On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> 
> 
> outdoorac...@gmail.com:
> > I've just installed Qubes OS 4.0 on my old laptop to get the hang of it 
> > before I (hopefully) make my leap over from Windows!
> > 
> > I wanted to install some new software in the personal and work domains so I 
> > went to the "Qubes Menu -> Template: fedora-26 -> fedora-26: Software" and 
> > clicked the Install button for an app however it only ever displayed 
> > pending. I opened up the Qubes Manager and noticed that no NetVM was 
> > assigned to any of the templates. I opened the settings and assigned it 
> > sys-firewall which then allowed me to install programs.
> > 
> > On the https://www.qubes-os.org/doc/software-update-vm/ page under "Notes 
> > on trusting your TemplateVM(s)" heading it says:
> > 
> > "Only install packages from trusted sources – e.g. from the pre-configured 
> > Fedora repositories. All those packages are signed by Fedora, and we expect 
> > that at least the package’s installation scripts are not malicious. This is 
> > enforced by default (at the firewall VM level), by not allowing any 
> > networking connectivity in the default template VM, except for access to 
> > the Fedora repos."
> > 
> > This no longer seems the case in Qubes OS 4.0 - no NetVM is attached to the 
> > TemplateVMs and no default firewall rules. Okay, onto the questions:
> > 
> > 1) Have these defaults been missed out from the Qubes OS 4.0 install?
> > 2) Or is the documentation out of date and it's now recommended to do 
> > something else?
> > 3) How should I go about installing/updating apps in the TemplateVMs?
> > 3a) permanently attach sys-firewall and create firewall rules to only allow 
> > trusted repos as the docs currently suggest
> > 3b) or only attach sys-firewall when updating/installing and disconnect 
> > afterwards?
> 
> The docs are right, but what they mean is that you can't use the "Software"
> application to install apps in templates. You should leave NetVM on (none)
> on the templates and instead use dnf on Fedora or apt on Debian.

To put a bit more flesh on that:
1. The mechanism has changed in Qubes 4.0, so the old defaults no longer
apply.
Instead of using restricted access to a netvm, in Qubes 4.0 the update
proxy is reached by qrexec calls. This provides better insulation for
the template.
You should not attach a TemplateVM to a netVM.
2. The docs should be clarified.
3. Open a terminal in the TemplateVM and run 'sudo dnf' or appropriate
package manager, as awokd says.
3a. For the reason above, do not do this in Qubes 4.0.
3b. For the reason above, do not do this in Qubes 4.0.


If you want to install software not already packaged, then download (and
verify) it in an online qube and qvm-move it to the TemplateVM. Be aware
of the additional risks involved.

unman
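
Added example, not part of the original message: a dom0 audit sketch that lists any TemplateVM with a NetVM attached, which the reply above says should not be done in Qubes 4.0. It assumes `qvm-ls --raw-data --fields NAME,CLASS,NETVM` prints pipe-separated rows with "-" for an unset NetVM; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TemplateVMs that have a NetVM attached.
# Input rows are "name|class|netvm". Assumption: this is the row format of
# `qvm-ls --raw-data --fields NAME,CLASS,NETVM`, with "-" for NetVM (none).

# Prints "template -> netvm" for each offending template.
# Returns 1 if any template has a NetVM, 0 if all are isolated.
templates_with_netvm() {
    awk -F'|' '
        $2 == "TemplateVM" && $3 != "-" && $3 != "" {
            print $1 " -> " $3
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample rows, used when qvm-ls is unavailable (outside dom0).
sample_rows() {
    cat <<'EOF'
fedora-26|TemplateVM|sys-firewall
debian-9|TemplateVM|-
personal|AppVM|sys-firewall
sys-firewall|AppVM|sys-net
EOF
}

# Remediation hint. Assumption: an empty value sets the NetVM to (none).
hint="Detach with: qvm-prefs <template> netvm ''"

if command -v qvm-ls >/dev/null 2>&1; then
    qvm-ls --raw-data --fields NAME,CLASS,NETVM | templates_with_netvm \
        || echo "$hint"
else
    sample_rows | templates_with_netvm || echo "$hint"
fi
```

Run from a dom0 terminal; AppVMs with a NetVM are ignored, only templates are reported.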
