First boot: Package installation

Submitted by rphair on Mon, 09/27/2021 - 14:12

Manual settings & removing security vulnerable software

Select & run Terminal from the list of Activities.

  • Right-click the icon on that list, or where you see it appear on the Dock at the side of the screen, to add it to the list of Favorites to keep it on the Dock... you're going to need it!
  • Commands to type in the Terminal (also called the Shell or "command line") will appear here like this:
type this stuff into Terminal

Check & set time zone

    (optional) If you want to set local UTC time zone, to match timestamps on your node software, for instance):

    sudo timedatectl set-timezone UTC

    Remove standard packages which may be security risks

    Some of these may have side effects and/or security consequences if we ever connect to the Internet.

    (optional) Uninstall snap and remove all snaps

    Snaps are prefabricated images containing all components of an application, including libraries which may supersede the security vetted libraries of the OS itself.  Snaps may contain closed source components.

    • Anyone in favour of installing software this way should please keep in mind that the security breach described in our origin story was also the result of using images assembled from dependencies specified somewhere else... which is pretty much how snap works.

    Specific removal instructions are likely to change with Ubuntu patch levels so please follow instructions here (How do I turn off snap in Ubuntu?) or search the Internet on another machine for a proper installation method.  (This is not urgent so you can wait until the next time you've booted the Frankenwallet.)

    Uninstall CUPS printer management services

    This runs a printer manager service & opens up a web port intended for browser-based administration:

    sudo apt remove cups

    Disable unattended upgrades

    This ensures you'll never be spontaneously checking for packages, even if the software update check settings you made earlier (to the Software & Updates app) are changed or reverted:

    sudo apt remove unattended-upgrades

    System software installation & update

    NOTE for purists who wish to never connect their Frankenwallet to the Internet... not even once, from the baseline Ubuntu software:

    ➤ Please stay tuned near this section… upon popular demand we can also prepare a list of manual downloads which can be run on the host machine, to produce an alternate script which will allow you to add current packages for libreoffice, 7z and secure-delete, and which match the current Ubuntu baseline from the installation media.

    This would allow you to set up your Frankenwallet completely without a single connection to the Internet… not even a single connection under controlled circumstances as suggested below.

    If you're not in the "purist" category, connect your Internet cable now — or turn on your regular WiFi — and get ready to disconnect it again as soon as you get to the end of the instructions on this page.

    Then execute:

    sudo apt update
    • to prepare for all the OS & essential application packages that have come out since the last Ubuntu official release.
    • if you get a message about having to run “sudo dpkg --configure -a” - usually seen after it reports a package glitch during the installation - do so now.
      • This may also happen if system is interrupted in the middle of adding or removing a package.
    sudo apt upgrade
    • to do all those installations (answer Y and get used to taking a look at what it’s upgrading)

    Essential added package: secure file deletion

    sudo apt install secure-delete
    • makes sure you can delete original key files in a way that zero-writes their file data, and randomises the directory entries before deleting them

    Q: Why would we ever need to do this on the Frankenwallet, on which all the files are encrypted?

    • A: You don't need this for Frankenwallet files… it's for the Frankenwallet to use on files on the host computer which may be accidentally written there unencrypted or improperly encrypted!

    ➤ What you'd do in that case: as soon as possible (before rebooting into that computer), random-write and then zero-write that file, as well as the directory entry pointing to it, to be sure it can never be accessed on the host machine even through unclaimed disk space:

    srm mySecretFile

    Essential added packages: AES encrypting document / spreadsheet editor & file archiver

    The greatest benefit of the Frankenwallet is to use LibreOffice and the 7z archive for encrypted storage of keys and passphrases, or other confidential material about your transactions, private addresses, etc... given that you now have an environment on which to cold-encrypt these documents:

    sudo apt install libreoffice p7zip-full p7zip-rar

    Now you can disconnect again from the Internet, and leave it unconnected indefinitely… until if and when you need to download any CLI software or install network dependent applications for a "cool" environment.

    Reboot (for the first time)

    Suggestion, especially for those with older or slower USB drives:

    ➤ Don't reboot by typing sudo reboot, or with reboot or shutdown -h now at a root prompt.

    • The system is more likely to have type to sync the pending disk write (important to avoid having the fsck when booting) if you shut down via the GNOME interface.
    • Therefore, click Power Off from the upper-right GNOME menu just to give it time to sync & unmount the root partition gracefully.
    Page created: 27 September 2021 14:12 UTC
    Last updated: 03 October 2021 12:55 UTC