[qubes-users] Re: Removing Thunderbird from fedora-29 removes 68 packages (of which 11 qubes packages)

2019-04-19 Thread Foppe de Haan
On Friday, April 19, 2019 at 10:28:15 PM UTC, tom...@gmail.com wrote:
> Hi guys,
> 
>   I installed Q4.0.1 on USB HDD to see changes from 3.2.
> As I've decided to use fedora-29 for system-related VMs, I wanted to remove 
> large apps like Firefox and Thunderbird from it.
> But running 'dnf remove thunderbird' on f29 template resulted in removal of 
> 67 other packages, which seem important.
> 
> Any idea what's wrong?
> I used latest Qubes ISO and updated dom0 and fedora-29 template before this 
> removal.
> 
> Remove  68 Packages
> {code}
> 
> regards,
>   tom

try dnf remove thunderbird --noautoremove

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/60d07299-a902-4be0-b197-f18884a1d0ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] minimal Fedora template as base for sys-net and sys-firewall

2019-04-19 Thread Andrew David Wong
On 19/04/2019 9.41 AM, Tim Wolf wrote:
> Hello all,
> 
> I need to save some space on my harddisk, why I would like to use a
> Fedora-29-minimal template as base for system and security related
> VMs.
> 
> Is there a list, what packages have to be added for this task?
> 
> As I'm trying out many unknown and possibly faulty packages in the
>  standard templates, I want to separate both parts.
> 
> Greets,
> 
> Tim
> 

It sounds like this is what you're looking for:

https://www.qubes-os.org/doc/templates/fedora-minimal/#customization

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] minimal Fedora template as base for sys-net and sys-firewall

2019-04-19 Thread unman
On Fri, Apr 19, 2019 at 04:41:55PM +0200, Tim Wolf wrote:
> Hello all,
> 
> I need to save some space on my harddisk, why I would like to use a
> Fedora-29-minimal template as base for system and security related VMs.
> 
> Is there a list, what packages have to be added for this task?
> 
> As I'm trying out many unknown and possibly faulty packages in the
> standard templates, I want to separate both parts.
> 
> Greets,
> 
> Tim
> 

Have a look at the excellent docs:
https://www.qubes-os.org/doc/templates/fedora-minimal/



[qubes-users] minimal Fedora template as base for sys-net and sys-firewall

2019-04-19 Thread Tim Wolf
Hello all,

I need to save some space on my harddisk, why I would like to use a
Fedora-29-minimal template as base for system and security related VMs.

Is there a list, what packages have to be added for this task?

As I'm trying out many unknown and possibly faulty packages in the
standard templates, I want to separate both parts.

Greets,

Tim



Re: [qubes-users] # !Mistake in the guide - new Qubes v3 onions for Whonix

2019-04-19 Thread Andrew David Wong
On 19/04/2019 6.40 AM, qubes-...@tutanota.com wrote:
> Hello all,
> 
> I spotted a mistake in the official announcement/guide for the new v3 Qubes 
> onions. 
> 
> https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/ 
> 
> 
> The part "Whonix templates do not require any action; their onion addresses 
> are still the same as before" should be replaced with this, as the whonix 
> onionizing *needs* action too: [...]
> 

Thank you for bringing this to our attention. There was a
miscommunication with the Whonix project that led to this error in the
announcement. After consulting with the Whonix project, I have corrected
the announcement to say that the Debian instructions also apply to Whonix.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org





[qubes-users] Qubes source code in Python?

2019-04-19 Thread jrsmiley
I was looking at the Qubes source recently and was mildly surprised to see that 
much of the Qubes-specific code is written in Python.  As much as that helps 
with productivity, I would have thought that the security risks outweigh the 
benefits.  Doesn’t the runtime engine alone present an attacker with a huge 
surface area compared to C, Rust, Go, and other languages typically used for 
system level development?



Re: [qubes-users] Re: Announcement: Qubes Tor onion services are available again!

2019-04-19 Thread unman
On Fri, Apr 19, 2019 at 06:38:28PM +, Jon deps wrote:
> On 4/18/19 3:05 AM, Andrew David Wong wrote:
> 
> I could be wrong but personally I believe my Dom0 & Templates are updated
> via sys-whonix-14 but just *do not use the .onion addresses ...
> 
> anything "wrong" with doing it this way ?
> 

Nothing wrong - doing it this way you are connecting to the normal
servers using Tor. That means you are routing through the Tor network
and leaving it from the exit node to get to the update server.

Using the onion servers you stay within the Tor network all the time.
You can be sure that your connection to the onion site is secure and
encrypted, and you can also be sure that it *is* the site you are trying
to access.
Some of this is provided by TLS, but that depends on a third party
certificate authority, and there are a number of examples where CAs have
been hacked or rogue certificates have been handed out. An onion service
provides its own authentication.

Of course, the fact that the connection is in Tor does *not* validate
the site or the packages served. They must be signed with the relevant
key, which you have chosen to trust. That's part of the general "distrust
of the infrastructure" - see
https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure.



Re: [qubes-users] Removing Thunderbird from fedora-29 removes 68 packages (of which 11 qubes packages)

2019-04-19 Thread unman
On Fri, Apr 19, 2019 at 03:28:15PM -0700, tom...@gmail.com wrote:
> Hi guys,
> 
>   I installed Q4.0.1 on USB HDD to see changes from 3.2.
> As I've decided to use fedora-29 for system-related VMs, I wanted to remove 
> large apps like Firefox and Thunderbird from it.
> But running 'dnf remove thunderbird' on f29 template resulted in removal of 
> 67 other packages, which seem important.
> 
> Any idea what's wrong?
> I used latest Qubes ISO and updated dom0 and fedora-29 template before this 
> removal.
> 
> Note: I've stripped all but 1st column of output for readability
> {code}
> Removing:
>  thunderbird  
> Removing dependent packages:
>  qubes-vm-recommended  
> Removing unused dependencies:
>  ethtool   
>  fakeroot  
>  fakeroot-libs 
>  js-jquery 
>  libnftnl  
>  libtomcrypt   
>  libtommath
>  mozilla-filesystem
>  nautilus-python   
>  net-tools 
>  nftables  
>  openpgm   
>  pciutils  
>  pciutils-libs 
>  pulseaudio-qubes  
>  python-systemd-doc
>  python2-babel 
>  python2-backports 
>  python2-backports-ssl_match_hostname  
>  python2-backports_abc 
>  python2-cairo 
>  python2-chardet   
>  python2-crypto 
>  python2-futures
>  python2-idna   
>  python2-ipaddress
>  python2-jinja2   
>  python2-markupsafe
>  python2-msgpack   
>  python2-nose  
>  python2-numpy 
>  python2-olefile   
>  python2-pillow
>  python2-psutil
>  python2-pycurl
>  python2-pysocks   
>  python2-pytz  
>  python2-pyyaml
>  python2-qubesimgconverter
>  python2-requests 
>  python2-singledispatch   
>  python2-six  
>  python2-systemd  
>  python2-tornado  
>  python2-urllib3  
>  python2-xpyb 
>  python2-zmq  
>  qubes-core-agent-dom0-updates
>  qubes-core-agent-nautilus
>  qubes-core-agent-network-manager
>  qubes-core-agent-networking 
>  qubes-core-agent-passwordless-root
>  qubes-gpg-split   
>  qubes-img-converter   
>  qubes-input-proxy-sender  
>  qubes-mgmt-salt-vm-connector  
>  qubes-pdf-converter   
>  qubes-usb-proxy   
>  salt  
>  salt-ssh  
>  socat 
>  thunderbird-qubes 
>  tinyproxy 
>  usbutils  
>  web-assets-filesystem 
>  zeromq
> 
> Transaction Summary
> 
> Remove  68 Packages
> {code}
> 
> regards,
>   tom
> 

Nothing wrong.
There's a meta package called qubes-vm-recommended which pulls in all sorts of
qubes features, and useful software.
When you set to remove thunderbird, it removes qubes-thunderbird, which
then removes qubes-vm-recommended, and that removes all dependencies of
*that* package : what you are seeing is the consequence of that.

I'm not that familiar with Fedora, but you need to set the qubes
packages individually to retain them: you can do this with 'dnf mark
install'.
Or, you can set clean_requirements_on_remove to false in
/etc/dnf/dnf.conf. That will break the dependency requirements.

An alternative approach would be to start with the minimal template and
install the packages you want individually rather than using the meta
package.

unman
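
An added example (not from the thread or the Qubes project): a shell helper that reads a dnf removal listing and prints the Qubes packages that would be dropped as dependents or unused dependencies, so they can be kept with the 'dnf mark install' approach described above. The function names and the sample listing (shortened from the one quoted in this thread) are assumptions.

```shell
#!/bin/sh
# Added example: find the Qubes packages a removal would drop as collateral.

# Constructed sample: a shortened version of the transaction listing quoted
# in this thread (first column only).
SAMPLE_TRANSACTION='Removing:
 thunderbird
Removing dependent packages:
 qubes-vm-recommended
Removing unused dependencies:
 ethtool
 nftables
 pulseaudio-qubes
 python2-qubesimgconverter
 qubes-core-agent-networking
 qubes-gpg-split
 qubes-usb-proxy
 thunderbird-qubes
 tinyproxy

Transaction Summary

Remove  11 Packages'

# qubes_collateral TARGET
# Reads a dnf transaction listing on stdin and prints the Qubes packages
# listed under "dependent packages" or "unused dependencies". Skipped:
#   - qubes-vm-recommended, the meta package that pulls everything in
#   - TARGET-qubes, the add-on for the application being removed
qubes_collateral() {
    awk -v target="$1" '
        /^Removing dependent packages:/  { collateral = 1; next }
        /^Removing unused dependencies:/ { collateral = 1; next }
        /^[^ ]/                          { collateral = 0; next }  # any other header line
        collateral && NF >= 1 && $1 ~ /qubes/ &&
            $1 != "qubes-vm-recommended" && $1 != (target "-qubes") { print $1 }
    '
}

# mark_command TARGET
# Prints the 'dnf mark install' command that records those packages as
# user-installed, so dnf no longer treats them as unused dependencies.
# Prints nothing when there is no Qubes collateral.
mark_command() {
    pkgs=$(qubes_collateral "$1" | tr '\n' ' ')
    if [ -n "$pkgs" ]; then
        printf 'dnf mark install %s\n' "${pkgs% }"
    fi
}

# On a template the input would come from a dry run, for example:
#   dnf remove --assumeno thunderbird 2>&1 | mark_command thunderbird
printf '%s\n' "$SAMPLE_TRANSACTION" | mark_command thunderbird
```

Review the printed command before running it in the template; the non-Qubes tools in the listing (nftables, tinyproxy and so on) are only kept if a package that requires them stays installed.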



[qubes-users] Removing Thunderbird from fedora-29 removes 68 packages (of which 11 qubes packages)

2019-04-19 Thread tomhet
Hi guys,

  I installed Q4.0.1 on USB HDD to see changes from 3.2.
As I've decided to use fedora-29 for system-related VMs, I wanted to remove 
large apps like Firefox and Thunderbird from it.
But running 'dnf remove thunderbird' on f29 template resulted in removal of 67 
other packages, which seem important.

Any idea what's wrong?
I used latest Qubes ISO and updated dom0 and fedora-29 template before this 
removal.

Note: I've stripped all but 1st column of output for readability
{code}
Removing:
 thunderbird  
Removing dependent packages:
 qubes-vm-recommended  
Removing unused dependencies:
 ethtool   
 fakeroot  
 fakeroot-libs 
 js-jquery 
 libnftnl  
 libtomcrypt   
 libtommath
 mozilla-filesystem
 nautilus-python   
 net-tools 
 nftables  
 openpgm   
 pciutils  
 pciutils-libs 
 pulseaudio-qubes  
 python-systemd-doc
 python2-babel 
 python2-backports 
 python2-backports-ssl_match_hostname  
 python2-backports_abc 
 python2-cairo 
 python2-chardet   
 python2-crypto 
 python2-futures
 python2-idna   
 python2-ipaddress
 python2-jinja2   
 python2-markupsafe
 python2-msgpack   
 python2-nose  
 python2-numpy 
 python2-olefile   
 python2-pillow
 python2-psutil
 python2-pycurl
 python2-pysocks   
 python2-pytz  
 python2-pyyaml
 python2-qubesimgconverter
 python2-requests 
 python2-singledispatch   
 python2-six  
 python2-systemd  
 python2-tornado  
 python2-urllib3  
 python2-xpyb 
 python2-zmq  
 qubes-core-agent-dom0-updates
 qubes-core-agent-nautilus
 qubes-core-agent-network-manager
 qubes-core-agent-networking 
 qubes-core-agent-passwordless-root
 qubes-gpg-split   
 qubes-img-converter   
 qubes-input-proxy-sender  
 qubes-mgmt-salt-vm-connector  
 qubes-pdf-converter   
 qubes-usb-proxy   
 salt  
 salt-ssh  
 socat 
 thunderbird-qubes 
 tinyproxy 
 usbutils  
 web-assets-filesystem 
 zeromq

Transaction Summary

Remove  68 Packages
{code}

regards,
  tom



[qubes-users] Re: randomizing VPN servers i connect to with my vpnvm?

2019-04-19 Thread Jon deps

On 4/18/19 12:08 PM, Chris Laprise wrote:
> On 4/17/19 8:38 PM, Stumpy wrote:
>> I was thinking the line "remote random" in my .ovpn file, along with
>> the ip addresses would make the VPN VM randomly select different
>> servers but that doesn't *seem* to be the case, the bit that was
>> included in the .ovpn files that I think is relevant is:
>>
>> remote-random
>> resolv-retry infinite
>> nobind
>> cipher AES-256-CBC
>> auth SHA512
>> comp-lzo
>> verb 3
>>
>> Is there something else I need to do? I assumed it would either change
>> when it reconnects or is restarted but that doesn't seem to be the case.
>
> You also have to specify multiple "remote" lines, one for each address.

is there some howto URL writeup on this , sounds like something I may 
like to try
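
The point in Chris Laprise's reply, written as a check over an .ovpn profile. This is an added example, not from the thread or from OpenVPN; the function names and the sample profile are constructed, and its addresses come from a documentation range.

```shell
#!/bin/sh
# Added example: does remote-random have anything to choose between?

# Constructed sample profile: the options quoted in the thread plus several
# "remote" lines (one commented out, one duplicated).
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 1194
; remote 203.0.113.12 1194
remote 203.0.113.10 1194
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3'

# Print the distinct active "remote" entries (host, port, proto), one per line.
# Syntax assumed: remote host [port] [proto]; lines starting with # or ; are comments.
distinct_remotes() {
    awk '
        /^[ \t]*[#;]/ { next }
        $1 == "remote" && NF >= 2 {
            key = $2 " " ($3 == "" ? "default-port" : $3) " " ($4 == "" ? "default-proto" : $4)
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Read a profile on stdin and report whether remote-random can have an effect.
check_remote_random() {
    profile=$(cat)
    n=$(printf '%s\n' "$profile" | distinct_remotes | wc -l | tr -d ' ')
    if ! printf '%s\n' "$profile" | grep -Eq '^[[:space:]]*remote-random([[:space:]]|$)'; then
        echo "remote-random not set: $n remote(s) tried in file order"
    elif [ "$n" -lt 2 ]; then
        echo "remote-random set but only $n distinct remote: nothing to randomize"
    else
        echo "remote-random set with $n distinct remotes"
    fi
}

printf '%s\n' "$SAMPLE_OVPN" | check_remote_random
```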




Re: [qubes-users] Icons on my desktop security question?

2019-04-19 Thread jsnow

22...@tutamail.com:
> Rookie question:
>
> 1) Why I didn't discover this before I don't know, simply drag the program from the Qubes
> drop down menu onto the desktop i.e. drag "Fedora-dvm-Firefox" or any other app
> program onto the desktop for easy access.
>
> Does this impact my Qubes security? It asked if I want to execute this program the first
> time I use the icon, clicked "Yes"...
>
> Pretty slick feature...

Yea having shortcuts for frequently used apps on my desktop definitely 
helps usability for me too. I can't think of any security implications 
for this, since an attacker shouldn't be able to execute them unless 
they have access to dom0 anyway, but i'm not an expert!

When xfce asks if you want to execute the shortcut you should be able to 
just mark it executable so it doesn't ask again.


--
Jackie







Re: [qubes-users] qubes using cpu with 8 cores

2019-04-19 Thread jrsmiley
There is a ton of information about Hyperthreading, use cases that benefit from 
it, use cases that don’t, Security issues, benchmarks, and more just a web 
search away. 



[qubes-users] Re: Announcement: Qubes Tor onion services are available again!

2019-04-19 Thread Jon deps

On 4/18/19 3:05 AM, Andrew David Wong wrote:

Dear Qubes Community,

We previously announced that the Qubes Tor onion services were no
longer being maintained due to lack of resources. [1] However, Unman
generously agreed to bring them back, and they're now available once
again!

Here are the new onion service URLs:

Website:  www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Soon, you will be able to get the new, correct repo definitions just by
updating dom0 and your TemplateVMs. However, if you can't wait, you can
edit your repository definitions by following the instructions below.


Instructions


Follow these instructions *only if* you wish to update dom0 and your
TemplateVMs over Tor (via `sys-whonix`). This is an opt-in feature. If,
instead, you wish to update over your regular network connection (aka
"clearnet"), *or if you are not sure*, then *do not* follow these
instructions.

In order to use the new onion services, you must ensure that *every*
line that contains an onion address uses the appropriate *new* address
above. We'll go through this for dom0, Fedora templates, and Debian
templates. Whonix templates do not require any action; their onion
addresses are still the same as before. For additional information, see
"Onionizing Repositories" on the Whonix wiki. [2]


dom0


1. In dom0, open `/etc/yum.repos.d/qubes-dom0.repo` in a text editor.

2. Comment out all the `baseurl = https://yum.qubes-os.org/[...]` and
`metalink` lines.

3. Uncomment all the `baseurl = [...].onion` lines.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink

5. Open `/etc/yum.repos.d/qubes-templates.repo` in a text editor and
repeat steps 2-4.

6. In *Qubes Global Settings*, set *Dom0 UpdateVM* to `sys-whonix`.


Fedora TemplateVMs
==================

1. In the TemplateVM, open `/etc/yum.repos.d/qubes-r4.repo` in a text
editor.

2. Comment out every line that contains `yum.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM $default allow,target=sys-whonix


Debian TemplateVMs
==================

1. In the TemplateVM, open `/etc/apt/sources.list.d/qubes-r4.list` in a
text editor.

2. Comment out every line that contains `deb.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm stretch main
#deb-src https://deb.qubes-os.org/r4.0/vm stretch main


# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM $default allow,target=sys-whonix


[1] https://www.qubes-os.org/news/2018/01/23/qubes-whonix-next-gen-tor-onion-services/
[2] https://www.whonix.org/wiki/Onionizing_Repositories

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/

-- 
Andrew David Wong (Axon)

Community Manager, Qubes OS
https://www.qubes-os.org

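
The Fedora TemplateVM steps above as a filter over the repo file's text, with a check that no active line still names the clearnet host and that signature checking (`gpgcheck`) has not been switched off. This is an added example, not part of the announcement or of Qubes tooling; the function names and the sample file contents, including the old onion host, are constructed.

```shell
#!/bin/sh
# Added example: apply steps 2-4 of the Fedora TemplateVM instructions to
# repo text read from stdin, then verify the result.

# New yum onion host, as given in the announcement.
NEW_YUM_ONION='yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion'

# Constructed sample of /etc/yum.repos.d/qubes-r4.repo. The old onion host
# below is a made-up placeholder, not a real address.
SAMPLE_REPO='[qubes-vm-r4.0-current]
name = Qubes OS Repository for VM (updates)
baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
#baseurl = http://yum.oldplaceholderaddress.onion/r4.0/current/vm/fc$releasever
gpgcheck = 1
enabled = 1'

# Step 2: comment out every line that contains yum.qubes-os.org.
# Step 3: uncomment every line that contains .onion.
# Step 4: point every yum onion address at the new host.
onionize_repo() {
    sed -E \
        -e '/yum\.qubes-os\.org/ s/^[[:space:]]*([^#[:space:]])/#\1/' \
        -e '/\.onion/ s/^[[:space:]]*#[[:space:]]*//' \
        -e "s#yum\.[a-z2-7]+\.onion#${NEW_YUM_ONION}#g"
}

# Succeeds only if, among active (uncommented) lines:
#   - none names the clearnet host,
#   - every baseurl uses the new onion host,
#   - gpgcheck is not disabled (Tor does not validate the packages;
#     the signatures do).
repo_is_onion_only() {
    awk -v host="$NEW_YUM_ONION" '
        /^[ \t]*#/                               { next }
        /yum\.qubes-os\.org/                      { bad = 1 }
        /^[ \t]*baseurl/ && index($0, host) == 0 { bad = 1 }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*0/          { bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Show the transformed sample.
printf '%s\n' "$SAMPLE_REPO" | onionize_repo
```

Step 5, the `qubes.UpdatesProxy` policy line in dom0, remains a manual edit.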

[qubes-users] # !Mistake in the guide - new Qubes v3 onions for Whonix

2019-04-19 Thread qubes-fan
Hello all,

I spotted a mistake in the official announcement/guide for the new v3 Qubes 
onions. 

https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/ 


The part "Whonix templates do not require any action; their onion addresses are 
still the same as before" should be replaced with this, as the whonix 
onionizing *needs* action too:


1. In the TemplateVM whonix-gw-14, open /apt/sources.list.d/qubes-r4.list in a 
text editor. Do the same for /apt/sources.list.d/qubes-r4.list.save.

2. Update every .onion address to 
deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion.

3. Comment out every line that contains yum.qubes-os.org.

4. Uncomment every line that contains .onion. 


Lines should look like this:

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm stretch main


Repeat the same for the TemplateVM whonix-ws-14 in the 
/apt/sources.list.d/qubes-r4.list

Now your updates of Whonix templates are onionized. Whonix will change their 
guide for onionizing updates as well.

Thanks to Lilias from whonix chatroom for his assistance! 



[qubes-users] Re: Windows 10 Pro HVM does not work with Mirage Firewall

2019-04-19 Thread Claudio Chinicz

On 19/04/2019 12:05, Thomas Leonard wrote:
> On Thursday, April 18, 2019 at 9:53:25 AM UTC+1, Claudio Chinicz wrote:
>> Hi All,
>>
>> Once again I turn to the Qubes Community to ask for help.
>>
>> I have a Mirage Firewall VM that works with HVM (Linux Mint) and
>> Debian/Fedora template-based PVMs.
>>
>> My Windows 10 HVM, which works just fine through sys-firewall
>> (copy/paste and file sharing with other VMs don't, but I can live with it).
>>
>> I've tried setting up networking manually by adding its IP, mask and
>> gateway and rebooting but it did not work. It works with DHCP instead
>> when getting network through sys-firewall.
>>
>> I've followed all the ideas from here
>> (https://www.windowscentral.com/how-regain-internet-access-after-installing-update-windows-10)
>> and it still did not work.
>>
>> One last piece of information, my Windows 10 Pro was successfully
>> activated using a key I provided.
>>
>> Any ideas? This is not critical, since I can continue using
>> sys-firewall, but would love to free some memory by using Mirage.
>
> There might be clues in the firewall VM's logs. You can see them with Qubes
> Manager (right-click on mirage-firewall and choose Logs ->
> guest-mirage-firewall.log). Open the logs just after booting Windows and seeing
> that networking doesn't work and look at the end.
>
> You can also do "sudo xl console mirage-firewall" in dom0 to follow the logs
> and then boot Windows and watch for new entries.

Hi Thomas,

Thanks in advance. Please see below logs from guest-mirage-firewall.log. 
My Windows VM is 10.137.0.21.

What really surprises me is why it does not work even if I set my 
ip/mask/gateway as it works with Linux Mint? What's different with Windows?


Best Regards,

Claudio

2019-04-18 11:20:10 -00:00: INF [client_net] Client 18 (IP: 10.137.0.21) ready
2019-04-18 11:20:10 -00:00: INF [ethernet] Connected Ethernet interface 00:16:3e:5e:6c:00
2019-04-18 11:20:11 -00:00: INF [client_net] add client vif {domid=17;device_id=0}
2019-04-18 11:20:11 -00:00: INF [qubes.db] got rm "/qubes-iptables-domainrules/"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables-header" = "# Generated by Qubes Core on Thu Apr 18 14:20:11 2019\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p icmp -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\n-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -i vif+ -o vif+ -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables-domainrules/10" = "*filter\n-A FORWARD -s 10.137.0.18 -j ACCEPT\n-A FORWARD -s 10.137.0.18 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables-domainrules/17" = "*filter\n-A FORWARD -s 10.137.0.21 -j ACCEPT\n-A FORWARD -s 10.137.0.21 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables-domainrules/14" = "*filter\n-A FORWARD -s 10.137.0.13 -j ACCEPT\n-A FORWARD -s 10.137.0.13 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables-domainrules/9" = "*filter\n-A FORWARD -s 10.137.0.8 -j ACCEPT\n-A FORWARD -s 10.137.0.8 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables" = "reload"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-ip" = "10.137.0.21"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-gateway" = "10.137.0.23"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21/" = "action=accept"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21/policy" = "drop"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21" = ""
2019-04-18 11:20:11 -00:00: INF [qubes.db] got rm "/qubes-firewall/10.137.0.21/"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21/" = "action=accept"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21/policy" = "drop"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-firewall/10.137.0.21" = ""

2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 0.0.0.0 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 10.137.0.1 in IP packet from 10.137.0.21 (dropping)

2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.21?
2019-04-18 11:20:22 -00:00: INF [client_eth] ignoring request for client's own IP
2019-04-18 11:20:22 -00:00: WRN [cli
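
The log excerpt above can be summarised mechanically. The script below is an added example, not part of the thread or of mirage-firewall's own code: it pairs each client's visible-gateway from the QubesDB updates with the ARP requests the firewall left unanswered and the packets it dropped for an incorrect source IP. The function name, and the assumption that a "not responding" entry belongs to the who-has line directly before it, are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the log in the post above, with e-mail line wraps rejoined.
SAMPLE_LOG = """\
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-ip" = "10.137.0.21"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-gateway" = "10.137.0.23"
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 0.0.0.0 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 10.137.0.1 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.21?
2019-04-18 11:20:22 -00:00: INF [client_eth] ignoring request for client's own IP
"""

GATEWAY = re.compile(r'"/mapped-ip/([\d.]+)/visible-gateway" = "([\d.]+)"')
WHO_HAS = re.compile(r"\[client_eth\] who-has ([\d.]+)\?")
BAD_SRC = re.compile(r"\[client_net\] Incorrect source IP ([\d.]+) in IP packet from ([\d.]+)")
NO_REPLY = "[client_eth] unknown address; not responding"

def summarize(log_text):
    """Correlate QubesDB gateway assignments with ARP misses and source-IP drops."""
    gateways = {}                # client IP -> visible-gateway from QubesDB
    unanswered = []              # ARP targets the firewall did not answer
    dropped = defaultdict(list)  # client IP -> source addresses it was dropped for
    pending = None               # target of the who-has entry just seen
    for line in log_text.splitlines():
        if m := WHO_HAS.search(line):
            pending = m.group(1)
            continue
        # Assumption: "not responding" refers to the who-has right before it.
        if NO_REPLY in line and pending:
            unanswered.append(pending)
        elif m := GATEWAY.search(line):
            gateways[m.group(1)] = m.group(2)
        elif m := BAD_SRC.search(line):
            dropped[m.group(2)].append(m.group(1))
        pending = None
    targets = sorted(set(unanswered))
    return {
        "gateways": gateways,
        "unanswered_arp": targets,
        "dropped_sources": dict(dropped),
        "arp_not_gateway": [t for t in targets if t not in gateways.values()],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a full log, pass the contents of guest-mirage-firewall.log to summarize() instead of SAMPLE_LOG.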

[qubes-users] Re: Windows 10 Pro HVM does not work with Mirage Firewall

2019-04-19 Thread Thomas Leonard
On Thursday, April 18, 2019 at 9:53:25 AM UTC+1, Claudio Chinicz wrote:
> Hi All,
> 
> Once again I turn to the Qubes Community to ask for help.
> 
> I have a Mirage Firewall VM that works with HVM (Linux Mint) and 
> Debian/Fedora template-based PVMs.
> 
> My Windows 10 HVM, which works just fine through sys-firewall 
> (copy/paste and file sharing with other VMs don't, but I can live with it).
> 
> I've tried setting up networking manually by adding its IP, mask and 
> gateway and rebooting but it did not work. It works with DHCP instead 
> when getting network through sys-firewall.
> 
> I've followed all the ideas from here 
> (https://www.windowscentral.com/how-regain-internet-access-after-installing-update-windows-10)
>  
> and it still did not work.
> 
> One last piece of information, my Windows 10 Pro was successfully 
> activated using a key I provided.
> 
> Any ideas? This is not critical, since I can continue using 
> sys-firewall, but would love to free some memory by using Mirage.

There might be clues in the firewall VM's logs. You can see them with Qubes 
Manager (right-click on mirage-firewall and choose Logs -> 
guest-mirage-firewall.log). Open the logs just after booting Windows and seeing 
that networking doesn't work and look at the end.

You can also do "sudo xl console mirage-firewall" in dom0 to follow the logs 
and then boot Windows and watch for new entries.



Re: [qubes-users] qubes using cpu with 8 cores

2019-04-19 Thread 799
Hello,

katmai karbonellenc wrote on Fri, 19 Apr 2019, 02:29:

> > You almost certainly don't have 8 cores - you probably have a 4 core CPU
> > with hyperthreading.
> > By default Qubes disables hyperthreading for security reasons.
>

I have looked at the output of the commands:

model name : Intel(R) Core(TM) i7-7700K CPU
(...)
cpu cores : 4

and you are referring to the right CPU spec sheet

The specifications of this CPU:
>
> https://www.intel.co.uk/content/www/uk/en/products/processors/core/i7-processors/i7-7700k.html


There you can find the information:

# of Cores = 4
# of Threads = 8
(...)
Intel Hyper-Threading Technology = Yes

As such you only have 4 real cores and Qubes is correct telling you this
information.

Why deactivate Hyperthreading?

QSB #43: L1 Terminal Fault speculative side channel (XSA-273)
https://www.qubes-os.org/news/2018/09/02/qsb-43/

(...) Part of the mitigation is to disable hyper-threading. This halves the
number of CPU cores that the system sees compared to having
hyper-threading enabled, thus reducing system performance.  Since Qubes OS
4.0 uses both PVH and HVM qubes, it is _not_ safe to re-enable
hyper-threading.  If you have previously modified the number of virtual
CPUs assigned to any qube (the "vcpus" property), it may be necessary to
adjust this value in order to account for reduced system performance. (...)

If you are interested in Hyperthreading performance tests, you might be
interested in looking into this article:

Intel Hyper Threading Performance With A Core i7 On Ubuntu 18.04 LTS
https://www.phoronix.com/scan.php?page=article&item=intel-ht-2018&num=1

Regards

- O/799
