{{Header}}
{{Title|title=
Security Operating System Comparison - {{project_name_short}} vs Debian
}}
{{#seo:
|description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability, and hardening by default.
|image=Kicksecure_versus_Debian.png
}}
{{tech_intro_mininav}}
[[File:Kicksecure_versus_Debian.png|thumb|150px]]
{{intro|
This page contains a detailed overview and comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults, and usability.
}}
= Introduction =
This wiki page compares the security-focused, hardened defaults of {{project_name_short}} against upstream [https://www.debian.org Debian]. The differences are comprehensively detailed in several tables and visually highlighted below. The aspects considered are security hardening, several privacy aspects, and usability aspects. ([[Comparison_with_Others#Table_of_Contents|Table of Contents]])
= Security Hardening by Default =
== Account & Privilege Management ==
{| class="wikitable"
|+ ''Account & Privilege Management Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
<!-- Account & Privilege Management -->
! [[sysmaint|<code>user-sysmaint-split</code>]]
| Separate daily and admin accounts by default
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits
| Follows from the <code>user-sysmaint-split</code> account separation above.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! Holistic administrative ("[[root]]") account protection
|
* [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]]
* [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]]
* Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]]
* [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]]
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
| Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]]
| Make symlink attacks and other <code>/tmp</code> based attacks harder or impossible.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]]
| Permission Lockdown enforces strong user separation by restricting access to other users' home directories using strict file permissions.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]]
| Restrictive <code>umask</code> to tighten file system permissions for newly created files.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening
| Console lockdown reduces the attack surface for console based attacks.
| {{Yes}}
| {{No}}
|-
<!-- Account & Privilege Management -->
! [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]]
| [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]]
| {{Yes}}
| {{No}}
|-
|}
== Package & Binary Security ==
{| class="wikitable"
|+ ''Package & Binary Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
<!-- Package & Binary Security -->
! [[SUID Disabler and Permission Hardener]]
| Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.
| {{Yes}}
| {{No}}
|-
<!-- Package & Binary Security -->
! Default package selection
| Minimal by default, which reduces the attack surface from optional services such as <code>exim</code> / <code>samba</code> / <code>cups</code>. <ref>
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
</ref>
| {{Yes}} <ref>
See also: [[About#Default security software|Default package selection]]
</ref>
| {{BlueBackground}} Depends. <ref>
Debian package selection depends on installer choices and tasks. For example, Exim is commonly installed in some Debian setups. See: [https://wiki.debian.org/Exim Debian Exim wiki page].
</ref>
|-
<!-- Package & Binary Security -->
! Secure APT sources
| HTTPS APT sources are used by default
| {{Yes}}
| {{BlueBackground}} Depends. <ref>See footnote: [[About#Secure_Package_Sources_Configuration]].</ref>
|-
<!-- Package & Binary Security -->
! [https://github.com/{{project_name_short}}/security-misc <code>security-misc</code>]
| Kernel hardening, kernel module restrictions, entropy, mount options, brute-force protection, [[panic-on-oops]]
| {{Yes}}
| {{No}}
|-
|}
== Network Security ==
{| class="wikitable"
|+ ''Network Security Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
<!-- Network Security -->
! Protection against targeted, malicious software upgrades
| Anonymous (<code>Tor</code>ified) software upgrades (<code>APT</code> upgrades run over Tor) by default
| {{Yes}} <ref>[[About#torified_updates|See Torified Updates]]</ref>
| {{No}}
|-
<!-- Network Security -->
! [[tirdad|TCP ISN randomization (tirdad)]]
| TCP Initial Sequence Numbers Randomization: mitigates a reported TCP ISN based information leak side channel; see footnote. <ref>
<blockquote>The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked. It may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.</blockquote>
</ref>
| {{Yes}}
| {{No}}
|-
<!-- Network Security -->
! Secure network time synchronization / Protection from [[Time Attacks]]
| Uses authenticated web-date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]]
| {{Yes}} ([[sdwdate]])
| {{No}} (NTP)
|-
<!-- Network Security -->
! [https://github.com/{{project_name_short}}/open-link-confirmation open-link-confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
| {{Yes}}
| {{No}}
|-
<!-- Network Security -->
! No open server ports by default
| All unsolicited incoming connections are blocked
| {{Yes}}
| {{BlueBackground}} Depends. <ref>
Debian's default listening services and open ports depend on installation choices and configuration. See also: [https://www.debian.org/doc/manuals/securing-debian-manual/ch12.en.html Securing Debian Manual FAQ] and [[Debian_Tips#Open_Ports|Debian Open Ports]].
</ref>
|-
<!-- Network Security -->
! Network stack hardening by default
| Hardened networking defaults including anti-spoofing protections, safer ICMP and ARP handling, SYN flood mitigations, reduced information leaks, and other kernel-level network hardening.
| {{Yes}}
| {{No}}
|-
<!-- Network Security -->
! Bluetooth Hardening
| Bluetooth is enabled in the kernel but disabled by default; private MAC addresses, limited discoverability timeout, and manual user activation required.
| {{Yes}} <ref>
* [https://github.com/Kicksecure/security-misc?tab=readme-ov-file#bluetooth-hardening Bluetooth Hardening]
* [https://github.com/Kicksecure/security-misc/blob/master/etc/bluetooth/30_security-misc.conf See security-misc Bluetooth settings]
</ref>
| {{No}}
|-
<!-- Network Security -->
! Hardened SSH client and server configuration
|
* <u>Client hardening:</u> Secure defaults for SSH client cryptography, key exchange, MACs, and host key algorithms.
* <u>Server hardening:</u> Restrictive authentication defaults, strong cryptography, and reduced attack surface.
| {{Yes}} <ref>Settings are maintained as part of the security-misc package, see {{Github_link
|gituser=Kicksecure
|repo=security-misc
|path=/blob/master/etc/ssh
|text=<code>/etc/ssh</code> folder
}}.</ref>
| {{No}}
|-
|}
== Encryption & Data Protection ==
{| class="wikitable"
|+ ''Encryption & Data Protection Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
<!-- Encryption & Data Protection -->
! Strong Entropy Generation
| Ensures secure cryptographic operations by improving early boot entropy collection and reducing reliance on CPU and bootloader supplied entropy. See also [[Dev/Entropy]].
| {{Yes}}
| {{No}}
|-
<!-- Encryption & Data Protection -->
! [[Full Disk Encryption|{{Fde}}]]
| Enabled by default in the installer
| {{Yes}}
| {{BlueBackground}} Depends
|-
<!-- Encryption & Data Protection -->
! Improved Full Disk Encryption (FDE) installer defaults
| The Calamares installer offers improved, more secure default Full Disk Encryption (FDE) settings. <ref>
https://forums.kicksecure.com/t/iso-cryptsetup-full-disk-encryption-fde-set-more-secure-default-encryption-settings/588
</ref>
| {{Yes}}
| {{BlueBackground}} Depends
|-
<!-- Encryption & Data Protection -->
! [[Ram-wipe|ram-wipe]]
| Wipes RAM at shutdown and reboot to prevent information extraction from memory.
| {{Yes}}
| {{No}}
|-
<!-- Encryption & Data Protection -->
! Sensitive crash artifact reduction
| Reduces leakage of sensitive information by disabling coredumps and PStore, and by clearing kernel symbol data such as <code>System.map</code>.
| {{Yes}}
| {{No}}
|-
<!-- Encryption & Data Protection -->
! [[USBGuard]] enabled by default
| Provides policy-based USB device authorization framework to protect against malicious USB devices.
| {{Yes}}
| {{No}}
|-
<!-- Encryption & Data Protection -->
! [[emerg-shutdown|Emergency shutdown]]
|
* Forcibly powers off the system if the boot drive is removed.
* Forcibly powers off the system via a "panic key sequence" (default: {{Keypress|Ctrl|Alt|End}}).
* Can be triggered by running: <code>sudo /run/emerg-shutdown --instant-shutdown</code>
| {{Yes}}
| {{No}}
|-
! Email encryption and signing support
| Communications (email) can be end-to-end encrypted and digitally signed with [[OpenPGP]].
| {{Yes}}
| {{Yes}}
|-
|}
== System Hardening ==
{| class="wikitable"
|+ ''System Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit
| [[systemcheck]]
| {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]])
| {{No}}
|-
! Kernel hardening by default
| Extensive kernel hardening via hardened <code>sysctl</code> settings, boot parameters, ASLR improvements, safer defaults for risky kernel features, and reduced kernel attack surface.
| {{Yes}}
| {{No}}
|-
! CPU vulnerability mitigations in strict mode
| Uses strict kernel boot mitigations for known CPU vulnerabilities such as Spectre, Meltdown, L1TF, MDS, Retbleed, GDS, RFDS, and related issues, rather than relying only on generic automatic mitigation defaults.
| {{Yes}}
| {{No}}
|-
! Kernel module attack surface reduction
| Blacklists and disables a wide range of risky, legacy, or unnecessary kernel modules to reduce attack surface, with optional hardening to disable loading of new modules after boot.
| {{Yes}}
| {{No}}
|-
! [[Recovery#Recovery_Mode|Recovery Mode Lockdown]]
| Disables Recovery Mode by default and restricts fallback recovery shells.
| {{Yes}}
| {{No}}
|-
! [[Thumbnails|Thumbnails]] protection
| Thumbnails and previews are disabled by default in supported file managers because malicious files can sometimes exploit bugs in thumbnailing or preview code leading to remote code execution.
| {{Yes}}
| {{No}}
|-
! [[File_indexing|File indexing attack surface reduction]]
| No indexing service is installed by default because malicious files can sometimes exploit bugs in the indexing software leading to remote code execution. <ref>
[[Dev/GNOME#1-Click_RCE_on_GNOME_(CVE-2023-43641)_in_file_indexing_service|1-Click RCE (Remote Code Execution) on GNOME (CVE-2023-43641) in file indexing service]]
</ref>
| {{Yes}}
| {{BlueBackground}} Depends
|-
|}
== Build Integrity & Transparency ==
{| class="wikitable"
|+ ''Build Integrity & Transparency Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
<!-- Build Integrity & Transparency -->
! [[deep_scan_ready|Deep scan ready]]
| Can be inspected from a trusted external system without booting the suspect {{os}}, enabling offline or detached scanning of all storage and boot components.
| {{Yes}}
| {{Yes}}
|-
<!-- Build Integrity & Transparency -->
! {{anchor|show=true|unicode}} Protects its in-house source code from malicious [[unicode]]
| [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.]
| {{Yes}} <ref>
* {{Github_link|
https://github.com/Kicksecure/developer-meta-files/blob/master/usr/bin/dm-check-unicode
}}
* https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29
</ref>
| {{No}} <ref>
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention]
* This issue has been discussed publicly, but implementations and mitigations vary by project.
</ref>
|-
! Protection from supply chain attacks
| Mandates digital signature verification at all stages of development. This includes source code commits, git tags, the build process, and final downloads. Execution or deployment of unsigned code is strictly forbidden. The policy helps prevent supply chain attacks by ensuring the authenticity and integrity of software throughout its development and distribution.
| {{Yes}} <ref>
[[Digital_Signature_Policy|Digital Signature Policy]]
</ref>
| {{No}} <ref>
Debian's live-build has an open, security-tagged bug about authenticating all files it downloads as of December 2025. Debian bug report: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225 live-build should authenticate files it downloads]
</ref>
|-
<!-- Build Integrity & Transparency -->
! [[Trust#canary|Warrant canary]]
| Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.
| {{Yes}}
| {{No}}
|-
<!-- Build Integrity & Transparency -->
! [[Dev/Build Documentation|build documentation]]
| Building your own images is encouraged, made as secure and easy as possible, with free user support being provided in the forums.
| {{Yes}}
| {{Yes}}
|-
|}
= Security Tools =
{| class="wikitable"
|+ ''Security Tools''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks#grub-pwchange|<code>grub-pwchange</code>]]
| <code>grub-pwchange</code> is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]].
| {{Yes}}
| {{No}}
|-
| [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed
| [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed
| {{Yes}}
| {{No}}
|-
| [[Login#Configuring_Passwords|<code>pwchange</code>]]
| Terminal-based tool for secure password changes using the command line.
| {{Yes}}
| {{No}}
|-
| <code>crypt-pwchange</code>
| Utility for changing LUKS-encrypted volume passwords securely.
| {{Yes}}
| {{No}}
|-
|}
= Usability =
{| class="wikitable"
|+ ''Usability and Convenience''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Better download and installation instructions
| Clearer guidance for downloading and installing the operating system, reducing user mistakes during installation and first boot.
| {{Yes}}
| {{No}}
|-
! [[Live Mode]]
| Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.
| {{Yes}}
| {{No}}
|-
! [[System Maintenance Panel]] (<code>sysmaint-panel</code>)
| GUI tool for common administrative tasks: software updates, package installation, account management, password changes, keyboard layout configuration, system checks, and more.
| {{Yes}}
| {{No}}
|-
! Calamares installer with improved UX
| Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.
| {{Yes}}
| {{BlueBackground}} Depends. <ref>Debian Live uses Calamares; regular D-I does not</ref>
|-
! Functional APT sources list
| Pre-configured and working APT sources to ensure package updates and installations function out of the box.
| {{Yes}} <ref>See also: [[Debian Tips]]</ref>
| {{BlueBackground}} Depends.
|-
! sudo pre-configured
| sudo is ready to use without additional setup, allowing safe privilege escalation by default.
| {{Yes}} <ref>See [[Root#Root_Account_Management|Root Account Management]]</ref>
| {{BlueBackground}} Depends.
|-
! bash-completion, Zsh shell
| Command-line enhancements like tab completion and Zsh shell for improved terminal usability.
| {{Yes}}
| {{No}}
|-
! [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist]
| Provides virtual machine usability improvements such as auto mounting shared folders, setting a sensible screen resolution, automatic screen resizing, and integration helpers for common VM environments.
| {{Yes}}
| {{No}}
|-
! [https://github.com/{{project_name_short}}/usability-misc usability-misc]
| Miscellaneous usability enhancements.
| {{Yes}}
| {{No}}
|-
! Popular apps pre-installed
| Frequently used applications are pre-installed with secure defaults for convenience and security.
| {{Yes}} [[Software|with secure defaults]]
| {{BlueBackground}} Depends.
|-
! [[chmod-calc]] pre-installed
| Comprehensive File and Directory Inspection Tool
| {{Yes}}
| {{No}}
|-
! Simple system-wide keyboard layout configuration
| A tool is provided for changing the keyboard layout for the labwc display server, as well as system-wide (console, GUI, disk encryption passphrase prompt, GRUB)
| {{Yes}} <ref><code>set-console-keymap</code>, <code>set-labwc-keymap</code>, <code>set-grub-keymap</code>, and <code>set-system-keymap</code> scripts, in package [https://github.com/Kicksecure/helper-scripts helper-scripts]</ref>
| {{No}}
|-
! <code>apt-get-noninteractive</code>
| A wrapper for <code>apt-get</code> that allows for automated, non-interactive package installation and upgrades.
| {{Yes}}
| {{No}}
|-
! <code>dpkg-noninteractive</code>
| A wrapper for <code>dpkg</code> to ensure non-interactive behavior suitable for scripts or automation.
| {{Yes}}
| {{No}}
|-
! [[Configuration_Files#Reset_Configuration_Files_to_Vendor_Default|<code>apt-get-reset</code>]]
| Resets configuration files to vendor defaults, useful for recovery or resolving misconfigurations.
| {{Yes}}
| {{No}}
|-
! [[Grub#Temporary_Kernel_Boot_Parameter_Change|GRUB boot menu with keyboard layout selection sub-menu (<code>set-grub-keymap</code>)]]
| GRUB bootloader includes a sub-menu for selecting keyboard layouts to support localized access at boot time.
| {{Yes}}
| {{No}}
|-
! [[Recovery#Recovery_Mode|Recovery Mode]] with user-specified keyboard layout (<code>set-system-keymap</code>)
| Recovery Mode supports custom keyboard layouts, enhancing accessibility in emergency scenarios.
| {{Yes}}
| {{No}}
|-
! [[Recovery#Emergency_Recovery_Console|Emergency Recovery Console]] with user-specified keyboard layout (<code>set-system-keymap</code>)
| Emergency console can be used with user-defined keyboard layout for troubleshooting and system repair.
| {{Yes}}
| {{No}}
|-
|}
* todo: [[browser-choice]] + hp
= Platform Support =
{| class="wikitable"
|+ ''Platform Support''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Extensive architecture support
| Availability of support across multiple processor architectures, such as x86_64 ([[Intel_AMD64|Intel / AMD64]]), [[ARM64|ARM]], [[PPC64|PPC]], [[RISCV64|RISCV]] and others.
| {{RedBackground}} Limited. See [[Architecture Support]].
| {{Yes}}
|-
! Major Virtualizer Support
| Availability of official images for virtualizers.
| [[VirtualBox]], [[Linux|VirtualBox Linux installer]], [[KVM]], [[Qubes]]
| OpenStack, QEMU, Amazon EC2 / AWS Marketplace, Microsoft Azure / Azure Marketplace.
|-
! Extensive desktop environment support
| GNOME, KDE, LXQt, MATE, Cinnamon and [https://wiki.debian.org/DesktopEnvironment more]
| {{No}}, see [[Other Desktop Environments]].
| {{Yes}}
|-
|}
= General =
{| class="wikitable"
|+ ''General Comparison''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Open Source distribution
| Freely available source code and licensed under open-source terms.
| {{Yes}}
| {{Yes}}
|-
! Based on Debian
| Built directly on top of Debian for compatibility, stability, and maintainability.
| {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]])
| {{BlueBackground}} N/A
|-
! High quality packaging distribution
| Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]].
| {{Yes}}
| {{Yes}}
|-
! Based on Linux
| Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.
| {{Yes}}
| {{Yes}}
|-
! Pre-installed security tools
| Comes with hardened tools and services for security, privacy, and anonymity.
| [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc]
| Minimal (optional install)
|-
! Secure defaults (network, packages, accounts)
| Defaults favor security: no open ports, limited user privileges, hardened configurations.
| {{Yes}}
| {{No}}
|-
! Target audience
| Designed for users needing strong security and privacy protections.
| Users seeking strong defense
| General-purpose users, servers, desktops
|-
! [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]]
| Applies relevant recommendations from Debian's official security manual by default, adapting and modernizing where necessary.
| {{Yes}}
| {{No}}
|-
! Onion service version of website
| Provides a more secure, end to end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.
| {{Yes}}
| {{Yes}}
|-
! Comprehensive security [[Documentation]]
| In-depth guides and resources to help users understand, implement, and maintain strong security practices.
| {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]])
| {{Yes}} <ref>[https://www.debian.org/doc/manuals/securing-debian-manual/ Securing Debian Manual]</ref>
|-
! Signed downloads
| All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.
| {{Yes}}
| {{Yes}}
|-
! Documentation encourages users to perform digital software signature verification
| [[Verifying Software Signatures]] is consistently pointed out in documentation for software installation and updating (not only for the ISO), and detailed verification instructions are provided where feasible.
| {{Yes}} <ref>
[[Digital_Signature_Policy|Digital Signature Policy]]
</ref>
| {{BlueBackground}} Depends. <ref>
Debian provides verification guidance and links (for example, checksum and signature links on the download page and a dedicated ISO verification guide), but this is not always presented as an explicit step-by-step verification requirement across all documentation pages. See: [https://www.debian.org/download Downloading Debian], [https://www.debian.org/distrib/ Download Debian], and [https://www.debian.org/CD/verify Verifying authenticity of Debian images].
</ref>
|-
|}
= Freedom and Transparency =
{| class="wikitable"
|+ ''Freedom and Transparency''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Open Source
| Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits.
| {{Yes}}
| {{Yes}}
|-
! Freedom Software
| Includes software that adheres to Free Software Foundation (FSF) approved licenses.
| {{Yes}}
| {{Yes}}
|-
! Security hardening research and implementation focus
| Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement.
| {{Yes}}
| {{No}}
|-
! Fully Auditable
| All software is open for inspection and verification by independent developers and researchers worldwide.
| {{Yes}}
| {{Yes}}
|-
! Complete respect for privacy and user freedom
| No user tracking, no advertising integrations, and no personal data harvesting.
| {{Yes}}
| {{Yes}}
|-
! No user freedom restrictions such as [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|administrative rights refusal]]
|
| {{Yes}}
| {{Yes}}
|-
! No tivoization / no vendor lock-in
|
| {{Yes}}
| {{Yes}}
|-
! Obey user settings as a project value and development goal
|
| {{Yes}}
| {{Yes}}
|-
! Malware analysis / malicious backdoor and rootkit hunting possible reasonably easily
| Not a design that simplifies implementation of [[Backdoor#The_Perfect_Malicious_Backdoor|The "Perfect" Malicious Backdoor]]. ([[deep_scan_ready|deep scan ready]])
| {{Yes}}
| {{Yes}}
|-
|}
= Opt-in and Testers =
TODO
= Upcoming =
{| class="wikitable"
|+ ''Planned Features (Not Yet Implemented)''
|-
! Feature
! Description
! Status
|-
! [https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128 Related forum thread]
| Discussion about potential improvements for screen locking and shutdown behavior.
| {{No}} ''Planning/Discussion''
|-
! [[Verified_Boot#Protecting_the_Kernel_Command_Line|Protecting the Kernel Command Line]] <ref>https://forums.kicksecure.com/t/protecting-the-kernel-command-line/1251</ref>
| Enhanced protection for kernel boot parameters to prevent tampering.
| {{No}} ''Planned''
|-
! [[Sovereign Boot]]
| Integration with [[Sovereign Boot]] for verifiable system boot integrity.
| {{No}} ''Planned''
|-
|}
= Development =
{| class="wikitable"
|+ ''Development Tools and Debugging''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[Recovery#Serial_Console|Easy setup of Serial Console]]
| [https://github.com/{{project_name_short}}/serial-console-enable serial-console-enable]: simplifies enabling a serial console for debugging purposes.
| {{Yes}}
| {{No}}
|-
! [[debug-misc]]
| [https://github.com/{{project_name_short}}/debug-misc debug-misc]: Simplifies enabling settings required for troubleshooting and debugging.
| {{Yes}}
| {{No}}
|-
|}
= Attribution =
* <u>Not anti-Debian:</u> This article should not be misunderstood as hatred toward [https://www.debian.org Debian].
* <u>Lineage:</u> [[Based on Debian|Kicksecure is based on Debian]].
* <u>Fork friendly:</u> Debian welcomes [https://en.wikipedia.org/wiki/Fork_(software_development) software forks], meaning anyone can create a new project by copying Debian under the respective licenses and developing it in their own way. See also {{whonix_wiki
|wikipage=Dev/Operating_System#Debian_is_Fork_Friendly
|text=Debian is Fork Friendly
}}.
* <u>Gratitude:</u> Without Debian, Kicksecure would not exist. Gratitude is expressed to the Debian project and its contributors.
* <u>Innovation:</u> Debian continues to innovate. <ref>
https://forums.whonix.org/t/reproducible-builds-innovation/23057
</ref>
{{quotation
|quote=[https://github.com/kpcyrd/repro-threshold repro-threshold], which implements an APT transport that “defines a threshold of at least X of my N trusted rebuilders need to confirm they reproduced the binary” before installing Debian packages.
|context=[https://reproducible-builds.org/reports/2025-11/ Reproducible Builds News]
}}
{{quotation
|quote=We stand on the shoulders of giants - Kicksecure and many other Libre software projects are only made possible because people invested in writing code that is kept accessible for the public benefit.
|context=[[Reasons_for_Freedom_Software|Reasons for Freedom Software / Open Source]]
}}
{{quotation
|quote=Debian - the best parent one can have
|context=[https://puri.sm/posts/what-is-pureos-and-how-is-it-built/ PureOS]
}}
{{quotation
|quote=Reasons for being based on Debian:
|context={{whonix_wiki
|wikipage=Dev/Operating_System#Debian
|text=chapter Debian - Security-Focused Operating System Comparison as Base for Whonix
}}
}}
= See Also =
* [[About#Hardening_by_Default|Hardening by Default]]
* [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]]
* [[Full Disk Encryption]]
* [[sysmaint]]
* [[Debian Tips]]
= Table of Contents =
__TOC__
= Footnotes =
<references />
[[Category:Documentation]]
{{Footer}}