Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
Also, here are the hashes of the files I used to update my BIOS to
1.18 without ever booting windows following the procedure described
here: 
http://www.floccinaucinihilipilification.net/blog/2011/10/2/updating-the-bios-of-a-thinkpad-x220-using-linux.html

$ sha256sum geteltorito.pl x1carbon-bios-1.18/*
378a6305edb9397978e60b7908a85dd8c2546f2808cb845552d5e4a8ba9baab3  geteltorito.pl
0e13111e41f0ae79c0941865ee9647a19b698368ae71d1fca81f35a837463b85  x1carbon-bios-1.18/n1fuj12w.exe
c10ed88917a7f8779059a07e9f517b925a2ba714040518f019293728bbe4b0eb  x1carbon-bios-1.18/n1fuj12w.txt
e15fa987b0285254519cfb755667d7174374c75b1323343f69f9fc0670bc875f  x1carbon-bios-1.18/n1fur12w-extracted.img
eb08c3723293d82dd5f0f953de16d7f995b70b4abc6c7ab9144b620941a658f8  x1carbon-bios-1.18/n1fur12w.iso
bebf6bce6ff99ed66737f6fbad958f949a06b3df7173941ff6062f76c7c2f8e3  x1carbon-bios-1.18/n1fur12w.txt

If you get an x1 and yours differ I would *really* like to know!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_Ch%2BJE%3DBfsSGWLvZVY84W3BZRFgTL4r72z%3Di91GK4nCSA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
If you're going to get one, I'd say definitely go with 16gb ram, and
know that NVMe vs traditional SSDs appear to be equally well
supported.

The idea of a WWAN module (w/ accompanying free-to-do-whatever
baseband) in a laptop is a scary proposition and highly
un-recommended, and so are the vPro-labeled NICs (because AMT) but it
appears you can't get the model with the fastest processor without
one. You can "permanently disable AMT" via a bios option, but in
reality who knows if that actually means anything.

A note about placing orders: be sure that you haven't inadvertently
selected a back-ordered component. The order page lead time should say
5-7 days. If it says 10-12 days, they're lying, that's just their
hard-coded "longer than 5-7 days" time. I had a >1 month delay due to
the disk (which I only found out by contacting support after 12 days
and asking wtf was up), and I ended up canceling my order and placing
a new one with different components. (Or perhaps my delays were simply
because the [A-Z]{3} interdiction and implanting facility had a
backlog of work to do... who knows ^_^)



Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
On Wed, Oct 12, 2016 at 8:17 PM,   wrote:
> Can you let me know how things function under 3.2? Any improvements? I am 
> keen to get the X1 4th generation but I want to make sure it has full Qubes 
> compatibility since that will be its primary purpose.

3.2 is no different from 3.2-rc3 from an x1 hardware-support perspective.

Some things I've discovered since my original post:

The laptop fails to resume about once a day and requires a
hold-the-power-button reset. So far this has not caused any corruption
that I've noticed (perhaps I'm just lucky) and has been only mildly
annoying (or more-than-mildly annoying when forced to re-type my disk
password in a not-so-private environment as a side-effect of
rebooting).

I'm hoping that newer kernels fix this (dom0 currently on 4.4.14-11),
but I have yet to get around to actually trying it. Unfortunately I
have more pressing things to work on than rebasing the qubes kernel
patches and rebooting all day. Perhaps I'll get around to it some
weekend in the not-so-distant future if somebody doesn't beat me to
it...

Battery life for normal browsing, text editing, and the occasional
compile seems to be roughly 6-8 hours.

The super-high-dpi screen IMO turned out to actually be rather
annoying due to insufficient maturity of high-dpi support and my eyes
not having built-in magnifying glasses, so I'm running it at
globally-reduced resolution (scaled w/ xrandr in dom0). That's kinda
lame, but oh well.

Overall I would recommend it. It's been my primary machine for the
past few weeks. Support is good enough right now, and will only
improve with time.



Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/13/2016 03:13 AM, Chris Laprise wrote:
> Here is a rundown of initial concerns...
>
> * Routing tables should not be manipulated when VPN clients will
> surely do this as well

The program prohibits OpenVPN from manipulating routing tables.

>
> * Unknown side-effects with different VPN topologies (i.e. atypical
> routing commands pushed down to the VPN client)

Almost no routing instructions are obeyed.  Those which are obeyed, are
applied to routing table 78, which prevents malicious server
manipulation of ProxyVM routing tables.

>
> * Interdependent packet marking, detection and routing rules are
> needlessly complex

FWMARK was the only way to get blackholing to work reliably without
interference from the Qubes OS firewalling system.

>
> * Hardly a model for 'fail closed': Instead of being steady-state,
> blocking is dependent on state transitions in fw/routes (even worse,
> ones that are initiated by OpenVPN events). Blocking should not
> require active measures initiated by client software.

Check the code again.  Blocking happens way before VPN and Qubes
Firewall starts.  If there's a failure in the VPN, even if the
re-blackholing fails, no traffic from the VMs will be routed, simply
because everything is FWMARKed to go to routing table 78, which is dead
by the time VPN fails.

>
> * Specific to Fedora template and hard-coded for OpenVPN

Yes, this is specific to Fedora and hard-coded for OpenVPN.  OpenVPN is
the standard these days.  I welcome pull requests to enhance it for
other VPN solutions.

>
> * Not /rw based; Adds more services to template

Partially true.  Config goes in /rw as it should.  Services are optional
and need to be specifically enabled.

Frankly, much better than an instruction manual, or putting all of the
stuff in /rw/config/firewall stuff, because it being a package, it can
be updated regularly, given a repo containing the packages.

>
> * Not tested with Whonix/Tor

True.  Then again, Whonix has its own "VPN" solution called TOR.

>
> * Uncommented code
>

There are a few comments now.  Surely not enough to satisfy your
standards, but I welcome pull requests.

> * A full throttle busy-wait loop in 'qubes-vpn-forwarding.in'

Please point out the line of code where that happens.  I don't think I
have done that.

>
> * Marketing hyperbole like "leak-proof" should be replaced with terms
> like "anti-leak"

If you think it's possible to have this VPN leak, then prove you can
cause a leak, and — if you succeed — I will plug the leak.

>
> * Critique of existing solution stops at 'No packaging'[1]; Oddly,
> nothing pertaining to anti-leak abili

Sorry, gotta go to bed.  I have a suggestion: I think we will
collaborate better w.r.t bringing a standardized leak-proof solution to
Qubes, if we approach the issue in a non-confrontational and
collaborative way.  I'm happy to have criticisms because they tend to
improve the software, but I fail to see valid criticisms here, which
makes me feel like you jumped to critiquing without trying what you were
critiquing.  Let's get some more solid criticisms based on facts and not
on opinions or hunches.

-- 
Rudd-O
http://rudd-o.com/
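
The fail-closed arrangement argued for in the message above, sketched as policy-routing commands plus a check; this is an added example, not code from qubes-vpn or from its author. Only FWMARK steering and routing table 78 come from the message; the mark value, the interface names (`vif+`, `tun0`), the metrics and the function names are assumptions. It keeps a permanent high-metric blackhole in table 78, because a table with no matching route lets the lookup fall through to the next rule.

```shell
#!/bin/sh
# Added illustration; not taken from the qubes-vpn repository.
# From the message: FWMARK-based steering into routing table 78.
# Assumed here: mark value, interface names, metrics, function names.
TABLE=78
MARK=78          # assumed mark value
VM_IF='vif+'     # assumed: interfaces of downstream VMs in a ProxyVM
VPN_IF=tun0      # assumed: OpenVPN tunnel device
BH_METRIC=1000   # blackhole loses to any VPN route with a lower metric
VPN_METRIC=10

# Commands to run once at boot, before the VPN client or firewall start.
plan_boot() {
    # Permanent blackhole: the table is never empty, so marked traffic
    # can never fall through to the main table and leave via the uplink.
    echo "ip route add blackhole default metric $BH_METRIC table $TABLE"
    # Marked packets consult table 78 long before the main table (32766).
    echo "ip rule add fwmark $MARK lookup $TABLE priority 78"
    # Mark everything that arrives from downstream VMs.
    echo "iptables -t mangle -A PREROUTING -i $VM_IF -j MARK --set-mark $MARK"
}

# VPN came up: add a better-metric default next to the blackhole.
plan_vpn_up() {
    echo "ip route replace default dev $VPN_IF metric $VPN_METRIC table $TABLE"
}

# VPN went down: the kernel drops routes of a vanished device by itself;
# this delete is only tidy-up. If it fails, the blackhole still applies.
plan_vpn_down() {
    echo "ip route del default dev $VPN_IF metric $VPN_METRIC table $TABLE"
}

# Classify the output of `ip route show table 78` read from stdin.
#   blocked   - only the blackhole default is present
#   vpn-up    - blackhole plus a VPN default route
#   leak-risk - no blackhole default, so the table can become empty
audit_table() {
    awk '
        $1 == "blackhole" && $2 == "default" { bh = 1 }
        $1 == "default"                      { vpn = 1 }
        END {
            if (!bh)      print "leak-risk"
            else if (vpn) print "vpn-up"
            else          print "blocked"
        }'
}

# Dry run: `sh thisfile show` prints the plan; nothing is applied.
if [ "${1:-}" = "show" ]; then
    plan_boot
    plan_vpn_up
    plan_vpn_down
fi
```

On a running ProxyVM the check would be fed with `ip route show table 78 | audit_table`.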



Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/13/2016 12:00 AM, Chris Laprise wrote:
> On 10/12/2016 06:18 PM, Marek Marczykowski-Górecki wrote:
>> On Wed, Oct 12, 2016 at 09:35:45PM +, Manuel Amador (Rudd-O) wrote:
>>> It gives me great pleasure to release the first iteration of the
>>> leakproof Qubes VPN.
>>>
>>> https://github.com/Rudd-O/qubes-vpn
>>>
>>> This package allows you to set up a leakproof OpenVPN VM on your Qubes
>>> OS system. All VMs attached to the VPN VM are automatically and
>>> transparently routed through the VPN. DNS requests do not hit the NetVM
>>> they get routed through the VPN instead.
>>>
>>> Users and developers welcome to contribute to the project in any way
>>> you
>>> can!
>> Nice! I've briefly reviewed it and it looks good :)
>>
>> I think it would be good to have it in standard repository. See
>> "Packaging 3rd-party software" message on qubes-devel I just sent.
>>
>> - -- 
>
> Although I like a packaged solution, I think anyone should be wary of
> manipulating routing tables to create a "leak-proof" environment.
> Hyperbole aside, VPN clients frequently change routing tables directly.

My program directs openvpn not to change any routing tables and, in
fact, tells openvpn to run in unprivileged mode where openvpn cannot
change any routing tables itself.

>
> The firewall is more reliable for this application. It makes sense to
> package the existing solution since we know it's relatively client
> agnostic and more importantly fills Patrick's requirements for Tor
> isolation.

Though I do not understand what you mean by "the firewall is more
reliable", as my program runs under a ProxyVM fine, that solution should
be packaged too, perhaps under a different name.


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 10:18 PM, Marek Marczykowski-Górecki wrote:
> On Wed, Oct 12, 2016 at 09:35:45PM +, Manuel Amador (Rudd-O) wrote:
> > It gives me great pleasure to release the first iteration of the
> > leakproof Qubes VPN.
>
> > https://github.com/Rudd-O/qubes-vpn
>
> > This package allows you to set up a leakproof OpenVPN VM on your Qubes
> > OS system. All VMs attached to the VPN VM are automatically and
> > transparently routed through the VPN. DNS requests do not hit the NetVM
> > they get routed through the VPN instead.
>
> > Users and developers welcome to contribute to the project in any way you
> > can!
>
> Nice! I've briefly reviewed it and it looks good :)
>
> I think it would be good to have it in standard repository. See
> "Packaging 3rd-party software" message on qubes-devel I just sent.
>
Thank you.  You may want to review the new update I just made.  Gained
new features and improved security.
-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 11:37 PM, Chris Laprise wrote:
>
> It's 6 pages, 4 if you only count the iptables/script section. And it's
> mostly cut-and-paste, so calling it "surgery" is another whopper.

It's full of opportunities for people to make mistakes.

>
> But I do agree about the packaging... you could have packaged the
> existing solution, perhaps?

I packaged something better.  My option has user notifications for
connection and disconnection, as well as full blackholing as soon as the
VM starts, so no chance for any leak at any point.  My option is also
compatible with ProxyVM firewall rules.

>
> If it does work, then is it preferable to withhold the solution known
> to you (but 'complicated') so you can tell people to wait while you
> whip something else up?

I don't understand.  Mind rephrasing?


-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Tracking changes to *which* packages are installed by default

2016-10-12 Thread Jean-Philippe Ouellet
Hello,

Is there a recommended way to track default-installed packages on an
already-installed system?

I just independently re-discovered the fix for the un-muting problem
[1][2] and the hard way because the fix [3][4] (patch to
qubes-installer-qubes-os) appears to not have propagated to my machine
via qubes-dom0-update.

In hindsight this makes sense, because the change was to the list of
packages installed by the installer, and I have not reinstalled.
However... there must be a better way than re-installing or manual
vigilance to keep my system closer to upstream.

Am I missing something here? Is there not some meta-package of qubes
deps which should take care of this?

Thanks,
Jean-Philippe

[1]: https://github.com/QubesOS/qubes-issues/issues/2291
[2]: https://github.com/QubesOS/qubes-issues/issues/2321
[3]: 
https://github.com/marmarek/qubes-desktop-linux-xfce4/commit/612e955ae98123e377424a827c65efe503248d30
[4]: 
https://github.com/marmarek/qubes-installer-qubes-os/commit/4d1a47140278afeeda80fe6bfa8fe57fd7d754d5



Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Chris Laprise

On 10/12/2016 10:58 PM, entr0py wrote:
> Manuel Amador (Rudd-O):
>> On 10/12/2016 07:58 PM, Chris Laprise wrote:
>>> This requirement is already satisfied in the Qubes VPN doc:
>>>
>>> https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>>>
>>> The scripts will stop non-VPN traffic and make sure that DNS operates
>>> through the VPN instead of going around it.
>>
>> True, technically, someone reading an anatomy manual /could/ succeed in
>> performing surgery.
>>
>> I prefer to release software that solves the issue without the user
>> having to cobble together scripts and whatnot, which has more of an
>> opportunity to allow for (fatal, in some cases) error.  Furthermore,
>> user scripts that people put on a VM once and forgot about them, are
>> bound to remain unmaintained, whereas with packaged software, there's
>> the opportunity for me to release updates that work with future Qubes OS
>> versions.
>>
>> That doc is also like 20 pages long when printed out.  It's a really
>> long set of instructions.  Why not a drop-in package, and then a config
>> file, and off to the races we go?  Seems much simpler to me.
>
> @Chris @Manuel:
> Thanks to both of you for your contributions. (Almost) everything Manuel said is correct.
> It's also true that Chris has unfairly been a target of criticism for his documentation
> which is really no more verbose than is necessary. His instructions allowed me to
> "perform surgery" :) many months before the availability of a drop-in solution.
>
> Regarding Manuel's last point about simplicity: A package may be easier to
> install than a lengthy step-by-step but not necessarily easier to understand.
> For a certain subset of Qubes users who require knowing what changes are being
> made to their system, a package requires reading (sometimes complex) code,
> while a list of iptables rules are rather self-explanatory.
>
> That said, following Chris' guide was a great learning experience. I look
> forward to studying Manuel's repo as well.


There's really no reason why the VPN doc solution can't be packaged. No 
one was asking for that, and I was actually getting berated for not 
creating an experience that was educational enough (my sin was in 
supplying working scripts with comments instead of just the comments).


But Marek is clearly very receptive to the idea of packaging VPN helper 
code, so I shall channel myself in that direction. I am all for reducing 
human error, which is why I insisted on a fully scripted solution 
against protests that users should write their own and hard code their 
IP addresses.


Also, I really don't think it's appropriate to take a security-critical 
issue like this and ignore the existing (working) solution on the basis 
of 'OMG no package! Hey kids, add my repository to your template!' 
Someone offering technical solutions here is presumed to be 
knowledgeable, not ignorant, so it's puzzling to see someone dismissing a 
working solution in such a manner.


Finally, I have posted some concerns about Manuel's package that you 
should consider:

https://groups.google.com/d/msgid/qubes-users/b9227f71-03cd-6271-5801-4f55eac043fe%40openmailbox.org


Chris



[qubes-users] Re: Bug or Feature? DispVM inherits settings from calling VM

2016-10-12 Thread raahelps


feature.  I use to make menu shortcuts to launch programs in dispvms inheriting 
firewall rules.  But xfce only lets you edit already existing rules,  not 
create new ones :(   editing a config file is a little too much effort for me 
lol.



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread raahelps
On Wednesday, October 12, 2016 at 10:44:06 PM UTC-4, raah...@gmail.com wrote:
> On Tuesday, October 11, 2016 at 9:50:23 PM UTC-4, nezn...@xy9ce.tk wrote:
> > I read that the proprietary driver is better than the free driver, because with
> > the free driver you'll get a hot laptop and because the free driver can't adjust
> > the fan rotation, etc.
> > How can I add the repo? Can you write to me? Because I'm not sure. And about
> > gpg-keys.. Did you do something with it? Maybe you use --nogpgcheck or
> > something?
> 
> I find I only need proprietary drivers for gaming, to play like cs:go or 
> dota2 on steam on linux.  But other than that nvidia open source drivers are 
> great on linux desktop with my gtx 650.  In fact with the newer KDE I found 
> extremely buggy with the opengl set (screen flickers, artifacts), but found 
> open source to work perfectly and cooler than the proprietary ones.  Same 
> issue with Ubuntu's Unity.  I would assume it's the same for all linux 
> environments now.  Also linux compared to my windows has always run cooler.  
> If you have a really new graphics driver you might have problems.  But if it's 
> already a year or two old man, you probably don't need to worry about it.

I mean if you have a very new *Card you might have problems.  but otherwise it 
should run fine.



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread raahelps
On Tuesday, October 11, 2016 at 9:50:23 PM UTC-4, nezn...@xy9ce.tk wrote:
> I read that the proprietary driver is better than the free driver, because with
> the free driver you'll get a hot laptop and because the free driver can't adjust
> the fan rotation, etc.
> How can I add the repo? Can you write to me? Because I'm not sure. And about
> gpg-keys.. Did you do something with it? Maybe you use --nogpgcheck or something?

I find I only need proprietary drivers for gaming, to play like cs:go or dota2 
on steam on linux.  But other than that nvidia open source drivers are great 
on linux desktop with my gtx 650.  In fact with the newer KDE I found 
extremely buggy with the opengl set (screen flickers, artifacts), but found 
open source to work perfectly and cooler than the proprietary ones.  Same issue 
with Ubuntu's Unity.  I would assume it's the same for all linux environments 
now.  Also linux compared to my windows has always run cooler.  If you have a 
really new graphics driver you might have problems.  But if it's already a year 
or two old man, you probably don't need to worry about it.



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread Drew White
On Thursday, 13 October 2016 13:12:20 UTC+11, nezn...@xy9ce.tk  wrote:
> > Then set up the Repos.
> Pls tell me how you did it?

Since 18 repos aren't around on the live server any more, you need to find the 
archive link from fedora.
Since I'm not at home I don't have it right in front of me at the moment.
If you haven't found them by the time I get home I'll get the repos links and 
post them up.

But it's the same way as any other repos, so it's not hard to set up, just hard 
to find them since they moved them to archive/storage.



[qubes-users] Re: ReactOS instead of Win7?

2016-10-12 Thread Drew White
On Thursday, 13 October 2016 07:48:24 UTC+11, Gaiko Kyofusho  wrote:
> I haven't seen much mention of ReactOS on the list but was thinking it 
> *might* be worth trying a ReactOS AppVM as an alternative to a MS Windows 
> AppVM but before I put myself through the frustration I thought I'd ask #1 
> The wisdom (or not) of the idea and #2 If it's been tried already and doesn't 
> work yet.
> 
> Thx

Qubes tools will NOT work. ROS is only 32 bit. It's still only 2003/XP based.
I'm looking at doing something with the Qubes Tools to enable at least 
copy/paste/qrexec.

But at this time, it just won't have that option available if you use ReactOS.



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread neznaika

> Then set up the Repos.
Pls tell me how you did it?



Re: [qubes-users] Is there any hope for Wayland?

2016-10-12 Thread Marek Marczykowski-Górecki

On Wed, Oct 12, 2016 at 07:55:54PM +, Manuel Amador (Rudd-O) wrote:
> On 10/12/2016 04:05 PM, Alex wrote:
> > On 10/12/2016 06:04 PM, Manuel Amador (Rudd-O) wrote:
> >> On 10/12/2016 01:38 PM, Marek Marczykowski-Górecki wrote:
> >>>
> >>> AFAIR this particular problem was fixed (not sure if in xen 4.6 or
> >>> 4.7).
> >>>
> >> Is there support for upgrading dom0 to Fedora 24?

No. But if you really like, you can try building it yourself (set
DIST_DOM0=fc24 in builder.conf).

> > The main problem is, does the qubes-gui facility support Wayland?
>
> F25 will let X clients such as GUID on dom0 connect transparently to
> Wayland via a local X server blitting to Wayland.

I *guess* dom0 part should just work in such setup (using such X->Wayland
"proxy").

> As for the domU side, I do not know but I presume clients shipping in
> F25 all can detect whether to use X or Wayland based on their environment.

And here may be a problem: if any client will use Wayland, those windows
will probably be unreachable to qubes-gui-agent using X.

> This is yet to be tested.
> 
> >
> 
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] Re: ReactOS instead of Win7?

2016-10-12 Thread Drew White
On Thursday, 13 October 2016 07:48:24 UTC+11, Gaiko Kyofusho  wrote:
> I haven't seen much mention of ReactOS on the list but was thinking it 
> *might* be worth trying a ReactOS AppVM as an alternative to a MS Windows 
> AppVM but before I put myself through the frustration I thought I'd ask #1 
> The wisdom (or not) of the idea and #2 If it's been tried already and doesn't 
> work yet.
> 
> Thx

I didn't think that ReactOS was based on the same technology as Windows 7.

Thus it would most likely be incompatible, unless they moved past the NT 
technology base?



Re: [qubes-users] Re: Thoughts about installed software

2016-10-12 Thread Drew White
On Thursday, 13 October 2016 00:39:04 UTC+11, Manuel Amador (Rudd-O)  wrote:
> On 10/12/2016 05:25 AM, Drew White wrote:
> >
> > So what do those packages require as dependencies though? 
> > The dependencies are also required for full integration.
> > Just saying, there is more than just "qubes-*" to be thinking about.
> 
> Are you trolling me with this question?  Installing those qubes* packages:
> 
> * automatically shows you the dependencies on screen
> * automatically installs the dependencies
> 
> The recursive dependency information is trivial to discover.


Yes it does, but what else does it need that I have installed that it won't 
tell me BECAUSE the things are ALREADY INSTALLED?

That's the rest of it...
I want to know what it all is, not just what I don't have.

Does that make sense now?



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread Drew White
On Thursday, 13 October 2016 04:23:56 UTC+11, nezn...@xy9ce.tk  wrote:
> https://www.qubes-os.org/doc/install-nvidia-driver/:
> "You will need any Fedora 18 system to download and build packages. You can 
> use Qubes AppVM for it, but it isn’t necessary."
> 
> i'm going here https://www.qubes-os.org/doc/templates/fedora-minimal/ and try 
> create the template:
> 
> sudo qubes-template-fedora-23-minimal
> 
> but with 18 instead 23.
> "command no found." the end =/

Command not found because that isn't a command.
Are you trying to install the template?
If so... run, as root, 

qubes-dom0-update --enablerepo=qubes*templates fedora-23-minimal



Maybe just install Fedora 18.
Then set up the Repos.
Then build the drivers.
That's what I did.

"any Fedora 18 system"
I had a Fedora 18 system that I used at the time; I still have it around here 
somewhere, even still have the Live DVDs too.
It worked fine.



[qubes-users] Re: 4th gen X1 Carbon graphics issues

2016-10-12 Thread equi488
Do these issues persist under the latest release of Qubes 3.2? I am interested 
in buying an X1 4th generation. 



[qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread equi488
Can you let me know how things function under 3.2? Any improvements? I am keen 
to get the X1 4th generation but I want to make sure it has full Qubes 
compatibility since that will be its primary purpose. 



[qubes-users] USB over IP (Network Gateway)

2016-10-12 Thread equi488
Very interested to know if there is any reason why USB network gateway software 
would not work in Qubes? 

For anyone interested, a USB network gateway provides USB functionality to a 
client over IP. USB network gate by Eltima has Linux, Windows, Mac OS X and 
Android client applications 
(http://www.eltima.com/products/usb-over-ip-linux/). 

I want to make the switch to Qubes. I have a VPS (Mac Pro) that I will access 
through a client (e.g. RDP) on Qubes laptop. I need to be able to sync & backup 
my iPod touch remotely. 

Any ideas as to whether this will work? Anyone interested in checking it out 
please post feedback. 



Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Chris Laprise

On 10/12/2016 06:18 PM, Marek Marczykowski-Górecki wrote:

> On Wed, Oct 12, 2016 at 09:35:45PM +, Manuel Amador (Rudd-O) wrote:
> > It gives me great pleasure to release the first iteration of the
> > leakproof Qubes VPN.
> >
> > https://github.com/Rudd-O/qubes-vpn
> >
> > This package allows you to set up a leakproof OpenVPN VM on your Qubes
> > OS system. All VMs attached to the VPN VM are automatically and
> > transparently routed through the VPN. DNS requests do not hit the NetVM
> > they get routed through the VPN instead.
> >
> > Users and developers welcome to contribute to the project in any way you
> > can!
>
> Nice! I've briefly reviewed it and it looks good :)
>
> I think it would be good to have it in standard repository. See
> "Packaging 3rd-party software" message on qubes-devel I just sent.


Although I like a packaged solution, I think anyone should be wary of 
manipulating routing tables to create a "leak-proof" environment. 
Hyperbole aside, VPN clients frequently change routing tables directly.


The firewall is more reliable for this application. It makes sense to 
package the existing solution since we know it's relatively client 
agnostic and, more importantly, fills Patrick's requirements for Tor 
isolation.


Chris



Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Chris Laprise

On 10/12/2016 05:40 PM, Manuel Amador (Rudd-O) wrote:

> On 10/12/2016 07:58 PM, Chris Laprise wrote:
> > This requirement is already satisfied in the Qubes VPN doc:
> >
> > https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
> >
> > The scripts will stop non-VPN traffic and make sure that DNS operates
> > through the VPN instead of going around it.
>
> True, technically, someone reading an anatomy manual /could/ succeed in
> performing surgery.
>
> I prefer to release software that solves the issue without the user
> having to cobble together scripts and whatnot, which has more of an
> opportunity to allow for (fatal, in some cases) error.  Furthermore,
> user scripts that people put on a VM once and forgot about them, are
> bound to remain unmaintained, whereas with packaged software, there's
> the opportunity for me to release updates that work with future Qubes OS
> versions.
>
> That doc is also like 20 pages long when printed out.  It's a really
> long set of instructions.  Why not a drop-in package, and then a config
> file, and off to the races we go?  Seems much simpler to me.


It's 6 pages, 4 if you only count the iptables/script section. And it's 
mostly cut-and-paste, so calling it "surgery" is another whopper.


But I do agree about the packaging... you could have packaged the 
existing solution, perhaps?


If it does work, then is it preferable to withhold the solution known to 
you (but 'complicated') so you can tell people to wait while you whip 
something else up?



Chris



[qubes-users] Re: Low memory, starting machines & assigning devices

2016-10-12 Thread pleomati
Changing the default memory assignment values for dom0 and AppVMs may also help. 
The default value for that is up to 4GB, which is a huge amount of RAM, and it 
works correctly on 1 GB or lower.



Re: [qubes-users] Upgraded to 3.2 - now my desktop is wrong

2016-10-12 Thread Qubed One
galt...@gmail.com:
> I upgraded to 3.2 by backing up in 3.1 and restoring in 3.2.


Did you back up dom0 in 3.1? That is where such configs are.


> I was using xfce in 3.1 and had 4 workspaces (or activities) and each had its 
> own background image and I had different icons placed on each one. Now in 3.2 
> there are 4 workspaces but no icons and the same background. If I add an icon 
> it gets added to all four workspaces.
> 
> Also, under the system tools menu is a menu item for every shortcut in every 
> VM. For example Systemm Tools->work: Files
> 
> Other than this, everything seems to work as before and I cant see anything 
> new.
> 
> I've done the install and restore twice and it was the same both times. 
> 
> Have I done something wrong in the restore? Should I go back to 3.1?
> 



Re: [qubes-users] Low memory, starting machines & assigning devices

2016-10-12 Thread Marek Marczykowski-Górecki

On Wed, Oct 12, 2016 at 06:23:25PM -, johnyju...@sigaint.org wrote:
> Hi, Qubers:
> 
> Wonder if someone could tell me if this is normal/expected behaviour. 
> (3.2rc3):
> 
> If I have a few AppVM's running, at some point, the manager will refuse to
> start any more VM's, complaining about low memory.  Similarly, assigning
> devices to running VM's will fail.  (Most annoying.)
> 
> However, if I close a few apps in the VM's (a big Firefox or two will
> typically do it), then I'm able to fire up a new VM & assign devices to
> the running ones, and am THEN able to relaunch the memory-hungry app/apps
> in the existing running VM's with no problem.
> 
> (Typically at this point, swap is used a bit in dom0 and sometimes the
> VM's, but things still work.  Swap being required to hold the new
> situation may be the distinguishing factor...?)
> 
> The fact app-close -> start-another-vm -> app-restart works while simply
> starting the start-another-vm fails, seems a bit odd to me.
> 
> In fact, I've modified my habits when using Qubes to fire up all the
> AppVM's I might need, right at boot time, so I won't have trouble starting
> them later when apps are running.  That just doesn't seem right, and
> having to restart apps can cause bottlenecks in one's workflow.
> 
> Thoughts?  Anything further I can check to help track down the reason for
> this?  Anything I can do memwriter/mem-balancing wise to help things?

qmemman / meminfo-writer set things up to avoid swap usage; this is
intentional. How it works is documented here:
https://www.qubes-os.org/doc/qmemman/

If you really want to change this, try /etc/qubes/qmemman.conf -
especially cache-margin-factor. You can try setting it to something less
than 1.0. But don't be surprised by some out of memory errors later...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Upgraded to 3.2 - now my desktop is wrong

2016-10-12 Thread Gal Thop
I used whatever versions of xfce that come with qubes 3.1 and 3.2. I didn't
install or update any extra versions.

On 12 Oct 2016 22:55, "Andrew David Wong"  wrote:

> On 2016-10-12 00:56, galt...@gmail.com wrote:
> > I upgraded to 3.2 by backing up in 3.1 and restoring in 3.2. I was using
> > xfce in 3.1 and had 4 workspaces (or activities) and each had its own
> > background image and I had different icons placed on each one. Now in 3.2
> > there are 4 workspaces but no icons and the same background. If I add an
> > icon it gets added to all four workspaces.
> >
>
> Were you using the same version of Xfce before? If not, this might be due
> to a difference between different versions of Xfce.
>
> > Also, under the system tools menu is a menu item for every shortcut in
> > every VM. For example Systemm Tools->work: Files
> >
>
> This one is a known issue:
>
> https://github.com/QubesOS/qubes-issues/issues/2217
>
> > Other than this, everything seems to work as before and I cant see
> > anything new.
> >
> > I've done the install and restore twice and it was the same both times.
> >
> > Have I done something wrong in the restore? Should I go back to 3.1?
> >
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Marek Marczykowski-Górecki

On Wed, Oct 12, 2016 at 09:35:45PM +, Manuel Amador (Rudd-O) wrote:
> It gives me great pleasure to release the first iteration of the
> leakproof Qubes VPN.
> 
> https://github.com/Rudd-O/qubes-vpn
> 
> This package allows you to set up a leakproof OpenVPN VM on your Qubes
> OS system. All VMs attached to the VPN VM are automatically and
> transparently routed through the VPN. DNS requests do not hit the NetVM 
> they get routed through the VPN instead.
> 
> Users and developers welcome to contribute to the project in any way you
> can!

Nice! I've briefly reviewed it and it looks good :)

I think it would be good to have it in standard repository. See
"Packaging 3rd-party software" message on qubes-devel I just sent.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Bug or Feature? DispVM inherits settings from calling VM

2016-10-12 Thread Andrew David Wong

On 2016-10-12 01:50, Robert Mittendorf wrote:
> If I use /usr/bin/qvm-run to open an application in an disposible VM, the 
> dispVM inherits some setings from the calling VM
> 
> example: I use
> 
> /usr/bin/qvm-run --dispvm firefox
> 
> In work-VM. My work-VM is configured to allow intranet IPs only. The starting 
> dispVM is blue like the work VM, even though normal DispVMs are red.
> 
> Also the firewall rules (intranet only) are inherited from the work VM.
> 
> 
> mit freundlichem Gruß,
> 
> Robert Mittendorf
> 

Yes, these are intentional DispVM design decisions.

However, there are also plans to allow DispVMs to inherit the NetVM of the 
calling VM without also inheriting its firewall rules:

https://github.com/QubesOS/qubes-issues/issues/1296

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Upgraded to 3.2 - now my desktop is wrong

2016-10-12 Thread Andrew David Wong

On 2016-10-12 00:56, galt...@gmail.com wrote:
> I upgraded to 3.2 by backing up in 3.1 and restoring in 3.2. I was using xfce 
> in 3.1 and had 4 workspaces (or activities) and each had its own background 
> image and I had different icons placed on each one. Now in 3.2 there are 4 
> workspaces but no icons and the same background. If I add an icon it gets 
> added to all four workspaces.
> 

Were you using the same version of Xfce before? If not, this might be due to a 
difference between different versions of Xfce.

> Also, under the system tools menu is a menu item for every shortcut in every 
> VM. For example Systemm Tools->work: Files
> 

This one is a known issue:

https://github.com/QubesOS/qubes-issues/issues/2217

> Other than this, everything seems to work as before and I cant see anything 
> new.
> 
> I've done the install and restore twice and it was the same both times. 
> 
> Have I done something wrong in the restore? Should I go back to 3.1?
> 

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread 7v5w7go9ub0o



On 10/12/2016 09:35 PM, Manuel Amador (Rudd-O) wrote:

> It gives me great pleasure to release the first iteration of the
> leakproof Qubes VPN.
>
> https://github.com/Rudd-O/qubes-vpn
>
> This package allows you to set up a leakproof OpenVPN VM on your Qubes
> OS system. All VMs attached to the VPN VM are automatically and
> transparently routed through the VPN. DNS requests do not hit the NetVM
> they get routed through the VPN instead.
>
> Users and developers welcome to contribute to the project in any way you
> can!



(Nice documentation!)

TU, Sir!



Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 07:58 PM, Chris Laprise wrote:
>
> This requirement is already satisfied in the Qubes VPN doc:
>
> https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>
>
> The scripts will stop non-VPN traffic and make sure that DNS operates
> through the VPN instead of going around it.

True, technically, someone reading an anatomy manual /could/ succeed in
performing surgery.

I prefer to release software that solves the issue without the user
having to cobble together scripts and whatnot, which has more of an
opportunity to allow for (fatal, in some cases) error.  Furthermore,
user scripts that people put on a VM once and forgot about them, are
bound to remain unmaintained, whereas with packaged software, there's
the opportunity for me to release updates that work with future Qubes OS
versions.

That doc is also like 20 pages long when printed out.  It's a really
long set of instructions.  Why not a drop-in package, and then a config
file, and off to the races we go?  Seems much simpler to me.

-- 
Rudd-O
http://rudd-o.com/



ANN: leakproof Qubes VPN (was Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?)

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 06:02 PM, balooney wrote:
> how can I force my appvm to not connect to the internet of my sys-firewall 
> and  only with the vpn ?
As promised:

https://github.com/Rudd-O/qubes-vpn

This package allows you to set up a leakproof OpenVPN VM on your Qubes
OS system. All VMs attached to the VPN VM are automatically and
transparently routed through the VPN. DNS requests do not hit the NetVM 
they get routed through the VPN instead.

Users and developers welcome to contribute to the project in any way you
can!

-- 
Rudd-O
http://rudd-o.com/



[qubes-users] ANN: Leakproof Qubes VPN

2016-10-12 Thread Manuel Amador (Rudd-O)
It gives me great pleasure to release the first iteration of the
leakproof Qubes VPN.

https://github.com/Rudd-O/qubes-vpn

This package allows you to set up a leakproof OpenVPN VM on your Qubes
OS system. All VMs attached to the VPN VM are automatically and
transparently routed through the VPN. DNS requests do not hit the NetVM 
they get routed through the VPN instead.

Users and developers welcome to contribute to the project in any way you
can!

-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Re: How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread pleomati
Maybe try this 

sudo gedit /etc/NetworkManager/dispatcher.d/vpn-up


#!/bin/bash
# NetworkManager dispatcher script: bring the VPN up when the uplink is
# active and the VPN connection is not.
REQUIRED_CONNECTION_NAME="VM uplink eth0" # or change to your connection name
VPN_CONNECTION_NAME="example.vpn.com"
default_conn=$(nmcli con show --active | grep -F "${REQUIRED_CONNECTION_NAME}")
vpn_conn=$(nmcli con show --active | grep -F "${VPN_CONNECTION_NAME}")
if [ -n "${default_conn}" ] && [ -z "${vpn_conn}" ]; then
    nmcli con up id "${VPN_CONNECTION_NAME}"
fi


Change VPN_CONNECTION_NAME to the VPN domain.

Save it
chmod 755 vpn-up


gedit /etc/NetworkManager/system-connections/"example.vpn.com_"

If password type authentication, change this section

[vpn]

connection-type=password
password-flags=0

[vpn-secrets]
password=your_password

Save it



After reboot it connects automatically. But it's not the best way because the 
password is in plain text and the script has 755 privileges. But it works.

Then you should edit the firewall settings 
VPN > VM settings > firewall > 
add ip:port vpn
add ip vms
add localhost 
deny the rest of the traffic




[qubes-users] ReactOS instead of Win7?

2016-10-12 Thread Gaiko Kyofusho
I haven't seen much mention of ReactOS on the list but was thinking it
*might* be worth trying a ReactOS AppVM as an alternative to a MS Windows
AppVM but before I put myself through the frustration I thought I'd ask #1
The wisdom (or not) of the idea and #2 If it's been tried already and
doesn't work yet.

Thx



Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Chris Laprise

On 10/12/2016 02:35 PM, Manuel Amador (Rudd-O) wrote:

> On 10/12/2016 06:02 PM, balooney wrote:
> > the basic network is sys-net which is connected to sys-firewall
> >
> > if you connect your AppVm 'personal' with it you ll
> > use your original IP adress.
> > sys-net < sys-firewall < personal
> >
> > thats why I created a ProxyVM named 'vpn'
> >
> > my AppVm 'Personal' has this ProxyVM named 'vpn' selected as NetVM
> > sys-net < sys-firewall < vpn < personal
> >
> > if I do an IP check I get the IP from the vpn server I selected in my
> > 'vpn' network manager.
> >
> > PROBLEM
> >  my real IP gets shown if I do not connect to any vpn server in my 'vpn'
> >
> > that means my 'personal' appVM connects with the sys-firewall if im not
> > connected to any vpn server. (the proxyVM 'vpn' is still running)
> >
> > how can I force my appvm to not connect to the internet of my sys-firewall and
> > only with the vpn ?
>
> I have a solution for this.  Gimme a second until I upload it to Github.



This requirement is already satisfied in the Qubes VPN doc:

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

The scripts will stop non-VPN traffic and make sure that DNS operates 
through the VPN instead of going around it.


Chris
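
The fail-closed requirement discussed in this thread (an AppVM behind the 'vpn' ProxyVM must not reach sys-firewall when the tunnel is down, enforced by firewall rules rather than routing tables), as an added example that is not part of any message or of the Qubes VPN doc: a shell function that audits an iptables-save dump for DROP guards on the uplink. The interface name eth0, the guard-rule shape and both sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump taken in a
# VPN ProxyVM and report whether forwarding fails closed when the tunnel is down.
# Assumption: the uplink interface is eth0 and the guards are plain DROP/REJECT
# rules on the filter table's FORWARD chain.

# audit_forward DUMP UPLINK
# Prints one finding per line and returns 1, or prints nothing and returns 0.
# Deliberately conservative: any rule that is not DROP/REJECT and sits ahead of
# a guard is reported, because it may accept or divert the packet first.
audit_forward() {
    _findings=$(printf '%s\n' "$1" | awk -v up="$2" '
        /^\*/ { table = substr($0, 2); next }      # table header, e.g. *filter
        table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
        {
            target = ""; in_if = ""; out_if = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++ }
                else if ($i == "-i") { in_if = $(i + 1); i++ }
                else if ($i == "-o") { out_if = $(i + 1); i++ }
                else if ($i == "--reject-with") { i++ }
                else { extra = 1 }                  # extra match narrows the rule
            }
            blocks = (target == "DROP" || target == "REJECT")
            if (blocks && !extra && out_if == up && in_if == "") { guard_out = 1; next }
            if (blocks && !extra && in_if == up && out_if == "") { guard_in = 1; next }
            if (blocks) next                        # other drops open no path
            if (!guard_out) print "rule before egress guard: " $0
            if (!guard_in)  print "rule before ingress guard: " $0
        }
        END {
            if (!guard_out) print "missing: -A FORWARD -o " up " -j DROP"
            if (!guard_in)  print "missing: -A FORWARD -i " up " -j DROP"
        }')
    if [ -z "$_findings" ]; then
        return 0
    fi
    printf '%s\n' "$_findings"
    return 1
}

# Constructed sample dumps (not captured from a real system).
# Guards come first, so nothing is forwarded to or from eth0 directly.
SAFE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
COMMIT'

# Egress guard appended after the ACCEPT rules; ingress guard absent.
LEAKY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -o eth0 -j DROP
COMMIT'

for _case in safe leaky; do
    if [ "$_case" = safe ]; then _dump=$SAFE_DUMP; else _dump=$LEAKY_DUMP; fi
    if audit_forward "$_dump" eth0; then
        echo "$_case: fail-closed"
    else
        echo "$_case: NOT fail-closed"
    fi
done
```

On a real ProxyVM the dump would come from `sudo iptables-save`; IPv6 needs the same check against `ip6tables-save` output.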



[qubes-users] Loaded ethernet device modules in dom0, sound

2016-10-12 Thread johnyjukya
(Accidentally posted this to the tail of another thread; I assumed a
subject change would create a new thread.  Whoops.  Reposting.)

Why is it that the linux module for my ethernet device is loaded in dom0?
There's obviously no networking, /proc/net/dev and ifconfig only show
localhost.

The module is also loaded in, and provides the device to sys-net, of course.

Seemed odd to even have networking device Linux modules (existing) in dom0
at all.  It's slightly uncomfortable to see, lol.  Is there a reason for
this?

Also, where audio has reportedly been used for exfiltration of data by
even air-gapped machines, it's always a good idea to disable audio in VM's
that don't need them (net, firewall).  It's also a waste of memory/CPU (on
startup at least), to load pulseaudio and its dependencies.

The System Tools -> Pulse Volume Control (and the other Pulse menu items)
give you finer control over per-VM audio device access.  Similarly,
turning off input audio device access for most VM's is probably a good
idea too.

Is there perhaps a way using the VM's services tab to disable the
pulseaudio server on a per-VM basis?

Also, what's the PC Speaker driver in the VM's?  Can it arbitrarily play
tones on the sound card in dom0?  Again, slight risk of data exfiltration
on air-gapped machines, if so.  I leave my speaker disconnected, but
again, it's still using a bit of memory/CPU to load an unnecessary driver.
 I don't need beeps from sys-net/sys-firewall.

Are there any thoughts of moving sound cards out of dom0?  Where the VM's
must forward their audio to dom0 and its sound card, can this instead be
directed to a separate VM which is assigned the PCI sound card?

Thanks.

JJ




Re: [qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 06:02 PM, balooney wrote:
> the basic network is sys-net which is connected to sys-firewall
>
> if you connect your AppVm 'personal' with it you'll
> use your original IP address.
> sys-net < sys-firewall < personal
>
>
>
> that's why I created a ProxyVM named 'vpn'
>
> my AppVm 'Personal' has this ProxyVM named 'vpn' selected as NetVM
> sys-net < sys-firewall < vpn < personal
>
> if I do an IP check I get the IP from the vpn server I selected in my 
> 'vpn' network manager.
>
>
> PROBLEM
>  my real IP gets shown if I do not connect to any vpn server in my 'vpn' 
>
>
>
> that means my 'personal' appVM connects with the sys-firewall if I'm not 
> connected to any vpn server. (the proxyVM 'vpn' is still running)
>
>
>
> how can I force my appvm to not connect to the internet of my sys-firewall 
> and  only with the vpn ?
>

I have a solution for this.  Gimme a second until I upload it to Github.

-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Low memory, starting machines & assigning devices

2016-10-12 Thread johnyjukya
Hi, Qubers:

Wonder if someone could tell me if this is normal/expected behaviour. 
(3.2rc3):

If I have a few AppVM's running, at some point, the manager will refuse to
start any more VM's, complaining about low memory.  Similarly, assigning
devices to running VM's will fail.  (Most annoying.)

However, if I close a few apps in the VM's (a big Firefox or two will
typically do it), then I'm able to fire up a new VM & assign devices to
the running ones, and am THEN able to relaunch the memory-hungry app/apps
in the existing running VM's with no problem.

(Typically at this point, swap is used a bit in dom0 and sometimes the
VM's, but things still work.  Swap being required to hold the new
situation may be the distinguishing factor...?)

The fact app-close -> start-another-vm -> app-restart works while simply
starting the start-another-vm fails, seems a bit odd to me.

In fact, I've modified my habits when using Qubes to fire up all the
AppVM's I might need, right at boot time, so I won't have trouble starting
them later when apps are running.  That just doesn't seem right, and
having to restart apps can cause bottlenecks in one's workflow.

Thoughts?  Anything further I can check to help track down the reason for
this?  Anything I can do memwriter/mem-balancing wise to help things?

Thanks.

JJ



[qubes-users] How to force AppVm to only use Proxy-VPN connection ?

2016-10-12 Thread balooney
the basic network is sys-net which is connected to sys-firewall

if you connect your AppVm 'personal' with it you'll
use your original IP address.
sys-net < sys-firewall < personal



that's why I created a ProxyVM named 'vpn'

my AppVm 'Personal' has this ProxyVM named 'vpn' selected as NetVM
sys-net < sys-firewall < vpn < personal

if I do an IP check I get the IP from the vpn server I selected in my 
'vpn' network manager.


PROBLEM
 my real IP gets shown if I do not connect to any vpn server in my 'vpn' 



that means my 'personal' appVM connects with the sys-firewall if I'm not 
connected to any vpn server. (the proxyVM 'vpn' is still running)



how can I force my appvm to not connect to the internet of my sys-firewall and  
only with the vpn ?



Re: [qubes-users] Qubes for running virtual servers

2016-10-12 Thread Manuel Amador (Rudd-O)
On 08/23/2016 04:07 PM, darren...@redskiesgroup.com wrote:
> How does Qubes perform as the host OS in a virtualised server environment?
>
> I'm thinking of a configuration where the host OS is Qubes with VM's running 
> for things like a virtualised email server, IDS server, perhaps a Tor relay 
> etc. I've used Qubes as a desktop host, I'm just curious about whether it's a 
> practical host for virtualised servers?
>

This should help: https://github.com/Rudd-O/qubes-network-server


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Qubes server?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 07/31/2016 12:04 AM, Manuel Amador (Rudd-O) wrote:
> Hello!
>
> I want to roll my own Qubes server — software-defined networking, remote
> VM management, all the goodies that come with Qubes like volatile VMs
> and VM templates — but I have had real trouble writing code to "undo"
> some of the features of Qubes that make routing and firewalling
> essentially client-only.
>
> Is there someone working on this, on upstreaming the improvements, and
> on remote management?

For people coming through search engines:

https://github.com/Rudd-O/qubes-network-server


-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Re: ANN: Qubes network server

2016-10-12 Thread Manuel Amador (Rudd-O)
Update:

I have dramatically enhanced the documentation of the project:

* https://github.com/Rudd-O/qubes-network-server
* https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20your%20first%20server.md
* https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20an%20SSH%20server.md

This project is now ready and documented enough to be useful to users of
Ansible Qubes who want to remotely manage clusters of Qubes OS machines:

* https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Remote%20management%20of%20Qubes%20OS%20servers.md
* https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Enhance%20your%20Ansible%20with%20Ansible%20Qubes.md

I strongly welcome anyone who tries this and shares their experiences. 
It is my goal to get this to be a key part of the Qubes OS strategy.

-- 

Rudd-O
http://rudd-o.com/



Re: [qubes-users] Why is whonix-ws necessary?

2016-10-12 Thread entr0py
jkitt:
> Wouldn't an appvm, with the tor browser, and netvm set to sys-whonix do the 
> same thing?
> 

No. You can see which differences are applicable to you here:
https://www.whonix.org/wiki/Other_Operating_Systems#Security_Comparison:_Whonix-Download-Workstation_vs._Whonix-Custom-Workstation

Some of the more notable things include:
* no Tor-over-Tor (for Tor Browser Bundle)
* stream isolation
* fingerprinting defenses
* secure time sync

Whonix is under continual development. Ongoing projects include defending 
against side-channel attacks and obfuscating keystroke fingerprinting.

If all you want is an isolated gateway to transparently torify your traffic, 
then you can use any OS you prefer as your workstation (with TBB configured 
not to launch Tor). In any case, it's advisable to avoid easily fingerprintable 
(i.e. leaky) distributions like Ubuntu or Windows.



[qubes-users] Re: Why it's so big secret?

2016-10-12 Thread neznaika
https://www.qubes-os.org/doc/install-nvidia-driver/:
"You will need any Fedora 18 system to download and build packages. You can use 
Qubes AppVM for it, but it isn’t necessary."

I'm going here https://www.qubes-os.org/doc/templates/fedora-minimal/ and trying 
to create the template:

sudo qubes-template-fedora-23-minimal

but with 18 instead of 23.
"command not found." The end =/



Re: [qubes-users] Why it so big secret?

2016-10-12 Thread neznaika
>This should be here: https://www.qubes-os.org/doc/install-nvidia-driver/
>Have you tried that?

Well... I'm stuck on the line "You will need any Fedora 18 system to download and 
build packages. You can use Qubes AppVM for it, but it isn’t necessary."

I'm going here https://www.qubes-os.org/doc/templates/fedora-minimal/ and trying 
to create the template:
sudo qubes-template-fedora-23-minimal 
with 18 instead of 23

Command not found. The end.



Re: [qubes-users] Qubes on a dedicated server

2016-10-12 Thread Manuel Amador (Rudd-O)
On 09/30/2016 01:05 PM, Patrick Schleizer wrote:
> Does anyone ever try this?
>
> Did it work? Any experiences?
>

I wrote software for this purpose:


https://github.com/Rudd-O/qubes-network-server


Enjoy!

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Is there any hope for Wayland?

2016-10-12 Thread Alex
On 10/12/2016 06:04 PM, Manuel Amador (Rudd-O) wrote:
> On 10/12/2016 01:38 PM, Marek Marczykowski-Górecki wrote:
>> 
>> 
>> AFAIR this particular problem was fixed (not sure if in xen 4.6 or
>> 4.7).
>> 
> 
> Is there support for upgrading dom0 to Fedora 24?
> 
The main problem is, does the qubes-gui facility support Wayland?

-- 
Alex



Re: [qubes-users] SMB mount point location

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 12:55 PM, John Maher wrote:
> Hello,
>
> I'm trying to access file on the command line through an SMB mount point that 
> is created in the GUI. I'm using a debian-8 AppVM and connecting to an SMB 
> share in a Files window, but I cannot find a mount point for the share. I 
> would expect it to be in /run/users/1000/.gvfs, but there's nothing there. 
>
> Can anyone point out where I would find that mount point?

By default, GVFS won't actually mount it — it just appears in the Files
window.  I believe the first time you attempt to activate (open) a file
on the share, GVFS does the mount.  It used to be different, I know, I
just hit this issue myself a few days ago.

This is more a GNOME upstream thing.

Do your files show on the file manager?


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Is there any hope for Wayland?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 01:38 PM, Marek Marczykowski-Górecki wrote:
>
>
> AFAIR this particular problem was fixed (not sure if in xen 4.6 or 4.7).
>

Is there support for upgrading dom0 to Fedora 24?

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Re: Is there any hope for Wayland?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 09/13/2016 05:52 AM, Vít Šesták wrote:
> Well, the points you have mentioned are also dubious for mainstream Linux 
> environment, not only for Qubes, because they suppose a malicious app already 
> installed in the system.

They do not presuppose that.  They merely presuppose an app has been
compromised by an attacker.  This presupposition is valid in mainstream
Linux, and invalid in Qubes dom0.  See the difference?

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Re: Thoughts about installed software

2016-10-12 Thread Manuel Amador (Rudd-O)
On 10/12/2016 08:50 AM, Robert Mittendorf wrote:
> Well, the discussion leaves the focus I intended it to have.
> It is surely worth thinking about what a minimum templates needs to have.
> Nevertheless I think Qubes is about "I know I can get exploited, so
> just protect the other parts of the system". Afaik a normal Qubes
> template has only the root user, so after an exploit the attacker is
> root in that VM right?
>
> My thoughts are more about continuing the attack to other QubesVMs or
> even other systems by means of installed Software like a VNC client.
>

From a perspective of the current minimal template, the template needs:

* NetworkManager
* NetworkManager-wifi
* network-manager-applet

My manifest here says you must delete
NetworkManager-config-connectivity-fedora.  I don't remember what that
package does.


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Thoughts about installed software

2016-10-12 Thread 7v5w7go9ub0o



On 10/12/2016 02:22 PM, Robert Mittendorf wrote:

Am 10/12/2016 um 04:00 PM schrieb 7v5w7go9ub0o:



On 10/11/2016 09:30 AM, Robert Mittendorf wrote:
Software that you don't need is a security risk as it imposes 
additional attack surface - we all know that.
Besides exploits those tools might cause additional threat (e.g. 
RDP-, VNC-, SSH-Clients)

So you better do not install non-universal software* in a template VM.
*software that is not needed in every VM which is based on that 
template


So where to put non-universal software?

- user-space: allows malware to persist easily, because of 
persistent write rights. And does not allow usage of standard 
repositories
- other (cloned) TemplateVM: You need to make sure that you keep all 
templates up-to-date for security reasons, you need much more 
storage space and cause more ssd aging




Interesting!!

Since r2.x, I've run each of my user apps in individual, dedicated, 
dynamically-configured DispVMs; using scripts that: start up a new 
DispVM, copies the application-specific files from the vault into the 
DispVM; runs the application, copies any updated data (data only) 
back from the DVM to the folder in the vault; discards the DVM. Of 
course the vault remains offline, and programs are never invoked 
within the vault; it is used exclusively to store data that is 
accessed safely in dispvms.


If a DVM becomes compromised or corrupted I simply dispose of the 
DispVM and start anew. No worries about quiet infections of appvm 
user files, as only updated data (in most cases txt files) is 
retained from the DispVM back to the vault.


After your OP, it dawns on me that one could devise similar scripts 
to start up a "barebones" DVM, dynamically modify it to be a 
dedicated application DVM by copying both the application files AND 
the necessary system (app) files into that DVM. Run the app; copy any 
updated data (data only) back into the vault, and discard the DVM. 
(This is trivial with some apps; e.g. keepassx; but could be involved 
with big complicated apps)


This would keep the DispVMs smaller, and as you point out, with fewer 
attack surfaces.


This would require two AppVMs: a "barebones" DVM (As per Rudd-O's 
"minimal" point, I'll likely use the Qubes default with Firefox 
system and FF "user" files installed), and a second AppVM containing 
and maintaining the system and user application files - it would be 
brought online only for the purpose of package manager updating.


I plan on testing/configuring this way with r4.x.  Thank You for the OP.


Interesting idea. However I would not use the "move to VM" command 
like this, as I experienced those requests getting lost. One time files 
were actually deleted; since that time I always use copy instead of move.
This is a problem with Linux (package based setup, dependency hell) - 
in Windows you can run most Tools from their folder which you can 
place anywhere you like. They may create files in other places (like 
the registry), but they mostly run on a system they are copied to.


Depending on how you copy, malware still might be able to persist. I 
think about a browser extension, for example.


Robert




Dang! Right you are - I miswrote! I do indeed copy; e.g.:

qvm-run -q --pass-io vault 'tar -c -f - keepass' | qvm-run --pass-io $x 'tar -x -f -'


(where $x is the newly-created DispVM.)

So I'll add an additional, similar command that would copy the system 
executable (e.g. keepassx) to the DVM, and instead of executing an 
installed app - which I do now:


qvm-run -q $x 'keepassx /home/user/keepass/keepass.kdb' &

I'd start executing a recently-copied app; e.g. something like (./ may 
not be needed):


qvm-run -q $x './home/user/keepass/keepassx /home/user/keepass/keepass.kdb' &


Don't know how much this will save me, as I don't have a lot of "stuff" 
installed, but it should reduce DVM size and attack surface (at the 
acceptable cost of dynamically creating DVMs before executions).




In terms of browser extensions, I think they *ARE* an issue, and I 
routinely copy only places.sqlite back to the vault; the rest of the DVM 
is discarded.


IF I do want to update extensions, then I'll start the FF DVM, update 
extensions, ublock, etc.; copy the whole shebang back to the vault; and 
then shutdown - without exposing FF to anything else.








Re: [qubes-users] Why it so big secret?

2016-10-12 Thread Mathew Evans
On Tuesday, 11 October 2016 23:37:33 UTC+1, Desobediente  wrote:
> Additionally, the Bumblebee howto is here: 
> https://fedoraproject.org/wiki/Bumblebee

There is nothing new about these and frankly anyone could have found them via 
Google just looking. If you managed to get Nvidia working on Q3.2 I'd be 
interested. My experience hasn't been successful. I've had issues with Xorg with 
Nvidia drivers being unable to find my screens.



Re: [qubes-users] Thoughts about installed software

2016-10-12 Thread Rusty Bird

Hi Robert,

> However I would not use the "move to VM" command like this, as I 
> experienced those requests getting lost. One time files were 
> actually deleted; since that time I always use copy instead of 
> move.

Sounds troubling. Do you remember the last Qubes release version
where you experienced this kind of data loss?

Rusty


Re: [qubes-users] Thoughts about installed software

2016-10-12 Thread Robert Mittendorf

Am 10/12/2016 um 04:00 PM schrieb 7v5w7go9ub0o:



On 10/11/2016 09:30 AM, Robert Mittendorf wrote:
Software that you don't need is a security risk as it imposes 
additional attack surface - we all know that.
Besides exploits those tools might cause additional threat (e.g. RDP-, 
VNC-, SSH-Clients)

So you better do not install non-universal software* in a template VM.
*software that is not needed in every VM which is based on that template

So where to put non-universal software?

- user-space: allows malware to persist easily, because of persistent 
write rights. And does not allow usage of standard repositories
- other (cloned) TemplateVM: You need to make sure that you keep all 
templates up-to-date for security reasons, you need much more storage 
space and cause more ssd aging




Interesting!!

Since r2.x, I've run each of my user apps in individual, dedicated, 
dynamically-configured DispVMs; using scripts that: start up a new 
DispVM, copies the application-specific files from the vault into the 
DispVM; runs the application, copies any updated data (data only) back 
from the DVM to the folder in the vault; discards the DVM. Of course 
the vault remains offline, and programs are never invoked within the 
vault; it is used exclusively to store data that is accessed safely in 
dispvms.


If a DVM becomes compromised or corrupted I simply dispose of the 
DispVM and start anew. No worries about quiet infections of appvm user 
files, as only updated data (in most cases txt files) is retained from 
the DispVM back to the vault.


After your OP, it dawns on me that one could devise similar scripts to 
start up a "barebones" DVM, dynamically modify it to be a dedicated 
application DVM by copying both the application files AND the 
necessary system (app) files into that DVM. Run the app; copy any 
updated data (data only) back into the vault, and discard the DVM. 
(This is trivial with some apps; e.g. keepassx; but could be involved 
with big complicated apps)


This would keep the DispVMs smaller, and as you point out, with fewer 
attack surfaces.


This would require two AppVMs: a "barebones" DVM (As per Rudd-O's 
"minimal" point, I'll likely use the Qubes default with Firefox system 
and FF "user" files installed), and a second AppVM containing and 
maintaining the system and user application files - it would be 
brought online only for the purpose of package manager updating.


I plan on testing/configuring this way with r4.x.  Thank You for the OP.


Interesting idea. However I would not use the "move to VM" command like 
this, as I experienced those requests getting lost. One time files were 
actually deleted; since that time I always use copy instead of move.
This is a problem with Linux (package based setup, dependency hell) - in 
Windows you can run most Tools from their folder which you can place 
anywhere you like. They may create files in other places (like the 
registry), but they mostly run on a system they are copied to.


Depending on how you copy, malware still might be able to persist. I 
think about a browser extension, for example.


Robert




Re: [qubes-users] Thoughts about installed software

2016-10-12 Thread 7v5w7go9ub0o



On 10/11/2016 09:30 AM, Robert Mittendorf wrote:
Software that you don't need is a security risk as it imposes 
additional attack surface - we all know that.
Besides exploits those tools might cause additional threat (e.g. RDP-, 
VNC-, SSH-Clients)

So you better do not install non-universal software* in a template VM.
*software that is not needed in every VM which is based on that template

So where to put non-universal software?

- user-space: allows malware to persist easily, because of persistent 
write rights. And does not allow usage of standard repositories
- other (cloned) TemplateVM: You need to make sure that you keep all 
templates up-to-date for security reasons, you need much more storage 
space and cause more ssd aging




Interesting!!

Since r2.x, I've run each of my user apps in individual, dedicated, 
dynamically-configured DispVMs; using scripts that: start up a new 
DispVM, copies the application-specific files from the vault into the 
DispVM; runs the application, copies any updated data (data only) back 
from the DVM to the folder in the vault; discards the DVM. Of course the 
vault remains offline, and programs are never invoked within the vault; 
it is used exclusively to store data that is accessed safely in dispvms.


If a DVM becomes compromised or corrupted I simply dispose of the DispVM 
and start anew. No worries about quiet infections of appvm user files, 
as only updated data (in most cases txt files) is retained from the 
DispVM back to the vault.


After your OP, it dawns on me that one could devise similar scripts to 
start up a "barebones" DVM, dynamically modify it to be a dedicated 
application DVM by copying both the application files AND the necessary 
system (app) files into that DVM. Run the app; copy any updated data 
(data only) back into the vault, and discard the DVM. (This is trivial 
with some apps; e.g. keepassx; but could be involved with big 
complicated apps)


This would keep the DispVMs smaller, and as you point out, with fewer 
attack surfaces.


This would require two AppVMs: a "barebones" DVM (As per Rudd-O's 
"minimal" point, I'll likely use the Qubes default with Firefox system 
and FF "user" files installed), and a second AppVM containing and 
maintaining the system and user application files - it would be brought 
online only for the purpose of package manager updating.


I plan on testing/configuring this way with r4.x.  Thank You for the OP.








Re: [qubes-users] Is there any hope for Wayland?

2016-10-12 Thread Marek Marczykowski-Górecki

On Wed, Oct 12, 2016 at 01:30:30PM +, Manuel Amador (Rudd-O) wrote:
> On 09/09/2016 12:44 AM, Dima Puntus wrote:
> > Hi,
> >
> > After testing Qubes for a few weeks (3.1, 3.2-rc1,2&3), here's my 2 cents:
> >
> > It's a great OS in many aspects but still unusable outside of the
> > small group of the "terminal only" ppl. Reason # 1 is graphics. In
> > this day and age it's expected for any OS to at least have basic video
> > rendering without glitches. AFAIK, Qubes is still using the old Fedora
> > 20 video drivers (even for Intel IGPs), while Fedora 25, Wayland
> > enabled is only 2 months away. I thought this was a Xen+Fedora
> > limitation, so I installed Fedora 24 + Xen, Ubuntu 16.04+Xen, Debian 8
> > + Xen, - and they all work ok with decent drivers. So, I guess, in
> > order to conform to certain security requirements, the Qubes team was
> > forced to "tweak" the X server and/or drivers.
> >
> > So what's the current status on video drivers in Qubes? Is Wayland on
> > its way or are we hooped? Any insights? This is not just my personal
> > question (though I'd love to switch to Qubes as my primary OS) but
> > also many of my colleagues in the IT/IS world.
> 
> There was a problem getting Xen to compile in Fedora 24.  Search for
> those words in the mailing list.

AFAIR this particular problem was fixed (not sure if in xen 4.6 or 4.7).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Is there any hope for Wayland?

2016-10-12 Thread Manuel Amador (Rudd-O)
On 09/09/2016 12:44 AM, Dima Puntus wrote:
> Hi,
>
> After testing Qubes for a few weeks (3.1, 3.2-rc1,2&3), here's my 2 cents:
>
> It's a great OS in many aspects but still unusable outside of the
> small group of the "terminal only" ppl. Reason # 1 is graphics. In
> this day and age it's expected for any OS to at least have basic video
> rendering without glitches. AFAIK, Qubes is still using the old Fedora
> 20 video drivers (even for Intel IGPs), while Fedora 25, Wayland
> enabled is only 2 months away. I thought this was a Xen+Fedora
> limitation, so I installed Fedora 24 + Xen, Ubuntu 16.04+Xen, Debian 8
> + Xen, - and they all work ok with decent drivers. So, I guess, in
> order to conform to certain security requirements, the Qubes team was
> forced to "tweak" the X server and/or drivers.
>
> So what's the current status on video drivers in Qubes? Is Wayland on
> its way or are we hooped? Any insights? This is not just my personal
> question (though I'd love to switch to Qubes as my primary OS) but
> also many of my colleagues in the IT/IS world.

There was a problem getting Xen to compile in Fedora 24.  Search for
those words in the mailing list.

-- 
Rudd-O
http://rudd-o.com/



[qubes-users] SMB mount point location

2016-10-12 Thread John Maher
Hello,

I'm trying to access files on the command line through an SMB mount point that 
is created in the GUI. I'm using a debian-8 AppVM and connecting to an SMB 
share in a Files window, but I cannot find a mount point for the share. I would 
expect it to be in /run/users/1000/.gvfs, but there's nothing there. 

Can anyone point out where I would find that mount point?

Thank you very much.

John



Re: [qubes-users] ANN: Qubes network server

2016-10-12 Thread Jeremy Rand
Manuel Amador (Rudd-O):
> Folks, it gives me great pleasure to announce the product of over two
> years of work (primarily because I never paid enough attention to this
> project to bring it to completion): Qubes network server.
> 
> The traditional Qubes OS networking model contemplates a client-only use
> case. User VMs (AppVMs or StandaloneVMs) are attached to ProxyVMs, which
> give the user control over outbound connections taking place from user
> VMs. ProxyVMs in turn attach to NetVMs, which provide outbound
> connectivity for ProxyVMs and other user VMs alike.
> 
> Qubes network server changes all that.  With the Qubes network server
> software, it becomes possible to make network servers in user VMs
> available to other machines, be they peer VMs in the same Qubes OS
> system or machines connected to a physical link shared by a NetVM. You
> get actual, full, GUI control over network traffic, both exiting the VM
> and entering the VM, with exactly the same Qubes OS user experience you
> are used to.
> 
> This is all, of course, opt-in, so the standard Qubes OS network
> security model remains in effect until you decide to share network servers.
> 
> Anyway, without further ado:
> 
> https://github.com/Rudd-O/qubes-network-server
> 
> Real easy: clone, build, install, test.  I tested it with Qubes 3.1, but
> it's very likely that it'll work fine in Qubes 3.2.  I recommend you
> test this on a Qubes machine that is not your main Qubes machine, but
> the code does not do anything funky, and uninstalling the program should
> be enough to revert your system back to its original state.
> 
> I hope we can turn this add-on into a core Qubes feature.  As always,
> contributions to the project — reports, code enhancements, pull
> requests, other items — are very much welcome!

Ooh, nice!  This should be a huge benefit to usability for these use
cases -- while manual port forwarding via iptables is a thing, it's
really error-prone and time-consuming to debug.  Thanks for your work on
this.  (For anyone wondering, I haven't tested it due to lack of time at
the moment.)

Cheers,
-Jeremy



[qubes-users] Re: Thoughts about installed software

2016-10-12 Thread pleomati
https://www.qubes-os.org/doc/vm-sudo/ you can configure the root account during 
the installation process. If you want to have more secure apps then maybe use 
SELinux/AppArmor for an additional security layer.



Re: [qubes-users] Random MAC addresses working in Network Manager 1.4.2

2016-10-12 Thread Andrew
Chris Laprise:
> On 10/03/2016 03:05 PM, Chris Laprise wrote:
>> Network Manager 1.4.2 has been testing very well for me the last few
>> days...
>>
>> This new version appears to randomize MAC addresses properly, and the
>> feature set has evolved to the point where the randomization process
>> is managed in a more holistic way. For example, you can specify a
>> cloned-mac-address type of 'stable', and this will generate a random
>> MAC (for a given access point) and store it for use with the same AP
>> in the future. Setting it to 'random' will generate a random MAC each
>> time it connects, instead of remembering the address. You can also
>> specify bitmasks for randomization.
>>
>> When disconnected, the MAC is changed regularly at a set interval.
>> Randomizing also works for ethernet, and is handled entirely by NM
>> just like it is now for wifi.
>>
>> The network-manager 1.4.2 package is in Debian unstable repo and it's
>> not hard to install in Debian stretch/9. I do recommend removing your
>> old NM connection profiles after upgrading, as randomization (while
>> connected) didn't work for me until I started with fresh connection
>> settings (created a new netvm). After installing, edit
>> /etc/NetworkManager/NetworkManager.conf in the template and add lines
>> like:
>>
>>    [device-scan]
>>    wifi.scan-rand-mac-address=yes
>>
>>    [connection]
>>    wifi.cloned-mac-address=random
>>
>> Then stop the template and restart the netvm.
>>
>> More details here:
>> https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
>>
>> https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
>>
>> man nm-settings
>> https://github.com/QubesOS/qubes-issues/issues/938
>>
>> Chris
>>
> 
> FYI, Network Manager 1.4.2 has migrated to the Debian stretch repo.
> Simply upgrading the template to debian 9 should provide all the
> randomizing features that NM offers.
> 
> https://www.qubes-os.org/doc/debian-template-upgrade-8/
> 
> Chris
> 

Thanks for the heads-up!  I just replaced my very hacky, years-old MAC
randomization setup with debian-9 with NetworkManager 1.4.2.

As you say, I needed to re-create my connection profiles, but that's a
trivial matter.  Everything seems to work as promised!

I am _so_ glad that MAC randomization will finally be available to Qubes
users, and that closing this tracking ticket is finally within sight!  :)

Qubes devs: What would it take to make this the default?  Is the problem
simply that it requires Debian stretch?  Further, since everything works
as-is with Debian, why not make Debian the default template for service
VMs?  Not only is it nice for having longer release cycles, but moving
to this default will save most people a nice chunk of disk space.

Andrew
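
Added example, not part of any message in this thread: a small Python audit that reads the text of a NetworkManager.conf and reports whether scanning and connection MACs are randomized by the defaults quoted above. The function names are hypothetical, `ethernet.cloned-mac-address` is NetworkManager's ethernet counterpart of the quoted wifi key (it is not quoted in the thread), and saved connection profiles are not inspected.

```python
# Audit NetworkManager.conf defaults for MAC randomization (NM >= 1.4 key names).
RANDOMIZING = {"random", "stable"}      # cloned-mac-address values that hide the hardware MAC
TRUE_VALUES = {"yes", "true", "on", "1"}  # assumption: boolean spellings treated as enabled

# Constructed sample: the two sections quoted in the thread plus a [main] section.
SAMPLE_CONF = """\
[main]
plugins=ifupdown,keyfile

[device-scan]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
"""

def parse_keyfile(text):
    """Parse keyfile-style text into {section: {key: value}}; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def _values(sections, prefix, key):
    """Collect key from [prefix] and every named [prefix-*] section."""
    return [kv[key] for name, kv in sections.items()
            if (name == prefix or name.startswith(prefix + "-")) and key in kv]

def audit(text):
    """Return a per-feature status: a randomizing mode, 'not-randomized' or 'unset'."""
    sections = parse_keyfile(text)
    report = {}
    scan = _values(sections, "device", "wifi.scan-rand-mac-address")
    if not scan:
        report["wifi-scan"] = "unset"
    elif all(v.lower() in TRUE_VALUES for v in scan):
        report["wifi-scan"] = "randomized"
    else:
        report["wifi-scan"] = "not-randomized"
    for kind in ("wifi", "ethernet"):
        vals = _values(sections, "connection", kind + ".cloned-mac-address")
        if not vals:
            report[kind + "-connect"] = "unset"
        elif all(v in RANDOMIZING for v in vals):
            report[kind + "-connect"] = "/".join(sorted(set(vals)))
        else:
            report[kind + "-connect"] = "not-randomized"
    return report

if __name__ == "__main__":
    for feature, status in audit(SAMPLE_CONF).items():
        print(f"{feature:17} {status}")
```

Run against the sample, the report shows wifi scanning and wifi connections covered while the ethernet default is unset, which is the gap to close if wired interfaces should be randomized as well.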



[qubes-users] Why is whonix-ws necessary?

2016-10-12 Thread jkitt
Wouldn't an appvm, with the tor browser, and netvm set to sys-whonix do the 
same thing?



[qubes-users] Bug or Feature? DispVM inherits settings from calling VM

2016-10-12 Thread Robert Mittendorf
If I use /usr/bin/qvm-run to open an application in a disposable VM, 
the dispVM inherits some settings from the calling VM


example: I use

/usr/bin/qvm-run --dispvm firefox

In work-VM. My work-VM is configured to allow intranet IPs only. The 
starting dispVM is blue like the work VM, even though normal DispVMs are 
red.


Also the firewall rules (intranet only) are inherited from the work VM.


Kind regards,

Robert Mittendorf

--
M.Sc. Computer Science Robert Mittendorf

DigiTrace GmbH - Competence in IT forensics
Managing directors: Alexander Sigel, Martin Wundram
Registry court: Köln, HR B 72919
VAT ID: DE278529699

Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-mail: i...@digitrace.de

Have you subscribed to the DigiTrace newsletter yet?
http://www.digitrace.de/de/service/newsletter

DigiTrace is a partner of the Allianz für Cyber-Sicherheit
and a member of the nrw.units network for IT security:
  https://www.allianz-fuer-cybersicherheit.de
  http://www.nrw-units.de/netzwerk/



Re: [qubes-users] Re: Thoughts about installed software

2016-10-12 Thread Robert Mittendorf

Well, the discussion leaves the focus I intended it to have.
It is surely worth thinking about what a minimum template needs to have.
Nevertheless I think Qubes is about "I know I can get exploited, so just 
protect the other parts of the system". Afaik a normal Qubes template 
has only the root user, so after an exploit the attacker is root in that 
VM right?


My thoughts are more about continuing the attack to other QubesVMs or 
even other systems by means of installed software like a VNC client.




[qubes-users] Upgraded to 3.2 - now my desktop is wrong

2016-10-12 Thread galthop
I upgraded to 3.2 by backing up in 3.1 and restoring in 3.2. I was using xfce 
in 3.1 and had 4 workspaces (or activities) and each had its own background 
image and I had different icons placed on each one. Now in 3.2 there are 4 
workspaces but no icons and the same background. If I add an icon it gets added 
to all four workspaces.

Also, under the system tools menu is a menu item for every shortcut in every 
VM. For example System Tools->work: Files

Other than this, everything seems to work as before and I can't see anything new.

I've done the install and restore twice and it was the same both times. 

Have I done something wrong in the restore? Should I go back to 3.1?
