On Friday, 28 September 2018 14:14:55 UTC+1, unman wrote:
> On Fri, Sep 28, 2018 at 01:56:41PM +0100, unman wrote:
> > On Fri, Sep 28, 2018 at 01:02:22PM +0100, unman wrote:
> > > On Fri, Sep 28, 2018 at 03:15:22AM -0700, OutdoorAcorn wrote:
> > > > On Friday, 28 September 2018 10:48:19 UTC+1, unman wrote:
> > > > > On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> > > > > > OutdoorAcorn:
> > > > > > > I've just installed Qubes OS 4.0 on my old laptop to get the hang
> > > > > > > of it before I (hopefully) make my leap over from Windows!
> > > > > > >
> > > > > > > I wanted to install some new software in the personal and work
> > > > > > > domains so I went to the "Qubes Menu -> Template: fedora-26 ->
> > > > > > > fedora-26: Software" and clicked the Install button for an app
> > > > > > > however it only ever displayed pending. I opened up the Qubes
> > > > > > > Manager and noticed that no NetVM was assigned to any of the
> > > > > > > templates. I opened the settings and assigned it sys-firewall
> > > > > > > which then allowed me to install programs.
> > > > > > >
> > > > > > > On the https://www.qubes-os.org/doc/software-update-vm/ page
> > > > > > > under "Notes on trusting your TemplateVM(s)" heading it says:
> > > > > > >
> > > > > > > "Only install packages from trusted sources – e.g. from the
> > > > > > > pre-configured Fedora repositories. All those packages are signed
> > > > > > > by Fedora, and we expect that at least the package’s installation
> > > > > > > scripts are not malicious. This is enforced by default (at the
> > > > > > > firewall VM level), by not allowing any networking connectivity
> > > > > > > in the default template VM, except for access to the Fedora
> > > > > > > repos."
> > > > > > >
> > > > > > > This no longer seems the case in Qubes OS 4.0 - no NetVM is
> > > > > > > attached to the TemplateVMs and no default firewall rules. Okay,
> > > > > > > onto the questions:
> > > > > > >
> > > > > > > 1) Have these defaults been missed out from the Qubes OS 4.0
> > > > > > > install?
> > > > > > > 2) Or is the documentation out of date and it's now recommended
> > > > > > > to do something else?
> > > > > > > 3) How should I go about installing/updating apps in the
> > > > > > > TemplateVMs?
> > > > > > > 3a) permanently attach sys-firewall and create firewall rules to
> > > > > > > only allow trusted repos as the docs currently suggest
> > > > > > > 3b) or only attach sys-firewall when updating/installing and
> > > > > > > disconnect afterwards?
> > > > > >
> > > > > > The docs are right, but what they mean is that you can't use the
> > > > > > "Software" application to install apps in templates. You should
> > > > > > leave NetVM on (none) on the templates and instead use dnf on
> > > > > > Fedora or apt on Debian.
> > > > >
> > > > > To put a bit more flesh on that:
> > > > > 1. The mechanism has changed in Qubes 4.0, so the old defaults no
> > > > > longer apply.
> > > > > Instead of using restricted access to a netvm, in Qubes 4.0 the update
> > > > > proxy is reached by qrexec calls. This provides better insulation for
> > > > > the template.
> > > > > You should not attach a TemplateVM to a netVM.
> > > > > 2. The docs should be clarified.
> > > > > 3. Open a terminal in the TemplateVM and run 'sudo dnf' or appropriate
> > > > > package manager, as awokd says.
> > > > > 3a. For reason above do not do this in Qubes 4.0
> > > > > 3b. For reason above do not do this in Qubes 4.0
> > > > >
> > > > > If you want to install software not already packaged, then download
> > > > > (and verify) it in a online qube and qvm-move it to the TemplateVM.
> > > > > Be aware of the additional risks involved.
> > > > >
> > > > > unman
> > > >
> > > > Thanks for the response awokd and unman. I can confirm that this works
> > > > as expected using dnf and apt. Reading further down on that page it
> > > > explains in more detail how this is done via the qubes-update-proxy
> > > > service.
> > > >
> > > > If you can't install apps via the "Software" gui app how come it is
> > > > listed in "Qubes Menu -> Template: fedora-26"? It seems like this is
> > > > just going to lead newbies like myself down a dead end.
> > > >
> > > > You could go as far to say that the "Software" app isn't useful and
> > > > should be removed. It can only be used in an AppVM or DVM (with an
> > > > attached NetVM) and in the case of the AppVM the installed app would be
> > > > removed on reboot.
> > > >
> > > > Thanks again for clearing this up for me.
> > > > =)
> > >
> > > I'm not a Fedora user, but I would have expected the Software gui to
> > > work. The proxy use is set in dnf config and it would be surprising if
> > > the GUI program didn't honour that.
> > > Certainly in Debian based Ubuntu all the dpkg based package managers use
> > > the same config settings and honour the proxy.
> >
> > It seems to be an extremely long running issue with Gnome Software tool.
> > There is a suggestion that setting ProxyHTTP in
> > /etc/PackageKit/PackageKit.conf may fix this, and Qubes does that by
> > default, but it doesn't seem to work.
> > I'm not a Fedora user (or Gnome really), but maybe someone else has
> > suggestion?
>
> There's an open issue for this (#3815):
> https://github.com/QubesOS/qubes-issues/issues/3815

Thanks for digging into this unman and providing the issue. I'll see if I can find some time to create a PR to update the documentation. =)
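
An added example, not part of the thread or of Qubes itself: a small audit that flags any TemplateVM with a NetVM attached, the state the thread advises against in Qubes 4.0. It assumes an inventory of `NAME|CLASS|NETVM` lines (assumed to come from `qvm-ls --raw-data --fields NAME,CLASS,NETVM` in dom0, with `-` meaning no NetVM); the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TemplateVMs that have a NetVM attached. The thread's
# advice for Qubes 4.0 is that templates stay on "(none)" and reach the
# update proxy through qrexec instead.
#
# Assumed input on stdin: one qube per line as NAME|CLASS|NETVM, where "-"
# (or an empty field) means no NetVM. Assumed dom0 usage:
#   qvm-ls --raw-data --fields NAME,CLASS,NETVM | audit_templates

# Print "template -> netvm" for every TemplateVM with a NetVM set.
templates_with_netvm() {
    awk -F'|' '
        NF >= 3 && $2 == "TemplateVM" && $3 != "-" && $3 != "" {
            printf "%s -> %s\n", $1, $3
        }'
}

# Return 0 when every template is isolated, 1 otherwise (offenders on stderr).
audit_templates() {
    offenders=$(templates_with_netvm)
    if [ -n "$offenders" ]; then
        printf 'TemplateVMs with a NetVM attached:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample inventory (not real output). fedora-26 reproduces the
# state from the thread after sys-firewall was assigned in Qubes Manager;
# debian-9 is a made-up second template left on "(none)".
sample_inventory() {
    cat <<'EOF'
sys-net|AppVM|-
sys-firewall|AppVM|sys-net
fedora-26|TemplateVM|sys-firewall
debian-9|TemplateVM|-
personal|AppVM|sys-firewall
work|AppVM|sys-firewall
EOF
}
```

For any template it reports, set the NetVM back to (none) in that qube's settings and install through dnf or apt inside the template, as described in the thread.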
