On 10/12/2016 10:58 PM, entr0py wrote:
Manuel Amador (Rudd-O):
On 10/12/2016 07:58 PM, Chris Laprise wrote:
This requirement is already satisfied in the Qubes VPN doc:

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


The scripts will stop non-VPN traffic and make sure that DNS operates
through the VPN instead of going around it.
True, technically, someone reading an anatomy manual /could/ succeed in
performing surgery.

I prefer to release software that solves the issue without the user
having to cobble together scripts and whatnot, which has more of an
opportunity to allow for (fatal, in some cases) error.  Furthermore,
user scripts that people put on a VM once and forgot about are
bound to remain unmaintained, whereas with packaged software, there's
the opportunity for me to release updates that work with future Qubes OS
versions.

That doc is also like 20 pages long when printed out.  It's a really
long set of instructions.  Why not a drop-in package, and then a config
file, and off to the races we go?  Seems much simpler to me.

@Chris @Manuel:
Thanks to both of you for your contributions. (Almost) everything Manuel said is correct. 
It's also true that Chris has unfairly been a target of criticism for his documentation 
which is really no more verbose than is necessary. His instructions allowed me to 
"perform surgery" :) many months before the availability of a drop-in solution.

Regarding Manuel's last point about simplicity: A package may be easier to 
install than a lengthy step-by-step but not necessarily easier to understand. 
For a certain subset of Qubes users who require knowing what changes are being 
made to their system, a package requires reading (sometimes complex) code, 
while a list of iptables rules is rather self-explanatory.

That said, following Chris' guide was a great learning experience. I look 
forward to studying Manuel's repo as well.

There's really no reason why the VPN doc solution can't be packaged. No one was asking for that, and I was actually getting berated for not creating an experience that was educational enough (my sin was in supplying working scripts with comments instead of just the comments).

But Marek is clearly very receptive to the idea of packaging VPN helper code, so I shall channel myself in that direction. I am all for reducing human error, which is why I insisted on a fully scripted solution against protests that users should write their own and hard code their IP addresses.

Also, I really don't think it's appropriate to take a security-critical issue like this and ignore the existing (working) solution on the basis of 'OMG no package! Hey kids, add my repository to your template!' Someone offering technical solutions here is presumed to be knowledgeable, not ignorant, so it's puzzling to see someone dismissing a working solution in such a manner.

Finally, I have posted some concerns about Manuel's package that you should consider:
https://groups.google.com/d/msgid/qubes-users/b9227f71-03cd-6271-5801-4f55eac043fe%40openmailbox.org


Chris
