Re: [qubes-users] Minimal builder.conf and template security

2018-08-13 Thread bobthebuilder
I am using this builder.conf:

# vim: ft=make ts=4 sw=4
# Ready to use config for full build of the latest Qubes OS (aka "master").
GIT_BASEURL ?= http://github.com
GIT_PREFIX ?= QubesOS/qubes-
NO_SIGN ?= 1
USE_QUBES_REPO_VERSION=4.0
DEBUG=1
VERBOSE=3
BRANCH ?= release4.0
BACKEND_VMM=xen
DIST_DOM0 ?= fc25
DISTS_VM ?= fc26
MGMT_COMPONENTS = \
    mgmt-salt \
    mgmt-salt-base \
    mgmt-salt-base-topd \
    mgmt-salt-base-config \
    mgmt-salt-base-overrides \
    mgmt-salt-dom0-qvm \
    mgmt-salt-dom0-virtual-machines \
    mgmt-salt-dom0-update
COMPONENTS ?= \
    linux-template-builder \
    builder \
    builder-debian

BUILDER_PLUGINS ?= \
    builder-rpm \
    builder-debian \
    mgmt-salt
BRANCH_vmm_xen = xen-4.8
BRANCH_linux_kernel = stable-4.14
BRANCH_linux_template_builder = master
BRANCH_linux_yum = master
BRANCH_linux_deb = master
BRANCH_app_linux_split_gpg = master
BRANCH_app_linux_tor = master
BRANCH_app_thunderbird = master
BRANCH_app_linux_pdf_converter = master
BRANCH_app_linux_img_converter = master
BRANCH_app_linux_input_proxy = master
BRANCH_app_linux_usb_proxy = master
BRANCH_app_yubikey = master
BRANCH_builder = master
BRANCH_builder_rpm = master
BRANCH_builder_debian = master
BRANCH_builder_archlinux = master
BRANCH_builder_github = master
BRANCH_builder_windows = master
BRANCH_infrastructure = master
BRANCH_template_whonix = master
BRANCH_linux_pvgrub2 = master
BRANCH_linux_scrypt = master
BRANCH_linux_gbulb = master
BRANCH_python_xcffib = master
BRANCH_python_sphinx = master
BRANCH_python_pillow = master
BRANCH_python_quamash = master
BRANCH_intel_microcode = master
TEMPLATE_ROOT_WITH_PARTITIONS = 1
TEMPLATE_LABEL ?=
TEMPLATE_LABEL += fc25:fedora-25
TEMPLATE_LABEL += fc26:fedora-26
TEMPLATE_LABEL += fc27:fedora-27
TEMPLATE_LABEL += fc28:fedora-28
TEMPLATE_ALIAS ?=
TEMPLATE_ALIAS += jessie:jessie+standard
TEMPLATE_ALIAS += jessie+gnome:jessie+gnome+standard
TEMPLATE_ALIAS += jessie+minimal:jessie+minimal+no-recommends
TEMPLATE_ALIAS += stretch:stretch+standard
TEMPLATE_ALIAS += stretch+gnome:stretch+gnome+standard
TEMPLATE_ALIAS += stretch+minimal:stretch+minimal+no-recommends
TEMPLATE_LABEL += fc25+minimal:fedora-25-minimal
TEMPLATE_LABEL += fc26+minimal:fedora-26-minimal
TEMPLATE_LABEL += fc27+minimal:fedora-27-minimal
TEMPLATE_LABEL += fc28+minimal:fedora-28-minimal
TEMPLATE_LABEL += fc25+xfce:fedora-25-xfce
TEMPLATE_LABEL += fc26+xfce:fedora-26-xfce
TEMPLATE_LABEL += fc27+xfce:fedora-27-xfce
TEMPLATE_LABEL += fc28+xfce:fedora-28-xfce
TEMPLATE_LABEL += jessie:debian-8
TEMPLATE_LABEL += jessie+standard:debian-8
TEMPLATE_LABEL += stretch:debian-9
TEMPLATE_LABEL += stretch+standard:debian-9

about::
	@echo "qubes-os-r4.0.conf"


"make qubes" seems to be successful and the xenstore-read error does not look 
critical. But when I then do "make iso" I get an error. I am building on fedora 
28 btw.
/create_template_list.sh: line 13: xenstore-read: command not found

Currently installed dependencies:
git-2.17.0-1.fc28.x86_64
rpmdevtools-8.10-4.fc28.noarch
rpm-build-4.14.1-7.fc28.x86_64
createrepo-0.10.3-15.fc28.noarch
python2-sh-1.12.14-3.fc28.noarch
wget-1.19.4-2.fc28.x86_64
python2-pyyaml-3.12-10.fc28.x86_64

[user@localhost qubes-builder]$ make iso
-> Preparing for ISO build...
--> Removing old rpms from the installer repos...
---> Cleaning up repo: dom0-updates...
---> Cleaning up repo: installer...
---> Cleaning up repo: qubes-dom0...
make: *** No rule to make target 'iso.copy-rpms.builder-debian', needed by 'iso.copy-rpms'.  Stop.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/LJm0RK0--3-1%40tutamail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Minimal builder.conf and template security

2018-08-13 Thread bobthebuilder

"make qubes" will build everything from source but I'd like to skip as much as 
I can to build an iso and mostly rely on packages already present in the yum 
and deb repo. Just building gcc takes more than 12 hours:
https://github.com/QubesOS/qubes-issues/issues/3979

marmarek instead suggests to remove this component and use 
USE_QUBES_REPO_VERSION = 4.0 to use the package from the mirror.

The question is what else could be skipped to build the iso?

Some other shortcut I found was:
"COMPONENTS = linux-template-builder builder builder-debian \
    template-whonix"
from
https://groups.google.com/forum/?_escaped_fragment_=msg/qubes-devel/W917Ur9XBVI/CM2bBa8-AQAJ#!msg/qubes-devel/W917Ur9XBVI/CM2bBa8-AQAJ

How often are the official templates rebuilt?

When I use the below builder.conf "make qubes" seems to be successful (I guess 
the xenstore-read is not critical). But when I then do "make iso" I get an 
error. I'm building on fedora 28.

# vim: ft=make ts=4 sw=4
# Ready to use config for full build of the latest Qubes OS (aka "master").
GIT_BASEURL ?= http://github.com
GIT_PREFIX ?= QubesOS/qubes-
NO_SIGN ?= 1
USE_QUBES_REPO_VERSION=4.0
DEBUG=1
VERBOSE=3
BRANCH ?= release4.0
BACKEND_VMM=xen
DIST_DOM0 ?= fc25
DISTS_VM ?= fc26
MGMT_COMPONENTS = \
    mgmt-salt \
    mgmt-salt-base \
    mgmt-salt-base-topd \
    mgmt-salt-base-config \
    mgmt-salt-base-overrides \
    mgmt-salt-dom0-qvm \
    mgmt-salt-dom0-virtual-machines \
    mgmt-salt-dom0-update
COMPONENTS ?= \
    linux-template-builder \
    builder \
    builder-debian

BUILDER_PLUGINS ?= \
    builder-rpm \
    builder-debian \
    mgmt-salt
BRANCH_vmm_xen = xen-4.8
BRANCH_linux_kernel = stable-4.14
BRANCH_linux_template_builder = master
BRANCH_linux_yum = master
BRANCH_linux_deb = master
BRANCH_app_linux_split_gpg = master
BRANCH_app_linux_tor = master
BRANCH_app_thunderbird = master
BRANCH_app_linux_pdf_converter = master
BRANCH_app_linux_img_converter = master
BRANCH_app_linux_input_proxy = master
BRANCH_app_linux_usb_proxy = master
BRANCH_app_yubikey = master
BRANCH_builder = master
BRANCH_builder_rpm = master
BRANCH_builder_debian = master
BRANCH_builder_archlinux = master
BRANCH_builder_github = master
BRANCH_builder_windows = master
BRANCH_infrastructure = master
BRANCH_template_whonix = master
BRANCH_linux_pvgrub2 = master
BRANCH_linux_scrypt = master
BRANCH_linux_gbulb = master
BRANCH_python_xcffib = master
BRANCH_python_sphinx = master
BRANCH_python_pillow = master
BRANCH_python_quamash = master
BRANCH_intel_microcode = master
TEMPLATE_ROOT_WITH_PARTITIONS = 1
TEMPLATE_LABEL ?=
TEMPLATE_LABEL += fc25:fedora-25
TEMPLATE_LABEL += fc26:fedora-26
TEMPLATE_LABEL += fc27:fedora-27
TEMPLATE_LABEL += fc28:fedora-28
TEMPLATE_ALIAS ?=
TEMPLATE_ALIAS += jessie:jessie+standard
TEMPLATE_ALIAS += jessie+gnome:jessie+gnome+standard
TEMPLATE_ALIAS += jessie+minimal:jessie+minimal+no-recommends
TEMPLATE_ALIAS += stretch:stretch+standard
TEMPLATE_ALIAS += stretch+gnome:stretch+gnome+standard
TEMPLATE_ALIAS += stretch+minimal:stretch+minimal+no-recommends
TEMPLATE_LABEL += fc25+minimal:fedora-25-minimal
TEMPLATE_LABEL += fc26+minimal:fedora-26-minimal
TEMPLATE_LABEL += fc27+minimal:fedora-27-minimal
TEMPLATE_LABEL += fc28+minimal:fedora-28-minimal
TEMPLATE_LABEL += fc25+xfce:fedora-25-xfce
TEMPLATE_LABEL += fc26+xfce:fedora-26-xfce
TEMPLATE_LABEL += fc27+xfce:fedora-27-xfce
TEMPLATE_LABEL += fc28+xfce:fedora-28-xfce
TEMPLATE_LABEL += jessie:debian-8
TEMPLATE_LABEL += jessie+standard:debian-8
TEMPLATE_LABEL += stretch:debian-9
TEMPLATE_LABEL += stretch+standard:debian-9

about::
	@echo "qubes-os-r4.0.conf"

/create_template_list.sh: line 13: xenstore-read: command not found

Currently installed dependencies:
git-2.17.0-1.fc28.x86_64
rpmdevtools-8.10-4.fc28.noarch
rpm-build-4.14.1-7.fc28.x86_64
createrepo-0.10.3-15.fc28.noarch
python2-sh-1.12.14-3.fc28.noarch
wget-1.19.4-2.fc28.x86_64
python2-pyyaml-3.12-10.fc28.x86_64

[user@localhost qubes-builder]$ make iso
-> Preparing for ISO build...
--> Removing old rpms from the installer repos...
---> Cleaning up repo: dom0-updates...
---> Cleaning up repo: installer...
---> Cleaning up repo: qubes-dom0...
make: *** No rule to make target 'iso.copy-rpms.builder-debian', needed by 'iso.copy-rpms'.  Stop.



Re: [qubes-users] Minimal builder.conf and template security

2018-08-12 Thread 'awokd' via qubes-users
On Sun, August 12, 2018 2:09 pm, Unman wrote:
> On Fri, Aug 10, 2018 at 09:01:46PM -, 'awokd' via qubes-users wrote:
>
>> On Fri, August 10, 2018 6:43 pm, bobthebuil...@tutamail.com wrote:
>>
>>> What is the minimal configuration for building qubes? I want to build
>>> a custom iso minus most of the templates so I only need dom0, netvm,
>>> usbvm and whonix. Are there any components that always need to build
>>> or can the whole iso be built from packages and templates in the yum
>>> or deb repository? Are templates in the repositories automatically
>>> rebuilt and uploaded so the latest bugfixes are always integrated or
>>> do you need to update the templates yourself?
>>
>> See https://www.qubes-os.org/doc/qubes-r3-building/ for steps on how to
>> build. You might be able to use Fedora 28 instead of 26, but I haven't
>> fully tested. From your list of "dom0, netvm, usbvm and whonix", the
>> only template you could exclude is debian-9. All templates and build
>> components get updated to current levels on a full build, so you
>> shouldn't have to update immediately after installing it.
>>
>
> If you want Whonix then you *have* to include debian-9 I think: aren't
> the whonix templates configured off the debian-9 base?

You have to include the debian builder to build Whonix templates, but I'm
not positive about the actual debian-9 template.

> The templates in the repositories are rebuilt, but do not always
> incorporate the latest bugfixes. It's good practice to immediately update
> after installing a new template. (If you roll your own, of course, you
> won't have this issue.)

A full build downloads/syncs everything off Qubes' repos and current
distribution patches. What other bugfixes are there?




Re: [qubes-users] Minimal builder.conf and template security

2018-08-12 Thread Unman
On Fri, Aug 10, 2018 at 09:01:46PM -, 'awokd' via qubes-users wrote:
> On Fri, August 10, 2018 6:43 pm, bobthebuil...@tutamail.com wrote:
> > What is the minimal configuration for building qubes? I want to build a
> > custom iso minus most of the templates so I only need dom0, netvm, usbvm
> > and whonix. Are there any components that always need to build or can the
> > whole iso be built from packages and templates in the yum or deb
> > repository? Are templates in the repositories automatically rebuilt and
> > uploaded so the latest bugfixes are always integrated or do you need to
> > update the templates yourself?
> 
> See https://www.qubes-os.org/doc/qubes-r3-building/ for steps on how to
> build. You might be able to use Fedora 28 instead of 26, but I haven't
> fully tested. From your list of "dom0, netvm, usbvm and whonix", the only
> template you could exclude is debian-9. All templates and build components
> get updated to current levels on a full build, so you shouldn't have to
> update immediately after installing it.
> 

If you want Whonix then you *have* to include debian-9 I think: aren't
the whonix templates configured off the debian-9 base?

If you are building an iso from scratch you can include custom templates
that you have built - for example, a minimal debian with additional
networking and usb packages - in preference to the Qubes standards. You
can drop Fedora templates altogether. Remember to edit the salt
packages appropriately.
Otherwise you can just build a barebones iso, install without
creating any qubes, and then manually configure them using the template
you have included.

The templates in the repositories are rebuilt, but do not always
incorporate the latest bugfixes. It's good practice to immediately
update after installing a new template. (If you roll your own, of
course, you won't have this issue.)

unman



Re: [qubes-users] Minimal builder.conf and template security

2018-08-10 Thread 'awokd' via qubes-users
On Fri, August 10, 2018 6:43 pm, bobthebuil...@tutamail.com wrote:
> What is the minimal configuration for building qubes? I want to build a
> custom iso minus most of the templates so I only need dom0, netvm, usbvm
> and whonix. Are there any components that always need to build or can the
> whole iso be built from packages and templates in the yum or deb
> repository? Are templates in the repositories automatically rebuilt and
> uploaded so the latest bugfixes are always integrated or do you need to
> update the templates yourself?

See https://www.qubes-os.org/doc/qubes-r3-building/ for steps on how to
build. You might be able to use Fedora 28 instead of 26, but I haven't
fully tested. From your list of "dom0, netvm, usbvm and whonix", the only
template you could exclude is debian-9. All templates and build components
get updated to current levels on a full build, so you shouldn't have to
update immediately after installing it.




[qubes-users] Minimal builder.conf and template security

2018-08-10 Thread bobthebuilder
What is the minimal configuration for building qubes? I want to build a custom 
iso minus most of the templates so I only need dom0, netvm, usbvm and whonix. 
Are there any components that always need to build or can the whole iso be 
built from packages and templates in the yum or deb repository? Are templates 
in the repositories automatically rebuilt and uploaded so the latest bugfixes 
are always integrated or do you need to update the templates yourself?
