in Tails. Cwtch is not in the list. Notably, one of the strategic goals [for the next three years](https://tails.boum.org/news/report_2023_01/) is " better interoperability with tools like mobile messaging apps..." - A closed issue from two years ago about including Briar in Tails https://gitlab.tails.boum.org/tails/tails/-/issues/17715. It looks like the proposal was refused because of technical incompatibilities between Briar and Tails system Tor. - An open issue from two years ago about including an OTRv4 client in Tails https://gitlab.tails.boum.org/tails/tails/-/issues/17832.

Ok I loaded up Tails this morning and found two issues in the latest nightly. The main problem looks like the GETINFO oniongrater config is too restrictive, a provisional working version is here: d6571d6ca4/linux/cwtch-tails.yml (part of this PR: #669)

With that fix and reloaded, I can get Cwtch up and running on my tails environment.

I thought I would link some GitLab issues here that are relevant to packaging and other considerations:

Thanks for this list. One of our major threads of work this next few months is packaging, and having this all in one place is helpful.

As a note: debian packaging is definitely high on our priority list.

With that fix and reloaded, I can get Cwtch up and running on my tails environment.

Yay, for me too!

Is backing up $HOME/.cwtch totally equivalent to exporting a profile through the GUI, or does it back up data that the export feature doesn't?

Yay, for me too!

Awesome!

Is backing up $HOME/.cwtch totally equivalent to exporting a profile through the GUI, or does it back up data that the export feature doesn't?

Backing up $HOME/.cwtch will back up all profiles, global app settings e.g. themes / experiments / language info etc. (and on other systems Tor config/data).

Export profile only backups up individual profile information.