On Sat, 25 Oct 2025 01:22:19 +0200 Marek Marczykowski-Górecki <[email protected]> wrote:
> On Fri, Oct 24, 2025 at 06:15:24PM -0500, Aaron Rainbolt wrote:
> > There's probably a substantial Qubes R4.3 userbase that doesn't have
> > qubes-core-admin-addon-kicksecure installed yet. Anyone who installs
> > the kicksecure-18 template is going to get a deluge of
> > notifications, similar to the issue described in [1]. As a
> > workaround, I documented how to manually install
> > qubes-core-admin-addon-kicksecure, restart qubesd, and then re-sync
> > qvm-features from the kicksecure-18 template by source'ing all the
> > scripts under /etc/qubes/post-install.d. [2]
> >
> > This is workable, and most users will probably not run into this
> > issue, but is there possibly a way to work around this, so that
> > when a user installs qubes-core-admin-addon-kicksecure for the
> > first time, the appropriate features are automatically set? The
> > only "correct" way I can think of to do this would be to boot every
> > single not-yet-booted template, run all of its post-install.d
> > scripts in the same shell, then shut down the template if it wasn't
> > booted at addon install time. That sounds very painful though, and
> > like something that should be avoided if at all possible. The other
> > option I can think of would be to scan for templates with a name
> > matching the regex "kicksecure-\d+" and adding any necessary
> > features to them, but that risks both false positives and false
> > negatives.
>
> The qubes-core-admin-addon-kicksecure package will get automatically
> installed[1].

Ah, I didn't realize it would end up installed on R4.3 systems
installed from an earlier rc ISO. In that instance the chances of this
happening are pretty slim (I previously thought everyone who installed
from an rc1 or rc2 ISO was going to run into this).

> And template's post-install scripts will run at the next template
> update. So, _if_ user runs into this issue, they simply need to apply
> updates, no need to manually call any scripts.

True. There may still be edge cases where a user might run into this
problem and just updating isn't enough (i.e. if they somehow installed
all updates in the Kicksecure template before
qubes-core-admin-addon-kicksecure got installed or before qubesd was
restarted), but the number of users who will hit that edge case is
probably near zero. So never mind on my initial request, there probably
isn't anything additional worth doing here.

--
Aaron

> [1] https://github.com/QubesOS/qubes-core-admin/commit/460b40c9
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
