On Fri, Sep 28, 2018 at 03:15:22AM -0700, OutdoorAcorn wrote:
> On Friday, 28 September 2018 10:48:19 UTC+1, unman wrote:
> > On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> > >
> > > OutdoorAcorn:
> > > > I've just installed Qubes OS 4.0 on my old laptop to get the hang of it
> > > > before I (hopefully) make my leap over from Windows!
> > > >
> > > > I wanted to install some new software in the personal and work domains
> > > > so I went to the "Qubes Menu -> Template: fedora-26 -> fedora-26:
> > > > Software" and clicked the Install button for an app however it only
> > > > ever displayed pending. I opened up the Qubes Manager and noticed that
> > > > no NetVM was assigned to any of the templates. I opened the settings
> > > > and assigned it sys-firewall which then allowed me to install programs.
> > > >
> > > > On the https://www.qubes-os.org/doc/software-update-vm/ page under
> > > > "Notes on trusting your TemplateVM(s)" heading it says:
> > > >
> > > > "Only install packages from trusted sources – e.g. from the
> > > > pre-configured Fedora repositories. All those packages are signed by
> > > > Fedora, and we expect that at least the package’s installation scripts
> > > > are not malicious. This is enforced by default (at the firewall VM
> > > > level), by not allowing any networking connectivity in the default
> > > > template VM, except for access to the Fedora repos."
> > > >
> > > > This no longer seems the case in Qubes OS 4.0 - no NetVM is attached to
> > > > the TemplateVMs and no default firewall rules. Okay, onto the questions:
> > > >
> > > > 1) Have these defaults been missed out from the Qubes OS 4.0 install?
> > > > 2) Or is the documentation out of date and it's now recommended to do
> > > > something else?
> > > > 3) How should I go about installing/updating apps in the TemplateVMs?
> > > > 3a) permanently attach sys-firewall and create firewall rules to only
> > > > allow trusted repos as the docs currently suggest
> > > > 3b) or only attach sys-firewall when updating/installing and disconnect
> > > > afterwards?
> > >
> > > The docs are right, but what they mean is that you can't use the
> > > "Software" application to install apps in templates. You should leave
> > > NetVM on (none) on the templates and instead use dnf on Fedora or apt
> > > on Debian.
> >
> > To put a bit more flesh on that:
> > 1. The mechanism has changed in Qubes 4.0, so the old defaults no longer
> > apply.
> > Instead of using restricted access to a netvm, in Qubes 4.0 the update
> > proxy is reached by qrexec calls. This provides better insulation for
> > the template.
> > You should not attach a TemplateVM to a netVM.
> > 2. The docs should be clarified.
> > 3. Open a terminal in the TemplateVM and run 'sudo dnf' or appropriate
> > package manager, as awokd says.
> > 3a. For reason above do not do this in Qubes 4.0
> > 3b. For reason above do not do this in Qubes 4.0
> >
> > If you want to install software not already packaged, then download (and
> > verify) it in an online qube and qvm-move it to the TemplateVM. Be aware
> > of the additional risks involved.
> >
> > unman
>
> Thanks for the response awokd and unman. I can confirm that this works as
> expected using dnf and apt. Reading further down on that page it explains in
> more detail how this is done via the qubes-update-proxy service.
>
> If you can't install apps via the "Software" gui app how come it is listed in
> "Qubes Menu -> Template: fedora-26"? It seems like this is just going to lead
> newbies like myself down a dead end.
>
> You could go as far as to say that the "Software" app isn't useful and should be
> removed. It can only be used in an AppVM or DVM (with an attached NetVM) and
> in the case of the AppVM the installed app would be removed on reboot.
>
> Thanks again for clearing this up for me.
> =)
>

I'm not a Fedora user, but I would have expected the Software gui to work. The proxy use is set in dnf config and it would be surprising if the GUI program didn't honour that. Certainly in Debian based Ubuntu all the dpkg based package managers use the same config settings and honour the proxy.
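
One way to check for the situation discussed in this thread (a TemplateVM with a NetVM attached), as an added example that is not part of the original messages or of Qubes itself. It assumes the listing is pipe-separated `name|class|netvm` lines, as printed in dom0 by `qvm-ls --raw-data --fields name,class,netvm`, with `-` meaning no NetVM; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TemplateVMs that have a NetVM attached.
# Assumption: input is "name|class|netvm" per line, the pipe-separated form
# printed in dom0 by: qvm-ls --raw-data --fields name,class,netvm
# A NetVM of "-" (or an empty field) means none.

templates_with_netvm() {
    # Reads the listing on stdin, prints "template netvm" for each offender.
    awk -F'|' '
        $2 == "TemplateVM" && $3 != "-" && $3 != "" { print $1, $3 }
    '
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    cat <<'EOF'
dom0|AdminVM|-
fedora-26|TemplateVM|sys-firewall
debian-9|TemplateVM|-
personal|AppVM|sys-firewall
sys-firewall|AppVM|sys-net
EOF
}

audit() {
    # Returns 1 if any template is network-attached, 0 otherwise.
    offenders=$(templates_with_netvm)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | while read -r vm netvm; do
        printf 'WARNING: %s has NetVM %s; set it to (none) and update with dnf/apt\n' \
            "$vm" "$netvm"
    done
    return 1
}

# In dom0: qvm-ls --raw-data --fields name,class,netvm | audit
sample_listing | audit || true
```

AppVMs such as `personal` are expected to have a NetVM and are not reported; only templates are checked.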
