Re: [qubes-users] Updates, security
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2017-01-20 19:15, haxy wrote: >> On 2017-01-19 16:21, haxy wrote: > On 2017-01-18 18:00, haxy wrote: On 2017-01-16 13:22, haxy wrote: >>> On 2017-01-14 20:04, haxy wrote: Qubes onion repos have >>> just been implemented. Minimal documentation available >>> here: >>> >>> https://www.qubes-os.org/doc/hidden-service-repos/ >>> >>> First of all, thanks for making the onion repos >>> available! >>> >>> Following directions to onionize repositories I made a >>> mistake inputting the onion address. Re-running the >>> commands, dom0 example, "sudo sed -i >>> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat >>> still shows the input made with the incorrect onion >>> repo. Tried using "sudo sed -i >>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" with the same >>> results.' >>> >>> (Noticed the command from the whonix wiki differs >>> slightly from the qubes wiki command. "qubes-yum" vice >>> "yum" before the onion address.) >>> >>> Was able to get the debian and fedora repos functioning >>> by manually inputting the correct onion address in >>> their respective files but am unable to do that in >>> Dom0. How can I correct this issue in Dom0? >>> You can do it the same way in dom0: by manually editing the file. For example: $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, save, and close.) > > Thanks Andrew. Using vim worked. :) Do you know why re-running the command, "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the first incorrect address entry? Curious if it's reproducible or something on my end only? 
> > It's possible that 'yum.qubes-os.org' was no longer present in the > text and therefore couldn't be found in order to be replaced. > Also, a couple of other questions. 1. Seems there are 2 distinct onion addresses that can be used for the qubes repos, "qubesos4z6n4.onion" or "whonix kk63ava6.onion". Is there any reason to prefer one over the other? > > No, both point to the same server. > 2. Which onion address should be used for Qubes website access? "http://qubesos4z6n4.onion/"; or "http://qubesosmamapaxpa.onion/";? Looks like the "qubesosmamapaxpa" site is not up to date. > > http://qubesos4z6n4.onion/ should be used. We don't have any > control over http://qubesosmamapaxpa.onion/ (it appears to be > updated only infrequently). > >> >> > > > >>> Do you know why re-running the command, "sudo sed -i >>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite >>> the first incorrect address entry? Curious if it's >>> reproducible or something on my end only? >>> >> It's possible that 'yum.qubes-os.org' was no longer present in >> the text and therefore couldn't be found in order to be >> replaced. > > I'm not sure what you mean by this. Why would "yum.qubes-os.org" > not have been present in the text? I re-ran the command several > times using both onion addresses with the same result. > >> >> Above, you wrote, "Following directions to onionize repositories I >> made a mistake inputting the onion address." You didn't specify your >> mistake, so as far as I know, it's possible that your mistake altered >> the content of the file such that "yum.qubes-os.org" was no longer >> present in the text. >> > >>> 1. Seems there are 2 distinct onion addresses that can be used >>> for the qubes repos, "qubesos4z6n4.onion" or "whonix >>> kk63ava6.onion". Is there any reason to prefer one >>> over the other? >>> >> No, both point to the same server. > > Thanks! > > >>> 2. 
Which onion address should be used for Qubes website >>> access? "http://qubesos4z6n4.onion/"; or >>> "http://qubesosmamapaxpa.onion/";? Looks like the >>> "qubesosmamapaxpa" site is not up to date. >>> >> http://qubesos4z6n4.onion/ should be used. We don't have any >> control over htt
Re: [qubes-users] Updates, security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-01-20 19:15, haxy wrote: > On 2017-01-19 16:21, haxy wrote: On 2017-01-18 18:00, haxy wrote: >>> On 2017-01-16 13:22, haxy wrote: >> On 2017-01-14 20:04, haxy wrote: Qubes onion repos have >> just been implemented. Minimal documentation available >> here: >> >> https://www.qubes-os.org/doc/hidden-service-repos/ >> >>> >>> >> First of all, thanks for making the onion repos >> available! >> >> Following directions to onionize repositories I made a >> mistake inputting the onion address. Re-running the >> commands, dom0 example, "sudo sed -i >> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat >> still shows the input made with the incorrect onion >> repo. Tried using "sudo sed -i >> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" with the same >> results.' >> >> (Noticed the command from the whonix wiki differs >> slightly from the qubes wiki command. "qubes-yum" vice >> "yum" before the onion address.) >> >> Was able to get the debian and fedora repos functioning >> by manually inputting the correct onion address in >> their respective files but am unable to do that in >> Dom0. How can I correct this issue in Dom0? >> >>> >>> You can do it the same way in dom0: by manually editing the >>> file. >>> >>> For example: >>> >>> $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, >>> save, and close.) >>> >>> Thanks Andrew. Using vim worked. :) >>> >>> Do you know why re-running the command, "sudo sed -i >>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite >>> the first incorrect address entry? Curious if it's >>> reproducible or something on my end only? 
>>> It's possible that 'yum.qubes-os.org' was no longer present in the text and therefore couldn't be found in order to be replaced. >>> Also, a couple of other questions. >>> >>> 1. Seems there are 2 distinct onion addresses that can be >>> used for the qubes repos, "qubesos4z6n4.onion" or >>> "whonix kk63ava6.onion". Is there any reason to >>> prefer one over the other? >>> No, both point to the same server. >>> 2. Which onion address should be used for Qubes website >>> access? "http://qubesos4z6n4.onion/"; or >>> "http://qubesosmamapaxpa.onion/";? Looks like the >>> "qubesosmamapaxpa" site is not up to date. >>> http://qubesos4z6n4.onion/ should be used. We don't have any control over http://qubesosmamapaxpa.onion/ (it appears to be updated only infrequently). > > >> Do you know why re-running the command, "sudo sed -i >> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite >> the first incorrect address entry? Curious if it's >> reproducible or something on my end only? >> > It's possible that 'yum.qubes-os.org' was no longer present in > the text and therefore couldn't be found in order to be > replaced. I'm not sure what you mean by this. Why would "yum.qubes-os.org" not have been present in the text? I re-ran the command several times using both onion addresses with the same result. > > Above, you wrote, "Following directions to onionize repositories I > made a mistake inputting the onion address." You didn't specify your > mistake, so as far as I know, it's possible that your mistake altered > the content of the file such that "yum.qubes-os.org" was no longer > present in the text. > >> 1. Seems there are 2 distinct onion addresses that can be used >> for the qubes repos, "qubesos4z6n4.onion" or "whonix >> kk63ava6.onion". Is there any reason to prefer one >> over the other? >> > No, both point to the same server. Thanks! >> 2. 
Which onion address should be used for Qubes website >> access? "http://qubesos4z6n4.onion/"; or >> "http://qubesosmamapaxpa.onion/";? Looks like the >> "qubesosmamapaxpa" site is not up to date. >> > http://qubesos4z6n4.onion/ should be used. We don't have any > control over http://qubesosmamapaxpa.onion/ (it appears to be > updated only infrequently). That's strange. I thought that was the o
Re: [qubes-users] Updates, security
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2017-01-19 16:21, haxy wrote: >> On 2017-01-18 18:00, haxy wrote: > On 2017-01-16 13:22, haxy wrote: On 2017-01-14 20:04, haxy wrote: Qubes onion repos have just been implemented. Minimal documentation available here: https://www.qubes-os.org/doc/hidden-service-repos/ > > First of all, thanks for making the onion repos available! Following directions to onionize repositories I made a mistake inputting the onion address. Re-running the commands, dom0 example, "sudo sed -i 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows the input made with the incorrect onion repo. Tried using "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" with the same results.' (Noticed the command from the whonix wiki differs slightly from the qubes wiki command. "qubes-yum" vice "yum" before the onion address.) Was able to get the debian and fedora repos functioning by manually inputting the correct onion address in their respective files but am unable to do that in Dom0. How can I correct this issue in Dom0? > > You can do it the same way in dom0: by manually editing the > file. > > For example: > > $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, > save, and close.) > >> >> > Thanks Andrew. Using vim worked. :) > > Do you know why re-running the command, "sudo sed -i > 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' > /etc/yum.repos.d/qubes-dom0.repo && cat > /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite > the first incorrect address entry? Curious if it's > reproducible or something on my end only? > >> >> It's possible that 'yum.qubes-os.org' was no longer present in the >> text and therefore couldn't be found in order to be replaced. >> > Also, a couple of other questions. > > 1. 
Seems there are 2 distinct onion addresses that can be > used for the qubes repos, "qubesos4z6n4.onion" or > "whonix kk63ava6.onion". Is there any reason to > prefer one over the other? > >> >> No, both point to the same server. >> > 2. Which onion address should be used for Qubes website > access? "http://qubesos4z6n4.onion/"; or > "http://qubesosmamapaxpa.onion/";? Looks like the > "qubesosmamapaxpa" site is not up to date. > >> >> http://qubesos4z6n4.onion/ should be used. We don't have any >> control over http://qubesosmamapaxpa.onion/ (it appears to be >> updated only infrequently). >> >>> >>> >> >> >> Do you know why re-running the command, "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the first incorrect address entry? Curious if it's reproducible or something on my end only? >>> It's possible that 'yum.qubes-os.org' was no longer present in >>> the text and therefore couldn't be found in order to be >>> replaced. >> >> I'm not sure what you mean by this. Why would "yum.qubes-os.org" >> not have been present in the text? I re-ran the command several >> times using both onion addresses with the same result. >> > > Above, you wrote, "Following directions to onionize repositories I > made a mistake inputting the onion address." You didn't specify your > mistake, so as far as I know, it's possible that your mistake altered > the content of the file such that "yum.qubes-os.org" was no longer > present in the text. > >> 1. Seems there are 2 distinct onion addresses that can be used for the qubes repos, "qubesos4z6n4.onion" or "whonix kk63ava6.onion". Is there any reason to prefer one over the other? >>> No, both point to the same server. >> >> Thanks! >> >> 2. Which onion address should be used for Qubes website access? "http://qubesos4z6n4.onion/"; or "http://qubesosmamapaxpa.onion/";? Looks like the "qubesosmamapaxpa" site is not up to date. 
>>> http://qubesos4z6n4.onion/ should be used. We don't have any >>> control over http://qubesosmamapaxpa.onion/ (it appears to be >>> updated only infrequently). >> >> That's strange. I thought that was the original qubes onion >> address? If you (meaning qubes admin/dev) don't have control over >> "http://qubesosmamapaxpa.onion/";, who does? >> > > Yes, it was initially set up by a Qubes contributor named "Hakisho > Nukama," who suddenly disappeared a long time ago. (I ho
Re: [qubes-users] Updates, security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-01-19 16:21, haxy wrote: > On 2017-01-18 18:00, haxy wrote: On 2017-01-16 13:22, haxy wrote: >>> On 2017-01-14 20:04, haxy wrote: Qubes onion repos have >>> just been implemented. Minimal documentation available >>> here: >>> >>> https://www.qubes-os.org/doc/hidden-service-repos/ >>> >>> First of all, thanks for making the onion repos >>> available! >>> >>> Following directions to onionize repositories I made a >>> mistake inputting the onion address. Re-running the >>> commands, dom0 example, "sudo sed -i >>> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat >>> still shows the input made with the incorrect onion >>> repo. Tried using "sudo sed -i >>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" with the same >>> results.' >>> >>> (Noticed the command from the whonix wiki differs >>> slightly from the qubes wiki command. "qubes-yum" vice >>> "yum" before the onion address.) >>> >>> Was able to get the debian and fedora repos functioning >>> by manually inputting the correct onion address in >>> their respective files but am unable to do that in >>> Dom0. How can I correct this issue in Dom0? >>> You can do it the same way in dom0: by manually editing the file. For example: $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, save, and close.) > > Thanks Andrew. Using vim worked. :) Do you know why re-running the command, "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the first incorrect address entry? Curious if it's reproducible or something on my end only? > > It's possible that 'yum.qubes-os.org' was no longer present in the > text and therefore couldn't be found in order to be replaced. 
> Also, a couple of other questions. 1. Seems there are 2 distinct onion addresses that can be used for the qubes repos, "qubesos4z6n4.onion" or "whonix kk63ava6.onion". Is there any reason to prefer one over the other? > > No, both point to the same server. > 2. Which onion address should be used for Qubes website access? "http://qubesos4z6n4.onion/"; or "http://qubesosmamapaxpa.onion/";? Looks like the "qubesosmamapaxpa" site is not up to date. > > http://qubesos4z6n4.onion/ should be used. We don't have any > control over http://qubesosmamapaxpa.onion/ (it appears to be > updated only infrequently). > >> >> > > > >>> Do you know why re-running the command, "sudo sed -i >>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >>> /etc/yum.repos.d/qubes-dom0.repo && cat >>> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite >>> the first incorrect address entry? Curious if it's >>> reproducible or something on my end only? >>> >> It's possible that 'yum.qubes-os.org' was no longer present in >> the text and therefore couldn't be found in order to be >> replaced. > > I'm not sure what you mean by this. Why would "yum.qubes-os.org" > not have been present in the text? I re-ran the command several > times using both onion addresses with the same result. > Above, you wrote, "Following directions to onionize repositories I made a mistake inputting the onion address." You didn't specify your mistake, so as far as I know, it's possible that your mistake altered the content of the file such that "yum.qubes-os.org" was no longer present in the text. > >>> 1. Seems there are 2 distinct onion addresses that can be used >>> for the qubes repos, "qubesos4z6n4.onion" or "whonix >>> kk63ava6.onion". Is there any reason to prefer one >>> over the other? >>> >> No, both point to the same server. > > Thanks! > > >>> 2. Which onion address should be used for Qubes website >>> access? "http://qubesos4z6n4.onion/"; or >>> "http://qubesosmamapaxpa.onion/";? 
Looks like the >>> "qubesosmamapaxpa" site is not up to date. >>> >> http://qubesos4z6n4.onion/ should be used. We don't have any >> control over http://qubesosmamapaxpa.onion/ (it appears to be >> updated only infrequently). > > That's strange. I thought that was the original qubes onion > address? If you (meaning qubes admin/dev) don't have control over > "http://qubesosmamapaxpa.onion/";, who does? > Yes, it was initially set up by a Qubes contributor named "Hakisho Nukama," who suddenly disappeared a long time ago. (I hope you're still ok out there, Nukama!) - -- Andrew David Wong (Axon) Community Ma
Re: [qubes-users] Updates, security
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2017-01-18 18:00, haxy wrote: >> On 2017-01-16 13:22, haxy wrote: > On 2017-01-14 20:04, haxy wrote: Qubes onion repos have just > been implemented. Minimal documentation available here: > > https://www.qubes-os.org/doc/hidden-service-repos/ > >> >> > First of all, thanks for making the onion repos available! > > Following directions to onionize repositories I made a > mistake inputting the onion address. Re-running the > commands, dom0 example, "sudo sed -i > 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' > /etc/yum.repos.d/qubes-dom0.repo && cat > /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still > shows the input made with the incorrect onion repo. Tried > using "sudo sed -i > 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' > /etc/yum.repos.d/qubes-dom0.repo && cat > /etc/yum.repos.d/qubes-dom0.repo" with the same results.' > > (Noticed the command from the whonix wiki differs slightly > from the qubes wiki command. "qubes-yum" vice "yum" before > the onion address.) > > Was able to get the debian and fedora repos functioning by > manually inputting the correct onion address in their > respective files but am unable to do that in Dom0. How can I > correct this issue in Dom0? > >> >> You can do it the same way in dom0: by manually editing the file. >> >> For example: >> >> $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, save, >> and close.) >> >>> >>> >> Thanks Andrew. Using vim worked. :) >> >> Do you know why re-running the command, "sudo sed -i >> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the >> first incorrect address entry? Curious if it's reproducible or >> something on my end only? >> > > It's possible that 'yum.qubes-os.org' was no longer present in the > text and therefore couldn't be found in order to be replaced. > >> Also, a couple of other questions. >> >> 1. 
Seems there are 2 distinct onion addresses that can be used for >> the qubes repos, "qubesos4z6n4.onion" or "whonix >> kk63ava6.onion". Is there any reason to prefer one over >> the other? >> > > No, both point to the same server. > >> 2. Which onion address should be used for Qubes website access? >> "http://qubesos4z6n4.onion/"; or >> "http://qubesosmamapaxpa.onion/";? Looks like the >> "qubesosmamapaxpa" site is not up to date. >> > > http://qubesos4z6n4.onion/ should be used. We don't have any > control over http://qubesosmamapaxpa.onion/ (it appears to be updated > only infrequently). > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > >> Do you know why re-running the command, "sudo sed -i >> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the >> first incorrect address entry? Curious if it's reproducible or >> something on my end only? >> > It's possible that 'yum.qubes-os.org' was no longer present in the > text and therefore couldn't be found in order to be replaced. I'm not sure what you mean by this. 
Why would "yum.qubes-os.org" not have been present in the text? I re-ran the command several times using both onion addresses with the same result. >> 1. Seems there are 2 distinct onion addresses that can be used for >> the qubes repos, "qubesos4z6n4.onion" or "whonix >> kk63ava6.onion". Is there any reason to prefer one over >> the other? >> > No, both point to the same server. Thanks! >> 2. Which onion address should be used for Qubes website access? >> "http://qubesos4z6n4.onion/"; or >> "http://qubesosmamapaxpa.onion/";? Looks like the >> "qubesosmamapaxpa" site is not up to date. >> > http://qubesos4z6n4.onion/ should be used. We don't have any > control over http://qubesosmamapaxpa.onion/ (it appears to be updated > only infrequently). That's strange. I thought that was the original qub
Re: [qubes-users] Updates, security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-01-18 18:00, haxy wrote: > On 2017-01-16 13:22, haxy wrote: On 2017-01-14 20:04, haxy wrote: Qubes onion repos have just been implemented. Minimal documentation available here: https://www.qubes-os.org/doc/hidden-service-repos/ > > First of all, thanks for making the onion repos available! Following directions to onionize repositories I made a mistake inputting the onion address. Re-running the commands, dom0 example, "sudo sed -i 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows the input made with the incorrect onion repo. Tried using "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" with the same results.' (Noticed the command from the whonix wiki differs slightly from the qubes wiki command. "qubes-yum" vice "yum" before the onion address.) Was able to get the debian and fedora repos functioning by manually inputting the correct onion address in their respective files but am unable to do that in Dom0. How can I correct this issue in Dom0? > > You can do it the same way in dom0: by manually editing the file. > > For example: > > $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, save, > and close.) > >> >> > Thanks Andrew. Using vim worked. :) > > Do you know why re-running the command, "sudo sed -i > 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' > /etc/yum.repos.d/qubes-dom0.repo && cat > /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the > first incorrect address entry? Curious if it's reproducible or > something on my end only? > It's possible that 'yum.qubes-os.org' was no longer present in the text and therefore couldn't be found in order to be replaced. > Also, a couple of other questions. > > 1. 
Seems there are 2 distinct onion addresses that can be used for > the qubes repos, "qubesos4z6n4.onion" or "whonix > kk63ava6.onion". Is there any reason to prefer one over > the other? > No, both point to the same server. > 2. Which onion address should be used for Qubes website access? > "http://qubesos4z6n4.onion/"; or > "http://qubesosmamapaxpa.onion/";? Looks like the > "qubesosmamapaxpa" site is not up to date. > http://qubesos4z6n4.onion/ should be used. We don't have any control over http://qubesosmamapaxpa.onion/ (it appears to be updated only infrequently). - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
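The explanation given in the message above (the search string was no longer in the file, so nothing was replaced), reproduced as an added example that is not part of the original thread. The repo file contents, the mistyped host and the function names are constructed for illustration; the two host names and the `sed` pattern are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The repo file contents and the
# mistyped host below are constructed; function names are hypothetical.

# Write a constructed stand-in for /etc/yum.repos.d/qubes-dom0.repo.
make_sample_repo() {
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = http://yum.qubes-os.org/r3.2/current/dom0/fc23
enabled = 1
EOF
}

# Print the host part of every baseurl line in file $1.
repo_hosts() {
    sed -n -E 's#^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*https?://([^/]+).*#\1#p' "$1"
}

# Same substitution as the thread's
#   sed -i 's/yum.qubes-os.org/NEW/' FILE
# written through a temp file so it runs with any POSIX sed.
# sed exits 0 even when nothing matched, so the needle is checked first
# and the function returns 1 if the clearnet host is no longer in the file.
onionize_literal() {
    grep -q 'yum\.qubes-os\.org' "$1" || return 1
    sed "s/yum\.qubes-os\.org/$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Re-runnable variant: replace whatever host currently follows
# "baseurl = http(s)://", leaving scheme and path untouched.
set_repo_host() {
    sed -E "s#^([[:space:]]*baseurl[[:space:]]*=[[:space:]]*https?://)[^/]+#\1$2#" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

demo() {
    f=$(mktemp)
    make_sample_repo "$f"
    onionize_literal "$f" "yum.qubesos4z6n4.onoin"   # constructed typo
    echo "after first run:  $(repo_hosts "$f")"
    # Second run with the correct address: the clearnet host is gone,
    # so the literal pattern cannot match and the typo stays in place.
    onionize_literal "$f" "yum.qubesos4z6n4.onion" \
        || echo "second run: 'yum.qubes-os.org' not found, file unchanged"
    set_repo_host "$f" "yum.qubesos4z6n4.onion"
    echo "after host fix:   $(repo_hosts "$f")"
    rm -f "$f"
}

demo
```

Because plain `sed` returns success whether or not it substituted anything, the `&& cat` in the original command still runs and gives no sign that the pattern was missing; checking the file with `grep` first makes that case visible.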
Re: [qubes-users] Updates, security
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2017-01-16 13:22, haxy wrote: >> On 2017-01-14 20:04, haxy wrote: >> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote: >>> Going back to the first post. >>> >>> "Qubes repository will allow changing the "http" to >>> "https" in the qubes entry /etc/apt/sources.list.d/." >>> >>> How would one implement that on a qubes-fedora template? >>> >>> Looking at Installing and updating software in VMs >>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"; >>> >>> It looks like https mirrors are used for fedora and that >>> other entries in yum.repos.d including qubes-*.repo could >>> be changed from http to https. >>> >>> Would that work? Although onion service would be >>> preferred, might be a bit better than clearnet after exit >>> node. >>> >>> >> Yes, that will work as you think. The benefits are >> marginal. >> >> >> > Thanks Unman. A marginal benefit is still a benefit. > Especially if easily done. Would be nice if the devs could > make that change in an upcoming update, at least until onion > service repos are implemented. > >> >> Qubes onion repos have just been implemented. Minimal >> documentation available here: >> >> https://www.qubes-os.org/doc/hidden-service-repos/ >> >>> >>> >> First of all, thanks for making the onion repos available! >> >> Following directions to onionize repositories I made a mistake >> inputting the onion address. Re-running the commands, dom0 >> example, "sudo sed -i >> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows >> the input made with the incorrect onion repo. Tried using "sudo >> sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" with the same results.' >> >> (Noticed the command from the whonix wiki differs slightly from the >> qubes wiki command. 
"qubes-yum" vice "yum" before the onion >> address.) >> >> Was able to get the debian and fedora repos functioning by >> manually inputting the correct onion address in their respective >> files but am unable to do that in Dom0. How can I correct this >> issue in Dom0? >> > > You can do it the same way in dom0: by manually editing the file. > > For example: > > $ sudo vim /etc/yum.repos.d/qubes-dom0.repo > (Edit the file, save, and close.) > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > Thanks Andrew. Using vim worked. :) Do you know why re-running the command, "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the first incorrect address entry? Curious if it's reproducible or something on my end only? Also, a couple of other questions. 1. Seems there are 2 distinct onion addresses that can be used for the qubes repos, "qubesos4z6n4.onion" or "whonix kk63ava6.onion". Is there any reason to prefer one over the other? 2. Which onion address should be used for Qubes website access? 
"http://qubesos4z6n4.onion/"; or "http://qubesosmamapaxpa.onion/";? Looks like the "qubesosmamapaxpa" site is not up to date.
Re: [qubes-users] Updates, security
On 2017-01-16 13:22, haxy wrote:
>> On 2017-01-14 20:04, haxy wrote:
>>>> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
>>>>> Going back to the first post.
>>>>>
>>>>> "Qubes repository will allow changing the "http" to
>>>>> "https" in the qubes entry /etc/apt/sources.list.d/."
>>>>>
>>>>> How would one implement that on a qubes-fedora template?
>>>>>
>>>>> Looking at Installing and updating software in VMs
>>>>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>>>>
>>>>> It looks like https mirrors are used for fedora and that
>>>>> other entries in yum.repos.d including qubes-*.repo could
>>>>> be changed from http to https.
>>>>>
>>>>> Would that work? Although onion service would be
>>>>> preferred, might be a bit better than clearnet after exit
>>>>> node.
>>>>>
>>>> Yes, that will work as you think. The benefits are
>>>> marginal.
>>>>
>>> Thanks Unman. A marginal benefit is still a benefit. Especially
>>> if easily done. Would be nice if the devs could make that change
>>> in an upcoming update, at least until onion service repos are
>>> implemented.
>>>
>> Qubes onion repos have just been implemented. Minimal
>> documentation available here:
>>
>> https://www.qubes-os.org/doc/hidden-service-repos/
>>
> First of all, thanks for making the onion repos available!
>
> Following directions to onionize repositories I made a mistake
> inputting the onion address. Re-running the commands, dom0
> example,
> "sudo sed -i 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
> has no effect. Cat still shows the input made with the incorrect
> onion repo. Tried using
> "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
> with the same results.
>
> (Noticed the command from the whonix wiki differs slightly from the
> qubes wiki command. "qubes-yum" vice "yum" before the onion
> address.)
>
> Was able to get the debian and fedora repos functioning by
> manually inputting the correct onion address in their respective
> files but am unable to do that in Dom0. How can I correct this
> issue in Dom0?
>

You can do it the same way in dom0: by manually editing the file. For example:

$ sudo vim /etc/yum.repos.d/qubes-dom0.repo

(Edit the file, save, and close.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
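The failure mode raised in this exchange, as an added example that is not part of the original messages: `sed` exits 0 even when its pattern matches nothing, so re-running the one-liner after a first (mistyped) substitution changes nothing and `&& cat` still prints the file. The helper names, the sample repo file contents and the host `yum.mistyped-example.onion` are constructed for illustration; the other hostnames are written as they appear in the thread.

```shell
#!/bin/sh
# Constructed stand-in for a dom0 repo file (not the real file's contents).
make_sample_repo() {
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
#baseurl = http://yum.qubes-os.org/r$releasever/current/dom0/fc20
metalink = http://yum.qubes-os.org/r$releasever/current/dom0/fc20/repodata/repomd.xml.metalink
enabled = 1
EOF
}

# Print the distinct hosts used on baseurl/metalink/mirrorlist lines
# (commented-out lines included, since a sed substitution rewrites those too).
repo_hosts() {
    sed -nE 's,^[#[:space:]]*(baseurl|metalink|mirrorlist)[[:space:]]*=[[:space:]]*[a-z]+://([^/]+)/.*,\2,p' "$1" | sort -u
}

# replace_host FILE OLD NEW: swap the host in every URL, keeping FILE.bak.
# Returns 1 (and lists the hosts actually present) if OLD is not in the file,
# 2 if either host is empty or has characters that cannot be in a hostname.
replace_host() {
    file=$1; old=$2; new=$3
    for h in "$old" "$new"; do
        case "$h" in
            ''|*[!A-Za-z0-9.-]*) echo "invalid host name: '$h'" >&2; return 2 ;;
        esac
    done
    if ! grep -qF "//$old/" "$file"; then
        echo "host '$old' not found in $file; hosts present:" >&2
        repo_hosts "$file" >&2
        return 1
    fi
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # match dots literally
    cp -p "$file" "$file.bak" &&
        sed "s,//$old_re/,//$new/,g" "$file.bak" > "$file"
}

demo() {
    f=$(mktemp) || return 1
    make_sample_repo "$f"
    # First run, with a mistyped host (constructed value).
    replace_host "$f" yum.qubes-os.org yum.mistyped-example.onion
    # The thread's substitution, re-run: the pattern no longer occurs, sed
    # changes nothing and still exits 0.
    sed 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' "$f" > /dev/null
    echo "plain sed exit status on no match: $?"
    # The checked version reports the miss and lists what is really there.
    replace_host "$f" yum.qubes-os.org yum.qubesos4z6n4.onion ||
        echo "refused (status $?)"
    # Replace whatever host the file holds now.
    replace_host "$f" "$(repo_hosts "$f")" yum.qubesos4z6n4.onion
    echo "hosts after repair: $(repo_hosts "$f")"
    rm -f "$f" "$f.bak"
}
demo
```

On a real system the file is /etc/yum.repos.d/qubes-dom0.repo and writing to it needs root; `repo_hosts` on its own is a read-only way to see what an earlier substitution left behind.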
Re: [qubes-users] Updates, security
> On 2017-01-14 20:04, haxy wrote:
>>> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
>>>> Going back to the first post.
>>>>
>>>> "Qubes repository will allow changing the "http" to "https" in
>>>> the qubes entry /etc/apt/sources.list.d/."
>>>>
>>>> How would one implement that on a qubes-fedora template?
>>>>
>>>> Looking at Installing and updating software in VMs
>>>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>>>
>>>> It looks like https mirrors are used for fedora and that other
>>>> entries in yum.repos.d including qubes-*.repo could be changed
>>>> from http to https.
>>>>
>>>> Would that work? Although onion service would be preferred,
>>>> might be a bit better than clearnet after exit node.
>>>>
>>> Yes, that will work as you think. The benefits are marginal.
>>>
>> Thanks Unman. A marginal benefit is still a benefit. Especially if
>> easily done. Would be nice if the devs could make that change in an
>> upcoming update, at least until onion service repos are
>> implemented.
>>
>
> Qubes onion repos have just been implemented. Minimal documentation
> available here:
>
> https://www.qubes-os.org/doc/hidden-service-repos/
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
>

First of all, thanks for making the onion repos available!

Following directions to onionize repositories I made a mistake inputting the onion address. Re-running the commands, dom0 example,
"sudo sed -i 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
has no effect. Cat still shows the input made with the incorrect onion repo. Tried using
"sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo"
with the same results.

(Noticed the command from the whonix wiki differs slightly from the qubes wiki command. "qubes-yum" vice "yum" before the onion address.)

Was able to get the debian and fedora repos functioning by manually inputting the correct onion address in their respective files but am unable to do that in Dom0. How can I correct this issue in Dom0?
Re: [qubes-users] Updates, security
On 2017-01-14 20:04, haxy wrote:
>> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
>>> Going back to the first post.
>>>
>>> "Qubes repository will allow changing the "http" to "https" in
>>> the qubes entry /etc/apt/sources.list.d/."
>>>
>>> How would one implement that on a qubes-fedora template?
>>>
>>> Looking at Installing and updating software in VMs
>>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>>
>>> It looks like https mirrors are used for fedora and that other
>>> entries in yum.repos.d including qubes-*.repo could be changed
>>> from http to https.
>>>
>>> Would that work? Although onion service would be preferred,
>>> might be a bit better than clearnet after exit node.
>>>
>> Yes, that will work as you think. The benefits are marginal.
>>
> Thanks Unman. A marginal benefit is still a benefit. Especially if
> easily done. Would be nice if the devs could make that change in an
> upcoming update, at least until onion service repos are
> implemented.
>

Qubes onion repos have just been implemented. Minimal documentation available here:

https://www.qubes-os.org/doc/hidden-service-repos/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Updates, security
> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
>> Going back to the first post.
>>
>> "Qubes repository will allow changing the
>> "http" to "https" in the qubes entry /etc/apt/sources.list.d/."
>>
>> How would one implement that on a qubes-fedora template?
>>
>> Looking at Installing and updating software in VMs
>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>
>> It looks like https mirrors are used for fedora and that other entries
>> in yum.repos.d including qubes-*.repo could be changed from http to https.
>>
>> Would that work?
>> Although onion service would be preferred, might be a bit better than
>> clearnet after exit node.
>>
> Yes, that will work as you think. The benefits are marginal.
>

Thanks Unman. A marginal benefit is still a benefit. Especially if easily done. Would be nice if the devs could make that change in an upcoming update, at least until onion service repos are implemented.
Re: [qubes-users] Updates, security
On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
> Going back to the first post.
>
> "Qubes repository will allow changing the
> "http" to "https" in the qubes entry /etc/apt/sources.list.d/."
>
> How would one implement that on a qubes-fedora template?
>
> Looking at Installing and updating software in VMs
> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>
> It looks like https mirrors are used for fedora and that other entries in
> yum.repos.d including qubes-*.repo could be changed from http to https.
>
> Would that work?
> Although onion service would be preferred, might be a bit better than
> clearnet after exit node.
>

Yes, that will work as you think. The benefits are marginal.
[qubes-users] Updates, security
Going back to the first post.

"Qubes repository will allow changing the "http" to "https" in the qubes entry /etc/apt/sources.list.d/."

How would one implement that on a qubes-fedora template?

Looking at Installing and updating software in VMs
"http://qubesosmamapaxpa.onion/doc/software-update-vm/"

It looks like https mirrors are used for fedora and that other entries in yum.repos.d including qubes-*.repo could be changed from http to https.

Would that work?
Although onion service would be preferred, might be a bit better than clearnet after exit node.
Re: [qubes-users] Updates, security
On 12/17/16 17:50, Unman wrote:
> On Sat, Dec 17, 2016 at 06:18:41PM -, johnyju...@sigaint.org wrote:
>> While updates are signed, so even if they come over the wire in cleartext,
>> the fact that they often are sent in the clear (even from debian.net)
>> allows a snooper to know what packages you're scanning for metadata or
>> installing. It reveals a lot about the state of your system.
>>
>> Updating over Tor or a VPN helps a bit. Updating to debian's hidden
>> service is even more ideal, no https in between with
>> state-actor/CA-forgeable certificates possible, etc.
>>
>> However, Qubes updates aren't available via Tor.
>>
>> I do notice, however, that the qubes repository will allow changing the
>> "http" to "https" in the qubes entry /etc/apt/sources.list.d/. (You'd
>> have to install "apt-transport-https" too.)
>>
>> Do the Qubes folks have a problem with this? It'd put extra load on the
>> servers, so I thought I'd ask.
>>
>> I might suggest it would make a good default, if the load wouldn't be
>> unacceptable.
>>
>> Cheers,
>>
>> -d
>>
> This has been under discussion in qubes-issues for some time.
> apt-transport-https is installed by default, so you can change that if
> you want.
>
> There was a proposal to make debian updates use https by default. It
> wasn't accepted. Debian security updates aren't available by https so
> that part will always come plain.
> You can change the rest to use https.
> The benefits of doing this are almost entirely illusory. It's pretty
> trivial to identify packages being transferred under https, so a
> competent snooper wouldn't be hampered.
>
> I assume you mean that Qubes updates aren't available as an onion
> service.

Indeed, it is already possible to download all updates (dom0 + templates) over Tor, but there are no onion services yet for most parts. Nonetheless, the main benefits of downloading updates over Tor still hold:

1. Network attackers can't target you with malicious updates or selectively block you from receiving certain updates. Instead, they're forced to either block everyone or serve everyone with the same malicious update in the hope that you're among those affected. This makes it much more likely that someone will spot the attack.

2. Downloading all updates through Tor preserves your privacy, since it prevents your ISP and package repositories from tracking which packages you install.

> I offered to set this up some time back but it wasn't thought a
> priority.

Since one of the core tenets of Qubes is that we distrust the infrastructure, (i.e., we focus on securing the endpoints before securing the middle), it makes sense that this would be a lower priority. Nonetheless, I think it would be fantastic to have this.

> There used to be such a service but it's long out of date
> now.

We had an onion service (back then a "hidden service") mirror of the website, but I don't think we ever had an onion service package repo (at least, not that I'm aware of).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Updates, security
On Sat, Dec 17, 2016 at 06:18:41PM -, johnyju...@sigaint.org wrote:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing. It reveals a lot about the state of your system.
>
> Updating over Tor or a VPN helps a bit. Updating to debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc.
>
> However, Qubes updates aren't available via Tor.
>
> I do notice, however, that the qubes repository will allow changing the
> "http" to "https" in the qubes entry /etc/apt/sources.list.d/. (You'd
> have to install "apt-transport-https" too.)
>
> Do the Qubes folks have a problem with this? It'd put extra load on the
> servers, so I thought I'd ask.
>
> I might suggest it would make a good default, if the load wouldn't be
> unacceptable.
>
> Cheers,
>
> -d
>

This has been under discussion in qubes-issues for some time. apt-transport-https is installed by default, so you can change that if you want.

There was a proposal to make debian updates use https by default. It wasn't accepted. Debian security updates aren't available by https so that part will always come plain.
You can change the rest to use https.
The benefits of doing this are almost entirely illusory. It's pretty trivial to identify packages being transferred under https, so a competent snooper wouldn't be hampered.

I assume you mean that Qubes updates aren't available as an onion service.
I offered to set this up some time back but it wasn't thought a priority. There used to be such a service but it's long out of date now.

unman
Re: [qubes-users] Updates, security
johnyju...@sigaint.org:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing. It reveals a lot about the state of your system.
>
> Updating over Tor or a VPN helps a bit. Updating to debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc.
>
> However, Qubes updates aren't available via Tor.
>

WIP:
https://forums.whonix.org/t/onionizing-qubes-whonix-repositories/3265
[qubes-users] Updates, security
While updates are signed, so even if they come over the wire in cleartext, the fact that they often are sent in the clear (even from debian.net) allows a snooper to know what packages you're scanning for metadata or installing. It reveals a lot about the state of your system.

Updating over Tor or a VPN helps a bit. Updating to debian's hidden service is even more ideal, no https in between with state-actor/CA-forgeable certificates possible, etc.

However, Qubes updates aren't available via Tor.

I do notice, however, that the qubes repository will allow changing the "http" to "https" in the qubes entry /etc/apt/sources.list.d/. (You'd have to install "apt-transport-https" too.)

Do the Qubes folks have a problem with this? It'd put extra load on the servers, so I thought I'd ask.

I might suggest it would make a good default, if the load wouldn't be unacceptable.

Cheers,

-d