On 10/12/2016 10:58 PM, entr0py wrote:
Manuel Amador (Rudd-O):
On 10/12/2016 07:58 PM, Chris Laprise wrote:
This requirement is already satisfied in the Qubes VPN doc:
The scripts will stop non-VPN traffic and make sure that DNS operates
through the VPN instead of going around it.
True, technically, someone reading an anatomy manual /could/ succeed in
I prefer to release software that solves the issue without the user
having to cobble together scripts and whatnot, which has more of an
opportunity to allow for (fatal, in some cases) error. Furthermore,
user scripts that people put on a VM once and forgot about them, are
bound to remain unmaintained, whereas with packaged software, there's
the opportunity for me to release updates that work with future Qubes OS
That doc is also like 20 pages long when printed out. It's a really
long set of instructions. Why not a drop-in package, and then a config
file, and off to the races we go? Seems much simpler to me.
Thanks to both of you for your contributions. (Almost) everything Manuel said is correct.
It's also true that Chris has unfairly been a target of criticism for his documentation
which is really no more verbose than is necessary. His instructions allowed me to
"perform surgery" :) many months before the availability of a drop-in solution.
Regarding Manuel's last point about simplicity: A package may be easier to
install than a lengthy step-by-step but not necessarily easier to understand.
For a certain subset of Qubes users who require knowing what changes are being
made to their system, a package requires reading (sometimes complex) code,
while a list of iptables rules is rather self-explanatory.
That said, following Chris' guide was a great learning experience. I look
forward to studying Manuel's repo as well.
There's really no reason why the VPN doc solution can't be packaged. No
one was asking for that, and I was actually getting berated for not
creating an experience that was educational enough (my sin was in
supplying working scripts with comments instead of just the comments).
But Marek is clearly very receptive to the idea of packaging VPN helper
code, so I shall channel myself in that direction. I am all for reducing
human error, which is why I insisted on a fully scripted solution
against protests that users should write their own and hard code their
Also, I really don't think it's appropriate to take a security-critical
issue like this and ignore the existing (working) solution on the basis
of 'OMG no package! Hey kids, add my repository to your template!'
Someone offering technical solutions here is presumed to be
knowledgeable, not ignorant, so it's puzzling to see someone dismissing a
working solution in such a manner.
Finally, I have posted some concerns about Manuel's package that you