Re: [qubes-users] Move homedir to second drive

2017-11-28 Thread 'Tom Zander' via qubes-users
On Tuesday, 28 November 2017 03:07:02 CET Andrew David Wong wrote:
> On 2017-11-27 16:03, 'Tom Zander' via qubes-users wrote:
> > I have a ‘work’ VM which holds a significant amount of user-data
> > and as such I want my homedir to be hosted on my spinning-disk
> > drive.
[snip]
> This option works well for me on 3.2 (doesn't require auto-bind):
> 
> https://www.qubes-os.org/doc/secondary-storage/

Thanks for your answer,

it seems like this is no longer an option in 4.0 because VMs are no longer 
directories on the dom0 filesystem.
I may be wrong, but I understand they are actually partitions now.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9060708.MLDAJUS7DY%40strawberry.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes for "dummies"

2017-11-28 Thread 'Tom Zander' via qubes-users
On Tuesday, 28 November 2017 18:33:37 CET Foppe de Haan wrote:
> Bottom line IMO these days security can't be done by a layman,

Security as a concept is not that black / white, there is no 100% security 
and likewise I fail to see how "laymen" can't increase their security.
As a quick example, in Windows you can download an exe and start it with 
zero technical knowledge.
In Linux a downloaded executable can't be started without the user 
explicitly marking it "executable".

Guiding people into doing the right thing can be done.
As long as you don't aim for perfect security (which honestly doesn't exist 
anyway), you can help people increase their security significantly.

In my humble opinion, this is already happening in Qubes. The NetVM is a 
good example of a standard setup that has become completely transparent to 
users while isolating them from bad drivers causing security issues for many 
other linux users.

The people that need this most are those that don't have the technical 
know-how, exactly because they don't understand how opening an executable or 
PDF from the net can cause any harm.
The point I'm trying to make is that those people can already use this 
software today, but many of the more fun features are impossible to them 
because they have not been made easy.


I'd also like to mention that all things require time to learn, I'd like to 
set up some firewall rules to let different VMs communicate between 
themselves.  But lacking a nice GUI I have to figure out how to do this at 
the command line, and I honestly just don't have the time to learn that 
right now.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Failed to load Kernel Modules

2017-11-28 Thread 'Tom Zander' via qubes-users
On Tuesday, 28 November 2017 14:18:44 CET cooloutac wrote:
> Of course many feel Qubes is for more advanced users,  and apparently that
> will become a self fulfilling prophecy in version 4.

Looking at the (lack of) UI tools at this time, you can be excused thinking 
this. I personally think it's a focus issue. The core devs are good at 
security, and that is where their focus is.
The people behind Qubes don't have to focus on usability, though. They can 
focus on an awesome core while others focus on tooling.

I'd love to help write some great user interfaces that improve upon the 
Qubes supplied ones (which is a low bar), and do that in an open source 
manner which helps improve the usability for everyone.
As long as I don't have to use python, so the only thing we really need is a 
good interface which is language-agnostic.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes for "dummies"

2017-11-28 Thread 'Tom Zander' via qubes-users
On Tuesday, 28 November 2017 03:38:02 CET Andrew David Wong wrote:
> Our position is that reasonable security
> via compartmentalization (of which Qubes is an implementation) requires
> the user to make informed decisions about how to compartmentalize
> various parts of their digital life into separate domains.

I fully agree with genevieve on all he said, and I'm not sure if the answer 
I quoted above is a good answer to his worries.
Let's avoid making conclusions about "dummies", I personally would say a lot 
of people can make a much more secure setup using Qubes even if they are 
completely unable to use a command line.

The trick is to not treat your users like morons but at the same time create 
usable and well designed (graphical) tools.

What is missing currently is support for anything that is not xfce and while 
genevieve prefers Gnome, I prefer KDE.

The GUI tools that Qubes came with in 3.2 are hardly done (many missing 
features) in 4.0, and that's OK because they can be done at a later time.
Writing usability centric tools is hard.

What would be ideal is the opening of the APIs for 3rd party implementation. 
Naturally, there is an API, but it's a python API, which is not exactly the 
most used API for graphical tools.
I would argue that opening up the qubesd interface to users using other 
languages will open up the playing field to many GUI developers.
Maybe even get some KDE / Gnome native integration.
I won't speak for the core Qubes devs, but I would not be surprised if they 
would welcome others helping out with GUI tools because if you are good at 
security and Xen and stuff, that doesn't mean you enjoy doing GUIs.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] Move homedir to second drive

2017-11-27 Thread 'Tom Zander' via qubes-users
I have a ‘work’ VM which holds a significant amount of user-data and as such 
I want my homedir to be hosted on my spinning-disk drive.

I’m more than fine just using a standard btrfs partition there, I really like 
the snapshotting option there, but this does imply I would need to 
automatically assign this partition to the VM at vm-start. Probably from 
dom0.

I can write a script and only start the VM that way, but it feels there 
must be a better way.
Does anyone know of a way to do this auto-bind?

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] which tool alters my etc dir every boot?

2017-11-24 Thread 'Tom Zander' via qubes-users
Hi,

I recently installed 3.2 and got the archlinux template working.
I updated it to the latest and got KDE working nicely.

One problem I have is that every single time I (re) start the templateVM, a 
new file is created in /etc/pacman.d/
it is a file that adds a http-proxy address.

The result is that pacman stops working, as that proxy address doesn’t 
respond.

So the question I have is which piece of software is responsible for 
recreating that file every boot.

As I’m a developer, I’d like to fix it at least for myself.

Any hints appreciated!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] promoting testing packages

2017-11-24 Thread 'Tom Zander' via qubes-users
Last week I briefly tried 4.0RC2, only to realize that things like the 
archlinux package was just missing.

Since then I learned that it actually is part of the testing repository.

This makes me wonder, what is the procedure of promoting something from testing 
up to current?
I mean, if it's simply non-functional or missing in current, then should a 
testing version not be promoted ASAP ?

ref; https://github.com/QubesOS/qubes-issues/issues/3185#issuecomment-338627359
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes 4.0 RC3 (installation) MEGA-HUGE security flaw! (report the bug below or quit the program)

2017-11-29 Thread 'Tom Zander' via qubes-users
On Wednesday, 29 November 2017 02:40:01 CET Genevieve Gauthier wrote:
> What do you need me to do ?

Please explain in a little more detail what versions of the software you were 
using, what steps we might follow to reproduce the problem.
For instance which screen was the last thing that was on before this error 
popped up.

Cheers!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes 4.0 RC3 (installation) MEGA-HUGE security flaw! (report the bug below or quit the program)

2017-11-29 Thread 'Tom Zander' via qubes-users
On Wednesday, 29 November 2017 08:51:33 CET '[799]' via qubes-users wrote:
> As far as I have understand, the problem is not that the password is
> shown, but that the report with this error mistake and the password could
> get transferred. I don't want that my password gets transferred in some
> part of an error report.

That's not what the guy wrote. He said that it was showing on screen in an 
error dialog.

The problem seems to be that the password is requested from the user and 
then kept in memory to be passed to specific tools that do the work while the 
installation is ongoing.

Then if the installation goes wrong it prints the log of what has happened 
so far, and that contains the password.

I have seen no indication that the password is kept after the installation 
has completed and operations are given over to Qubes-OS.

I agree it's rather sloppy, but as far as I know the installer has no option 
of reporting issues. I don’t even think you connect to the network at all 
(did you type your wifi password, I never did).

So, let's allow the devs to fix this without making this into a bigger thing 
than it is.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
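
The failure mode described in the message above (a passphrase held in memory, handed to helper tools, then surfacing in the log an error dialog prints) can be reproduced and closed off in a few lines. This is an added example, not code from the post or from the Qubes installer; the tool name `format-tool`, its flags, the device path and the passphrase are hypothetical, constructed values.

```python
import io
import logging

PLACEHOLDER = "[REDACTED]"


class RedactingFormatter(logging.Formatter):
    """Formatter that strips registered secret values from the final text.

    Scrubbing happens after normal formatting, so it also covers the
    traceback text appended by log.exception(), not only the message.
    """

    def __init__(self, fmt=None):
        super().__init__(fmt)
        self._secrets = set()

    def register(self, secret):
        # An empty string would match everywhere, so it is ignored.
        if secret:
            self._secrets.add(secret)

    def scrub(self, text):
        # Longest first, so a secret containing another is removed whole.
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, PLACEHOLDER)
        return text

    def format(self, record):
        return self.scrub(super().format(record))


def install_log(passphrase, hardened):
    """Simulate one failing install step; return the log a dialog would show."""
    buf = io.StringIO()
    formatter = RedactingFormatter("%(levelname)s %(message)s")
    handler = logging.StreamHandler(buf)
    handler.setFormatter(formatter)
    log = logging.Logger("installer-demo")  # standalone logger for the demo
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)

    if hardened:
        # The secret never appears on the command line (the helper would
        # read it from stdin), and the log formatter knows its value.
        formatter.register(passphrase)
        argv = ["format-tool", "--key-from-stdin", "/dev/sdX2"]
    else:
        # Weak pattern: the secret is an argv element, so logging the
        # command line writes it into the install log.
        argv = ["format-tool", "--key", passphrase, "/dev/sdX2"]

    log.info("running: %s", " ".join(argv))
    try:
        # Constructed failure: a helper that echoes its input in the error.
        raise RuntimeError("format-tool exited 1 (input was %r)" % passphrase)
    except RuntimeError:
        log.exception("step failed")
    return buf.getvalue()


if __name__ == "__main__":
    demo_passphrase = "constructed-demo-passphrase"
    print("--- weak ---")
    print(install_log(demo_passphrase, hardened=False))
    print("--- hardened ---")
    print(install_log(demo_passphrase, hardened=True))
```

Keeping the secret off the command line handles the common leak; the formatter is the backstop for places that cannot be audited, such as exception text from a helper.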



Re: [qubes-users] Re: Failed to load Kernel Modules

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 03:30:35 CET Unman wrote:
> I think I must be missing your point - it might be clearer if you gave
> examples of tasks that these user interfaces would serve.

I think we have some great examples already which could use more love.

The devices app, which allows you to assign drives (partitions really) to 
qubes.
It is currently less than complete.
Not only does it have bugs (shutting down a qube and starting it again makes 
a logical drive never be shown there again).
But more importantly it just adds a new device in /devs/ without mounting 
it. It should allow a user to the first time select a qubes dir to mount it 
on.
The goal; to avoid the user having to use the CLI.

But also the Qubes-create-new VM GUI app is rather badly designed. It uses 
lots of terms like ‘appvm’ and similar, which is Ok.
The problem is that none of these terms are explained. You have to go to 
browse on the internet to find out what those mean.
It would be quite easy to add documentation inside the app in order to 
explain it. Maybe add a graphic-widget that shows not just the list of 
template VMs, but also which VMs are based on it.
Because honestly, what a user wants is likely “make another VM like Work”. 
But then they have to first find out that “Work” is based on a named template, 
is an appvm and remember that and open the create-vm screen to base it on 
the same...

In short, the tools are designed by technical people to do what they already 
know how to do. They are not designed for new users that need to discover 
the system at the same time as they get tasks done.

This is just an example or two, I hope it explains my thinking.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 11:07:56 CET Joe Hemmerlein wrote:
> However, the TPM chip on this hardware works in UEFI boot mode only

I think it's a known issue that Qubes doesn't support EFI.
It ironically creates an efi partition, but the installer doesn't create the 
right stuff to actually boot from it.
And I can confirm that the installer doesn't boot without legacy boot 
systems either.

If your hardware is really incompatible with legacy boots, you are out of 
luck.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Yubikey in Challenge Response mode in Qubes 3.2

2017-11-27 Thread 'Tom Zander' via qubes-users
On Monday, 27 November 2017 06:30:48 CET Yuraeitha wrote:
> I wonder how such misunderstandings, or false interpretations, can be
> avoided among the people, like me, who are learning about Qubes (and
> Linux in general). But that's something for another time and topic, but
> an interesting one nonetheless.

Personally I’d say that the majority of this problem comes from the 
mis-design that VMs like debian and even fedora are maintained by DNF/yum.
To do a system upgrade by downloading a new RPM makes no sense as that 
completely destroys all changes made in the template. For instance new 
software that was installed.

If qubes were to disconnect the idea that an RPM of several hundred MBs is 
the way to download/install/upgrade a VM, it would become much easier to 
understand.

Maybe in Qubes 5 :)
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] 3 different rez monitors doable?

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 01:21:40 CET Stumpy wrote:
> I don't see why this wouldn't work, but at the same time, I thought
> better to be safe than sorry.
> 
> I have two monitors (1920x) hooked up to my comp which has two video out
> ports, I wanted to add a 4k monitor and will have to add an extra card.

If it works on Xorg, it should work on Qubes. So you can try on any KDE or 
Gnome forum to get the confirmation you want.

I have two screens which works fine.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Suggestions (for forum posts)

2017-12-01 Thread 'Tom Zander' via qubes-users
On Friday, 1 December 2017 00:37:47 CET Stumpy wrote:
> I am not so familiar with google groups but I don't have a google
> account

For those of us in that section of the population; you can subscribe to the 
group without having a google account and get 100% of the emails in your 
email application of choice.

The details are here;
https://www.qubes-os.org/mailing-lists/

Quoting from it;

> Google Groups
> 
> You don’t have to subscribe in order to post to this list. However,
> subscribing might nonetheless be desirable, as it ensures that your
> messages will not be eaten by the Google Groups spam filter and allows
> you to receive messages which were sent directly to the list.
> 
> To subscribe to the list, send a blank email to
> qubes-users+subscr...@googlegroups.com.
> 
> Note: A Gmail account is not required. Any email address will
> work.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Windows Menu innaccessable because of Windows Tools.

2017-12-01 Thread 'Tom Zander' via qubes-users
On Friday, 1 December 2017 06:03:56 CET Drew White wrote:
> What can I do (logically) to resolve this issue?

Silly idea; make the bottom of both monitors be the same on your Linux side, 
that may sidestep the issue.

If nothing else, you can move the windows taskbar to the left side of your 
screen and get your start menu button showing top-left.

To fix the actual bugs, have you opened an issue on the appropriate github 
repo?
I understand the tool that does this is not open source, so I’m personally 
not sure where you can report it or if you need to pay to get bugs like this 
fixed.
Others that know may want to reply here as well.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-04 Thread 'Tom Zander' via qubes-users
On Monday, 4 December 2017 16:38:12 CET r...@tuta.io wrote:
> Vm manager...

It has been reduced to a single icon in your system tray.

Some features have been moved elsewhere (start menu has a config item per VM) 
some are command-line only.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)

2017-12-17 Thread 'Tom Zander' via qubes-users
On Saturday, 16 December 2017 03:25:46 CET Yuraeitha wrote:
> Initially, this is all the reasons I can think of for wanting V-GPU.
...
> - Extending a single Qubes machine around the house or company, using
> multiple of screens, keyboards/mouses or other thinkable means.

This sounds inherently unsafe.
Not sure what your usecase is, but there has to be a better way than 
allowing a multitude of foreign, not-directly-connected hardware from 
accessing various very security sensitive channels.

...
> - Cryptocoin miners who wish to utilize a single machine
> for all round purposes. 

To build a proper crypto-mining rig based on GPUs, you would not run an OS 
on the machine. It literally drains money out of your system to use it on 
the same hardware as your main desktop.
If you install 8 GPUs on a mainboard, you have to realize that the mainboard 
ends up costing a fraction of the total.
Reusing it for non-mining purposes (while mining) just doesn't make any 
sense. Both from an economics as well as a security point of view.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)

2017-12-17 Thread 'Tom Zander' via qubes-users
On Sunday, 17 December 2017 11:59:26 CET Yuraeitha wrote:
> f, but from what I understand, complex software is hard to make secure,
> compared to well-made hardware minimizing use of software. If Qubes
> hypothetically were to adopt these, would the hardware approach be more
> secure here?

The question isn't really about software vs hardware.
The overall design and concept is what is more important.
The actual approach of how to do this makes or breaks the security mode. 
From that approach follows what parts are required to be in hardware (to 
still be fast and secure).

I claim no expertise in the domain you address in this thread, so apologies 
for the generic answer.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-13 Thread 'Tom Zander' via qubes-users
On Wednesday, 13 December 2017 00:49:14 CET Connor Page wrote:
> I’ll disagree with comparison of btrfs to lvm. there is a very significant
> difference between btrfs and lvm. btrfs is like a namespace and lvm
> volumes are block devices. one can put a namespace on a block device. but
> yes, layers and layers of metadata processing required.
> 
> BTW, has anyone started a btrfs driver for storage pools? I think it could
> very tricky if at all possible.

related;
https://github.com/QubesOS/qubes-issues/issues/3334

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] Qubes GUI for v4

2017-12-19 Thread 'Tom Zander' via qubes-users
Last weeks there was a lot of talk about a lot of us missing the
qubes-manager, or frankly any sort of useful graphical user interface.

As I’m a long time programmer I decided to just give this a go and try to 
get something useful going.
My approach is one where I talk directly to the Admin-API (at least when 
running in dom0) from this code which happens to have been written using Qt 
in C++, the code will be GPL licensed.

The GUI is showing some usefulness already, the ‘start’, ‘pause’ and ‘stop’ 
buttons are functional.

I just wanted to show some progress, hope you like it.



Re: [qubes-users] Fedora 26 VLC/mplayer fullscreen problem

2017-12-19 Thread 'Tom Zander' via qubes-users
On Sunday, 17 December 2017 19:59:36 CET donoban wrote:
> Any idea?

If you hit the ‘f’ key to go full screen, or use the application menu, then 
you end up doing this using the application in the Qube.
Try to do it using the menu on the titlebar, which makes the 
trusted-window-manager be the one to instruct the full-screen option.

That tends to work better.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub



Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-19 Thread 'Tom Zander' via qubes-users
On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
> I am still a bit stuck concerning the Qubes Update Proxy. Where would I
> set the environment variables for my corporate proxy so that I could
> update dom0, templates and VMs?

You should add sys-net to your template VM if you want that since the proxy 
that is in place today is to avoid your template VM from accessing the 
intranet or internet outside of your own machine.

Then google on where the template operating system (Fedora or Debian etc) 
sets proxies for doing the command-line update, the configuration is the same 
as Fedora or Debian etc.
I don’t know fedora at all,
in archlinux you’ll have a file in /etc/pacman/ which sets the current proxy, 
in debian you’ll likely have one in /etc/apt/

grep -R -i  PROXY /etc/*

may be useful too.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub



Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-19 Thread 'Tom Zander' via qubes-users
On Tuesday, 19 December 2017 16:33:49 CET Unman wrote:
> Tom
> 
> Ive suggested before that if you give this advice you should
> clearly state the consequences.

Ok, no worries. Here you go:

The consequence is that the template, which has no personal or identifying 
information, can be used to run apps that make outbound connections. Don’t 
worry! No inbound connections are possible.

In short;
* There is no possibility of loss of private data (since there is none).
* There is no possibility of a remote hacking attack (b/c no 
listening services).
* There is no possibility of a hacker installing bad software in 
your template (only you can do that).

Bottom line is that there is no additional risk when a user uses a corporate 
firewall and a http proxy to allow him to download updates.

Unman, being paranoid is fine, but making users unable to update their system 
unless they do it the very complicated way you approve of will not help 
security.
We are dealing with people, let’s keep that in mind.
Specifically, the result of being too strict on this is that they will end up 
either not updating (and missing security updates) or maybe just giving up 
and using the simple route of throwing security out the window and just 
getting the job done.

Perfection is the enemy of good enough.


And since I’m being nasty today, let’s focus on another illusion in this 
email. You wrote;
> sys-net will not enforce a firewall 

Basically true, sys-net indeed bypasses sys-firewall.
But you are mistaken if you think that sys-firewall adds security.
Sys-firewall adds the _option_ of allowing you to _manually_ add security.
IF you have the know-how on how to do so. Which most people don’t. 
sys-firewall allows you to block remote hosts by IP-address, manually. And 
optionally.

Making people believe that having sys-firewall makes them more secure is 
selling an illusion of security, which is really bad for actual security 
because it follows that people will believe they are magically secured.
In reality the configuration of the firewall is a highly specialized and low-
level task that most people without sys-admin-training will simply not do.

Security is not about following a rulebook, it is about people first and 
foremost. Let’s not lose focus of that, please.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes GUI for v4

2017-12-20 Thread 'Tom Zander' via qubes-users
On Wednesday, 20 December 2017 08:25:44 CET Matteo wrote:
> but before you code it you should talk to joanna to be sure it will be
> accepted and used.

I sent an email to the dev mailinglist at the same time I sent one here (no 
reply so far) so at minimum she knows about it.

But I have to say that I’m programming this for myself and for people that 
have indicated they want a similar solution.
It would be nice if it were packaged in Qubes, but I’m not depending on it.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Attempting to securely wipe drives, running into issue.

2017-12-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 19 December 2017 22:09:31 CET David wrote:
> I'm attempting to wield a command from the archlinux wiki and getting
> access denied, even with sudo in front, and even when on dom0 (against
> my better judgment). Any thoughts?

A complex series like this is best just to run as root in a shell.

First run something like;
# sudo su 
which should give you a shell that is owned by root. Type whoami to 
confirm.
Then you can copy/paste the line from the archlinux wiki to do the work.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Attempting to securely wipe drives, running into issue.

2017-12-20 Thread 'Tom Zander' via qubes-users
On Wednesday, 20 December 2017 11:59:26 CET Holger Levsen wrote:
> oh, and if you want to securly erase data, use /dev/random, not
> /dev/urandom.

This is not good advice, your /dev/random device creates true randomness, 
but it only generates a very small amount of data.
Bytes per minute.

Creating enough to write many gigabytes of data would take centuries.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] What happened to domain manager in 4?

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 06:09:32 CET Chris Laprise wrote:
>  What I want
> to say is that people that do not like to experiment with computer just
> memorize what they are told and always do the same steps just happy that
> it works.

I fully agree with that and it mirrors my observations.

Personally I blame Windows for this as that one breaks so easy, and anyone 
else that at any time tells a person they are doing something "wrong".
Being told (as a non-tech person) you are doing it wrong is literally the 
worst thing you can do to that person as they will lose their ability to 
have confidence and subsequently they will lose their will to experiment.

An OS like Qubes will lose its objective if it starts telling people they 
are doing it wrong.
Instead, make every effort to show them the right way, and allow 
experimentation.
In other words; enforce correct behaviour and warn against (but do not 
forbid) possibly bad behaviour.


Anyhow,

I learned from your post that it was possible to start apps from the old QM, 
I never knew that, I never tried! :)

Thanks for sharing that!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 06:09:32 CET Chris Laprise wrote:
> There is the question of whether someone should try porting the original
> Qt-based Qubes Manager to R4.0. I mention this since the biggest
> complaint so far is not having a _comprehensive_ UI; Updating QM for the
> new Qubes API could be the most direct path to addressing that need.
> 
> I'd like to know what people think...

I’m a big fan of Qt, but the original was written in python (using the Qt 
python bindings) which is my least favourite choice in language, and on top 
of that the original QM had many problems for the user experience.

I also know that the “state of the art” in creating user interfaces has 
moved on and the technology used in the old app is end-of-lifed for some 
years now.

All in all, you’ll get a nicer app if you ignore the code of the old one.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] VM's fail to start after fixing chock-full LVM thinpool

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 01:05:32 CET Patrick wrote:
> I found the problem!  My /var/lib/qubes/qubes.xml file was corrupted, so
> it could not be parsed correctly by qubesd. I restored a previous version
> from /var/lib/qubes/backup and now I am back in business! Thanks anyway
> for checking out my problem.  :-)

Thanks for reporting this!

This looks like a show-stopper bug to me.
The system should never be able to corrupt a critical file like that due to 
disk-full.

I reported it to the qubes devs;
https://github.com/QubesOS/qubes-issues/issues/3376

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 14:56:00 CET Chris Laprise wrote:
> > I also know that the “state of the art” in creating user interfaces has
> > moved on and the technology used in the old app is end-of-lifed for some
> > years now.
> 
> Which end-of-life technology would that be?

In Qt5 (released 19 December 2012) the qwidget module was split off onto its 
own and the APIs in that module have been frozen ever since.
This details the module; https://doc.qt.io/qt-5/qtwidgets-index.html

Newer applications using Qt are suggested to use the declarative APIs which 
have the added benefit of using the massive speedups Qt GUIs get from using 
modern hardware and new architecture.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] VM's fail to start after fixing chock-full LVM thinpool

2017-12-07 Thread 'Tom Zander' via qubes-users
On Thursday, 7 December 2017 01:53:40 CET Patrick wrote:
> However... I immediately found out VM's still did not start on my system.
> After looking in journalctl and systemctl, I found out qubesd would not
> start: "failed to start Qubes OS daemon". I attached text files of the
> error outputs from both commands for all your scrutinizing eyes. Does
> anybody got any ideas on what is going wrong?

I would hope qubesd logs somewhere else as well, as these files show nothing 
of use. Just that it failed.

Try
qvm-run -p -u root 'ls /usr/log'
and similar commands to check if there are more logs.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Can AppVMs detach or attach block devices?

2017-12-07 Thread 'Tom Zander' via qubes-users
On Thursday, 7 December 2017 09:41:37 CET qbertq...@gmail.com wrote:
> My understanding is that you attach and detach block devices from the dom0
> side, and you mount, umount, and eject from the AppVM side.
> 
> Is it possible to detach and/or attach block devices from the AppVM side,
> or is this something that only dom0 can do?

Making them available is something only dom0 can do, to make sure that a 
compromised qube can’t get itself more resources.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-07 Thread 'Tom Zander' via qubes-users
On Thursday, 7 December 2017 14:17:52 CET Franz wrote:
> > On another note what would it take ($$$) for someone to create this back
> > on 4 as an option for the community (obviously theres quite a few of us)
> > that want this to install?
> > 
> > Im not rich by any means living in one bedroom apt and work from home
> > but
> > this does help me with work and would donate towards getting this done.
> 
> that is an interesting approach, developers can make programs, but
> non-developers can pay for others to do it. I offer $5000.

Hi guys,

I've investigated the possibilities today about how this can be done from a 
purely technical point of view.

It seems possible, and to test this I am writing a very simple app that 
retrieves the current Qubes and their status from the central qubes system.
Just as a proof-of-concept.

Looks promising so far!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Where is ability to backup and restore backups on 4?

2017-12-07 Thread 'Tom Zander' via qubes-users
On Thursday, 7 December 2017 17:38:15 CET Jean-Philippe Ouellet wrote:
> Remember that the "R4" you're speaking of is still just a release
> candidate - it is *not* finished!

To most people the concept of a "release candidate" is that the software 
released is possibly the final version, if there don't appear to be any 
show-stoppers.

As such, the Qubes devs consider it feature complete. Otherwise it would 
have been marked as beta.
So we have to conclude that missing features (like not having a UI for 
backups) is not planned for 4.0, maybe for 4.1.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 11:31:22 GMT Connor Page wrote:
> templates establish a connection to a proxy running in some netvm defined
> in dom0 over a vchan.

Would you be able to repeat that in English ? :-)




[qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-11 Thread 'Tom Zander' via qubes-users
Lots of things changed in Qubes4, and I think I am finding out things lots of 
others will need to find out at one point too.
So for them, as well as for my own memory, I'll write some howto emails.


The task;

as I run Qubes on a machine with a relatively small SSD and large spinning 
disk, I want to make my homedir (/home/user) be completely stored on the 
spinning disk.
I have two main Qubes which require storage. A Private and a Work qube.
Each gets one partition on my 2TB drive.
I assume you already partitioned and did everything you need with the drive, 
it should be available to dom0.

1) Create and start a Qube "Work".
2) open a terminal in the Work qube.
3) do an ls /dev/xv*

4) Start a terminal for dom0;
5) run in dom0 in a terminal;
  a) qvm-block
     this shows a listing of drives with their names. Mine is; "dom0:sdb1"
  b) qvm-block a --persistent -- Work dom0:sdb1

The 'persistent' part here is a new 4.0 feature, seems undocumented but it 
means you only ever have to do the add once. Further reboots and restarts of 
the Qube will automatically re-attach the drive.

6) in the terminal for Work, rerun the ls from step 3 and check which device 
was added. Possibly "xvdi"
7) edit (as root) the file /rw/config/rc.local and add this line;
  mount /dev/xvdi /rw/home/user/
Using the device you found in 6 instead of xvdi should it be different.

8) make the /rw/config/rc.local file executable.
You can do this by running;
   sudo chmod 755 /rw/config/rc.local

9) Now shutdown and restart the Work qube and start a new terminal
10) (optionally) in the terminal type;
chown user.user /home/user

All done!

known issue; it looks like the rc.local isn't always finished executing when 
the first app is started. This looks like a bug to me.
So if your first app is firefox, for instance, you won't get your personal 
settings (plugins/bookmarks) until you start it the second time :-(
My suggestion; make this qube autostart on login.

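A more defensive form of the rc.local line from step 7 of the HOWTO above, as an added example that is not part of the original post: it waits for the attached device, leaves an existing mount alone, and mounts with nosuid,nodev. The device /dev/xvdi and the mount point /rw/home/user come from the HOWTO; the helper names, the 10-try wait and the mount options are assumptions of this example.

```shell
#!/bin/sh
# Added example for /rw/config/rc.local in the "Work" qube (not from the HOWTO).
# Assumed values, all overridable from the environment:
HOME_DEV="${HOME_DEV:-/dev/xvdi}"           # device found in step 6
HOME_DIR="${HOME_DIR:-/rw/home/user}"       # mount point used in step 7
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"  # where current mounts are listed
MOUNT_CMD="${MOUNT_CMD:-mount}"             # replaceable for dry runs
WAIT_TRIES="${WAIT_TRIES:-10}"              # one try per second

# is_mounted DIR: succeed if DIR appears as a mount point in $MOUNTS_FILE.
is_mounted() {
    awk -v dir="$1" '$2 == dir { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# wait_for_device DEV TRIES: poll until DEV exists as a block device.
# A persistently attached device may show up slightly after the qube boots.
wait_for_device() {
    tries="$2"
    while [ "$tries" -gt 0 ]; do
        [ -b "$1" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# mount_home: mount $HOME_DEV on $HOME_DIR unless something is already there.
# nosuid,nodev: a data-only home volume has no need for setuid binaries or
# device nodes, so the filesystem is not allowed to supply them.
mount_home() {
    if is_mounted "$HOME_DIR"; then
        echo "rc.local: $HOME_DIR is already a mount point, nothing to do" >&2
        return 0
    fi
    if ! wait_for_device "$HOME_DEV" "$WAIT_TRIES"; then
        echo "rc.local: $HOME_DEV did not appear, leaving $HOME_DIR untouched" >&2
        return 1
    fi
    $MOUNT_CMD -o nosuid,nodev "$HOME_DEV" "$HOME_DIR"
}

# Only act when this file is actually installed and run as rc.local.
case "$0" in
    *rc.local) mount_home ;;
esac
```

If the device is missing the script leaves the qube's normal home directory in place instead of failing silently, which makes the "settings missing on first start" symptom easier to tell apart from a drive that was never attached.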


Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> This is a case where "making stuff work a lot nicer" isn't necessarily a
> good idea.

The "lot nicer" is that it is quite a bit faster and error handling is much 
better.

>  I don't think you should advise against this without explaining the risks.

Can you perhaps explain what you think those risks are?

To me it boils down to; don't run any software except for "software upgrades" 
in your template.

I'm wondering if this is a "protect the user from himself" or something real.



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 15:10:17 GMT Connor Page wrote:
> I hope you do understand that there is no encryption in what you propose.

That's why I wrote;
> I assume you already partitioned and did everything you need with the
> drive, it should be available to dom0.

I cowardly leave the full-disk encryption details to be done by people before 
they start the howto :-)



Re: [qubes-users] What happened to domain manager in 4?

2017-12-06 Thread 'Tom Zander' via qubes-users
On Wednesday, 6 December 2017 16:08:28 CET Unman wrote:
> "useful, but wasnt any good" - do you mean buggy or poorly designed?
> What 2 features should be implemented/fixed?
> 
> I confess I rarely use the Manager, so don't have a feel for what's wrong
> with it.

To be clear, the main reason the old one is removed seems to be that it 
would have had to be reimplemented due to the architecture changes in 4.0

This is relevant to know because that means nobody actively thought
"It is not good enough, let's remove it".
The removal then, in my own opinion, means we have an opportunity to do 
better.


To support the point of view of "useful but wasn't any good", let me explain 
what I think such a tool should behave like.

The first issue with the old tool, and also with some of the new tools, is 
that you already have to know how things work in order to be able to use it.
For instance the terminology 'appvm', 'templatevm' etc are completely not 
explained anywhere. You have to go to a website to learn what they mean.

A clear success story of Qubes is its networking, abstracting the netVm is 
done to add security without having any significant impact on usability.
Practically speaking, normal users can ignore the whole networking setup as 
it "just works".

This is the level of support that we want. And most tools are nowhere near 
that just yet.

Some examples of things that in 3.2 as well as in 4.0 are clearly in need of 
a lot of love are;

* Which VMs are in which state. If you start something and the netvm/
firewall VM are auto-started, this is not at all clear to the user. If 
something fails, it gets even worse.

* Network communication between Qubes. Routing via the firewallVM.

* Port forwarding. FirewallVM again.

* Media-management. Hard drives etc. It just barely works today.

* Graphical configuration of multiple qubes. Even in 3.2 not being able to 
open more than one config dialog at a time was silly.


This is just a short list based on my experiments over the last month or so. 
I'm sure others can add wishlist items.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-06 Thread 'Tom Zander' via qubes-users
On Wednesday, 6 December 2017 17:34:24 CET Elias Mårtenson wrote:
> I had a script that updated the templatevms and it was written in Python,
> taking advantage of the API. This script stopped working in 4.0. I rewrote
> it to use the commandline tools instead.
> 
> Perhaps a new UI could also be based on those tools. Without a need to use
> Python, such UI could be implemented in any language. That would be an
> interesting project.

I was pondering between two options;
a) hope that the python APIs are just thin wrappers that send the actual 
commands to the daemon process via a unix socket and instead write code that 
uses the protocol on the socket in a language of choice.

b) generate a python script for certain calls and then call them in order 
to call the APIs.

the first would be beneficial as that allows us to receive notifications 
from the daemon (like a new VM starting).

My language of choice is Qt/C++ with QML for the GUI.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-06 Thread 'Tom Zander' via qubes-users
On Wednesday, 6 December 2017 08:14:44 CET taii...@gmx.com wrote:
> On 12/04/2017 06:34 PM, r...@tuta.io wrote:
> > Just read it. Thats fucking stupid.
> 
> Sure is, I am tired of the linux greybeard obsession with the CLI - it
> is not always the best choice.
> 
> When it comes to management of many virtual machines a GUI is a must to
> speed tasks and avoid 3AM critical mistakes.

The creation of GUIs doesn’t have to be done by the Qubes team, in my 
opinion.

I would even argue that the skills required to make fine UX apps are 
significantly different and we’ll likely get better interaction from people 
that are further away from the core development.

I took a look at this myself and got disengaged when I realized that the 
core team does all of its APIs in python. Which means that the only way to 
ask the qubes-daemon something is to either write in python, or emulate the 
way that python talks to it.

This does not make it impossible just significantly harder to write good GUIs 
for Qubes.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-06 Thread 'Tom Zander' via qubes-users
On Wednesday, 6 December 2017 19:28:54 CET Unman wrote:
> > the main reason the old one is removed seems to be that it
> > would have had to be reimplemented due to the architecture changes in
> > 4.0

> Tom, this is simply not true.
> If you look at issue #2132

That issue actually supports the point, to quote.
> the next-gen manager for Qubes 4.0 (which we need to rewrite anyway
> because of the changes in the core-ng)

But your reply is unnecessarily confrontational, it really doesn't matter 
what the core devs decide on the GUI front as they also state they have an 
open API.

As it turns out people are interested in a different GUI experience than the 
one outlined in the quoted issue.

It is good to realize that a better GUI will allow a more secure usage.

> > * Media-management. Hard drives etc. It just barely works today.
> 
> Not my experience. There are occasional issues, but generally this seems
> to work well

If you use a larger amount of features, stuff starts to fall apart fast, 
though.
For instance I added a second drive, attached it to a VM. Noticed that the 
only thing that happened was the appearance of a strangely named file in 
/dev/
As far as I can tell you need to somehow guess which file to use in /dev and 
then type a 'mount' command to actually access it. That requires CLI 
interaction...

And that's just the most simple usecase I can come up with.

> BUT basic users generally want little more than to load
> data from USBs/phones and to backup to disk

How do you rate usecases like having your homedir (private partition) on a 
second drive on a desktop computer?
Extremely common setup on desktops when you end up having many gigabytes 
in your homedir. A multi-TB spinning disk costs a fraction of an ssd.

How about the usecase of auto-attaching and auto-mounting several drives on 
a specific VM startup, every time it starts.
For instance a read-only (aka CDRom or Loopback) mountpoint in your homedir 
of firefox settings shared between some of the VMs.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-06 Thread 'Tom Zander' via qubes-users
On Wednesday, 6 December 2017 13:02:43 CET Franz wrote:
> Sorry for the obviously stupid question, but why is it harder to write it
> in python rather than something else?

Not at all, it's a good question.

It is harder to *have* to write it in python instead of any language any 
developer may be actually good at.

It limits the pool of available developers, available toolkits/libraries and 
other such resources quite dramatically.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] How to create DVM Templates in Qubes OS 4?

2017-12-10 Thread 'Tom Zander' via qubes-users
On Sunday, 10 December 2017 07:09:35 CET qbertq...@gmail.com wrote:
> What I don't understand

Just want to point out that the 4.0 support for dispVMs is extremely basic 
and honestly quite broken.
The concept works, most of the tools don't or are just shitty.

Happy to hear you made it work :)
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-12 Thread 'Tom Zander' via qubes-users
On Tuesday, 12 December 2017 16:18:25 CET Connor Page wrote:
> so in short, first create a qubes storage pool
> qvm-pool --add

In the spirit of a “howto”, can you fill in the actual values to allow one to 
add a second drive as the ‘private’ (home) partition *only* of a Qube?
 
> if you go for a thin pool, create it first and use volume group and thin
> pool names as options for qvm-pool.

As the storage pools doc is missing readability, I have to say I have no 
clue what a “thin pool” is.
What a “volume group” is.

Last, how does one create a btrfs filesystem on their “home” drive when using 
this pool concept?
 
> P.S. I’m not sure lvm backend operates properly. File-based backend can
> also be used instead. Just mount the secondary drive in dom0 and use the
> old trusty file driver if worried.

Using a file is going to cause lots of fragmentation and adds an unneeded 
layer that will just be able to introduce issues.
What is the benefit of using pools?

Doing a backup of a 1TB homedir can be done without the backup tool too ;)
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: USB Keyboard thoughts...

2017-12-12 Thread 'Tom Zander' via qubes-users
On Tuesday, 12 December 2017 16:24:16 CET cooloutac wrote:
> well I'm no expert but with ps/2 keyboard it will be the only thing
> attached,  unlike usb which can have multiple devices on same controller,
> spoofed as other devices.  Is there a better option?

The attack modes are two very different ones.

Taiidan is thinking about someone coming in, installing a snooping device 
and waiting for you to type something critical.

In contrast, your ps2 solution is one which protects against people at any 
time entering your OS through compromised (usb) hardware.

Either by giving you a pen, or entering the pen themselves.
It seems that if you drop usb pens in the parking lot of a mall or company, 
you have a very very high chance some unsuspecting person will insert it in 
their machine.

With the amount of bad USB drivers in the linux tree (not to mention in 
Windows) this is a worrying attack allowing the machine to be rooted without 
the attacker even being physically present.

sys-usb limits this attack.

> USB to ps/2 adapter works,  i apologize if it is a too simple and
> practical cheap solution.   If you are oldschool you probably have some
> laying around the house.

I think that's a great solution for the more common attack.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] How to create DVM Templates in Qubes OS 4?

2017-12-09 Thread 'Tom Zander' via qubes-users
On Saturday, 9 December 2017 23:03:38 CET qbertq...@gmail.com wrote:
> In Qubes OS 3, the documented way of creating DVM Templates is to use
> qvm-create-default-dvm (see
> https://www.qubes-os.org/doc/dispvm-customization/)
> 
> qvm-create-default-dvm was removed in Qubes OS 4, so what's the new way to
> create DVM Templates (https://www.qubes-os.org/doc/glossary/)?
> 
> I would like to install something in a TemplateVM, configure it in a DVM
> Template, and run it in a disposable VM.


The documentation is outdated, there is an article that explains the 4.0 
way;
https://blog.invisiblethings.org/2017/10/03/core3.html
See heading; "Disposable VMs redesigned"

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Weak connection. Cannot reinstall borked template, download will not resume.

2017-12-27 Thread 'Tom Zander' via qubes-users
On Wednesday, 27 December 2017 03:02:57 CET dangmad...@gmail.com wrote:
> Opted to reinstall template, but I cannot download it without my
> connection dropping, and thus timing me out. dnf does not resume the
> download, despite it claiming to be saving the download to cache.
> 
> I have put keepcache=true in dnf.conf, with no results.
> 
> 
> cannot wget from dom0. Should I wget from some other VM?

You should definitely be able to install a template you downloaded and copied 
via whatever means into dom0.

Please be aware that download-resumes are a feature on the server as much as 
on the client. 
Your wget should be able to tell you if a resume is possible serverside by 
just testing it (ctrl-c it after 100KB, and use the --continue flag on second 
try).

I've seen the qubes builder create a script that installs an rpm directly 
from local file, hence I know it is possible. Just don't know how.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: Mozilla (was: Re: [qubes-users] Password security/disposable vm security)

2017-12-27 Thread 'Tom Zander' via qubes-users
On Wednesday, 27 December 2017 00:34:38 CET Leo Gaspard wrote:
> > I'm more concerned that they tried then how they failed.
> > It leaves a bad taste in my mouth.

> tl;dr: please do google for “looking glass” and “mozilla”

It's good we agree on all the technical details, and I agree intent is tricky 
to guess about.

I definitely will not advise people either way, my opinion is irrelevant and 
browsers are not my specialty.

The situation left a bad taste in my mouth, I had to conclude that their 
priorities are not aligned with mine. Your mileage may vary.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: new Desktop build recommendation

2017-12-29 Thread 'Tom Zander' via qubes-users
On Friday, 29 December 2017 19:23:01 CET taii...@gmx.com wrote:
>  I am sure the massive
> markup over parts cost is worth it for a "tested working properly"
> system right?

Yes. Yes it is.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] dns in qubes

2018-01-05 Thread 'Tom Zander' via qubes-users
On Friday, 5 January 2018 15:37:37 GMT Unman wrote:
> Look at the nat table in the upstream netvm.
> You'll see that sys-net NATs these requests to the NS used by sys-net.

Ah, that hint was enough, I didn't expect NAT, thanks!

Got it working now.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager

2018-01-05 Thread 'Tom Zander' via qubes-users
On Friday, 5 January 2018 23:43:58 GMT Zrubi wrote:
> > I'll attach two screenshots of the tool, to give you a bit of an
> > idea of what it already does and maybe if it's worth your time to
> > compile 
> 
> Probably this is very subjective, but:
> For me, the most important parts/feature of the current Qubes Manager
> are (in order of importance):
> 
> - Full overview of the state of the VMs in ONE screen, without clicking.
> The new widget is failing on this badly, just as your proposal.

My aim has so far been to show which VMs are there, which type they are and 
if they are running. This is visible in one go. Including even which VM has 
a high CPU usage.
I'm not happy yet with the way that the netVM is visualized, as you say it 
costs clicks on each VM.

> - Changing the NetVM of a given VM.

Great idea!
 
> - Starting programs from a given VM.

Fully agreed, this is what I added last week. I'm using it all the time. 
Much more convenient than the start menu.

> - start/stop VMs

Present :)
 
> - attaching/detaching devices.

Yes, definitely.

> - reading VM logs.

Good to know.

> Probably these are only my personal preferences. Hence I have no time
> to write a new manager for the Qubes 4.x I just shared my use case.
> Feel free to ignore them if you don't like 'em 

They are excellent ideas, thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] hey, Please confirm we cannot install Qubes 4.0 on DVD, and the minimum on flash drive to install

2018-01-06 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 17:42:00 GMT russlyatos...@gmail.com wrote:
>  hey,  Please confirm we cannot install Qubes 4.0 on DVD, and the minimum
> on flash drive to install Qubes 4.0 we must have 32GB?  thanks

Not sure if this is helpful; the minimum size harddrive I've installed Qubes 
on was 21GiB.
But you have to skip the debian and the whonix templates and I turned off 
swap.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Q4.0 rc3 (current testing) - power off/ suspend issues.

2018-01-06 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 10:56:13 GMT haaber wrote:
> 2) Reboots hang systematically at "Reached target shutdown" and has to
> be rebooted via a coldboot.

I've been seeing this too, although sometimes it goes on after half a minute 
only to hang at some other point (after loads of messages).

I noticed that if I manually shut down all qubes, INCLUDING, sys-net, before 
logging out then this problem is avoided.

Next time you reboot, can you try that and let us know if this isn't just 
me?
That may help with debugging.

Cheers!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] pools, how to use

2017-12-23 Thread 'Tom Zander' via qubes-users
Hi,

I've set up a new qubes install and created two LVM volume groups. I wanted to 
try and see how this works with qubes and I tried out the pools concept.

The problem is that I think I did everything according to the docs, but the 
qvm-create command gives me an error message.

Can someone find out what I did wrong?


sudo vgs -a
  VG         #PV #LV #SN Attr   VSize   VFree
  Slow         1   1   0 wz--n- 391.51g 391.01g
  qubes_dom0   1   2   0 wz--n-  59.33g  37.33g
sudo lvcreate -L 37g -n systems qubes_dom0
sudo lvcreate -L 390.5g -n data Slow
sudo lvs
  LV      VG         Attr   LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  data    Slow       -wi-a- 390.50g
  adminvm qubes_dom0 -wi-ao  22.00g
  systems qubes_dom0 -wi-a-  37.00g

qvm-pool -a qubes_ssd lvm_thin -o volume_group=qubes_dom0,thin_pool=systems,revisions_to_keep=0
qvm-pool -a data lvm_thin -o volume_group=Slow,thin_pool=data,revisions_to_keep=0

qvm-create -P qubes_ssd --template fedora-25 -l green --class AppVM test
app: Error creating VM: b'  Logical volume qubes_dom0/systems is not a thin pool.\n'


Any help appreciated!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] pools, how to use

2017-12-24 Thread 'Tom Zander' via qubes-users
On Sunday, 24 December 2017 02:09:54 CET Marek Marczykowski-Górecki wrote:
> > sudo lvcreate -L 390.5g -n data Slow
> 
> You need to create those as thin pools, not standard volumes. For
> example this way:
> lvcreate -L 37g --thinpool systems qubes_dom0

Thanks, that fixed it :-)

It took some more puzzling and I now have some VMs on LVM pools instead of 
everything as huge files in my dom0 filesystem.

Great success.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
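
Added example (not part of the original thread and not Qubes project code): a dom0 pre-flight check for the failure in this thread, where the LV named in thin_pool= was a standard volume. It reads an lvs report and accepts the qvm-pool option string only if that LV has type 't' (thin pool) in lv_attr; the function names and both sample reports are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight for: qvm-pool -a NAME lvm_thin -o volume_group=VG,thin_pool=LV,...
# Added illustration; function names and sample reports are constructed.
# On a real dom0 the report would come from:
#   sudo lvs --noheadings -o vg_name,lv_name,lv_attr

# Constructed report mirroring the thread: LVs made with plain `lvcreate -n`.
LVS_BEFORE='  Slow       data    -wi-a-----
  qubes_dom0 adminvm -wi-ao----
  qubes_dom0 systems -wi-a-----'

# Constructed report after recreating them with `lvcreate --thinpool`.
LVS_AFTER='  Slow       data    twi-a-tz--
  qubes_dom0 adminvm -wi-ao----
  qubes_dom0 systems twi-a-tz--'

# Option string exactly as passed to qvm-pool in the thread.
OPTS='volume_group=qubes_dom0,thin_pool=systems,revisions_to_keep=0'

# lv_type VG LV: classify one LV from an lvs report on stdin.
# The first character of lv_attr is the volume type:
#   t = thin pool, V = thin volume, - = standard linear volume.
lv_type() {
    awk -v vg="$1" -v lv="$2" '
        $1 == vg && $2 == lv {
            c = substr($3, 1, 1)
            if (c == "t")      print "thin-pool"
            else if (c == "V") print "thin-volume"
            else if (c == "-") print "standard"
            else               print "other"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# opt_value KEY OPTS: pull one value out of a key=value,key=value string.
opt_value() {
    printf '%s\n' "$2" | tr ',' '\n' |
        awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# preflight OPTS: lvs report on stdin. Returns 0 only when the LV named by
# thin_pool= exists in volume_group= and really is a thin pool.
preflight() {
    vg=$(opt_value volume_group "$1")
    tp=$(opt_value thin_pool "$1")
    if [ -z "$vg" ] || [ -z "$tp" ]; then
        echo "options must set volume_group= and thin_pool=" >&2
        return 2
    fi
    kind=$(lv_type "$vg" "$tp")
    case $kind in
        thin-pool)
            return 0 ;;
        missing)
            echo "$vg/$tp does not exist" >&2
            return 1 ;;
        *)
            echo "$vg/$tp is a $kind volume, not a thin pool;" \
                 "recreate it with: lvcreate -L SIZE --thinpool $tp $vg" >&2
            return 1 ;;
    esac
}

# Demo on the two constructed reports.
if printf '%s\n' "$LVS_BEFORE" | preflight "$OPTS"; then
    echo "before: safe to run qvm-pool"
else
    echo "before: qvm-create would fail on this pool"
fi
if printf '%s\n' "$LVS_AFTER" | preflight "$OPTS"; then
    echo "after: safe to run qvm-pool"
else
    echo "after: qvm-create would fail on this pool"
fi
```
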



Re: [qubes-users] qubes app menu keeps old templatevm entries.

2018-01-07 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 23:19:54 GMT pixel fairy wrote:
> The app menu, top left, keeps entries for old template VMs. is there a way
> to get rid of them?

You find the data backing this in
$HOME/.local/share/qubes-appmenus/

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: qubes 4 qvm-trim not exist

2018-01-07 Thread 'Tom Zander' via qubes-users
On Sunday, 7 January 2018 19:40:27 GMT Yuraeitha wrote:
> But there are still some
> issues, i.e. no visual interface to show your overall disk space usage
> (the other month, you had to pull and combine several commands to make it
> show accurately). I'm not sure if this disk space usage reporting issue
> has been fixed today though.

* https://github.com/QubesOS/qubes-issues/issues/1872
(open) Implement UI Notifications for cases of a Qube disk full 

* https://github.com/QubesOS/qubes-issues/issues/1053
(open) Improve usability of VM disk space / increasing disk size

* https://github.com/QubesOS/qubes-issues/issues/3438
(open) Qubes storage pools of type LVM issues

This one is closed, but as I point out in the collection of issues (3438) 
this is not yet fixed;
https://github.com/QubesOS/qubes-issues/issues/2016
(closed) Create dom0 API to detect global disk space available

And, yeah, it also still needs a user-interface.


The simplest way to get the space usage if you are using an LVM based pool 
(which requires completely manual setup at the moment) is
  sudo lvs
and you can read under the column "Data%" how much actual usage you reached.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] how to get the update proxy working again

2018-01-07 Thread 'Tom Zander' via qubes-users
I needed space on my dom0 (Q4) drive, so I ended up using qvm-clone to copy 
my fedora25 template, my sys-net & sys-firewall to a different pool.
I naturally also copied the setup from the config dialog.

Everything seemed to work for a while, so I removed the sys-net /firewall 
originals.

Now I have a problem, updates in templates no longer work. The magic proxy 
fails me and I can't figure out how that thing actually was designed in order 
to make it work again.

My first thinking was to assign the original IP addresses to the cloned VMs, 
but qvm-prefs refuses to overwrite the qid property. :-(

The docs on the website talk about a service "qubes-yum-proxy"; I can't find 
that one, though. I guess it's a 3.2 property.

Anyone here able to explain how this proxy works? Would make a nice doc on 
the website too!
I'd love some suggestions on how to fix this...

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: how to get the update proxy working again

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 06:53:46 GMT khmartin...@gmail.com wrote:
> Is your new net vm different than "sys-net"? This caused me problems too.
> One solution is to rename the new net vm to "sys-net" or you can edit
> this file in dom0:
> 
> /etc/qubes-rpc/policy/qubes.UpdatesProxy
> 
> In that file there is a line that says target=sys-net.
> I changed it to the same name as my net vm.

That did the trick!
Thanks, I would never have found that...
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
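
Added example (not part of the original thread and not Qubes project code): a check for the failure fixed above, where the policy file still names a target= qube that was removed after cloning. The policy text, the qube names and the function names are constructed for illustration; the rule layout (source, destination, action with a target= parameter) is assumed from the description quoted in this reply.

```shell
#!/bin/sh
# Find target= values in a qrexec policy file that no longer match any qube.
# Added illustration; sample policy, qube names and function names are
# constructed. On a real dom0 the inputs would be:
#   policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy
#   qubes:  qvm-ls --raw-list

# Constructed sample policy: the rule still points at the removed sys-net.
SAMPLE_POLICY='## constructed sample of qubes.UpdatesProxy
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny'

# Constructed qube list after the clone-and-remove described in the thread.
SAMPLE_QUBES='fedora-25-clone sys-net-clone sys-firewall-clone work'

# policy_targets: policy text on stdin, prints each distinct target= value.
policy_targets() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            # the action and its parameters start at field 3
            for (f = 3; f <= NF; f++) {
                n = split($f, parts, ",")
                for (i = 1; i <= n; i++)
                    if (parts[i] ~ /^target=/)
                        print substr(parts[i], 8)
            }
        }' | sort -u
}

# dangling_targets "QUBE QUBE ...": policy text on stdin, prints every
# target that is not in the given space-separated list of existing qubes.
dangling_targets() {
    known=" $1 "
    policy_targets | while IFS= read -r t; do
        case $t in
            '$'*) continue ;;              # keyword such as $dispvm, not a name
        esac
        case $known in
            *" $t "*) ;;                   # target exists
            *) printf '%s\n' "$t" ;;       # target was renamed or removed
        esac
    done
}

# Demo on the constructed sample.
missing=$(printf '%s\n' "$SAMPLE_POLICY" | dangling_targets "$SAMPLE_QUBES")
if [ -n "$missing" ]; then
    echo "policy targets with no matching qube: $missing"
else
    echo "all policy targets exist"
fi
```
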




[qubes-users] memory management in dom0 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
I understand that there is a memory-manager to balance the memory between VM 
spaces.
Does anyone know if dom0 is being managed this way?

Currently there is 4GB assigned to dom0, of which 1.3 GB is in use.
At the same time I have chromium getting out-of-memory errors in an AppVM.
I'd like to actually use that 2½GB that dom0 now claims but doesn't use, 
anyone got ideas how?

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Upgrading directly from Fedora 23 to 26 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 06:39:02 GMT brutellealexan...@gmail.com wrote:
> I don't seem to be able to download the 26 template either... It says all
> mirrors have been used and it fails.

This is definitely the direction you want to go, download the template from 
dom0 using
sudo qubes-dom0-update qubes-template-fedora-26

after it installed the new template, you should start a terminal in it and 
run the following inside of that template;
  sudo yum upgrade --best --allowerasing


more info;
https://www.qubes-os.org/news/2018/01/06/fedora-26-upgrade/

If that fails, please specify what you did and how it failed, this avoids 
guessing on our side :)

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 03:42:11 GMT Andrew David Wong wrote:
> On 2018-01-10 12:53, 'Tom Zander' via qubes-users wrote:

> > I poked the Qubes guys about providing a separate dir on the website to
> > make it clear what is 3.x and what is 4.x specific, but they stated we
> > should instead put notices about exceptions in the document pages.
> 
> That's not exactly right. Please see:
..
> 
> In other words, do not just add notices in the text about exceptions.
> Instead, make clearly-labeled sections for 3.x and 4.x so that users
> can easily find the right information no matter which version of Qubes
> they're using.
> 
> > So I guess things like ProxyVMs should be mentioned to be old and AppVM
> > is the new.

Ok, I am having a problem seeing your solution and my explanation of it as any 
different, in practice.
Maybe I'm missing the obvious, I'm just not seeing it.

In this specific case of the VPN page. https://www.qubes-os.org/doc/vpn/
* in v.4 there is no "NetVM".
* There is no "ProxyVM"
* The create qubes screenshot is considerably different.
* adding 'meminfo-writer' and 'network-manager' are not needed (AFAIK).
* does not use iptables anymore.

Ok, going to stop now.  I got to half the page and some 80% of the text and 
screenshots are wrong for v4.

How would you solve that in line with the QubesOS policy?
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: memory management in dom0 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 14:07:57 GMT Vít Šesták wrote:
> For your case, I have few questions:
> 
> * What's dom0 swap usage? Qmemman includes this amount in memory
> requirements. 

My dom0 has no swap, I didn't disable it, it just never had any.
I guess that's because in the installer I didn't assign any swap partition.

> * Where does your “1.3 GB is in use” claim come from?

Top :)
The "in use" is what top claims. Add the "buff/cache" amount (1MB) to it and 
the "free" amount (1.6MB) and I do get to the total reported in both top and 
xentop.

> * How much of memory does the AppVM use? 

I looked at it at the time I got repeated crashes, it had some 800MB 
assigned to it.

> What is the memory limit for the
> AppVM? See VM settings » Advanced » Initial memory.
The settings are 1GB initial and 4GB max.

I "solved" it by closing some VMs and my chromium got more space assigned.

-

The qmemman has some more room for growth.
For instance I have one "Work" VM where I compile C++ code. I assigned it 
16GB of memory and then qmemman came and only gave me 2GB.
I start a compile (8 cores times 0.6GB of mem used) and maybe 10 seconds 
later I get out-of-memory issues.
To my annoyance xentop shows me that there is still >10 GB free, 
unallocated. For some reason it just doesn't seem to allow growth of memory 
fast enough, regardless of my settings.
I "solved" that by turning off memory management for that VM and just 
setting it to 12GB always :(

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Tweak Tool not working as expected after upgrade to Fedora 26

2018-01-04 Thread 'Tom Zander' via qubes-users
On Thursday, 4 January 2018 02:11:16 GMT Mark Malcom wrote:
> I downloaded fedora-26 template and after that my gnome-tweak-tool is
> completely ignored: no themes, no windows scaling anymore. Not just the
> Tweak Tool, but if I try to change the scale factor with gnomesettings,
> that is also ignored.

Let's check if it's an environment issue;

if you start a terminal on a VM.
In that terminal do an;
  export GDK_SCALE=2.3
and then start something like chromium or any gtk app.
Does that work?

If yes, then you know it's most likely a problem with environment variables 
in your VM in one way or another.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] dns in qubes

2018-01-05 Thread 'Tom Zander' via qubes-users
I'm trying to figure out how this works, and I am stuck.

In every qube (except sys-net) there is  a resolv.conf that points to two 
name servers.
10.139.1.1 and .2

This raises two questions;

* how does sys-net handle these requests on this odd address. No 'ip ad' 
network seems to listen on this address.

* how can I change this in individual qubes in the correct manner.
I have some qubes routing through sys-vpn and I adjusted the vpn VM to find 
the DNS, but users of the vpn can't find any DNS service now.

Any help appreciated.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Graphic Tablet Compatibility (basic features)

2018-01-09 Thread 'Tom Zander' via qubes-users
On Tuesday, 9 January 2018 01:54:40 GMT Fabrizio Romano Genovese wrote:
> Hello all,
> This looks like an old issue:
> https://github.com/QubesOS/qubes-issues/issues/2715
> 
> I'd be interested in using only the basic tablet features (essentially
> moving the mouse and clicking around using the tablet would be enough).
> In the issue linked above it is said that
> 
> "this in theory should be easy (a matter adding proper metadata - min/max
> - to the protocol handshake, and filtering events based on this info)"
> 
> I'd like to help with this, but I am no coder. I just know a bit of bash
> scripting and trying to check the code in
> 
> https://github.com/QubesOS/qubes-app-linux-input-proxy/blob/master/src/protocol.h#L17-L28
> 
> didn't really help. I understand that developers are quite busy with much
> more hardcore problems to solve, but if someone could at least point me
> to the right research direction I could try to investigate this by
> myself.

From;
http://linuxwacom.sourceforge.net/index_old.php/howto/theory

> Initially at least, the USB Wacom tablet is an HID compliant device, and
> when first connected to the computer, will identify itself as such.
> Unfortunately, this is not what you want because in this mode, you will
> not get any of the fancy features. The hid-core.c, mousedev.c, and
> usbmouse.c kernel drivers contain exceptions for the wacom; when the
> device is detected, they ignore the tablet.

So maybe you can use that website to find out how to configure your wacom to 
just be a HID (human interface device) and make it send those mouse clicks.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Multiple usability issues Qubes 4RC3

2018-01-09 Thread 'Tom Zander' via qubes-users
On Tuesday, 9 January 2018 08:54:02 GMT aaq via qubes-users wrote:
> Okay, so I found the documentation for bind-dirs
> (https://www.qubes-os.org/doc/bind-dirs/), but was still wondering if
> you meant binding the AppVMs /usr/bin and /usr/local/bin, or was thinking
> of something else?
> 
> I would assume I need to bind all dirs that a given application is going
> to write to (such as potentially /usr/share, /var/lib, etc).

Let me give you an example usage;

I have the binary build "keybase" app in its own AppVM.
It installs the majority of its files in /opt, as such I bind that dir. 
(restart before install!).

There are a dozen files also being copied into the /usr/ dir-structure.
I copied those files into the /rw/keybase/usr/ dir structure
and I edited /rw/config/rc.local to copy those files back onto the /usr
dir-structure at vm-boot.

This was enough for this app, your actual usage may depend on how your app 
installs itself.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
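
An added example, not part of the original message: one way the rc.local step described above could be written so that files kept under /rw/keybase/usr are put back at boot without overwriting anything the template already ships. The function name and the demo file names are constructed; the bind-dirs config path in the comment is the one used in the Qubes bind-dirs documentation.

```shell
#!/bin/sh
# /opt is made persistent with bind-dirs, e.g. in the AppVM file
# /rw/config/qubes-bind-dirs.d/50_user.conf:
#     binds+=( '/opt' )
# The function below is what /rw/config/rc.local could call for the /usr files,
# for example:  restore_tree /rw/keybase/usr /usr

# restore_tree SRC DEST
# Copy regular files from SRC into DEST, keeping their relative paths.
# The root filesystem of an AppVM comes fresh from the template at every boot,
# so a file that already exists in DEST belongs to the template: it is left
# alone and reported as a conflict if the persisted copy differs.
# Symlinks and special files in SRC are skipped (find -type f).
restore_tree() {
    src=$1; dest=$2
    ( cd "$src" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ -e "$dest/$rel" ] || [ -L "$dest/$rel" ]; then
            cmp -s "$src/$rel" "$dest/$rel" || echo "CONFLICT $rel"
        else
            mkdir -p "$dest/$(dirname "$rel")"
            cp -p "$src/$rel" "$dest/$rel" && echo "RESTORED $rel"
        fi
    done
}

# Constructed demo: $tmp/rw stands in for /rw/keybase/usr, $tmp/usr for /usr.
demo_restore() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rw/bin" "$tmp/rw/share/applications" "$tmp/usr/bin"
    echo 'app launcher'    > "$tmp/rw/bin/keybase-demo"
    echo '[Desktop Entry]' > "$tmp/rw/share/applications/keybase-demo.desktop"
    echo 'persisted copy'  > "$tmp/rw/bin/ls"     # would shadow a template file
    echo 'template copy'   > "$tmp/usr/bin/ls"
    restore_tree "$tmp/rw" "$tmp/usr"
    cat "$tmp/usr/bin/ls"                         # shows which copy survived
    rm -rf "$tmp"
}

demo_restore
```

A CONFLICT line means a file under /rw would replace something the template provides, which is worth looking at before deciding to overwrite it by hand.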




Re: [qubes-users] Multiple usability issues Qubes 4RC3

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 13:29:02 GMT 'Ahmed Al Aqtash' via qubes-users 
wrote:
>   * One I call 'trusted' which is based on debian sid (unstable) that I
> install everything I use for daily usage (firefox, libreoffice, mpv,
> emacs, other open source tools). Primarily AppVM's will be based out of
> this template.
> 
> * One I call 'untrusted' that is going to be a clone of 'trusted', and
> that I install proprietary software in, that I also use on a daily basis
> (e.g. spotify). Also AppVM's out of this, but probably only 1 to start
> with.

An alternative solution is to make your "untrusted" VM an AppVM and you 
install the software in there using bind-dirs.
Then you *only* use that VM for running that software and you likely store 
no personal data there (other than maybe your spotify credentials).

Additional bonus would be to open any webpages in disposable VMs, should you 
click on a link in any of those apps.

> * I will probably create a standalone VM based off of 'trusted' that I use
> for development. So I will install stuff like docker, golang, and all
> other
> stuff I would otherwise use for developing.

I may be wrong, but all those development tools are open source and likely 
shipped by your distro. In which case I wonder what the benefit is to putting 
them into its own VM?

In short, maybe the simplest way is to create;

* TemplateVM: debian9
* Work AppVM based on debian9
* Untrusted AppVM based on debian9, adds untrusted apps using binds
* any other AppVMs you need... All based on the same debian9 template.

> NOTE: I use zsh with oh my zsh and spacemacs. Both of which are git repos
> that are cloned to the homedir of the user (meaning they are git repos
> cloned to /etc/skel)

Using /etc/skel just causes the data to be copied to the appvm homedir on 
first start.
You end up duplicating the data anyway, maybe you can use a different way to 
copy everything between VM homedirs.
Notice that you can just do a qvm-copy [dir] which copies recursively.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Big if true: AMD reportedly allows disabling of the PSP (its Intel ME equivalent)

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 10:10:17 GMT qubestheb...@tutanota.com wrote:
> Hi.
> 
> https://www.phoronix.com/scan.php?page=news_item=AMD-PSP-Disable-Option
> It's still yet not known whether this disabling is effective and whether
> it disables the PSP in its entirety.
> 
> But if it does, then that would make the most recent AMD processors one of
> the best choices for Qubes 4.x usage.

In context;

https://www.phoronix.com/scan.php?page=news_item=AMD-PSP-2018-Vulnerability

https://www.phoronix.com/scan.php?page=news_item=Linux-Tip-Git-Disable-x86-PTI

So it's an up / down :)
* AMD is faster (no PTI)
* AMD has a remote code execution issue, at least until you can turn off PSA 
using a bios update.
* Bios updates are not much seen in the wild.

Time will tell.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] GPU?

2018-01-18 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 08:12:24 CET r...@tuta.io wrote:
> Is qubes able to use the computing power of the gpu or is the type of gpu
> installed a waste in this issue?

Relevant here is an email I wrote recently;
https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

The context is a GSoC proposal to modernize the painting 
pipeline of Qubes.

Today GL using software uses [llvmpipe] to compile and render GL inside of 
a Qube, completely in software and then push the 2d image to dom0.
This indeed wastes the GPU.


[llvmpipe]: 
https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] how to reinstall template? (i think it's not enabled by repo)

2018-01-14 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 03:07:09 GMT jerr...@disroot.org wrote:
> the template is whonix-ws
> when running command
> sudo qubes-dom0-update --action=reinstall qubes-template-package-name

This is quite broken in 4.0 and you have to be a bit clever to work around 
this; here are some tips.

Reinstall doesn't work, you should delete and install instead.
But this is still quite tricky :)

So, first you want to do a 
  sudo yum remove qubes-template-NAME
the tricky part is that the RPM also calls 'qvm-remove' and refuses to 
continue when that fails.
If you hit that case where you already deleted your VM, all you need to do 
is calling 'qvm-create' with the name it expects and just make it follow the 
standard template etc.
The goal is to have an empty VM, just to allow the qvm-remove that yum calls 
to pass.

You should be able to do a simple 'qubes-dom0-update' to install the whonix 
template after this which probably includes downloading it.

Good luck!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Moving dom0 screenshots immediately to VMs

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 12:48:27 CET wordswithn...@gmail.com wrote:
> Qubes already has built-in the capability to screenshot the entire desktop
> (Printscreen)  or the current window (Ctrl+Printscreen).

Yes, it does.

But this is not something you should use and then send to a VM because that 
VM then suddenly gets knowledge about all the other windows on screen that 
may be from another VM.

Imagine having your Vault VM window open with all your passwords and then 
you auto-upload a screenshot of that into a compromised VM which then causes 
the screenshot to be uploaded to a server.

I'm not aware of any way to avoid this data-leakage using the screenshot 
application in dom0.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] No network (HELP)

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 11:48:56 CET aaq via qubes-users wrote:
> What can I do 

Could this have something to do with the broken qmemman?

Try turning off memory-management and give the sys-net an initial amount of 
something like 800MB.

also check if xentop has anything weird in the first line with memory usage.

Good luck!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager

2018-01-20 Thread 'Tom Zander' via qubes-users
On Saturday, 20 January 2018 20:03:31 CET Davidson wrote:
> Hey, thanks again for your work, much appreciated.
> 
> Another thought just occurred to me, a collapsible tree like option. I
> have like "work" VMs (one for libre office stuff, another for email,
> another for vid confer) and for general communications (one for IRC,
> another for Signal, another for personal email) and anon stuff (crypto
> wallets, email via tor, browser, etc), the list I have is really quite
> long and I find myself sorting/re-sorting naming etc. I use tree-style
> addon in firefox which has the fantastic option to let you stack tabs
> among other things, considering that and how I have my file manager
> setup to show a tree of the folders I have it would really be quite
> handy to organize VMs into a collapsible tree.

As my list of VMs is growing, this speaks to me.
I really like this idea.

Thanks for sharing it!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] No network (HELP)

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 16:38:54 CET Marek Marczykowski-Górecki wrote:
> Specifically qmemman was broken in qubes-core-dom0 in 4.0.16 and 4.0.17.

Can confirm it works much better 4.0.18 than it ever did before :)

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: XFCE Settings menu gone

2018-01-21 Thread 'Tom Zander' via qubes-users
On Saturday, 20 January 2018 23:25:55 CET Unman wrote:
> You are probably missing the desktop files from /usr/share/applications
> You can copy the files from out of a Fedora based qube if you have one.

Ohh, smart, I didn't think about that.

I did this to get the majority of them back;
```
cd
qvm-run -p sys-net 'tar cf - /usr/share/applications' | tar xvf -
qvm-run -p sys-net 'tar cf - /usr/share/app-info/icons/fedora/' | tar xvf -
```

and then you can copy or move the files from $HOME/usr/share/
into the system dir.
I'll add the suggestion to double check they do what they are supposed to be 
doing (check the Exec line).

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
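
An added example, not part of the original message: one way to do the Exec-line check mentioned above on the files staged under $HOME/usr/share before they are moved into the system directory. The function name, the flagging rules and the sample .desktop files are constructed for illustration.

```shell
#!/bin/sh
# audit_desktop_dir DIR
# Prints "FLAG <file>: <reason>: <value>" for every Exec=/TryExec= entry that
# deserves a manual look before the file is installed system-wide.
audit_desktop_dir() {
    find "$1" -type f -name '*.desktop' | sort | while IFS= read -r file; do
        # Exec lines occur in [Desktop Entry] and in [Desktop Action ...] groups.
        sed -n 's/^\(Try\)\{0,1\}Exec[[:space:]]*=[[:space:]]*//p' "$file" |
        while IFS= read -r value; do
            cmd=${value%% *}                 # first word is the program
            cmd=${cmd#\"}; cmd=${cmd%\"}     # drop surrounding quotes, if any
            case $value in
                *';'*|*'|'*|*'&&'*|*'`'*|*'$('*)
                    echo "FLAG $file: shell metacharacters: $value"; continue ;;
            esac
            case ${cmd##*/} in
                sh|bash|dash|zsh|env|python*|perl|curl|wget)
                    echo "FLAG $file: interpreter or downloader as launcher: $value"
                    continue ;;
            esac
            case $cmd in
                */../*) echo "FLAG $file: path traversal: $value" ;;
                /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*|/usr/libexec/*) ;;
                /*)     echo "FLAG $file: program outside system directories: $value" ;;
                */*)    echo "FLAG $file: relative path: $value" ;;
            esac                             # bare names resolve through PATH
        done
    done
}

# Constructed sample tree, shaped like $HOME/usr/share/applications after the copy.
make_sample_stage() {
    stage=$(mktemp -d)
    apps="$stage/usr/share/applications"
    mkdir -p "$apps"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Settings' \
        'Exec=/usr/bin/xfce4-settings-manager' > "$apps/settings.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Editor' \
        'Exec=mousepad %F' > "$apps/editor.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Updater' \
        'Exec=sh -c "/tmp/update-helper"' > "$apps/updater.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Viewer' \
        'Exec=/home/user/.cache/viewer %U' > "$apps/viewer.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Panel' \
        'Exec=/usr/bin/panel-tool' '[Desktop Action reset]' \
        'Exec=/usr/bin/panel-tool --reset; /tmp/x' > "$apps/panel.desktop"
    echo "$stage"
}

sample=$(make_sample_stage)
audit_desktop_dir "$sample"
rm -rf "$sample"
```

On the constructed tree this flags updater.desktop, viewer.desktop and the action entry in panel.desktop; an empty result only means none of these rules matched, not that the files are safe.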




Re: [qubes-users] blanking screen with dpms off induces locking - how to disable?

2018-01-24 Thread 'Tom Zander' via qubes-users
On Monday, 22 January 2018 15:56:06 CET 'Guillaume Bertin' via qubes-users 
wrote:
> My ideal configuration for my standalone home computer would be "dpms
> after 10 minutes" and "lock after 120 minutes".

I'm not sure if this is the kind of answer you are looking for;

xscreensaver is a really really old application and there are plenty of 
better ones, some likely do have the kind of features you and awod are 
looking for.

I personally use kde which does this all.
It has a "lock automatically (x min)" separate from
"require password after locking (x seconds)"
and "dim screen", "turn off screen" etc are all separately configurable.

And, yes, on Q4 I run kde in dom0.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] template vm private.img file weighs (size) 171.8 MB, not 3 GB, can you save data?

2018-01-14 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 15:02:48 GMT jerr...@disroot.org wrote:
> can you somehow save the data? is it a corrupt file? when i put this file
> in the template folder in /var/lib/qubes, the data is not there.

'private.img' is the contents of /home and /rw

you may be looking for 'root.img' if you are talking about a template.

Not sure if this command is available on 3.2, but qvm-volume is useful too.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 18:16:04 GMT Unman wrote:
> On the VPN case your own comment confirms that it would be better to
> provide a separate section, rather than trying to put "exceptions" in to
> the existing text.

Thank you for explaining that unman, much clearer indeed.

While I agree on the general statement above, I feel it's not the best 
solution in this case where 4.0 has massive changes in all layers of the 
technology.
In many cases about half of the text will be duplicated between the 3.2 
and the 4.x sections, albeit with major changes.
This will not help the reader much.
More importantly, I fear that the new users (potential contributors) that 
have not used 3.2 will have a hard time deciding what to do with information 
that clearly doesn't represent the current state of technology.

Asking people to put a lot of effort into reformatting documentation that 
may or may not actually be useful to anyone using an older version is a big 
ask in a volunteer project.

I personally prefer the solution where a git repo is cloned for 3.2 as 
"legacy" which is then attached to the website under a subdirectory and 
people can edit that for maintenance and fixes.
  http://qubes-os.org/doc/3/ 
or somesuch.

The majority of changes would then be in the 'master' branch which people 
can edit and they can add references to the github issues concerning known 
bugs. We can mark known issues with the pages like the VPN one I described 
and people reading the docs will actually be aware of pitfalls.

In my opinion there is only one thing worse than no documentation, it is 
official looking documentation that is wrong.

> Also, that once 3.0 is retired, it will be simple to remove the 3.0
> relevant material, rather than filleting our bits from each page.

This would be even better, if qubes ever wants to they can just remove the 
subrepository.


What do others think?
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Newbie question on KDE configuration

2018-01-28 Thread 'Tom Zander' via qubes-users
On Saturday, 27 January 2018 18:14:23 CET billol...@gmail.com wrote:
> First, while KDE seems to be working well, I noticed that I can't download
> and install new themes, widgets, etc. through the KDE GUI.  It can't
> connect to the KDE server.  I'm assuming that this is because dom0
> doesn't actually have a network connection (which I think I read
> somewhere).  It's not the end of the world for me to download the stuff
> from kde.org and install it from file, but it's more convenient to use
> the gui interface.  What I need to know is if it is possible or should I
> move on and just do it by hand.

The AdminVM (dom0) indeed has no network, the reason for this is that it is 
the one completely trusted place.
I would advise against installing anything you downloaded from KDE directly, 
as that basically works around all the security you get by running qubes in 
the first place.
 
> Second, I really liked that convention in the default window manager for
> having a different color for the title bar for each domain.  That got
> lost when I moved to KDE, though the domain is still *listed* in the
> title bar.  I know how to set colors in kwin on an application by
> application basis, but I don't know how to do it on a domain basis.  Is
> there a mechanism for that in KDE?

This got readded in a recent update in the 'testing' repo, but only on the 
default window-manager decorations called Breeze.

So make sure you are up-to-date and make sure you are using Breeze.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0 Documentation

2018-01-27 Thread 'Tom Zander' via qubes-users
On Thursday, 25 January 2018 19:28:58 CET 'awokd' via qubes-users wrote:
> Resuming working my way through splitting up the documentation now that
> the 3.2 vs. 3.3 question has been mostly settled. Some general questions:

Awesome!

I was thinking about the qubes docs when I saw a wiki that had a banner for 
articles (or sections) that were known to be "disputed".

I was wondering if it might be useful to have such a concept on the doc 
pages, it may invite people to actually add their knowledge.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes 4.0 / Qubes in general

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 12:21:51 CET Tim W wrote:
> I am currently going thru all the setup script qubes build template
> options to find what templates compile correctly and what ones have bugs.
>  After that I am happy to write up a markdown page for how to compile and
> install the Qubes Controller and use it.  That can then be submitted to
> be added to the  Qubes 4.0 Docs.

Awesome!

You should be able to get a lot of details from this;
https://github.com/QubesController/qubes-api-cpp-lib/blob/master/Install.md

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 02:33:02 CET Unman wrote:
> You are, of
> course, free to rewrite Qubes and its components in a language you're
> comfortable with.

Don't be so dramatic, I'm not suggesting any such thing.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Sunday, 4 February 2018 21:00:55 CET 'awokd' via qubes-users wrote:
> Working on it (where other contributors haven't already)! Am about halfway
> through now.

Sweet!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-04 Thread 'Tom Zander' via qubes-users
On Sunday, 4 February 2018 18:10:44 CET Yuraeitha wrote:
> Also it's been explicitly said that no Qubes 4 existing features will be
> added to the new-old Qube Manager. Which might also hint towards no
> changes coming to Qube Manager. If anything, it has to be re-made almost
> entirely to work well with Qubes 4+, and currently no one is doing that.

The Qubes Manager is written to Qt4, which is equally outdated as the 
backends of Qubes it used (3.x).

I started a project using Qubes4-api and Qt5 APIs, though. See Ps at the 
bottom of the mail.

[start rant]

The biggest issue I ran into is that Qubes4 is just too immature to actually 
use for more than browsing and email. It was too painful for my desktop 
full-time work machine.
I tried for 2 months, my significant other stated that I had been 
extraordinary patient with Qubes when I finally stopped using it ;)

My problems are widespread;
* the admin-api is very immature and poorly implemented. Getting a stack-
trace in the server logs and no answer is just unacceptable. Unit tests, 
anyone?
* system-tray is hopelessly broken. Losing apps because they don't show in 
the system-tray up when you close them was fun!
* The design of qubes-daemon is too fragile, it starts/stops VMs and 
patiently waits and hopes everything will work. I expected a much more 
'hands-on' approach (at least for Linux kernels) with much more reporting. I 
also lost data because apps aren't being quit, they are being killed on VM 
shutdown.
* Why do I see 'lock'-icons for most of my windows in the task-bar?
* the documentation is very out-of-date.
* I don't know how, it may be fedora packaging, it may be qubes packaging or 
configs, but the amount of KDE (apps running in dom0) crashes I had in the 2 
months of using Qubes is greater than the amount i had in the previous 5 
years. This boggles the mind...
* The graphics pipeline is hopelessly outdated. Its about a decade behind 
the industry.
* Poor quality of many tools, the icon-copier copying the 22px icon from a 
VM instead of the 256 one that was also there is just... sad.
* The amount of services, bash-scripts, config files, duplicated data in 
qubes and then again in the system is horrible, under documented mess.
* rexecd validation being implemented using bash is a joke (mostly felt 
because it's extremely slow)
* total lack of mature end-user-focused tools. Swear to God. There are zero 
today.
* Having nothing but python APIs for your operating system is something that 
makes no sense. Python was never meant for servers, or even big 
applications. Finding a full-stack python developer is more rare than 
finding a Bitcoin C++ developer.

end-rant.

Qubes is an amazing idea, has some fantastic and genius concepts in it.
I hope many of those things will get fixed, although the list has grown so 
long that I'm not sure it can without being forked.

ps. https://github.com/QubesController is the place where I wrote an already 
pretty decent "Qubes Controller" using the new APIs.
I'm open to adding anyone to the approved committers list that wants to work 
on it.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-04 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 00:55:34 CET Unman wrote:
> On Sun, Feb 04, 2018 at 08:14:57PM +0100, 'Tom Zander' via qubes-users wrote:
> > * Having nothing but python APIs for your operating system is something
> > that makes no sense. Python was never meant for servers, or even big
> > applications. Finding a full-stack python developer is more rare than
> > finding a Bitcoin C++ developer.
> 
> I'm not sure how much of this is just trolling.

It is not trolling.

> You obviously don't mean uses like Google, DropBox, YouTube, Reddit etc.
> Perhaps you don't know about Eve Online? Mercurial? Blender?

Absolutely none of these use python for anywhere near the same percentage of 
components as Qubes does.
Google is a good example, for instance they shipped proto-buffers. Which 
have bindings in a long list of languages (20 or so).

Check wikipedia for those examples, reality is much more sobering than you 
think.

> There are exceptional developers working in many companies -Google,
> NASA, Astra Zeneca, to name a few, all using python. The fact that
> you aren't comfortable with it is fine, but not a reason to reject it.

That's moving the goalpost. Naturally there are many experienced python 
developers.

Let me re-state the point for your benefit;

Having nothing but python bindings and having practically all your 
components written in python is without a doubt very realistically limiting 
the amount of people you can get hacking on Qubes. Add on top of that the 
content matter, which is highly complex and in many cases includes 
networking or cross-VM communication or hard-core linux components and you 
limit the amount of people even more, to the extent I mentioned above.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: qubes 3.2: qubes-vm-manager not consistent

2018-01-29 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 00:19:58 CET ludwig jaffe wrote:
> Ok I found the file, backed it up and want to edit it.
> Do you know an xml editor with folding to edit this with more comfort,
> as there is no  in the xml, just spaghetti.
> A vim for xml with folding or something like that with curses text gui
> would be best.

$ xmllint --format in.xml > out.xml
$ vim --cmd 'let g:xml_syntax_folding=1' out.xml
:set foldmethod=syntax

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] after update no VM 'starts' apps anymore.

2018-01-29 Thread 'Tom Zander' via qubes-users
Is this a known issue?

I can start a VM using qvm-start, but when I use qvm-run nothing happens, it 
hangs forever. Even commands that don't need a X server.
For any qube of the various OSs I run.

The Qubes icons also no longer show in my system-tray.
I can still update dom0 via yum, though. That's a relief.
Is this a known issue? Can I expect a fix soon?


If not, are there any log files anywhere I can look at?
The only relevant part I found was in qrexec.Work.log some lines saying 
"Unable to connect to X server".
Trial and error shows this is due to some timeout, as it only appears after 
a substantial amount of seconds.


Would be really happy to get my system properly working again as this is my 
work workstation :(


Some related questions;

what is 'anaconda' ? I thought it was the installer, but if it is then why 
is it running on dom0?

Is there any way to connect to the VM and get a tty? Think serial-line 
fallback.

is it known that grub's advanced menu doesn't get updated when new kernels 
are installed?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] connect to other VMs in qubes by using vm name

2018-01-29 Thread 'Tom Zander' via qubes-users
On Saturday, 27 January 2018 15:45:27 CET Yoganandam Marava wrote:
> by adding forward rules at sysfirewall we can ping each other VM through
> ip address but not using VM name. Is this something possible with Qubes
> 4? I am naive in networking. Please suggest if there is a way?

Each VM has a static IP address that won't change.
What you could do is add a line to your /etc/hosts for each VM to match its 
name to the IP.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 02:51:06 CET 'awokd' via qubes-users wrote:
> Enable Debug mode?

I always wondered what this was, anyone know what effect it has to set this 
to true?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 01:05:39 CET 'Tom Zander' via qubes-users 
wrote:
> I can start a VM using qvm-start, but when I use qvm-run nothing happens,
> it hangs forever. Even commands that don't need a X server.
> For any qube of the various OSs I run.
> 
> The Qubes icons also no longer show in my system-tray.
> I can still update dom0 via yum, though. That's a relief.
> Is this a known issue? Can I expect a fix soon?

There were a bunch more updates in the repo 4.0 current-testing this morning 
which I applied and I rebooted, but no change.
Still no icons in my systray, still not able to start any apps on any VMs.

does anyone know if it's possible to tell qubes-dom0-update to go back to the 
stable version (4.0 current instead of testing)?



I tried switching one of my VMs back to the previous kernel.  No change.
guid log states;
```
Icon size: 128x128
libvchan_is_eof
Icon size: 128x128
domain dead
Failed to connect to gui-agent
```

pacat logs look ok, but nothing shows up in my dom0 mixer app

vchan log has repeated series of;
```
vchan closed
reconnecting
vchan closed
```

qrexec (after a while) has this log
```
Unable to connect to X server
Unable to connect to X server
eintr
```

I'll switch to my old ArchLinux OS, until Qubes gets more stable.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 11:19:18 CET 'Tom Zander' via qubes-users wrote:
> There were a bunch more updates in the repo 4.0 current-testing this
> morning which I applied and I rebooted, but no change.
> Still no icons in my systray, still not able to start any apps on any VMs.

Oh, I focused into the issue.

I logged into xfce for 2 seconds and the Qubes app showed up.
Then logging out and logging back into KDE and stuff still works.

If you don't log into xfce you get the attached error from qubes-manager.

Maybe someone made a mistake and used an xfce specific thing?
I'm a bit worried that the system can become so broken.
That thing that logging into xfce started should likely be auto-triggered 
and happen, not on login, but on need.


Still really looking forward to Qubes getting more stable...
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-06 Thread 'Tom Zander' via qubes-users
On Tuesday, 6 February 2018 11:32:07 CET 'awokd' via qubes-users wrote:
> I'm not getting past the first step of:
> 
> Verify you are cutting through the sys-net VM firewall by looking at its
> counters (column 2)

Yes, that sounds familiar.

The problem isn't limited to sys-net either, using netcat to listen on any 
port on any (fedora based) appvm I could not get anything to connect to 
those ports.
So, for instance, starting netcat on sys-firewall I could not connect to it 
from sys-net.
Similarly, listening on a random VM and connecting to it from sys-firewall 
failed too.
And I tried a lot of ways to convince the iptables to accept it...

I mostly used archlinux templates for appvms, which do not have the qubes 
networking packages and thus the iptables list is empty. [1]
Listening there and connecting from it worked fine.

Hope that helps.



1) Personally I would say that simpler is better, or least surprises is 
better. The current design where any appvm gets those complex firewall rules 
is a bug. Only VMs that expose their network (providing) should run it.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes 4.0 backup vm to USB from dom0

2018-02-11 Thread 'Tom Zander' via qubes-users
On Saturday, 10 February 2018 09:05:51 CET Yuraeitha wrote:
> On Saturday, February 10, 2018 at 6:51:47 AM UTC+1, cybe...@national.shitposting.agency wrote:
> > I have a usb drive attached to sys-usb, let's say it's mounted at /mnt on
> > sys-usb and I'm trying to backup a vm named MyVm from dom0 the command:
> > 
> > sudo qvm-backup sys-usb:/mnt MyVm
> > 
> > returns the error:
> > 
> > The backup directory does not exist
> > 
> > how can I make a backup to USB when USB devices are not exposed to dom0?
> 
> and yes, this works for USB too. Just ensure the USB is mounted inside
> your AppVM, and then just throw the path to your USB which it is mounted
> on :-)

I just wanted to point out that the GUI backup app has exactly the same 
problem.
I tried to make a backup a couple of days ago. The GUI tool correctly 
notices I have a sys-usb and I used it to browse to the directory there to 
do the backup. All that worked fine.

Until I pressed the final button to start the backup, it just failed saying 
it could not find the directory...

I ended up giving up on doing a backup.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 04:34:35 CET Tim W wrote:
> People complain about doc being outdated..then fix them.

If someone can figure out how to port-forward in 4.0, please do update the 
docs. I never managed to get that working.

The firewall page can also be a bit more detailed as-is, it assumes people 
already know the actual setup of the qubes firewall ruleset. I don't, that's 
why I went to that page.

> Tom has built a Qubes Controller (manager) based on the 4.0 code and went
> so far as to add in library package so other coding can be used to build.
> He has been super open to adding functions based on comments. If
> another person or two could help him with coding now that it's not needed
> to just be python it could become the de facto Qubes GUI to manage the
> qubes system. That would take it off the plate of the core system devs.
> I plan to use his controller and if the QM does not work well I will stay
> with his controller.

Thanks for the kind words, I too would like to see it become the default.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 08:00:35 CET 'awokd' via qubes-users wrote:
> Why are you complaining about bugs when running a ".0rc" version? They're
> to be expected; if not the point of release candidates.

Actually...

https://en.wikipedia.org/wiki/Software_release_life_cycle#Release_candidate

Release candidates are, like the word describes, not made unless the 
developers are thinking that it's ready to release but needs more real-world 
testing to make sure.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-02-07 Thread 'Tom Zander' via qubes-users
On Wednesday, 7 February 2018 08:17:11 CET Andrew David Wong wrote:
> Are you using the `-a` option?
> 
>   qvm-run -a  
> 
> This starts the VM if it's powered off, then runs the command in it.
> Working fine for me on 3.2.

As I wrote, qvm-start works fine, the VM is active and working.

You just can't actually “run” anything on it. The reason seems to be that 
there is some magic thing that starts when you log into xfce4, and only 
xfce4.
See the screenshot attached elsewhere in this thread of qubes manager dying 
on startup due to the same issue.

Tested on Rc4.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 20 February 2018 14:04:03 CET Wojtek Porczyk wrote:
> On Tue, Feb 20, 2018 at 01:21:30PM +0100, 'Tom Zander' via qubes-devel wrote:
> > On Tuesday, 20 February 2018 01:49:37 CET Marek Marczykowski-Górecki wrote:
> > > We've decided to deprecate the '$' character from qrexec-related
> > > usage.
> > > Instead, to denote special tokens, we will use the '@' character,
> > > which we believe is less likely to be interpreted in a special way
> > > by the relevant software.
> > 
> > I would argue against the @ sign on account that it is a special
> > character in bash as well.
> > 
> > I don't immediately see a way to exploit it, but why risk it?
> 
> We absolutely need a special character that is not allowed in qube name to
> make the special tokens immediately obvious in policy. The process I used
> was to list available characters (POSIX Portable Character Set [1])
[]
> If I missed something, could you please point out? I know shell just good
> enough to know that it's not possible to know every shell quirk. :)

The thing you have to remember is that the escape character never needs to 
be typed by the user.
In QRexec you are defining an API, applications like qvm-run are using that 
API. What the user passes into qvm-run and what is actually sent to dom0 
does not have to be identical.
I guess you do the translation currently as well; '$' turns into '@' in your 
new code.

The consequence of this is that you don't have to limit yourself to the 
posix list.
Using the portable characters set for a non-character simply isn't needed.

So, knowing that your API is actually based on 8-bit characters and not 7 
bits which you are limiting yourself to, my suggestion is to take something 
above 127 and below 256 as a special char.
Most fun one would be “ÿ” which is a normal character you can pass on a 
shell script if you must, its actual byte-value is 0xFF

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
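
As an added illustration (not code from the Qubes project or from any post in this thread), the following shell script shows what happens to a '$'-prefixed and an '@'-prefixed token when a string containing it is parsed by a shell a second time. The token names come from the thread; the four wrapper styles and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: behaviour of a special-token prefix when the token is
# re-parsed by a shell. Token names ($adminvm, @adminvm) follow the thread;
# the wrapper styles below are hypothetical, not Qubes code.

# Make the result independent of the caller's environment.
unset adminvm

# reparse MODE TOKEN -> prints what a child shell ends up seeing.
#   unquoted / dquote / squote: TOKEN is pasted into a command string that
#                               is handed to `sh -c` and parsed again
#   argv:                       TOKEN travels as a separate argument and is
#                               never parsed as shell syntax
reparse() {
    _mode=$1
    _tok=$2
    case $_mode in
        unquoted) sh -c "printf '%s' $_tok" ;;
        dquote)   sh -c "printf '%s' \"$_tok\"" ;;
        squote)   sh -c "printf '%s' '$_tok'" ;;
        argv)     sh -c 'printf "%s" "$1"' _ "$_tok" ;;
        *)        return 2 ;;
    esac
}

# audit TOKEN -> one line saying, per context, whether TOKEN came back
# byte-for-byte ("kept") or was altered by the second parse ("CHANGED").
audit() {
    out=
    for mode in unquoted dquote squote argv; do
        if [ "$(reparse "$mode" "$1")" = "$1" ]; then
            r=kept
        else
            r=CHANGED
        fi
        out="$out${out:+ }$mode=$r"
    done
    printf '%s\n' "$out"
}

for t in '$adminvm' '@adminvm'; do
    printf '%-10s %s\n' "$t" "$(audit "$t")"
done

# A '$' token does not merely vanish: its value comes from whatever the
# environment of the re-parsing shell holds under that name.
printf 'with adminvm=work exported: %s\n' \
    "$(adminvm=work; export adminvm; reparse dquote '$adminvm')"
```

Only the contexts that keep the token out of a second parse (single quotes, or a separate argv element) leave `$adminvm` intact; `@adminvm` is unchanged in all four.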




[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 20 February 2018 19:41:19 CET Marek Marczykowski-Górecki wrote:
> > On the 'other' side of qrexec (on dom0) you have perfect control over
> > the
> > situation and you also don't have any need for recoding or encodings or
> > anything like that. It still is just 8 bits data, not encoded.
> 
> And then, after policy evaluation, you pass that data to actual service
> to execute the operation (which may be in dom0 or another VM).

Yes, WITHOUT the escape character.

Remember, you escape the special names of VM names that dom0 will 
substitute. “$adminvm” doesn't end up being the string you offer to qubesd, 
the string “dom0” is.

Likewise; you don't start a service in Dispvm18431 and send it the text 
“$dispvm”.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



