Re: [qubes-users] Query on upgrade process - what next after downloading the fedora23 template?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-15 20:10, Emma Baillie wrote:
> No, you misunderstand me. I already did all the things in that document.

Sorry for the misunderstanding. You do not have to (and, indeed, cannot)
update your TemplateBasedVMs from Fedora 21 to Fedora 23, since they're
Template-based. This means that they don't have a root filesystem (where the OS
and programs are stored) of their own. Instead, they get their root filesystem
from the TemplateVM on which they're based. As long as your TemplateVMs have
been upgraded correctly, your TemplateBasedVMs should work with the upgraded
TemplateVMs normally.

This page contains more information about how TemplateVMs work:

https://www.qubes-os.org/doc/templates/

> I'm asking what to do _next_. Just shut down all my VMs one by one 
> including sys_net and sys_firewall and tell them in VM-manager to be 
> fedora-23 not fedora-21 VMs? Or is there a better way?
> 

Hm. Your questions here suggest that you may not have followed the
instructions correctly. The procedure, in outline, is this:

1. Upgrade all TemplateVMs and StandaloneVMs.
2. Upgrade dom0.
3. Reboot dom0.

(The details of how to perform each step are in the linked documentation page.)

The fact that you're now asking whether you should shut down all of your VMs
one by one suggests that you may not have followed the above procedure, since
rebooting dom0 entails shutting down all of those VMs (but it's also possible
that this is just a miscommunication).

It's also not clear to me what you mean by "tell them in VM-manager to be
fedora-23 not fedora-21 VMs." There isn't really any way to "tell" a
TemplateBasedVM to "be" a fedora-21 or fedora-23 VM. The closest thing would
be to set a TemplateBasedVM's template to either a fedora-21 or fedora-23
template. If you've just performed an in-place upgrade on a template (from
Fedora 21 to Fedora 23) with the intention of using it, then it would indeed
make sense to base your AppVM on this newly upgraded template (if it wasn't
already). Again, as long as the upgrade has been done correctly, everything
should work normally.

P.S. - Please keep the list CCed, and please don't top-post.

> On Tue, Aug 16, 2016 at 12:56 PM, Andrew David Wong  
> wrote: On 2016-08-15 19:33, eobail...@gmail.com wrote:
 Hi qubes people,
 
 I have just completed the Qubes 3.0 to 3.1 upgrade process, ending 
 up, as suggested in the upgrade doc, with getting the new Fedora 23 
 template.
 
 However, I'm not sure where to go from here. All my existing VMs 
 (which is just the standard out-of-the-box set) are still using 
 fedora 21, obviously - what is the next step meant to be? Can I 
 update my TemplateBasedVMs from 21 to 23 without losing my files?
 
 Thanks
 
 Emma
 
> 
> Yes, you can upgrade your existing templates using this procedure:
> 
> https://www.qubes-os.org/doc/upgrade-to-r3.1/
> 
> As always, please make sure to back everything up before attempting this.
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsozCAAoJENtN07w5UDAwXBkQALAnAOtJHJ1e1oH+oLAHjZl2
srv0HoyXF5t25qhKCGBNa3xfFhZgyCbskXhjsr1SFqnLOe1i26DXvk/EgQRr4rsT
Csz6SHjl47pkYrHWEBfoHrA7G1FWqVjGnJ4ZdDtgFeBN/1hMRENAFW8UHvHOudlb
lHFdzBSshTu7exByIk/zshW8WJFPESAAtDVZsc88GWsvPCcqaZsoTVQibb7tJuCt
2bgzGMmH2i1f1vJBoy25wFXw9rxxEBRyma09hH5e9mh9a1Ve8psHQQw9Lo825KZE
M770oUYIhTR06SuhfBkziOHqOsHmULoyZooYoBF1dp6hb6aIPzTX6RujZLUpyCuU
gWv6RyAa1QdkINLUEdA5WLbELlVAquUHCRH86IBfvqhSBStt/0KhjR5Cz41ljc/H
OYDKUbJL583kiZxz9ayb8xg8wSuXkeSZEufEOiOB2dccSoHzXX5GC+xqRpTlVhM4
0DTsfn+5seYU0Zk4SrwN/xk6o3fYIiEpQeoXK41LwQr3O0ww2symuH/x+YEoFvK4
XPNK5TaOj1fQDO7j1Iu1jNhftx/2lWn4VZH96bE7KjLKJnv8lQGYAiQmKk+c/N5V
GrPRE4r/pB9sZyww6pt6XHGgDLrh+A2KMH0LmwPn7HrBavRpyGUCWLM8S9jZt22c
HPJEP3AfMNbgOJQ1rED1
=+28m
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/29aeceb6-a726-d504-dfca-1fa2835dd436%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Query on upgrade process - what next after downloading the fedora23 template?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-15 19:33, eobail...@gmail.com wrote:
> Hi qubes people,
> 
> I have just completed the Qubes 3.0 to 3.1 upgrade process, ending up, as 
> suggested in the upgrade doc, with getting the new Fedora 23 template.
> 
> However, I'm not sure where to go from here. All my existing VMs (which is 
> just the standard out-of-the-box set) are still using fedora 21, obviously
> - what is the next step meant to be? Can I update my TemplateBasedVMs from
> 21 to 23 without losing my files?
> 
> Thanks
> 
> Emma
> 

Yes, you can upgrade your existing templates using this procedure:

https://www.qubes-os.org/doc/upgrade-to-r3.1/

As always, please make sure to back everything up before attempting this.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsoDjAAoJENtN07w5UDAwWvYP+QEu6OwMm+aqDvsmujHCtdzW
kKGkxTRi/6hjPSr9kz5ijAzwvcQAROEtIBaxMncfpsn0Lr/+iScIyNYKNEARcz+L
SwfuB/crbar0yJNdU+RP8ZeaD03yQOfjvk7QwaC9odgnNG7KIGPjyMWwYCN55+fc
p7RPetRJsEyHXas51ZF11ENpFtgGORcasOSwHwKn0QE9V+eLNjPSc8DnklQWiKvv
eomSLTjp1j5f+lba5m7ZD+2G44Brvc+hH8zaZKnPH4KsLmYUNGcq4QHsAi8jsJJA
XJ9EVXrERjVXK3jA0+Z2n8MEBFw0pyAezZAJb8OLnVlV1cduUMYACtbmPaERdK6l
teQS3yyEIaShulIotxZHL8L3dZjkRCLQW8dp+hBMQXnoZ3SmQW1zfe/KhZgxbDkg
hoEBP+IdFX+5mkJ5UCDdsbsZssuAXEJceN1TJxFvHZmVklfqbFjWpACcPstNfjyR
0Fb0L+5WOjjUjupXKv0om3HHAHW8mnTxJwPrp9duW/mubDwnkTUgqOeCqkRz75/L
Vq6Htys/oNlTSHEYoPeJh3n+kuWEZbRCjlA7tfcvZ1hiPsDhTsvOZOZ92sCsZvpL
JDPjbmIBQ3pMg66jCkJaf7h6KihiYrkrpLTqbkRbojbUNi7ZnoXK+Dgyd0nxUmpl
X51K+RESghLQbut4iRLl
=70x1
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eecf1975-24bc-bc42-a26d-b07aca7abfbe%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Query on upgrade process - what next after downloading the fedora23 template?

[eobaillie]

Hi qubes people,

I have just completed the Qubes 3.0 to 3.1 upgrade process, ending up, as 
suggested in the upgrade doc, with getting the new Fedora 23 template.

However, I'm not sure where to go from here. All my existing VMs (which is just 
the standard out-of-the-box set) are still using fedora 21, obviously - what is 
the next step meant to be? Can I update my TemplateBasedVMs from 21 to 23 
without losing my files?

Thanks

Emma

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c8594035-1622-45c2-a039-c6415ebc9e47%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Network printer: Printing test page - unable to locate printer

[John Goold]

Background: I am testing Qubes OS 3.1 on my desktop machine (CompuLabs 
Intense PC) with a view to migrating my laptop (HP Spectre X360) from 
Linux Mint 18 (Xfce).


My network printer is functioning under Linux Mint (based on Debian). I 
appeared to have successfully added the printer (Epson WorkForce 360) to 
the default debian-8 template VM following the instructions 
(https://www.qubes-os.org/doc/network-printer/).


I then shutdown the template VM and started a qube based on it. Attempts 
to print failed, so I back-tracked to the template VM, starting it up, 
setting "Allow full access for" (20 min), starting Printer settings 
(which I had added to the menu) and attempting to print a test page.


This was looking like it was working but after getting to "Processing - 
Print page 1: 26%", the message changes to "Processing - Unable to 
locate printer."


I've read all the seemingly relevant posts (did a search for "network 
printer") and none of them seem to apply.


When setting up the printer (in Qubes), there didn't appear to be a 
"Find network printer", other than a dialogue box that asks for a 
"Host:). I was not sure what would happen, but I plugged-in the URI 
(checking the settings on my laptop). That appeared to work as the 
dialog filled in the "Make and Model:".


Looking at the properties on my laptop (LM) and the debian-8 template, 
the only difference appears to be in the version of Gutenprint (v5.2.11 
on the laptop; v5.2.10 on the desktop) -- complete properties listed at 
the bottom.


The only other difference (other than OSes!) is that the laptop is 
connected using WiFi and the desktop with ethernet (but when it was 
running Linux Mint, I had no printing problems). Networking doesn't 
"appear" to be a problem (I have a qube based on the debian-8 template 
that I am using for web surfing and listening to streaming radio).

__

Settings: (see note about Gutenprint above)

Description:  Epson WorkForce 630
Location: Study
Device URI: dnssd://EPSON5A0FBB%20(WorkForce%20630)._printer._tcp.local/
Make and Model: Epson WorkForce 630 - CUPS+Gutenprint v5.2.10
__

Any suggestions for further steps in resolving this issue would be 
greatly appreciated.


John
St. John's, NL Canada


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7fdfaed4-6281-5e45-790c-3730bb647841%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Current Windows instructions?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-15 16:23, IX4 Svs wrote:
> Hello
> 
> The instructions over at https://www.qubes-os.org/doc/hvm/ still say:
> 
> == Using Template-based HVM domains
> 
> TODO (Coming in Qubes R2 beta 3). ==
> 
> What is the current authoritative source for instructions on building 
> template-based Windows VMs?
> 
> Thanks,
> 
> Alex
> 

Here it is:

https://www.qubes-os.org/doc/windows-appvms/

I'll update that other page. Thanks!

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsm8VAAoJENtN07w5UDAw+fwP+gKt7DpzIWoAPgHcp9j7BJku
+c6pLyshzEoSedI3OrStbViS4P8SxK1fGeTbY2LUCS2DTqkFo/Mb5x1AJNWcDrRa
3XPnC2NEfnKWgSgMmmWS0685qSBTiHTejHh+/8zf8OMOsrejPdcn6KhMZEzbLSq0
+4v88JcuM1XLhTy2H1W4/i39yxD8T0spIF+emMS47a/c9wKztC8cA87TktSTytpI
Hg/ODC2XMjvsxsTMybd6VKTeXgF4MFFAcp7Elbq5u53eFzWyEG1Yg1xoFtXCMROv
We2mVe4mJhzACVuBCPPNMD4k4PHn/lBiG4AX/wCNBucvLe//oLfHNhOjXE2gLK1M
/BdurHQVigXG8+FZsehOdjgHEot1ae48H71In50K+3aMHQpTEEYG6GqGq1T9tHzk
QGKC79p9XXvB/YgkhzVnA4csJ2ksjOBh4R68dICfXvJ2zT8z22kRpokvthDl8WjP
/6qjtvdrF2DwSnHhBQfzEya2pZtZy5Mv1VC/h84GuHxOPtRSC4JEBXh/JmQTYysw
CxQn+24cb+3S0rQhLm68V7c7f6Uv6xS24xzAK/dOVSxKkhu1itgBM3ySZrh8a3mx
P/HBIabCcb6XUsumfuQ4M7Tvaqos3tvJT6AUkDgG3AQQ500u1Mmsuj0MRpXz5ApQ
KSiMwrPVvJfQ/d+wYdZK
=M7Jo
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/abe1ad3e-aa40-7307-6f9c-6e695516f66b%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN ProxyVM rc.local

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-15 08:42, Paf LeGeek wrote:
>> 
>> The vpn doc was written for both Fedora and Debian templates. The 
>> /rw/config/rc.local script is a Qubes feature that works on both. The doc
>> uses that location so users do not have to dedicate a whole template to
>> their vpn... /rw/config was designed for per-vm customizations such as
>> this.
>> 
>> Chris
> 
> Oh ok. My mistake. I did not understand the purpose of the /rw/ folder
> until now. Thanks a lot for this very valuable information.
> 

You can read more about this and other Qubes-specific config files here:

https://www.qubes-os.org/doc/config-files/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsmqeAAoJENtN07w5UDAwcpkQAIQnAxDF9v/yT6nH+PXQSfd2
9vQe2Zg/0xtoLRYrkCyACUVnUujDHo0TOivK/Y9LR8QLYyNxr/jpMjdf1HoVZy7V
23CeEjwmu2FvQ88qvnvQjaxe3747ZgR7ssJ38VyfCZizz8oi1AyRK+0YQ8cWX11p
MgTxB/pSkKer6XQHZqs2Cst75koYQ0jZkzxGQuE64C1+IiZ1UpGvAVG5qURaCvO3
lSzgALqoj3DVxhIzEGyMw7aBjDsXqa9bFy3D3lCARzLKP0FoC8VVv1+OFJILGzxl
jxPXP4gEHotjnnZThS0UWHCPMq3JyvK5xGGBTV7FWVTALOTYCNhuvnY9SvJkgKh9
W+fXv6g8QLFHoTkoxLeQ1mZN6FvKm4DimudHujvx4h1VQ64V/0GMYKNHO1WntJjF
ZgHAhDlq+ov6xM1EOwc7yeCwxi6XvQdeEwX0mqtB34qqpIKOP1WAGbnVW+2CNRhp
rRqCP0hQQMrZQmrAQEP1pQFgbvr1Lsp1E3s+9bfPA7z1f60kGYFPUqJKR2su5gaI
TXr5gSr7TfEWTvjfNfbSv06t2iHCz68H12vUEZrmcp4KmWgrhmZ2GiAsBDUi8lxt
27578qzRZF+fwZmO+qJfjdqKnQbGmb878fGaVWVtPWgcNYEc+iTXQjrL3xcwvSgR
AznB/b2dB7K3Qe9bdVnf
=mKD/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/70f08e80-ec63-a738-1316-acf0acea7643%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] metadata between vms

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-15 02:31, adicarli...@gmail.com wrote:
> Writing OS being where i dd from my old, potentially at risk OS
> 

I think that depends entirely on the OS and tools you used to create the
bootable USB drive. In principle, the Qubes ISO should be the same as any ISO
in that respect. In other words: Whether your OS or tools keep metadata about
ISOs after you dd them somewhere is beyond the control of the ISO being
copied. The ISO is just a file, a blob of data. It can't control whether the
OS or tools manipulating it leave traces of it behind.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsmltAAoJENtN07w5UDAw/kAQAIUYrpSK4ReTC9c1zOWN6DRk
OuC1/D5dERTq1oD0nt/a7Ab6AEpkI4H29dT8U8F+wDF8RFm4OQyAR+gws83LHA4q
dgOPvoLjrXFY7BRwvqyuSvd8sc+Q3Diuajxla8mm8PUbT2IwhS77fPh1CjebYq7/
qhJ0DJhUq6AJqBUXJb8O425ipkWKDoCJOztq+cAbjfPaB290XoSTQWArfwtgTida
4xWlsCA0wBfB7hekWkPPSMwYZCxZpeHJyXKIuwycZQSiNdzn3lXRhhd5B8d5rGaM
D9y/By6XFdBhemsufauKSD2+fazn/nkCOea9PgdRsSbvk2r8JUsVU23hRUKgdvJV
1oWYMuFhKxp99euXnAQIqRg3lsuDeZ5r9XT47pB9tMHE75QszZ9GASWElZjMrzUr
sQjRnIxOCJhDuAgDRuJwMPUGzKtxat5GtXnWIgtcw01T49jC6cjbWzEqWb5LyEUO
8uw4GUXbG+PlrF/na0JR7I9tWICCUnAJg/hq6BguKi5IKP8wL0Hdzkg7TE684JJj
SL0Jr3kSp2UZgSc7p1fXdYARHwXuR+Htxi0KODU0QJP4bTd/pmqN2bYcteZ99lHR
3/RglJ7qinyGEYv/P9DlzO8eRAKwLZvNJ86O6lEvIV4id3mIajCCWzRIOCKBo5zp
3GU3SUzqMYV864M6DmhS
=Gt5S
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dddc5e07-bebc-dc24-fb7b-0a4afbb8723d%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Unable to install R3.1 / media check failure

[Ben Wika]

Worth noting that, even though I had the same issue with Rufus, I could still 
install Qubes-OS from the USB when I bypass the media check.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/daf8ea8a-aaa4-447c-879b-bfca68fc6537%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO

[Ben Wika]

On Tuesday, 16 August 2016 07:55:08 UTC+10, Alex  wrote:
> On Mon, Aug 15, 2016 at 11:43 AM, pixel fairy  wrote:
> On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
> 
> ...
> 
> > 1. Install the Chromium browser in your appvm template - skip if you were 
> > already using it. Shut down the template VM.
> 
> 
> 
> I keep wondering how safe chromium browser is. do redhat or debian track 
> updates in time with google-chrome?
> 
> 
> 
> 
> For this specific use case (Signal), there is currently no other option - 
> Chromium is the only way of getting Signal to work on Qubes. I only use 
> Chromium to host the Signal app and Firefox as my mainstream browser for 
> everything else.
> 
> 
> If you're wondering in general how well distributions track the Chromium OSS 
> project, I suspect the answer is "very well", but refer to distro-specific 
> release notes to check for yourself. Note that Google Chrome is the 
> Google-branded "stable" release of the Chromium OSS project, so asking 
> whether distributions track updates "in time with Chrome" doesn't make much 
> sense. See https://en.wikipedia.org/wiki/Chromium_(web_browser) for more.

Is F-Droid's Silence any better than Signal given it can run without Google 
Play Store?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39f692f7-414b-4f9b-b51d-ec3200d0fc6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] No DNS with ProxyVM + OpenVPN

[Chris Laprise]

On 08/15/2016 01:05 PM, kotot...@gmail.com wrote:

Thank you very much for your help. The DNS are transmitted but the rules in the 
firewall seems to be missing:

Chain PR-QBS (1 references)
  pkts bytes target prot opt in out source   destination
 0 0 DNAT   udp  --  anyany anywhere 10.137.5.1 
  udp dpt:domain to:10.137.2.1
 0 0 DNAT   tcp  --  anyany anywhere 10.137.5.1 
  tcp dpt:domain to:10.137.2.1
 0 0 DNAT   udp  --  anyany anywhere 
10.137.5.254 udp dpt:domain to:10.137.2.254
 0 0 DNAT   tcp  --  anyany anywhere 
10.137.5.254 tcp dpt:domain to:10.137.2.254

The qubes script is nonetheless correctly started because I see the notification 
"VPN is up".


Something else may be running a dnat script when you connect, because 
that is the only thing that would be re-populating PR-QBS with the Qubes 
internal IPs.


To test this theory, you could put a 7sec delay in qubes-vpn-handler.sh 
right before the line 'iptables -t nat -F PR-QBS'. Then the right IPs 
should appear in PR-QBS.


Alternative theory is that somehow openvpn is passing the internal IPs 
to the script, but I think that's unlikely.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1010675-628e-206e-979a-3cf2d49f7671%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qubes-manager not showing on KDE

[Chris Laprise]

On 08/15/2016 11:22 AM, angelo "angico" costa wrote:

Hi, guys!

Still slowly progressing through Qubes.

I changed from XFCE to KDE and qubes-manager simply disappeared! I invoke it 
through the menu link as well as through CLI, but it just doesn't show up. It 
shows normally on XFCE, though. Also, 'ps aux | grep qubes-manager' lists it as 
running:

/usr/bin/python2 /usr/bin/qubes-manager -session ...

What am I possibly doing wrong? Any hint?

Thanks in advance,

angico.


Hi,

What version of Qubes is it?

Did you try rebooting to switch to KDE, instead of logout/login?

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6260346-116c-b934-595d-543e3118983d%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO

[IX4 Svs]

On Mon, Aug 15, 2016 at 11:43 AM, pixel fairy  wrote:

> On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
> ...
> > 1. Install the Chromium browser in your appvm template - skip if you
> were already using it. Shut down the template VM.
>
> I keep wondering how safe chromium browser is. do redhat or debian track
> updates in time with google-chrome?
>

For this specific use case (Signal), there is currently no other option -
Chromium is the only way of getting Signal to work on Qubes. I only use
Chromium to host the Signal app and Firefox as my mainstream browser for
everything else.

If you're wondering in general how well distributions track the Chromium
OSS project, I suspect the answer is "very well", but refer to
distro-specific release notes to check for yourself. Note that Google
Chrome is the Google-branded "stable" release of the Chromium OSS project,
so asking whether distributions track updates "in time with Chrome" doesn't
make much sense. See https://en.wikipedia.org/wiki/Chromium_(web_browser)
for more.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEe-%3DTfaLZ8%2BG0sDT8FFLsvY4d8smXAUsyOC6y4Wd8ux3yKsFw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] installing Signal on Qubes mini-HOWTO

[IX4 Svs]

On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong 
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-08-14 15:22, IX4 Svs wrote:
> > Just spent a few minutes to figure this out so I thought I'd share.
> >
>
> Thanks, Alex! Would you mind if we added this to the docs at some point?
>
>
Not at all - especially if you improve my clumsy way of creating the custom
shortcut (steps 7-12) and use the proper Qubes way that Nicklaus linked to.

Cheers,

Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEe-%3DTctf_hjWZx_CbP_1EshFfk7J9FZ%3DWZgwQ3ks0TK5tV03A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows7 issue with Dom0 GUI Daemon

[3n7r0py1]

On Monday, August 15, 2016 at 4:51:13 PM UTC, 3n7r...@gmail.com wrote:
> On Monday, August 15, 2016 at 2:35:45 PM UTC, 3n7r...@gmail.com wrote:
> > On Monday, August 15, 2016 at 1:33:35 PM UTC, 3n7r...@gmail.com wrote:
> > > Qubes 3.1
> > > Windows7 Pro x64
> > > Windows Tools 3.0.4-1
> > > 
> > > Without Debug mode, VM does not produce any windows and ends in an 
> > > unresponsive Yellow state.
> > > 
> > > With Debug mode, VM appears to hang after Windows logo boot screen. In F8 
> > > Low-Resolution Mode, VM boots to desktop and is fully functional.
> > > 
> > > Increasing resolution while in Low-Resolution Mode sends VM into 
> > > unresponsive Yellow state.
> > > 
> > > Any workarounds? Existing threads seem to have been patched.
> > 
> > * Multi-monitor setup
> > 
> > * This error presented itself on one boot but has gone away.
> > [Dom0] Sorry - KDialog: The Dom0 GUI daemon do not support protocol version 
> > 107:0, requested by the VM 'win7'.
> 
> Disabled all additional monitors.
> Everything works great - including Seamless GUI.

Duplicate of Unresolved Issue: 
https://groups.google.com/forum/#!searchin/qubes-users/windows$20multi$20monitor/qubes-users/lG6ynmOkIgY/1Nu4sT9XCwAJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cf36a4c4-90d9-4f7b-adf3-4186524af13f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows7 issue with Dom0 GUI Daemon

[3n7r0py1]

On Monday, August 15, 2016 at 2:35:45 PM UTC, 3n7r...@gmail.com wrote:
> On Monday, August 15, 2016 at 1:33:35 PM UTC, 3n7r...@gmail.com wrote:
> > Qubes 3.1
> > Windows7 Pro x64
> > Windows Tools 3.0.4-1
> > 
> > Without Debug mode, VM does not produce any windows and ends in an 
> > unresponsive Yellow state.
> > 
> > With Debug mode, VM appears to hang after Windows logo boot screen. In F8 
> > Low-Resolution Mode, VM boots to desktop and is fully functional.
> > 
> > Increasing resolution while in Low-Resolution Mode sends VM into 
> > unresponsive Yellow state.
> > 
> > Any workarounds? Existing threads seem to have been patched.
> 
> * Multi-monitor setup
> 
> * This error presented itself on one boot but has gone away.
> [Dom0] Sorry - KDialog: The Dom0 GUI daemon do not support protocol version 
> 107:0, requested by the VM 'win7'.

Disabled all additional monitors.
Everything works great - including Seamless GUI.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a300bf78-56e8-4097-9914-705553e58638%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] No DNS with ProxyVM + OpenVPN

[Chris Laprise]

On 08/15/2016 03:33 AM, kotot...@gmail.com wrote:

Hi,


I set up a proxyVM with openvpn following the instructions from 
https://www.qubes-os.org/doc/vpn/.

  I cannot do DNS query over the VPN, for example this command executed from a 
VM connected to the Proxy:


[user@fedora-23-dvm ~]$ dig www.google.com

; <<>> DiG 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached


Executing 'dig @8.8.8.8 www.google.com' works well.

What am I doing wrong?


Hi,

Its possible that your vpn service isn't supplying dns server info upon 
connection.


You can check what openvpn is getting from your service by upping the 
verbosity to 3 while running openvpn manually like this:


$ sudo groupadd -rf qvpn
$ sudo sg qvpn -c 'openvpn --cd /rw/config/openvpn/ --config 
openvpn-client.ovpn --verb 3'


You should see a message like this from openvpn, though the dns numbers 
will probably be different:
PUSH: Received control message: PUSH_REPLY,dhcp-option DNS 
1.2.3.4,dhcp-option DNS 1.2.3.5


...etc. This indicates that openvpn has received dns server info from 
the vpn provider.


Another thing to check is whether those dns numbers got into the firewall:
$ sudo iptables -v -L -t nat

The chain PR-QBS should have two entries per dns address.

OTOH, if you want to bypass dhcp and use hard-coded dns numbers instead, 
add them to your openvpn config file like this:


setenv vpn_dns '1.2.3.4  1.2.3.5'

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6c455e5c-50a2-a5dd-770a-96a7ed681e7e%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN ProxyVM rc.local

[Chris Laprise]

On 08/15/2016 10:49 AM, Paf LeGeek wrote:

I use the Debian 8 Template so the rc.local file is in the /etc/ folder not in 
the /rw/ folder. As I said, the script works find if i launch it manually in my 
ProxyVM terminal.

This is the content of my rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

groupadd -rf qvpn ; sleep 2s
sg qvpn -c 'openvpn --cd /etc/openvpn/ --config myopenvpnfile.ovpn \
--daemon --writepid /var/run/openvpn/openvpn-client.pid'

exit 0



The vpn doc was written for both Fedora and Debian templates. The 
/rw/config/rc.local script is a Qubes feature that works on both. The 
doc uses that location so users do not have to dedicate a whole template 
to their vpn... /rw/config was designed for per-vm customizations such 
as this.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/55e32991-6f09-702c-b048-08360a2b6de2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN ProxyVM rc.local

[Paf LeGeek]

I use the Debian 8 Template so the rc.local file is in the /etc/ folder not in 
the /rw/ folder. As I said, the script works find if i launch it manually in my 
ProxyVM terminal.

This is the content of my rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

groupadd -rf qvpn ; sleep 2s
sg qvpn -c 'openvpn --cd /etc/openvpn/ --config myopenvpnfile.ovpn \
--daemon --writepid /var/run/openvpn/openvpn-client.pid'

exit 0



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1ed419ed-3713-420b-9c8e-7a5f76a3429e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Windows7 issue with Dom0 GUI Daemon

[3n7r0py1]

Qubes 3.1
Windows7 Pro x64
Windows Tools 3.0.4-1

Without Debug mode, VM does not produce any windows and ends in an unresponsive 
Yellow state.

With Debug mode, VM appears to hang after Windows logo boot screen. In F8 
Low-Resolution Mode, VM boots to desktop and is fully functional.

Increasing resolution while in Low-Resolution Mode sends VM into unresponsive 
Yellow state.

Any workarounds? Existing threads seem to have been patched.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d4f7b66d-ca9a-4cba-9be5-fd864800013f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Screen corruption on nvidia

[johnyjukya]

I realize that nVidia's aren't the preferred video card, but (being
divorce-poor) one sometimes has to make do with what one has.  :)

With my on-board nVidia (GeForce7100) and the nouveau driver (on both
Tails and Qubes), things work okay, then suddenly at some random point the
screen gets filled with diagonal line garbage, and things are
unresponsive.  (The system seems to still be running, but the screen is
pooched and keyboard seems unresponsive, and no Alt-F1'ing or whatever
will get it back.  Processes still seem to be running though, and the
ethernet light is blinking normally as traffic goes in an out, etc.)

So I put in a PCI card, nVidia Geforce 7300, which seems solid, works
perfectly under Tails.

However, under Qubes, I experience random screen corruption.

See: https://i.imgur.com/ovEFgYO.png

It's usually fewer horizontal lines than in that snap, but I thought I'd
include an extreme example to show the problem.

It usually happens when the system is a bit busier CPU-wise/memory-wise,
but otherwise functioning fine.  Moving the window, or switching to
another window and back, clears up the corruption.

Screen corruption like that could be a sign of some wild pointer or other
memory management bug, so I thought I'd bring it up.

The paranoid half of me (okay, okay, I'll admit, it's more than half)
worries it might be some attempted DMA attack.

(I've been, and continue to be, the subject of some rather high-end
professional hacking over the years, which adds to the concern.)

I've read about attacks where screen memory is used to stuff code and run
it to escalate privileges.  And the nature of the garbage doesn't look
like mis-placed screen stuff, but code or other binary data.  Thankfully,
if this is the case, the corruption seems contained to the AppVM.  The
garbage never spills outside an AppVm's window.  It happens in both
Redhat-23 and Debian-8 based AppVMs.  I've never seen evidence of it in
dom0/Qubes Manager and such.

It realize it's *probably* not an attack, but I'd like to track down the
nature of the problem whether it's a bug or an attack.

I've read in another thread about video corruption caused by accessing
memory who page has moved, and "echo 0
>/proc/sys/vm/compact_unevictable_allowed" supposedly helps.  At first, I
thought that made a difference, but ultimately, the problem is still
there.

Any ideas on what I can try, short of giving up and hunting down an ATI
card or the like?  (I might try the proprietary nVidia drivers when I get
a chance to compile them.  Not comfortable with grabbing binary versions
for obvious reasons.)

Thanks.  You guys rock!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d571d11b44eaab879857416904323581.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: installing Signal on Qubes mini-HOWTO

[pixel fairy]

On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
...
> 1. Install the Chromium browser in your appvm template - skip if you were 
> already using it. Shut down the template VM.

I keep wondering how safe chromium browser is. do redhat or debian track 
updates in time with google-chrome?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6c7c5591-0b0b-4172-bb3a-90bf6bdf30bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] metadata between vms

[adicarlisle]

Writing OS being where i dd from my old, potentially at risk OS

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fb61ad8-5e2d-40c1-9d1a-e83d2e3af3c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] metadata between vms

[adicarlisle]

Can someone answer or point to me a place in the docs for this.
I want to know about the level of metadata sharing between the writing OS, the 
disk, aswell as between new vms and the OS itself.
When i dd my verified OS to my usb i assume some amount of identifiable info is 
on the disk.
This isnt neccesarily about attack risk, more about anonymity.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7b31fc51-176c-403b-9219-f1518090a2c6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Thinkpwn?

[Joanna Rutkowska]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Aug 15, 2016 at 11:06:32AM +0200, Joanna Rutkowska wrote:
> On Sun, Aug 14, 2016 at 12:55:10PM -0700, el...@tutanota.com wrote:
> > Just to clarify, that means that even if the UEFI is exploited, it does not
> > matter with Qubes?  
> 
> Yes.

Oh, I noticed you wrote 'exploited', while I originally understood
'exploitable'. So, if it is 'exploited', which I assume you meant 'already
compromised', then it's likely a game over, no matter what OS on the host.

joanna.
-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJXsYnHAAoJEDOT2L8N3GcYUR0P/i5goJ9TH09QbFRFysHMJKyz
4cm4xPI4IsskXWQJHbwD62332iGZ2UpYqK/NBixfj2q+UbwruF5BOVSTkdpsaJe/
Lu8qmqEHxBOqqmX+utnyJtvjob8Ranuj3IzCw0zcC03riUEuUz/YyvUEBoyPDyWb
KTbw1NJc3DrPGty8NW1hNbsGHNMNrvKwGA7rCl1kHdyZQ0WB4T2Ury2QpXeMYoD+
Jz9R3GXAH0ZhPOiqy4+5laWnl/kQ7MK5h1cUTvkFYUmX8j9kDuvpjmZ2sG5/tkC3
KH4uVXzRcHlj/Wa/ihKFPSgReRLDeQop/zPraMF0upZH/fcawfJSXdpD5YWDu5JN
sn6JDzYRO/tWOgTnWRYRgMFn/ILuyb56XO7F8DnFQOmo32smRJwUlhE+W5VnhEhf
ibYYsDEV7+GCIjxLuDL28o2/flPYdmed8YEpf6ilPidSHn/OahlRACx8DhP7acXV
e6an11/3GnQ5cUDp7jM0J+gx0rJ58jOgfS6KQ1WTLHpLQuPKV3OooG6qdYJav1NC
h2hEhDMrDU198wyB5KjnP8UzFZXZKj4P44+5ATIv2XoU7wmuTiaRe7Vg+jHdxg96
vpJ9Vwv+iY5jN1cB5Eh6MWS9j2Qlud/voDgxnwMqen33wp3w0nmC6VDL/1bD+KbN
wTBGjE0Im3VaXM57we/9
=w+Ko
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160815092214.GF2484%40work-mutt.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] installing Signal on Qubes mini-HOWTO

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-14 15:22, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
> 

Thanks, Alex! Would you mind if we added this to the docs at some point?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXsYknAAoJENtN07w5UDAwg68P/i48OPoy6eAJBbRkMdY+9zn6
Ygr/7WoMp7ZXdl5T7o4Wlyx8fFgDYqZJs22nY+tKf+6l//3YzAp1FAtrbRG8Ju8S
z6A6SowrEuvt3T+XQfkDbYIyKGW7TG7rJmBNMacC+afp2iiMlXrIXLVG7/Pg6icF
ZJg7FSChl3bKWlhQocAUqK/XTgiFnMZcozwiN1uoEBv1Mi7AwUOhqUMuVE54XGKW
atmN3Ix9b/EORTusHvBUzgqqFk52Iz/EsieJIgDNb7aaUxC8gN1qsn0LYpBHStqm
oYKG2LFM6zmQ4APkWY87j8bx2Zn6mHCimabamnCtAItkSgSDif/HcSW2YoTitAhJ
h9BXEpc7U2qT5vxD0folocpevhVfwvTVV6F/inP+ipio5X8WdOt9aT+mDqYafWpN
jYXgFob1SCdoi/kJ3Ct85NIzsj2vCoeaTE/SEX/51dLglySEKGXYFAiRlGcbAUKn
eCTdpu3zZtMu5zmel2pUuE8ZyRqHEjBYfSyZFmga7Zl6bPo/cfjZEjzXpKEUPROk
poU2E+NsqT4/O8Z3c8Da9V5YIyXbf8j7dhkMSMefms1xrPefg8PqhceaM6UKb8HD
OwPOB/mUTI0SmghJQaXR8fYzfgltPQTqQ8aKARUwVzyeBOLjUzNWg3KNyQYHsIJy
+qvMFHRr0uG/wxEmTzx4
=NJTS
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ace446e-a1c7-a64d-cd94-706616b1ac51%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Thinkpwn?

[Joanna Rutkowska]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Aug 14, 2016 at 12:55:10PM -0700, el...@tutanota.com wrote:
> Just to clarify, that means that even if the UEFI is exploited, it does not
> matter with Qubes?  

Yes. Unless the isolation-provider that Qubes happens to be using -- currently
Xen -- is terribly buggy and fails at providing this isolation. Sadly, this was
the case with XSA 148 (last year[1]) and XSA 182 (just recently [2]) :(

We hope the move to SLAT-based memory virtualization in Qubes 4 would minimize
likelihood for similar bugs in the future (see [2] again).

I shall point out, however, that majority of other "critical Xen bugs" have not
affected Qubes to date, either because of various architecture decisions we made
(e.g. getting rid of qemu from Dom0, most backends treated as untrusted, running
in other-than-Dom0 domains, etc), or by a combination of luck and gut feeling
(e.g. not using 32-bit VMs, etc).

Thanks,
joanna.

[1] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt
[2] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt
-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJXsYYZAAoJEDOT2L8N3GcYFnEQANlqIJWhFHXvAIljGjZQwtl0
vgzkV0ZHA69OzPl5M4TvZhcUWgtTiOTTGjeHdUmkblCZEBLOCqakKQv1h4h+7I+6
oLtR5mKR4a6H7Mt9L5Ux5ciyRzx2oqDQpe7dehha/pOVMd3jj6niqJRTdhOSrVlB
GJD2BGNvoFa1hfSKEMBBs1SP7vgGCz2YWI/MoX7fpcM6g2XwvSYTQKpPnRbG/AUa
D6j6Gku0Rj+jDaiBDG4Iy6ymDbr7yW/7oYxOKXLpI8nj3UjZ0QIA2ym5dGb/hWjl
pmqDv5yKesCFedIUr/8SQzdwkhfQCbb8OYvXQBNoQNeAJxiT0eJFvD+9rohuVTdZ
KwLYKuUlCIrcxv+ULYSqPLm3GuzQAnJGi9eSw3N8t2UeHCDB2//fcihKzssZQeON
3h/U5Gj/IcXAITAq52/Euy1VinMwghC09HHR2lMJ8ZDuBAMaYOnLlOM8KGqMYUO0
5Q+iGxejjSnexVhMzBYIjm5m20e1cvDHEkTcoTfJ0r4CIGZyaLdJjjkKvpwm8tdN
0q5mippj+Sf4UlXFIQbrCE1jHVGL+KUUFilpMx8E4nFzhjIeN8EeBPzm861efNS6
qD2RowN6wVPa88v+kVGSRHgNxpZDDuSH5215+2MxUKrcx3oxdNPXKQ6RbCNKTk+n
wwNrXWQXiDy0koRjPVRQ
=CC3q
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160815090632.GB2484%40work-mutt.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] No DNS with ProxyVM + OpenVPN

[kototamo]

Hi,


I set up a proxyVM with openvpn following the instructions from 
https://www.qubes-os.org/doc/vpn/.

 I cannot do DNS query over the VPN, for example this command executed from a 
VM connected to the Proxy:


[user@fedora-23-dvm ~]$ dig www.google.com

; <<>> DiG 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached


Executing 'dig @8.8.8.8 www.google.com' works well.

What am I doing wrong?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/343a725e-e386-4f54-8745-0ad8b9e4c1ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.