[qubes-users] (neo)mutt/mailhandling best Practises in Qubes

[799]

Hello,

I have moved most of my email workflow in Qubes to a dedicated Email-AppVM.
It has DavMail and Thunderbird + neomutt installed to access our Corporate
Exchange Server.

(Thunderbird is only used when I need to paste screenshots into an email,
for example for troubleshooting/howtos etc)

I'd like to know how other users have configured their mailcap-file in
(neo)mutt to handle file attachments.
Currently I am opening HTML attachments/mails in a disposable VM which
fires up qutebrowser and I tried to handle docx/xlsx/PPT/pdf attachments
the same way.
Can someone share their mailcap-file file to get an impression what should
be in there?

Another topic:
I'd also like to use a dedicated Key Combination to open a file in my
work-appVM.

The workflow I came up with:

1) Check Mail with neomutt (plain text power)
2) open attachments in disposable VMs
3) if I need to work on an attachments, after checking it, open it in my
Work-AppVM (which is separated from my workmail-AppVM)

Does this makes sense from a security perspective or is it overcomplicated
and I should merge mail and document editing into one VM (browsing the web
is always done on another Work-Internet-AppVM).

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vFpMdHv076y%2BgeUMdJGie3vx5-9JG6n_utrgaN_qn7cQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Unable to remove TemplateVM from application menu

[sevas]

Try doing a search for your template name 
$ find / debian-9
Delete everything you find. 

$ lvs
$ lvremove debian-9 debian-9-root debian-9-swap #(I think!, double check me)
$ systemctl disable debian-9

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ed1d8ad6-1b2d-4696-b6fe-57ba8ac9c4ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Unable to remove TemplateVM from application menu

['Xaver' via qubes-users]

I've successfully removed  a few TemplateVMs from my R-4.0 system but one is 
being stubborn. The template is still showing up in Qubes manger and when I run 
qvm-ls.  I went through all the steps in  
https://www.qubes-os.org/doc/remove-vm-manually/  and was only able to 
successfully complete step 1 and 3.

1.   sudo rm -rf /var/lib/qubes/vm-templates/ # command 
successful

2.   qvm-remove --just-db  # qvm-remove: error: unrecognized 
arguments: --just-db

3.   sudo rm ~/.local/share/applications/* # command successful

4.   sudo rm /etc/xdg/menus/applications-merged/* # error : No 
such file or directory

Also tried:

sudo dnf remove qubes-template-

qvm-remove 

Does anyone have a suggestion?

Thanks in advance

Xaver

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/_aNDZS3tv9cin3YjCp_zl1qf_qOZBIKQCzTUaKMwLL6-thT2O19VI-5Hif6OnGarr6jbwI8p2l-ikoLgUHOe0eSBq5-syklB5U7P3c_-7PE%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] update from rc04

[sevas]

Open a terminal in dom0 and type

sudo qubes-dom0-update

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9a8c8edf-c050-4f0b-9ad1-52f9b833f1fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Changing colors?

[sevas]

Thats awesome! The colors did change, however the files were not persistent. 

Im going to try writing a script that overwrites the files on startup. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/40c5c2d3-6d06-4ba4-a4ac-03329838392c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Best works-out-of-the-box dual-head gfx card?

[Stumpy]

On 09.03.2018 00:57, taii...@gmx.com wrote:

AMD stuff is the best choice, they don't artificially hobble
virtualization on their regular cards and they work out of the box.

The reason things break and you need to re-compile every time you
update your kernel with a new nvidia card in your system is because
they make an effort to slow down the nouveau project and in the case
of their brand new cards entirely block it via hardware code signing
enforcement and not even providing any firmware blobs.

There are a variety of single slot half height low power AMD cards but
if you want something newer the only choice is the more expensive
professional series with a fan - the WX4100 for instance is half
height but not passively cooled.

You can obtain a 54xx passively cooled card for around $30-50 but that
is a quite old chipset (although you can install openradeonbios on it)


Ok, 4.0 Qubes is out so I am more motivated than ever before. I took a 
look at the WX4100 which looks fantastic, but perhaps is more than I 
need (and more than I can afford).


I can do without the passively cooled part, esp if it will bring the 
price down a bit (I am hoping for something in the low 100s USD).


In terms of requirements, I suppose (to simplify things) the main 
criteria I have are low 100s USD, low profile, and at least two ports, 
though 4 would like the WX4100 would of course be awesome. I am totally 
open to used, and am not looking for bleeding edge.


Thoughts? Please!! :)

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20a8de6a0b18d73efc2e8e22960e8429%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Onionizing

[coinshark340]

rpc policy


## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

## whonix default
whonix-ws $default allow,target=sys-whonix
whonix-ws $anyvm deny
whonix-gw $default allow,target=sys-whonix
whonix-gw $anyvm deny

## whonix 14 default
whonix-14-ws $default allow,target=sys-whonix-14
whonix-14-ws $anyvm deny
whonix-14-gw $default allow,target=sys-whonix-14
whonix-14-gw $anyvm deny

##fedora cant connect to Tor...
OG-fedora-26 $default allow,target=sys-net
OG-fedora-26 $anyvm deny
fedora-26 $default allow,target=sys-net
fedora-26 $anyvm deny

## whonix & whonix 14 updates
$type:TemplateVM $default allow,target=sys-whonix-14
$type:TemplateVM $default ask,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix-14
$tag:whonix-updatevm $default ask,target=sys-whonix
$tag:whonix-updatevm $anyvm deny

## Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-whonix-14

$anyvm $anyvm deny

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a41db4d5-4d0c-4a4a-a8d3-e34cb4ffb00d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Onionizing

[coinshark340]

Hi. Im want to onionize qubes

I installed whonix 14 and I have edited my sources like this.


qubes.r4.list
# Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
#deb-src http://deb.qubes-os.org/r4.0/vm stretch main
#deb [arch=amd64] http://deb.qubesos4z6n4.onion/r4.0/vm stretch main
deb [arch=amd64] 
http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion 
stretch main

have also tried removing [arch=amd64] and changing source to 
http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion



I get error

Err:4 http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion 
stretch/main amd64 Packages
  404  Not Found
W: The repository 
'http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion 
stretch Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore 
potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration 
details.
E: Failed to fetch 
http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/dists/stretch/main/binary-amd64/Packages
  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones 
used instead.

Is there a reason? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/112f46c5-6c2c-40ba-a934-741fd87e0b62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How do I load firmware-atheros into Qubes 4.0 R5?

[Chris Laprise]

On 03/28/2018 05:02 PM, Ringo wrote:

Greetings.  I have a Purism 15v3 laptop with an Atheros AR9462 wi-fi card.  The card 
works under Qubes but it's slow, with bit-rate of only 6/mpbs.  I had this issue before, 
on the same laptop when it was first shipped with the PureOS distribution (a debian 
distribution) and was able to fix it by installing a firmware package found at  
https://packages.debian.org/buster/firmware-atheros.   However, I'm not able to install 
this same "firmware driver" under Qubes, since it's in debian format and not 
fedora.

I downloaded a tool called "alien" which was able to convert the package into RPM format 
but then when I tried to install it using DNF in the SYS-NET cube, I received an error saying 
"firmware-atheros-20170823-2.noarch" conflicts with package 
linux-firmware-201771215-82.git2451bb.fc26.noarch.

I'm thinking perhaps I should uninstall this conflicting package in order to 
install the atheros one that I know worked under PureOS, but frankly, I'm a bit 
out of my depth at this point and wondering if this makes sense to you all or 
might have other advice.  Appreciate any thoughts you may have to assist.

Warm Regards, Ringo



I'd suggest using a Debian template for your sys-net; It takes time to 
download but its fairly simple. You may want to try using the 
Debian-supplied firmware first to see if that resolves the issue:


sudo apt-get install firmware-atheros

If that's not new enough you can follow Debian directions for installing 
from a newer repository (e.g. Buster).


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b2442522-0575-fa82-2b5a-ab8d66df2b7e%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] How do I load firmware-atheros into Qubes 4.0 R5?

[Ringo]

Greetings.  I have a Purism 15v3 laptop with an Atheros AR9462 wi-fi card.  The 
card works under Qubes but it's slow, with bit-rate of only 6/mpbs.  I had this 
issue before, on the same laptop when it was first shipped with the PureOS 
distribution (a debian distribution) and was able to fix it by installing a 
firmware package found at  https://packages.debian.org/buster/firmware-atheros. 
  However, I'm not able to install this same "firmware driver" under Qubes, 
since it's in debian format and not fedora. 

I downloaded a tool called "alien" which was able to convert the package into 
RPM format but then when I tried to install it using DNF in the SYS-NET cube, I 
received an error saying "firmware-atheros-20170823-2.noarch" conflicts with 
package linux-firmware-201771215-82.git2451bb.fc26.noarch.

I'm thinking perhaps I should uninstall this conflicting package in order to 
install the atheros one that I know worked under PureOS, but frankly, I'm a bit 
out of my depth at this point and wondering if this makes sense to you all or 
might have other advice.  Appreciate any thoughts you may have to assist. 

Warm Regards, Ringo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/80c102b3-cb7c-44a8-bcca-dcf5c742bb08%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Steam In-Home Streaming for games to a Qubes VM

[gluvfox]

I've been using Steam's In-Home Streaming for years and it's worked well. 
Recently though, I tried to get a Steam client running on a Debian 9 virtual 
machine in Qubes Q4-rc5 to stream from a Win 10 PC on the same network 
(Ethernet) that would run the games. However; I cannot get the two machines to 
see each other. Any advice would be appreciated.

More info:
I set up "Port forwarding to a qube from the outside world" based on The Qubes 
Firewall documentation. Basically, I set up forwarding of udp 27031, udp 27036, 
tcp 27036, and tcp 27037 traffic from the Win 10 PC to the Qubes Debian 9 VM. I 
tested the tcp forwarding with telnet/putty, which worked; but was not sure how 
to test the udp ports.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b014e7c-d99d-42c4-8bbf-f30a6870709e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] update from rc04

[inqubator]

On Sunday, March 25, 2018 at 9:07:07 PM UTC+2, awokd wrote:
> On Sun, March 25, 2018 6:17 pm, Roy Bernat wrote:
> > Hi all
> >
> >
> >
> > should i install the new version or can update from rc04
> 
> Either should work. If you aren't sure, they always say in the release
> notes too.

And how does one upgrade?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/52356bda-7075-460b-a59d-ad055566d252%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-announce] Qubes OS 4.0 has been released!

[robótico]

We sincerely appreciate *your* patience. Thank *you* for sticking with 
*us*.
This stable release never would have been possible without *your* 
enormous efforts.
*Your* involvement makes Qubes a truly open-source project. *Your* 
energy, skill,
and good will make this project a joy to work with. *We* are lucky to 
have QUBES.


\ö/

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/63497ad1e9ebd9a2ec6d0bd73184ded7%40posteo.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes OS 4.0 has been released!

[shiftedreality]

Great news, thanks! 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f036c828-bf2b-4b4c-b7c7-2b65c24a8f44%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-announce] Qubes OS 4.0 has been released!

['Trisimix' via qubes-users]

Woo

Sent from ProtonMail Mobile

On Wed, Mar 28, 2018 at 1:36 PM, Andrew David Wong  wrote:

> -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 After nearly two years in 
> development and countless hours of testing, we're pleased to announce the 
> stable release of Qubes OS 4.0! Major changes in version 4.0 
>  Version 4.0 includes several fundamental 
> improvements to the security and functionality of Qubes OS: * The Qubes Admin 
> API [01] * Qubes Core Stack version 3 [02] * Fully virtualized VMs for 
> enhanced security [03] * Multiple, flexible Disposable VM templates [04] * A 
> more expressive, user-friendly Qubes RPC policy system [05] * A powerful new 
> VM volume manager that makes it easy to keep VMs on external drives [06] * 
> Enhanced TemplateVM security via split packages [07] and network interface 
> removal [08] * More secure backups with scrypt for stronger key derivation 
> [09] and enforced encryption * Rewritten command-line tools with new options 
> [10] This release delivers on the features we promised in our announcement of 
> Qubes 4.0-rc1 [11], with some course corrections along the way, such as the 
> switch from HVM to PVH for most VMs in response to Meltdown and Spectre [03]. 
> For more details, please see the full Release Notes [12]. The Qubes 4.0 
> installation image is available on the Downloads [13] page, along with the 
> complete Installation Guide [14]. Current 4.0 release candidate users 
> === In our Qubes 4.0-rc5 announcement [15], 
> we explained that if the testing of 4.0-rc5 did not reveal any major 
> problems, we would declare it to be the stable 4.0 release without any 
> further significant changes and that, in this scenario, any bugs discovered 
> during the testing process would be fixed in subsequent updates. This is, in 
> fact, what has occurred. We found that, with the fifth release candidate, 4.0 
> had finally reached a level of stability that met our standards such that we 
> were comfortable designating it the stable release. Accordingly, current 
> users of 4.0-rc5 can upgrade in-place by downloading the latest updates from 
> the *stable* repositories in both dom0 [16] and TemplateVMs [17]. We know 
> that this stable release has been a long time in coming for many you. We 
> sincerely appreciate your patience. Thank you for sticking with us. We're 
> especially grateful to all of you who have contributed code [18] and 
> documentation [19] to this release, tested [20] release candidates, and 
> diligently reported bugs [21]. This stable release would not have been 
> possible without your efforts. Your involvement makes Qubes a truly 
> open-source project. Your energy, skill, and good will make this project a 
> joy to work on. We are lucky to have you. The past and the future 
> === Since first announcing extended support for Qubes 3.2 
> [22], we determined that users would be better served by having a version of 
> Qubes 3.2 with updated TemplateVMs and a newer kernel. We've designated this 
> release Qubes 3.2.1. As the name suggests, this is a point release for Qubes 
> 3.2 that does not contain any major changes, and it is this release to which 
> the extended support period will apply. We intend for Qubes 3.2.1 to be a 
> viable alternative to version 4.0 for those who wish to use Qubes on hardware 
> that does not meet the system requirements for Qubes 4.0 [23]. While our 
> standard policy [24] is to support each Qubes release for six months after 
> the next major or minor release, the special extension for 3.2.1 raises this 
> period to one full year. Therefore, the stable release of Qubes 4.0 sets the 
> EOL (end-of-life) date for Qubes 3.2.1 at one year from today on 2019-03-28. 
> We expect 3.2.1 to be available soon, after Kernel 4.9 testing is completed. 
> Looking forward, our work on Qubes 4.x has only just begun. Our sights are 
> now set on Qubes 4.1, for which we have a growing list [25] of planned 
> enhancements to nearly every aspect of Qubes OS. Whether you're new to Qubes 
> or have been here for years, we welcome you to join us and get involved [26]. 
> We've personally chosen to devote our time and skills to making Qubes freely 
> available to the world because we believe that being open-source is essential 
> to Qubes being trustworthy and secure. If Qubes is valuable to you, we ask 
> that you please consider making a donation [27] to the project. With your 
> support, we can continue to make reasonable security a reality for many years 
> to come. [01] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/ [02] 
> https://www.qubes-os.org/news/2017/10/03/core3/ [03] 
> https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt 
> [04] https://github.com/QubesOS/qubes-issues/issues/2253 [05] 
> https://www.qubes-os.org/doc/qrexec3/#extra-keywords-available-in-qubes-40-and-later
>  [06] 

[qubes-users] Qubes OS 4.0 has been released!

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

After nearly two years in development and countless hours of testing,
we're pleased to announce the stable release of Qubes OS 4.0!


Major changes in version 4.0


Version 4.0 includes several fundamental improvements to the security
and functionality of Qubes OS:

 * The Qubes Admin API [01]
 * Qubes Core Stack version 3 [02]
 * Fully virtualized VMs for enhanced security [03]
 * Multiple, flexible Disposable VM templates [04]
 * A more expressive, user-friendly Qubes RPC policy system [05]
 * A powerful new VM volume manager that makes it easy to keep VMs on
   external drives [06]
 * Enhanced TemplateVM security via split packages [07] and network
   interface removal [08]
 * More secure backups with scrypt for stronger key derivation [09] and
   enforced encryption
 * Rewritten command-line tools with new options [10]

This release delivers on the features we promised in our announcement of
Qubes 4.0-rc1 [11], with some course corrections along the way, such as
the switch from HVM to PVH for most VMs in response to Meltdown and
Spectre [03]. For more details, please see the full Release Notes [12].
The Qubes 4.0 installation image is available on the Downloads [13]
page, along with the complete Installation Guide [14].


Current 4.0 release candidate users
===

In our Qubes 4.0-rc5 announcement [15], we explained that if the testing
of 4.0-rc5 did not reveal any major problems, we would declare it to be
the stable 4.0 release without any further significant changes and that,
in this scenario, any bugs discovered during the testing process would
be fixed in subsequent updates. This is, in fact, what has occurred. We
found that, with the fifth release candidate, 4.0 had finally reached a
level of stability that met our standards such that we were comfortable
designating it the stable release. Accordingly, current users of 4.0-rc5
can upgrade in-place by downloading the latest updates from the *stable*
repositories in both dom0 [16] and TemplateVMs [17].

We know that this stable release has been a long time in coming for many
you. We sincerely appreciate your patience. Thank you for sticking with
us. We're especially grateful to all of you who have contributed code
[18] and documentation [19] to this release, tested [20] release
candidates, and diligently reported bugs [21]. This stable release would
not have been possible without your efforts. Your involvement makes
Qubes a truly open-source project. Your energy, skill, and good will
make this project a joy to work on. We are lucky to have you.


The past and the future
===

Since first announcing extended support for Qubes 3.2 [22], we
determined that users would be better served by having a version of
Qubes 3.2 with updated TemplateVMs and a newer kernel. We've designated
this release Qubes 3.2.1. As the name suggests, this is a point release
for Qubes 3.2 that does not contain any major changes, and it is this
release to which the extended support period will apply. We intend for
Qubes 3.2.1 to be a viable alternative to version 4.0 for those who wish
to use Qubes on hardware that does not meet the system requirements for
Qubes 4.0 [23]. While our standard policy [24] is to support each Qubes
release for six months after the next major or minor release, the
special extension for 3.2.1 raises this period to one full year.
Therefore, the stable release of Qubes 4.0 sets the EOL (end-of-life)
date for Qubes 3.2.1 at one year from today on 2019-03-28. We expect
3.2.1 to be available soon, after Kernel 4.9 testing is completed.

Looking forward, our work on Qubes 4.x has only just begun. Our sights
are now set on Qubes 4.1, for which we have a growing list [25] of
planned enhancements to nearly every aspect of Qubes OS. Whether you're
new to Qubes or have been here for years, we welcome you to join us and
get involved [26]. We've personally chosen to devote our time and skills
to making Qubes freely available to the world because we believe that
being open-source is essential to Qubes being trustworthy and secure. If
Qubes is valuable to you, we ask that you please consider making a
donation [27] to the project. With your support, we can continue to make
reasonable security a reality for many years to come.


[01] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
[02] https://www.qubes-os.org/news/2017/10/03/core3/
[03] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt
[04] https://github.com/QubesOS/qubes-issues/issues/2253
[05] 
https://www.qubes-os.org/doc/qrexec3/#extra-keywords-available-in-qubes-40-and-later
[06] https://github.com/QubesOS/qubes-issues/issues/1842
[07] https://github.com/QubesOS/qubes-issues/issues/2771
[08] https://github.com/QubesOS/qubes-issues/issues/1854
[09] https://www.qubes-os.org/doc/backup-emergency-restore-v4/
[10] https://www.qubes-os.org/doc/tools/4.0/
[11] 

Re: [qubes-users] Re: Enigmail v2.0 broke split-gpg

[mossy]

Michael Carbone:
> 
> 
> On 03/27/2018 01:58 PM, 'TFQOS' via qubes-users wrote:
>> On 27 March 2018 5:40 PM, cubit  wrote:
>>
>>> 27. Mar 2018 09:45 by mich...@qubes-os.org:
>>>
 couldn't figure out a fast solution so I downgraded back to v1.9.9 for
 the time being.

 You can do the same by downloading v1.9.9 and manually installing in
 thunderbird (and unchecking "update addons automatically"):

 https://www.enigmail.net/download/release/1.9/enigmail-1.9.9-sm+tb.xpi?type=application/octet-stream

 I will email Enigmail mailing list so that they are aware.
>>>
>>> Is anyone else who downgraded back to 1.9.9 getting stuck with a big 
>>> autocrypt header being displayed and a missing email body when receiving 
>>> emails from enigmail 2.0 users?
>>>
>>> Any persons got the workaround listed here: 
>>> https://github.com/QubesOS/qubes-issues/issues/3750 to work in 3.2?   Is 
>>> there a particular line it needs to be done on.When I add it to the 
>>> file, all that happens is my work VM connects to my vault VM and I get a 
>>> blank email no decrypted message
>>
>> Workaround proposed in
> https://github.com/QubesOS/qubes-issues/issues/3750 works for me in R3.2
>> I added a well formatted patch in the comments.
>>
>> TFQOS - Thanks For Qubes OS
>>
> 
> Hi all,
> 
> Just to update/close the thread, Marek pushed some patches into all
> testing repos and closed the issue:
> 
> https://github.com/QubesOS/qubes-issues/issues/3750
> 
> You can apply the patches immediately by enabling the testing repos:
> 
> https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories
> https://www.qubes-os.org/doc/software-update-vm/#testing-repositories
> 
> or wait for them to land in stable/current.
> 
> The underlying bug is upstream of Enigmail in GnuPG, which Enigmail was
> trying to work around:
> 
> https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-March/004870.html
> https://dev.gnupg.org/T2019
> 
> Thanks all for the contributions and for the quick patches Marek.
> 
> Michael
> 
> 

Thanks to you and Marek for such a quick turnaround on this!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fbe356e7-5e95-9dc2-aa47-b7965a62e13f%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Enigmail v2.0 broke split-gpg

[Michael Carbone]

On 03/27/2018 01:58 PM, 'TFQOS' via qubes-users wrote:
> On 27 March 2018 5:40 PM, cubit  wrote:
> 
>> 27. Mar 2018 09:45 by mich...@qubes-os.org:
>>
>>> couldn't figure out a fast solution so I downgraded back to v1.9.9 for
>>> the time being.
>>>
>>> You can do the same by downloading v1.9.9 and manually installing in
>>> thunderbird (and unchecking "update addons automatically"):
>>>
>>> https://www.enigmail.net/download/release/1.9/enigmail-1.9.9-sm+tb.xpi?type=application/octet-stream
>>>
>>> I will email Enigmail mailing list so that they are aware.
>>
>> Is anyone else who downgraded back to 1.9.9 getting stuck with a big 
>> autocrypt header being displayed and a missing email body when receiving 
>> emails from enigmail 2.0 users?
>>
>> Any persons got the workaround listed here: 
>> https://github.com/QubesOS/qubes-issues/issues/3750 to work in 3.2?   Is 
>> there a particular line it needs to be done on.When I add it to the 
>> file, all that happens is my work VM connects to my vault VM and I get a 
>> blank email no decrypted message
>
> Workaround proposed in
https://github.com/QubesOS/qubes-issues/issues/3750 works for me in R3.2
> I added a well formatted patch in the comments.
>
> TFQOS - Thanks For Qubes OS
>

Hi all,

Just to update/close the thread, Marek pushed some patches into all
testing repos and closed the issue:

https://github.com/QubesOS/qubes-issues/issues/3750

You can apply the patches immediately by enabling the testing repos:

https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories
https://www.qubes-os.org/doc/software-update-vm/#testing-repositories

or wait for them to land in stable/current.

The underlying bug is upstream of Enigmail in GnuPG, which Enigmail was
trying to work around:

https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-March/004870.html
https://dev.gnupg.org/T2019

Thanks all for the contributions and for the quick patches Marek.

Michael


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ad250449-d141-ea54-d789-b080be609f9e%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL- Notebook/Laptop MSI GE72 6QD

[Ninguém =X]

Hi after some trouble installing  Qubes I've finally make it work. I'm
kindda newbie in linux world, but I'm learning and also loving Qubes :D.

*I had trouble with*:

- Nouveau, I needed to add "nouveau.modeset=0" in the begining of
installation(with tab in install qubes option)

-Things made in windows 10 didn't worked(bootable usb made with rufus
software, also tried to burn a dvd in windows but it didn't worked) ---
without "nouveau.modeset=0", discovered this "trick" latter.

-Tried to make usb bootable with dd command using ubuntu, didn't worked
either --- without "nouveau.modeset=0", discovered this "trick" latter .

*What worked*:

Legacy mode, Vt-D and virtual stuff in bios turned on, also secure boot
disabled.
In the beginning of installation I needed to add a command to installation
pressing tab in the option I want and adding before "---"
"nouveau.modeset=0"

Installed with a DVD.


*Until now I've done somethings*:
Installed(all in personal) -- Opera, Chrome, Tixati torrent client. All
with .rpm package(dunno if it's called like that o.0)
Updated all Template vms, dom0 and kernel(using sys-net and sys-whonix).

Watched some stuff in netflix(with chrome, other browsers even that I
installed flash plugin in fedora 26 didn't work).

Sorry about some english mistakes I've made, I'm Brazillian and rarely
spoke or write stuff in english =/ .

Hope that this can help someone.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAKvuX%2BzaghPZ5K9KeDtRS47Uc6XotEm4E%2B2mcZU5ZWW8RbzvGw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-Micro_Star_International_Co___Ltd_-GE72_6QD-20180328-140601.yml
Description: application/yaml

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[G]

On 2018-03-28 12:14, G wrote:

You're right. So the no ME no TPM rule probably apply only when using
the stock bios. I just noticed coreboot recently pushed a commit
fixing a problem in TPM activation
https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d
maybe that's the issue with my x220. I'm rebuilding my rom to check if
something changes with that commit, i'll give an update soon.

Giulio


I just flahed the latest commit: still no luck. By checking the source 
code I think that the init_tpm() function is actually being called:


From file coreboot/src/northbridge/intel/sandybridge/romstage.c:
  120   if (IS_ENABLED(CONFIG_LPC_TPM)) {
  121   init_tpm(s3resume);
  122   }

From my config:
CONFIG_LPC_TPM=y
CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y

I think i'll try opening an issue in coreboot about this.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ef7fef774ffe5d7df56fdc0daa33a4c3%40anche.no.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[G]

On 2018-03-28 11:42, 'awokd' via qubes-users wrote:

On Wed, March 28, 2018 8:13 am, G wrote:



I looked into adding a secondary TPM, maybe in the ExpressCard slot 
but
it looks like no such piece of hardware exist. Or maybe there's a way 
to
use the integrated TPM without the Intel ME but i don't have the 
skills to

research in that direction.


It looks like they are cleaning ME and still using the TPM?
http://osresearch.net/Installing-Heads


You're right. So the no ME no TPM rule probably apply only when using 
the stock bios. I just noticed coreboot recently pushed a commit fixing 
a problem in TPM activation 
https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d 
maybe that's the issue with my x220. I'm rebuilding my rom to check if 
something changes with that commit, i'll give an update soon.


Giulio

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d8676aecdf0d84210818138c892c8508%40anche.no.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

['awokd' via qubes-users]

On Wed, March 28, 2018 8:13 am, G wrote:

>
> I looked into adding a secondary TPM, maybe in the ExpressCard slot but
> it looks like no such piece of hardware exist. Or maybe there's a way to
> use the integrated TPM without the Intel ME but i don't have the skills to
> research in that direction.

It looks like they are cleaning ME and still using the TPM?
http://osresearch.net/Installing-Heads


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/27b46445c2fb22d6395ae24523c78d8c.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

['awokd' via qubes-users]

On Wed, March 28, 2018 2:09 am, berto0...@gmail.com wrote:
>> It's in a bit of an indeterminate state right now:
>> https://github.com/QubesOS/qubes-issues/issues/2971. Did regenerating
>> initramfs with host only fix it for you, or did you just leave the
>> keyboard setting on US on the reinstall?
>
> Actually, I just pressed the keys as on an imaginary US keyboard after
> realizing one key was in a different position. That's a quite common
> method for non-US users -- you just need to be aware that you are dealing
> with a moved key in the first place. And there is no feedback when typing
> a password as first task on a new OS, obviously.

Sounds like that linked issue's not resolved. If you have a Github
account, mind commenting on it with your experience and pinging
@andrewdavidwong? I can do it later too, if you don't. If you get a chance
to regenerate with -H, I'm curious if that fixes it too. Shouldn't (TM)
hurt anything.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/abe3399de4a4e93b05d67f38a7751174.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Is Template concept unique to Qubes?

[pixel fairy]

On Sunday, March 25, 2018 at 8:08:19 PM UTC-7, franc...@tutamail.com wrote:
> Security considerations aside, it's so convenient having shared root 
> filesystems that can be updated once for multiple child-VMs.  Is this feature 
> unique to Qubes or is something like this often replicated when using other 
> hypervisor systems?
> 
> Specifically, I want to run a **not**-secure bleeding edge testbox that has 
> gpu acceleration in dom0. (Example: archlinux + KVM). I know 
> thin-provisioning (COW?) will allow one copy of OS on the filesystem to be 
> re-used but is it possible to base multiple VM's on a single template like 
> Qubes? Thanks for reading.

docker and vagrant come to mind. you could also do this yourself the same way 
qubes does it with a root template and machine specific home disk, or some 
shared storage if that doesnt work. vagrant has a way to update and rebox 
existing vagrant boxes so you dont have to rebuild it every time you want to 
update. so theres that, or scripting it yourself with virsh or one of its 
bindings.

heres some notes on using kvmgt with libvirt, 
https://github.com/TobleMiner/KVMGT

if you do this, dont forget to make a usb canary, and maybe use the iommu to 
wall of other scary ports.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1c5337ef-1020-4d99-9549-e07785ca3524%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[G]

On 2018-03-27 22:17, awokd wrote:


PS Have you seen Heads? http://osresearch.net/


Nope i didn't know it. By the overview it looks like a very good idea 
but i have yet to understand all the details.
Still the problem is that currently one has to choose between keeping 
the Intel ME active or have a working TPM.


I tried starting a discussion on the tradeoffs of both 
https://groups.google.com/forum/#!topic/qubes-users/JEEaDRZpnpA and as 
other users pointed out, while it stills depend on your threat model, 
the Intel ME pose a potential remote threat while the TPM should help 
notice a physical attack (given coreboot is flashed with write 
protection).


I looked into adding a secondary TPM, maybe in the ExpressCard slot but 
it looks like no such piece of hardware exist. Or maybe there's a way to 
use the integrated TPM without the Intel ME but i don't have the skills 
to research in that direction.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c346292aa1c1a38b6a92abbe79e7facc%40anche.no.
For more options, visit https://groups.google.com/d/optout.