On 5/10/19 12:16 PM, Marc Griffiths wrote:
Hi everyone. Nice critique John. To throw in my perspective as an
experienced Linux user switching to Qubes as sole laptop OS a few months
back. Primary usecase for me is #1 increased security when using crypto
exchanges and #2 the feeling of spinning up an environment that I have
confidence in being private, for the writing of personal notes and
The concept is awesome, perfectly designed for protection against
malicious applications, websites and devices. Although it offers no
protection against Intel Management Engine.
There is much more to low-level vulnerabilities than IME: PortSmash,
Foreshadow, Rowhammer, etc. Overall, AMD processors appear to be less
vulnerable than Intel.
My experience of installing on a Lenovo Yoga 720 was seamless,
everything worked including the touch screen. However, I experienced a
lot of random browser crashing. Chromium dead birds on a fairly regular
basis. Vivaldi, Chromium, and Firefox browser windows disappearing
without error, on both Fedora and Debian. Upgrading to Fedora 29, and
upgrading dom0 didn't resolve the problem. A few times the desktop
became unresponsive, and while I was able to ctrl+alt+F2 to dom0, it
wasn't clear how I could view processes running on a particular VM.
Sorry to hear about the stability issues. You might try updating your
UEFI firmware to see if that helps.. the precise way that it configures
advanced hardware features (seldom used by other operating systems) does
have an impact on both compatibility and stability. This is also a good
reason to stick with business-oriented computers because vendors take
more care to get advanced features working correctly on them; its one of
the reasons why Thinkpads are so popular among Qubes users.
I'd be interested in knowing what audience Qubes is aimed at. With the
rapidly increasing public awareness on cyber-security and privacy, Qubes
could very easily find itself in high demand. At present though it's
only going to appeal to experienced Linux users, which is a shame,
because it wouldn't be that much work to make it far more accessible.
If the Qubes team is interested in a larger audience, I would suggest:
* Include Ubuntu based VM as default, or at least make the process of
adding a Ubuntu template significantly easier
* Include a brief getting started guide that covers essentials such as
cross VM copy/paste, accessing devices, upgrading software etc
* If we're limited to XFCE, then include guides on customising to be
more like other environments. Most critical for me was adding
shortcuts for switching desktops and moving windows between
desktops: System tools > Window Manager > Keyboard
* A guide on the limitations: what does Qubes protect you from, what
does it not protect you from, what are the next steps to improve
security. Having a colour-coded grid to communicate this would be
You're not limited to XFCE, and in my experience KDE works better.
Next step for me is ordering a T400, which doesn't have Intel Management
Engine, supports Libreboot, and has proven itself as an uncrashable
workhorse. I used to run Windows and SUSE on this laptop back in
2008-2011, it never crashed, despite running a complex J2EE dev
environment. I will miss having 16GB RAM, but the i7 I can happily part
I doubt that Qubes will install or run on a T400. Qubes was initially
developed on Sandy Bridge-era hardware, and the requisite virtualization
features in chipsets was still maturing up to that point.
I feel obliged to mention that if you want to avoid management engines
and a raft of other processor vulns, you should look to the AMD 15h
generation of chips (circa 2013). In the form of a Lenovo G505s A10,
installing Qubes first requires re-flashing the firmware with
Coreboot... an exercise that I'm about to try. :)
Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to firstname.lastname@example.org.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.