> 1. After upgrading templates to fedora-26 and debian-9, there is no way
> the installation image will fit on DVD. Right now it takes 4908384256
> bytes. We probably could try to cut it down by eliminating even more
> packages from templates, but I think there are not many non-essential
> packages left there. For example we no longer ship vim in debian-9.
> Right now I see two options:
>
> - abandon the goal of fitting the image on DVD (I'd go for this)
>
> - exclude some template from default installation...

A lot of users today may have secure machines from which to build a trusted USB installer out of a larger image. One option could be to offer a single layer DVD image that just discards the debian-9 template, the whonix templates or both, and also offer a larger image with all the goods included. That way someone bootstrapping a trusted environment could use the single layer image to verify the burnt image and install it, then download additional templates, while someone with a trusted environment to burn the installer to a USB can just use the larger image.

Another option would be to accept a larger image size but notify users of the DVD approach and simply specify that they will need a double layer DVD. DVDs are more than 15 years old by this point; even double layer discs and burners are inexpensive for someone going to the effort to acquire hardware for verification of a Qubes image as well as hardware capable of running Qubes in a sufficiently secure mode to justify that effort.

> 2. grub sucks at booting xen.efi (or rather: xen.efi is rather picky
> about its environment). On many systems, booting xen.efi without grub
> (using rEFInd, EFI shell, or simply by renaming it over BOOTX64.efi)
> helps with boot problems. An idea: do not use grub on UEFI installation.
> Downside: you lose boot menu - no way to choose or not media
> verification, or rescue mode. And no way to adjust boot arguments,
> needed on some platforms to work around UEFI bugs... To do that, you'd
> need to edit EFI/BOOT/xen.cfg using some other means.
> Alternative: keep grub there, but provide an instruction how to boot
> xen.efi directly, in short:
>
> mount /dev/sdb1 /mnt # assuming /dev/sdb1 is installation USB
> mv /mnt/EFI/BOOT/xen.efi /mnt/EFI/BOOT/BOOTX64.efi
> mv /mnt/EFI/BOOT/xen.cfg /mnt/EFI/BOOT/BOOTX64.cfg
> umount /mnt
>
> After such operation, media verification would fail, obviously.

You could offer this as an installation option, either by booting the installer using EFI directly (the installer itself doesn't need a boot menu; if needed you could just automatically run media verification with a skip prompt instead of making it a boot option), or by offering 2 versions of the installer image, one with GRUB and one that configures the system for direct booting.
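
A reversible form of the rename quoted above, as an added example that is not part of the original messages or of Qubes' own tooling. The function names and the `.grub` backup suffix are assumptions; the argument is the mount point of the installation USB's EFI partition (`/mnt` in the quoted commands).

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Qubes tooling).
# Usage after `mount /dev/sdb1 /mnt`:  direct_boot_enable /mnt
#                                       direct_boot_revert /mnt

# Make xen.efi the removable-media loader, keeping the old loader as a backup.
direct_boot_enable() {
    boot="$1/EFI/BOOT"
    # Refuse to touch anything unless both Xen files are present.
    [ -f "$boot/xen.efi" ] && [ -f "$boot/xen.cfg" ] || {
        echo "xen.efi or xen.cfg missing under $boot" >&2; return 1; }
    # Refuse to overwrite a backup left by an earlier run.
    [ ! -e "$boot/BOOTX64.efi.grub" ] || {
        echo "backup already exists under $boot" >&2; return 1; }
    # Keep the existing loader so the change can be undone (".grub" suffix is an assumption).
    if [ -f "$boot/BOOTX64.efi" ]; then
        mv "$boot/BOOTX64.efi" "$boot/BOOTX64.efi.grub" || return 1
    fi
    # xen.efi looks for a .cfg named after itself, so both files are renamed together.
    mv "$boot/xen.efi" "$boot/BOOTX64.efi" &&
    mv "$boot/xen.cfg" "$boot/BOOTX64.cfg"
}

# Undo direct_boot_enable: restore the Xen file names and the saved loader.
direct_boot_revert() {
    boot="$1/EFI/BOOT"
    # BOOTX64.cfg without xen.efi marks a media that was switched.
    [ -f "$boot/BOOTX64.cfg" ] && [ ! -e "$boot/xen.efi" ] || {
        echo "nothing to revert under $boot" >&2; return 1; }
    mv "$boot/BOOTX64.efi" "$boot/xen.efi" &&
    mv "$boot/BOOTX64.cfg" "$boot/xen.cfg" || return 1
    if [ -f "$boot/BOOTX64.efi.grub" ]; then
        mv "$boot/BOOTX64.efi.grub" "$boot/BOOTX64.efi"
    fi
}
```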
