Re: [qubes-users] Using Windows 7 vm from R3.2
Hi Chris,

On 1/7/19 9:04 PM, Chris Laprise wrote:
> A Windows 7 vm I restored from R3.2 can boot. However I wanted to update
> it with the new Qubes Windows Tools and it won't recognize the
> --qubes-windows-tools volume. I also tried 'qvm-block attach' on the qwt
> iso directly and Windows still won't see it.

I just tried to start some of my windows vms with --install-windows-tools but it triggers a bsod at boot time, while the vms work fine otherwise. Setting a loop device in dom0 with the windows tools iso and attaching it to a running win vm doesn't trigger a bsod but the disk that shows up in the disk manager is empty (17MB unallocated disk).

You could try to copy the iso to the VM and mount it with an emulator.

> Is there a way to get the Windows 7 vm fully updated Qubes drivers? Or
> is it better to reinstall Windows instead (IIRC getting all the Windows
> updates was difficult so I'd rather not repeat installation.)

After spending way too much time with win VMs I'd advise you not to lose time with re-installation and newer Qubes Windows Tools; windows update'ing a new install takes at least half a day with multiple reboots (+ qvm-clone before each boot because it's not even sure that the VM will still boot after the last batch of windows updates). I never managed to update any of my win7 VMs - imported from R3.2 or created on R4.0 - that were running QWT 3.x with QWT 4.x. Comments in the huge QWT issue [1] show I'm not alone.

FWIW I've been using Win7 VMs imported from R3.2 as well as Win7 VMs installed under R4.0 without any problem except the issues listed in [1] but I can live with them (note: the VMs created under R4.0 have QWT 3.x because I created them before Marek uploaded the newer version).

You could also try the newer QWT with win10 instead of win7 but according to Marek they're a hit-or-miss too [2].

[1] https://github.com/QubesOS/qubes-issues/issues/3585
[2] https://github.com/QubesOS/qubes-doc/pull/752#pullrequestreview-185336141

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a09f7800-eeb4-53a0-7508-adf5f5351e3a%40maa.bz.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Fedora 29 TemplateVM available for Qubes 4.0
Dear Qubes Community,

A new Fedora 29 TemplateVM is now available for Qubes 4.0. We previously announced that Fedora 27 reached EOL [1] and encouraged users to upgrade to Fedora 28. Fedora 28 is still supported by the Fedora Project, so users may now choose either Fedora 28 or 29 (or both) depending on their needs and preferences. Instructions are available for upgrading from Fedora 28 to 29 [2]. We also provide fresh Fedora 29 TemplateVM packages through the official Qubes repositories, which you can get with the following commands (in dom0).

Standard Fedora 29 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-29

Minimal [3] Fedora 29 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-29-minimal

After upgrading to a Fedora 29 TemplateVM, please remember to set all qubes that were using the old template to use the new one. This can be done in dom0 either with the Qubes Template Manager [4] or with the `qvm-prefs` [5] command-line tool.

[1] https://www.qubes-os.org/news/2018/11/30/fedora-27-eol/
[2] https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
[3] https://www.qubes-os.org/doc/templates/fedora-minimal/
[4] https://www.qubes-os.org/doc/templates/#how-to-switch-templates-40
[5] https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-prefs.html

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/07/fedora-29-template-available/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
22...@tutamail.com:
> I just had another Dom0 update today...just tried the "sun icon" again and the behaviour was a little different in that it launched my sys-whonix vm this time for an update.
>
> Notes:
>
> 1) Prior to my dom0 update today, the "sun icon" had always given me a "nothing to do" without ever starting sys-whonix (I don't start this VM with start-ups of Qubes)
>
> 2) I played with the sun icon again after the Dom0 update today and noticed that it just clocked after starting sys-whonix.
>
> When I update using the Qubes Manager I start my sys-whonix manually before I click on "update qubes" on my templates. I tried starting sys-whonix before I clicked on the "sun icon" process and it appeared to update my template..at least the down arrow in the state column of my qubes manager disappeared (fedora template was being updated)
>
> When you say "settings point to sys-whonix" the only setting that point there are in Qubes Manager->System->Global Settings->Dom0). I believe I also changed to update my templates using sys-whonix when I installed whonix-14 (quite sure this is the case as sys-whonix is launched when I update my templates). Are there other settings I should point to sys-whonix...I'd like to keep all critical updates via sys-whonix?
>
> I'll try the "sun icon" update process more and see if the behaviour changes...again the update to Dom0 today might have changed things...

Interesting, thank you. That's a logical test; I'll try it too.

I only meant those two settings- qubes-prefs and templates. You can double-check your template update settings in /etc/qubes-rpc/policy/qubes.UpdatesProxy. You want target=sys-whonix on everything, but note it's only first match that matters.
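The "only first match … matters" remark in the reply above, as an added example that is not part of the original thread and not Qubes' own code: a simplified Python evaluator for R4.0-style policy lines that reports which update proxy each template would actually get. The qube names, the tag and both sample policies are constructed, and the matcher handles only `$anyvm`, `$default`, `$type:`, `$tag:` and literal names (an assumption of this sketch).

```python
"""First-match evaluation of R4.0-style qrexec policy lines (simplified sketch)."""
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    lineno: int
    source: str
    dest: str
    action: str
    params: dict


class Qube(NamedTuple):
    name: str
    klass: str                        # "TemplateVM", "AppVM", ...
    tags: frozenset = frozenset()


def parse_policy(text: str) -> list:
    """Parse 'source dest action[,key=value...]' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:          # also rejects $include: lines, not handled here
            raise ValueError(f"line {lineno}: not handled by this sketch: {raw!r}")
        action, *extra = [part.strip() for part in fields[2].split(",")]
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        params = dict(item.split("=", 1) for item in extra)
        rules.append(Rule(lineno, fields[0], fields[1], action, params))
    return rules


def source_matches(token: str, qube: Qube) -> bool:
    if token == "$anyvm":
        return True
    if token.startswith("$type:"):
        return qube.klass == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in qube.tags
    return token == qube.name


def first_match(rules: list, qube: Qube, requested: str = "$default") -> Optional[Rule]:
    """Return the first rule matching the caller; later rules are never consulted."""
    for rule in rules:
        if source_matches(rule.source, qube) and rule.dest in ("$anyvm", requested):
            return rule
    return None


def update_proxy(rules: list, qube: Qube) -> Optional[str]:
    """Target qube of the winning rule, or None when the call is denied."""
    rule = first_match(rules, qube)
    if rule is None or rule.action == "deny":   # no matching rule is treated as deny
        return None
    return rule.params.get("target")


def misrouted(policy_text: str, qubes: list, wanted: str = "sys-whonix") -> list:
    """List (template, effective target, deciding line) where target != wanted."""
    rules = parse_policy(policy_text)
    report = []
    for qube in qubes:
        if qube.klass != "TemplateVM":
            continue
        rule = first_match(rules, qube)
        target = update_proxy(rules, qube)
        if target != wanted:
            report.append((qube.name, target, rule.lineno if rule else None))
    return report


# Constructed inventory: names and tag are sample values for this example.
QUBES = [
    Qube("fedora-29", "TemplateVM"),
    Qube("whonix-gw-14", "TemplateVM", frozenset({"whonix-updatevm"})),
    Qube("personal", "AppVM"),
]

# Constructed policy: the broad sys-net rule comes first and wins for every template.
SHADOWED = """\
# sample qubes.UpdatesProxy contents (constructed)
$type:TemplateVM      $default  allow,target=sys-net
$tag:whonix-updatevm  $default  allow,target=sys-whonix
$anyvm                $anyvm    deny
"""

# Constructed policy: every allow rule names sys-whonix, so rule order cannot leak.
ALL_TOR = """\
# sample qubes.UpdatesProxy contents (constructed)
$tag:whonix-updatevm  $default  allow,target=sys-whonix
$type:TemplateVM      $default  allow,target=sys-whonix
$anyvm                $anyvm    deny
"""

if __name__ == "__main__":
    for label, policy in (("SHADOWED", SHADOWED), ("ALL_TOR", ALL_TOR)):
        print(label, misrouted(policy, QUBES))
```

In the first sample the Whonix rule on line 3 is never reached, because the `$type:TemplateVM` rule on line 2 already matches the Whonix template.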
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
I just had another Dom0 update today...just tried the "sun icon" again and the behaviour was a little different in that it launched my sys-whonix vm this time for an update.

Notes:

1) Prior to my dom0 update today, the "sun icon" had always given me a "nothing to do" without ever starting sys-whonix (I don't start this VM with start-ups of Qubes)

2) I played with the sun icon again after the Dom0 update today and noticed that it just clocked after starting sys-whonix.

When I update using the Qubes Manager I start my sys-whonix manually before I click on "update qubes" on my templates. I tried starting sys-whonix before I clicked on the "sun icon" process and it appeared to update my template..at least the down arrow in the state column of my qubes manager disappeared (fedora template was being updated)

When you say "settings point to sys-whonix" the only setting that point there are in Qubes Manager->System->Global Settings->Dom0). I believe I also changed to update my templates using sys-whonix when I installed whonix-14 (quite sure this is the case as sys-whonix is launched when I update my templates). Are there other settings I should point to sys-whonix...I'd like to keep all critical updates via sys-whonix?

I'll try the "sun icon" update process more and see if the behaviour changes...again the update to Dom0 today might have changed things...
Re: [qubes-users] fail to install qubes-template-fedora-29 "Failed writing body"
On Thursday, January 3, 2019 at 4:51:12 PM UTC-8, 799 wrote:
> On Fri, 4 Jan 2019, 01:46 pixel fairy wrote:
> $ sudo qubes-dom0-update qubes-template-fedora-29
> [...]
>
> Downloading Packages:
>
> [MIRROR] qubes-template-fedora-29-4.0.1-201812091508.noarch.rpm: Curl error (23): Failed writing received data to disk/application for https://mirrors.edge.kernel.org/qubes/repo/yum/r4.0/templates-itl/rpm/qubes-template-fedora-29-4.0.1-201812091508.noarch.rpm [Failed writing body (8615 != 16384)]
>
> [FAILED] qubes-template-fedora-29-4.0.1-201812091508.noarch.rpm: Curl error (23): Failed writing received data to disk/application for https://mirrors.edge.kernel.org/qubes/repo/yum/r4.0/templates-itl/rpm/qubes-template-fedora-29-4.0.1-201812091508.noarch.rpm [Failed writing body (8615 != 16384)]
> [...]
>
> Do you have enough free space in sys-firewall (df -h)
>
> - O

That was the problem. Made a clone of the template, gave it more system storage, and used that for sys-firewall, which worked.
Re: [qubes-users] missing a dom0-update-download file?
On Monday, January 7, 2019 at 5:57:45 PM UTC-7, awokd wrote:
> seshu wrote on 1/7/19 10:38 PM:
> > I think I screwed something up :) as I was trying to reinstall the
> > xorg-x11-nouveau driver.
> >
> > When I rebooted, the qubes manager doesn't work, my usb mouse doesn't work
> > and when I try to reinstall packages with qubes-dom0-update I get an error
> > message saying that the following file is missing:
> >
> > /usr/lib/qubes/qubes-dom0-update-download or something like this. I'm
> > going from memory.
> >
> > It seems to be a file got erased that would handle downloads for the
> > dom0-updater?
> >
> > Any way to fix this or do I need to re-install the OS?
> >
> > Thanks!
> >
> When you uninstalled the driver, it probably took some critical Qubes
> packages with it. If you can, check your dnf log in dom0's /var/log and
> you might be able to tell which. You'd have to download the package and
> copy it over manually and install. If my backups were recent, I'd just
> reinstall Qubes instead.

Ok thanks. I was working with 4.0.1rc2 and the system isn't production for me yet. I'm still learning, which is why I was playing with the video drivers. I do have some backups which will be a good way to practice working with that as well. Good learning opportunity :)

I'll reinstall Qubes. Thanks for the heads up about where the log files are. I'll take a look at that just to learn.

Thanks!
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
799 wrote on 1/4/19 12:22 AM:
> On Thu, 3 Jan 2019 at 22:57, <22...@tutamail.com> wrote:
>
> > After a recent update to Dom0 an icon appeared on the top right.
> > [...]
> > Any thoughts or suggestions on how to use/configure this feature?
>
> I have also recognized some problems as the Update Icon keeps telling me that there are updates for some of my templates. But when I launch the updates via "NEXT" I get the message under Details: "SKIP (nothing to do)"
>
> But the icon keeps telling me that Updates are available. As this is something new, it seems to me that this was introduced via a dom0 update. Maybe opening "Qubes Global Settings" and clicking on "Disable checking for updates for all Qubes" might be a temporary fix?
>
> - O

22rip, where did you see that Update icon always used sys-net? Doesn't seem like it should, if your other settings point to sys-whonix.
Re: [qubes-users] Windows Standalone WM not connecting to sys-whonix
hasnz wrote on 1/3/19 4:56 PM:
> Hello,
>
> I have a networking issue with a Windows 7 Standalone VM not connecting to sys-whonix. I already confirmed that the Windows VM connects to non tor connection even on a vpn.
>
> https://www.whonix.org/wiki/Other_Operating_Systems states that sys-whonix could be used on a configured windows 7 network by changing the IPv4 settings.
>
> IP address 10.152.152.50
> Subnet netmask 255.255.192.0
> Default gateway 10.152.152.10
> Preferred DNS server 10.152.152.10
>
> However, after doing all this I am still unable to get any connection via sys-whonix. There are multiple addresses that are being listed in ifconfig on sys-whonix, and windows. Also the qubes settings lists another set of addresses. Could I be addressing the IPv4 wrong? My knowledge is limited, sorry; hopefully someone could point me in the right direction.

Check the Networking section of your anon-whonix VM. You should be able to copy those settings to your Windows VM and have it work.
Re: [qubes-users] Smart cards, split GPG, and timing attacks
Demi Obenour wrote on 1/7/19 3:16 PM:
> Looking through the GPG CVE list, it appears that GPG has a fantastic security record. This seems to jus Most of the recent vulnerabilities have been side-channel attacks. Is it useful to use split-GPG with a hardware token to prevent side-channel attacks?

I am far from a cryptographer, but IIRC those side channel attacks get the key by observing decryption leaks. So a hardware token wouldn't affect that either way, because once the key is unlocked it still gets processed the same.

> Also, is it best to use one signing key per project one is working on?

Again, not a crypto expert but if you're using the same development workflow for all projects, don't see much security gain from separate keys. If some demand a different, potentially less secure workflow, those might benefit from subkeys.

Hopefully someone experienced has more insight!
Re: [qubes-users] missing a dom0-update-download file?
seshu wrote on 1/7/19 10:38 PM:
> I think I screwed something up :) as I was trying to reinstall the xorg-x11-nouveau driver.
>
> When I rebooted, the qubes manager doesn't work, my usb mouse doesn't work and when I try to reinstall packages with qubes-dom0-update I get an error message saying that the following file is missing:
>
> /usr/lib/qubes/qubes-dom0-update-download or something like this. I'm going from memory.
>
> It seems to be a file got erased that would handle downloads for the dom0-updater?
>
> Any way to fix this or do I need to re-install the OS?
>
> Thanks!

When you uninstalled the driver, it probably took some critical Qubes packages with it. If you can, check your dnf log in dom0's /var/log and you might be able to tell which. You'd have to download the package and copy it over manually and install. If my backups were recent, I'd just reinstall Qubes instead.
Re: [qubes-users] Document change request
unman wrote on 1/7/19 11:31 PM:
> On Tue, Jan 08, 2019 at 12:03:46AM +0100, Achim Patzner wrote:
> > Hi!
> >
> > Would someone please update https://www.qubes-os.org/doc/bind-dirs/ and add that in 4.0 and on /usr/lib/qubes/bind-dirs.sh has moved to /usr/lib/qubes/init?
> >
> > Achim
>
> It is, of course, still linked as /usr/lib/qubes/bind-dirs.sh

Achim, why did you think it was init?
Re: [qubes-users] Document change request
On Tue, Jan 08, 2019 at 12:03:46AM +0100, Achim Patzner wrote:
> Hi!
>
> Would someone please update https://www.qubes-os.org/doc/bind-dirs/ and
> add that in 4.0 and on /usr/lib/qubes/bind-dirs.sh has moved to
> /usr/lib/qubes/init?
>
>
> Achim

It is, of course, still linked as /usr/lib/qubes/bind-dirs.sh
[qubes-users] missing a dom0-update-download file?
I think I screwed something up :) as I was trying to reinstall the xorg-x11-nouveau driver.

When I rebooted, the qubes manager doesn't work, my usb mouse doesn't work and when I try to reinstall packages with qubes-dom0-update I get an error message saying that the following file is missing:

/usr/lib/qubes/qubes-dom0-update-download or something like this. I'm going from memory.

It seems to be a file got erased that would handle downloads for the dom0-updater?

Any way to fix this or do I need to re-install the OS?

Thanks!
Re: [qubes-users] Using Windows 7 vm from R3.2
On 01/07/2019 02:04 PM, Chris Laprise wrote:
> A Windows 7 vm I restored from R3.2 can boot. However I wanted to update it with the new Qubes Windows Tools and it won't recognize the --qubes-windows-tools volume. I also tried 'qvm-block attach' on the qwt iso directly and Windows still won't see it.

...I meant to type '--install-windows-tools' here.

> Is there a way to get the Windows 7 vm fully updated Qubes drivers? Or is it better to reinstall Windows instead (IIRC getting all the Windows updates was difficult so I'd rather not repeat installation.)

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] Using Windows 7 vm from R3.2
A Windows 7 vm I restored from R3.2 can boot. However I wanted to update it with the new Qubes Windows Tools and it won't recognize the --qubes-windows-tools volume. I also tried 'qvm-block attach' on the qwt iso directly and Windows still won't see it.

Is there a way to get the Windows 7 vm fully updated Qubes drivers? Or is it better to reinstall Windows instead (IIRC getting all the Windows updates was difficult so I'd rather not repeat installation.)

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Salt orchestration
On 1/4/19 3:08 PM, Brian C. Duggan wrote:
> 2. Salt should ensure that service VMs are running before Salt applies
> states to their client VMs. For example, I have a service VM that
> exports gpg-agent's SSH socket through Qrexec. This VM needs to be
> running so that the client VM can clone git repos using keys on the
> service VM.
>

I did some more testing. Of course, Qubes starts halted VMs when another VM makes a Qrexec RPC call to it. The calling process on the client VM will block until the service VM starts and the RPC call returns. So this isn't really a valid use case for orchestration.

At first, I thought the SSH authentication attempts failed because the service VM wasn't started yet. After more testing, I can see that the systemd socket service just doesn't work at the stage during initial boot that Salt runs. The socket file exists at this stage, though. SSH authentication succeeds during subsequent Salt runs after the VM is booted.

But I've also noticed that sometimes a new app VM's grain ID is still the template's ID when Salt processes templates. This can be a problem when both dom0 and app VMs need the same pillar data:

pillar/app/client-vm-1.sls:

    app:
      client-vm-1:
        server-name: server-vm-1

pillar/app/client-vm-2.sls:

    app:
      client-vm-2:
        server-name: server-vm-1

pillar/top.sls:

    base:
      dom0,client-vm-1:
        - match: list
        - app.client-vm-1
      dom0,client-vm-2:
        - match: list
        - app.client-vm-2

dom0 needs the combined app data to set RPC policies between the clients and their servers. The clients need their own data to configure which service VM to send their RPC to. It's convenient for clients to find it through pillar['app'][grains['id']]. Maybe there's a better way of constructing this pillar data?

Is there a way to delay Salt execution on VMs until they are fully booted?

For the curious, I'm using a Salt formula to set up access to gpg-agent on a service VM from client VMs through Qrexec:

https://gitlab.com/bcduggan/qrexec-gpg-agent-formula

Thanks,
Brian

--
Brian C. Duggan
he/him/his
Re: [qubes-users] signal-desktop?
On Sun, 2019-01-06 at 23:14 +0100, haaber wrote:

It's running fine for me from a flatpak --user install ... has the advantage that the template only needs flatpak and all signal is in the appVM only.

Joh

On Fri, 2019-01-04 at 18:57 -0600, Sven Semmler wrote:

Hi, I just installed signal-desktop (in the template) and now try to run it in the appVM. The app starts and I can see the window border, but nothing inside the window. Haven't done much diagnosis yet. Just wondering if someone here recently installed signal-desktop on a debian-9 based qube and has some hints for me.

I tested & get same problem as Sven. Could you please explain the flatpak approach, Joh? Besides the usage for signal-desktop this may be helpful in other cases as well! Thank you, Bernhard

https://flatpak.org/. You install flatpak in your template VM (using the usual tools). After that you fire up a AppVM for Signal (for example) and on its CLI run 'flatpak install --user flathub org.signal.Signal' & afterwards fire it up in the same AppVM using 'flatpak run org.signal.Signal'. Skype also is manageable this way as are others: https://flathub.org/apps

Thank you. You lose that way all signatures right? For skype this is not worrisome (all traffic is monitored anyways), for signal (meant to be secure) this is more embarrassing. Any thoughts on this? The "--disable-gpu" parameter works perfectly for the debian-install and the signed package from the signal website.

Bernhard
[qubes-users] Smart cards, split GPG, and timing attacks
Looking through the GPG CVE list, it appears that GPG has a fantastic security record. This seems to jus Most of the recent vulnerabilities have been side-channel attacks. Is it useful to use split-GPG with a hardware token to prevent side-channel attacks?

Also, is it best to use one signing key per project one is working on?
Re: [qubes-users] Re: my dom0 is not updating since before 4.01
On Mon, Jan 07, 2019 at 06:06:21AM -0800, Sergio Matta wrote:
> On Monday, January 7, 2019 at 10:42:25 UTC-2, unman wrote:
> > On Sun, Jan 06, 2019 at 07:48:00PM -0800, Sergio Matta wrote:
> > > On Sunday, January 6, 2019 at 13:25:17 UTC-2, simon@gmail.com wrote:
> > > > On Sunday, January 6, 2019 at 1:32:45 PM UTC, Sergio Matta wrote:
> > > > > I think I have a problem with yum file configuration. Fedora 25 looks
> > > > > like ok but Qubes never finds data:
> > > > >
> > > > > Fedora 25 - x86_64 - Updates 1.0 MB/s | 24 MB 00:24
> > > > > Fedora 25 - x86_64 2.0 MB/s | 50 MB 00:25
> > > > > Qubes Dom0 Repository (updates) 86 B/s | 169 B 00:01
> > > > > Qubes Community Templates repository 84 B/s | 169 B 00:02
> > > > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > > > Failed to synchronize cache for repo 'qubes-dom0-current', ignoring this repo.
> > > > > Failed to synchronize cache for repo 'qubes-templates-sommunity', ignoring this repo.
> > > > > Failed to synchronize cache for repo 'qubes-templates-itl', ignoring this repo.
> > > > > Failed to synchronize cache for repo 'qubes-templates-itl-testing', ignoring this repo.
> > > > > Last metadata expiration check: 0:00:09 ago on Sun Jan 6 10:12:44 2019.
> > > > > Dependencies resolved.
> > > > > Nothing to do.
> > > > > Complete!
> > > > > No packages downloaded
> > > >
> > > > https://github.com/QubesOS/qubes-issues/issues/3737
> > > >
> > > > https://www.qubes-os.org/doc/releases/4.0/release-notes/#upgrading
> > > >
> > > > change your repo from http to https
> > >
> > > Thank you Simon but it is not the protocol. I already had tried. I
> > > changed the qubes-dom0.repo with the rpmnew too. It looks like url error
> > > but I checked the url with firefox and it is ok.
> > > Now, I had an idea to change the r$releasever variable with the string
> > > v4.0 and it works! But there is something wrong in my Qubes. Why there is
> > > no $releasever variable? I think I need another fresh installation!
> > > Thank you to make me think!
> > >
> > There's no need to reinstall, which won't solve your problem.
> > This is a known issue that has been covered on the list before, and
> > relates to your choice of updateVM. Try passing in --releasever=4.0 as
> > option in qubes-dom0-update.
> > There is a fix in testing, I think. maybe already reached stable, but as
> > you can't update that's not relevant to you. (Although you could manually
> > download it, copy it to dom0, check signature in dom0 with rpm -K, and
> > then install.)
>
> Thank you Unman. You save me lot of time with reinstalling and reconfiguring
> a fresh install!
>

Glad I caught you in time.
Re: [qubes-users] Re: Qube max storage size
On Mon, Jan 07, 2019 at 07:52:25AM -0600, Stuart Perkins wrote:
>
> On Sun, 6 Jan 2019 07:41:35 -0800 (PST)
> Plex wrote:
>
> >On Sunday, January 6, 2019 at 3:20:08 PM UTC, Plex wrote:
> >> Is there a technical limitation/reason why a qube private max storage size
> >> can only go to 1048576MiB in qube manager? Is this a limitation with the
> >> qube itself or qube manager?
> >>
> >> TIA
> >
> >I should RTFM
> >
> >https://www.qubes-os.org/doc/resize-disk-image/
> >
>
> but..asking questions introduces the topic to the rest of the mailing list,
> and does indeed serve a purpose. :)
>

And I had assumed you *had* RTFM and it was that that raised the question.
Why IS there this limitation in the manager?
Re: [qubes-users] Re: my dom0 is not updating since before 4.01
On Monday, 7 January 2019 10:42:25 UTC-2, unman wrote:
> On Sun, Jan 06, 2019 at 07:48:00PM -0800, Sergio Matta wrote:
> > On Sunday, 6 January 2019 13:25:17 UTC-2, simon@gmail.com wrote:
> > > On Sunday, January 6, 2019 at 1:32:45 PM UTC, Sergio Matta wrote:
> > > > I think I have a problem with yum file configuration. Fedora 25 looks
> > > > OK but Qubes never finds data:
> > > >
> > > > Fedora 25 - x86_64 - Updates 1.0 MB/s | 24 MB 00:24
> > > > Fedora 25 - x86_64 2.0 MB/s | 50 MB 00:25
> > > > Qubes Dom0 Repository (updates) 86 B/s | 169 B 00:01
> > > > Qubes Community Templates repository 84 B/s | 169 B 00:02
> > > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > > Failed to synchronize cache for repo 'qubes-dom0-current', ignoring this repo.
> > > > Failed to synchronize cache for repo 'qubes-templates-sommunity', ignoring this repo.
> > > > Failed to synchronize cache for repo 'qubes-templates-itl', ignoring this repo.
> > > > Failed to synchronize cache for repo 'qubes-templates-itl-testing', ignoring this repo.
> > > > Last metadata expiration check: 0:00:09 ago on Sun Jan 6 10:12:44 2019.
> > > > Dependencies resolved.
> > > > Nothing to do.
> > > > Complete!
> > > > No packages downloaded
> > >
> > > https://github.com/QubesOS/qubes-issues/issues/3737
> > >
> > > https://www.qubes-os.org/doc/releases/4.0/release-notes/#upgrading
> > >
> > > change your repo from http to https
> >
> > Thank you Simon but it is not the protocol. I had already tried. I changed
> > the qubes-dom0.repo with the rpmnew too. It looks like a URL error but I
> > checked the URL with Firefox and it is OK.
> > Now, I had an idea to replace the r$releasever variable with the string v4.0
> > and it works! But there is something wrong in my Qubes. Why is there no
> > $releasever variable? I think I need another fresh installation!
> > Thank you for making me think!
> >
> There's no need to reinstall, which won't solve your problem.
> This is a known issue that has been covered on the list before, and
> relates to your choice of updateVM. Try passing in --releasever=4.0 as
> an option in qubes-dom0-update.
> There is a fix in testing, I think. Maybe already reached stable, but as
> you can't update that's not relevant to you. (Although you could manually
> download it, copy it to dom0, check signature in dom0 with rpm -K, and
> then install.)

Thank you Unman. You saved me a lot of time with reinstalling and reconfiguring a fresh install!
Re: [qubes-users] Re: Qube max storage size
On Sun, 6 Jan 2019 07:41:35 -0800 (PST) Plex wrote:

>On Sunday, January 6, 2019 at 3:20:08 PM UTC, Plex wrote:
>> Is there a technical limitation/reason why a qube private max storage size
>> can only go to 1048576MiB in qube manager? Is this a limitation with the
>> qube itself or qube manager?
>>
>> TIA
>
>I should RTFM
>
>https://www.qubes-os.org/doc/resize-disk-image/
>

but..asking questions introduces the topic to the rest of the mailing list, and does indeed serve a purpose. :)
Re: [qubes-users] Re: Which parts of qubes-builder are guaranteed to work/supported?
On Sun, Jan 06, 2019 at 11:23:03PM +, Robert Rettig wrote:
> > Right now I'm not even getting to centos-7:
> >
> > make get-sources get-sources-extra qubes-vm is stopping at
> >
> > -> Installing core RPM packages...
> > error: Failed dependencies:
> > glibc = 2.28-9.fc29 is needed by glibc-all-langpacks-2.28-9.fc29.x86_64
> > glibc-common = 2.28-9.fc29 is needed by glibc-all-langpacks-2.28-9.fc29.x86_64
> > make[1]: *** [/home/user/qubes-builder/qubes-src/builder-rpm/Makefile-legacy.rpmbuilder:35: /home/user/qubes-builder/chroot-fc29/home/user/.prepared_base] Error 1
> > make: *** [Makefile:217: vmm-xen-vm] Error 1
>
> Different environment. Started with a generic/fedora29 box (see
> https://app.vagrantup.com/generic/boxes/fedora29 )
>
> Got same error but different reason
> https://pastebin.com/raw/Efi5JQKU
>
> ```
> E: Failed to fetch https://deb.debian.org/debian/pool/main/r/reprepro/reprepro_4.16.0-1_amd64.deb GnuTLS recv error (-54): Error in the pull function.
>
> E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
> make[1]: *** [/home/vagrant/qubes-builder/qubes-src/builder-debian/Makefile.debian:176: /home/vagrant/qubes-builder/chroot-jessie/home/user/.prepared_base] Error 100
> ```
>
> How can I resume the broken build?
>

Obviously you have had some network issue, so downloads have failed for jessie. (Why Jessie? Latest Whonix is based on stretch.)
It doesn't look as if you built much (anything) so you should be able to just start the build again.
I recommend breaking the build down to separate distros, rather than building all at once. Also, you can use make qubes-vm and make template as separate steps.

If you use a caching proxy upstream from the build device then this helps to mitigate the pain, and also dramatically speeds up template updates. Since you are downloading to update templates anyway, why download again to build (vice versa)?
Re: [qubes-users] signal-desktop?
On Sun, 2019-01-06 at 23:14 +0100, haaber wrote:
> > It's running fine for me from a flatpak --user install ... has the
> > advantage that the template only needs flatpak and all signal is in the
> > appVM only.
> >
> > Joh
> >
> > On Fri, 2019-01-04 at 18:57 -0600, Sven Semmler wrote:
> > > Hi,
> > >
> > > I just installed signal-desktop (in the template) and now try to run
> > > it in the appVM. The app starts and I can see the window border, but
> > > nothing inside the window.
> > >
> > > Haven't done much diagnosis yet. Just wondering if someone here
> > > recently installed signal-desktop on a debian-9 based qube and has
> > > some hints for me.
>
> I tested & get same problem as Sven. Could you please explain the
> flatpak approach, Joh? Besides the usage for signal-desktop this may be
> helpful in other cases as well! Thank you, Bernhard

https://flatpak.org/. You install flatpak in your template VM (using the usual tools). After that you fire up an AppVM for Signal (for example) and on its CLI run 'flatpak install --user flathub org.signal.Signal' & afterwards fire it up in the same AppVM using 'flatpak run org.signal.Signal'. Skype also is manageable this way as are others: https://flathub.org/apps

HTH, Joh
Re: [qubes-users] Re: my dom0 is not updating since before 4.01
On Sun, Jan 06, 2019 at 07:48:00PM -0800, Sergio Matta wrote:
> On Sunday, 6 January 2019 13:25:17 UTC-2, simon@gmail.com wrote:
> > On Sunday, January 6, 2019 at 1:32:45 PM UTC, Sergio Matta wrote:
> > > I think I have a problem with yum file configuration. Fedora 25 looks
> > > OK but Qubes never finds data:
> > >
> > > Fedora 25 - x86_64 - Updates 1.0 MB/s | 24 MB 00:24
> > > Fedora 25 - x86_64 2.0 MB/s | 50 MB 00:25
> > > Qubes Dom0 Repository (updates) 86 B/s | 169 B 00:01
> > > Qubes Community Templates repository 84 B/s | 169 B 00:02
> > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > Qubes Templates repository 116 B/s | 169 B 00:01
> > > Failed to synchronize cache for repo 'qubes-dom0-current', ignoring this repo.
> > > Failed to synchronize cache for repo 'qubes-templates-sommunity', ignoring this repo.
> > > Failed to synchronize cache for repo 'qubes-templates-itl', ignoring this repo.
> > > Failed to synchronize cache for repo 'qubes-templates-itl-testing', ignoring this repo.
> > > Last metadata expiration check: 0:00:09 ago on Sun Jan 6 10:12:44 2019.
> > > Dependencies resolved.
> > > Nothing to do.
> > > Complete!
> > > No packages downloaded
> >
> > https://github.com/QubesOS/qubes-issues/issues/3737
> >
> > https://www.qubes-os.org/doc/releases/4.0/release-notes/#upgrading
> >
> > change your repo from http to https
>
> Thank you Simon but it is not the protocol. I had already tried. I changed
> the qubes-dom0.repo with the rpmnew too. It looks like a URL error but I
> checked the URL with Firefox and it is OK.
> Now, I had an idea to replace the r$releasever variable with the string v4.0
> and it works! But there is something wrong in my Qubes. Why is there no
> $releasever variable? I think I need another fresh installation!
> Thank you for making me think!
>

There's no need to reinstall, which won't solve your problem.
This is a known issue that has been covered on the list before, and relates to your choice of updateVM. Try passing in --releasever=4.0 as an option in qubes-dom0-update.
There is a fix in testing, I think. Maybe already reached stable, but as you can't update that's not relevant to you. (Although you could manually download it, copy it to dom0, check signature in dom0 with rpm -K, and then install.)
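One way to gate the "check signature in dom0 with rpm -K, and then install" step from the message above, as an added example that is not part of the thread. The qube name, package file name and sample output lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Manual route sketched above:
#   1. download the fixed package in a networked qube
#   2. copy it into dom0 (qube name and path are placeholders):
#        qvm-run --pass-io <qube> 'cat /path/to/package.rpm' > package.rpm
#   3. check it with `rpm -K`, and install only if a signature verified.

# rpmk_signed_ok LINE
# LINE is one line of `rpm -K` output ("<file>: <tokens> OK|NOT OK ...").
# Succeeds only when a signature was actually verified. A bare "OK" is not
# enough: an unsigned package also ends in OK because its digests match.
rpmk_signed_ok() {
    result=${1#*: }                      # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*) return 1 ;;          # bad signature/digest or missing key
    esac
    case $result in
        *" OK") ;;
        *) return 1 ;;
    esac
    # Verified signatures appear as lowercase tokens; uppercase tokens mark
    # a failure or a key that is not in the rpm keyring.
    case " $result " in
        *" signatures "*|*" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*) return 0 ;;
    esac
    return 1
}

# verify_then_install FILE: run in dom0; installs only a verified package.
verify_then_install() {
    out=$(rpm -K "$1") || { echo "rejected: $out" >&2; return 1; }
    rpmk_signed_ok "$out" || { echo "rejected: $out" >&2; return 1; }
    sudo dnf install "$1"
}

# Constructed sample lines in both output styles rpm uses.
demo() {
    while IFS= read -r line; do
        if rpmk_signed_ok "$line"; then verdict=install; else verdict=REJECT; fi
        printf '%-8s %s\n' "$verdict" "$line"
    done <<'EOF'
fix.rpm: rsa sha1 (md5) pgp md5 OK
fix.rpm: sha1 md5 OK
fix.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
fix.rpm: digests signatures OK
fix.rpm: digests OK
fix.rpm: digests SIGNATURES NOT OK
EOF
}
demo
```

The check is only as good as the keys in dom0's rpm keyring, so a package signed by any imported key passes.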
Re: [qubes-users] Re: my dom0 is not updating since before 4.01
On 1/7/19 5:48 AM, Sergio Matta wrote:
> On Sunday, 6 January 2019 13:25:17 UTC-2, simon@gmail.com wrote:
>> On Sunday, January 6, 2019 at 1:32:45 PM UTC, Sergio Matta wrote:
>>> I think I have a problem with yum file configuration. Fedora 25 looks
>>> OK but Qubes never finds data:
>>>
>>> Fedora 25 - x86_64 - Updates 1.0 MB/s | 24 MB 00:24
>>> Fedora 25 - x86_64 2.0 MB/s | 50 MB 00:25
>>> Qubes Dom0 Repository (updates) 86 B/s | 169 B 00:01
>>> Qubes Community Templates repository 84 B/s | 169 B 00:02
>>> Qubes Templates repository 116 B/s | 169 B 00:01
>>> Qubes Templates repository 116 B/s | 169 B 00:01
>>> Failed to synchronize cache for repo 'qubes-dom0-current', ignoring this repo.
>>> Failed to synchronize cache for repo 'qubes-templates-sommunity', ignoring this repo.
>>> Failed to synchronize cache for repo 'qubes-templates-itl', ignoring this repo.
>>> Failed to synchronize cache for repo 'qubes-templates-itl-testing', ignoring this repo.
>>> Last metadata expiration check: 0:00:09 ago on Sun Jan 6 10:12:44 2019.
>>> Dependencies resolved.
>>> Nothing to do.
>>> Complete!
>>> No packages downloaded
>>
>> https://github.com/QubesOS/qubes-issues/issues/3737
>>
>> https://www.qubes-os.org/doc/releases/4.0/release-notes/#upgrading
>>
>> change your repo from http to https
>
> Thank you Simon but it is not the protocol. I had already tried. I changed
> the qubes-dom0.repo with the rpmnew too. It looks like a URL error but I
> checked the URL with Firefox and it is OK.
> Now, I had an idea to replace the r$releasever variable with the string v4.0
> and it works! But there is something wrong in my Qubes. Why is there no
> $releasever variable? I think I need another fresh installation!
> Thank you for making me think!

The OP in the ML post below had the same issue:
https://groups.google.com/d/msg/qubes-users/Whaa_OR6j6U/B4vwzYSqBgAJ

It's rather old though, not sure you have the same problem