Re: [qubes-users] USB hardware firewall

2016-12-12 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-10 14:36, Robert Fisk wrote:
> On 12/10/2016 08:25 AM, Marek Marczykowski-Górecki wrote:
>> This project have great potential! The USB proxy hardware can be
>> used for somehow more secure USB keyboard usage on Qubes OS, when
>> only a single USB controller is available. Take a look at this
>> idea[1]:
> 
>> Have a piece of hardware plugged between USB keyboard and PC (based
>> on https://github.com/robertfisk/USG?), to encrypt and
>> integrity-protect the events. And then decrypt them in dom0 and
>> check integrity protection, and only then pass them down to input
>> devices stack. This should at least partially guard against
>> malicious USB VM. It still will be able to perform timing based
>> attacks to guess what you're typing - not sure how accurate such
>> attacks are currently. Such device could introduce artificial delay
>> (like - inject queued events every 50ms) to at least partially
>> mitigate such attacks.
> 
>> What do you think about it? I think the hardware you've designed
>> is perfect for this!
> 
>> [1] 
>> https://github.com/QubesOS/qubes-issues/issues/2507#issuecomment-265894809
> 
> This sounds like a great idea, and I am keen to be involved. There is
> plenty of flash space available on the embedded CPUs to implement some
> form of encryption, although the best method of doing so on bare-metal
> ARM is certainly open for discussion.
> 
> A recent batch of hardware samples sold out in November. Due to Real
> Life(TM) the next batch of hardware is likely to be ready late January
> or early February. Pricing is currently NZ$80 each (approx US$57).
> 
> Regards,
> Robert
> 

Tracking this as a community-developed feature:

https://github.com/QubesOS/qubes-issues/issues/2518
https://www.qubes-os.org/qubes-issues/#usg-keyboard-hardware-proxy

Please keep us posted as to your progress, and let us know how we can
help. :)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYT6Z0AAoJENtN07w5UDAwXNsP/j0KrGEyjCHq0h3v7/nmlTwx
YGn05f+Bh7L7r9HSGOeH9PMgKkFr85btXdXPhG5+swCSdFgmhbkcad0lgy8hX2mz
uZND7Z/wnEI99kK7D2EN3Kl9vM4fHM4/I8jV6ulwXPrMfr8xNvdDiQn9JLfcUTwU
SvL4VzP92JKZTss2ILfjK8TsH7cIoFek72+Bn9dQKyppDmrlxi9xu0Y67m0B8NkW
L94YLLIQGO4Qq2vuuVlTIJmw6DGN8AXbwMwOixBtirM1AzeAZGt9GB3ZtTU438EE
xFXc9Ould67L2sqluuj7rkLoAE6QnkhzeyCbsgfS6OcE2rCXCNdQkmjx8zXzLrgL
DZg+D/PPCwSSyV2tzeGfsxTX4bY1w7dc8ecPHcgeuAV7L7UjL7hSrNJj3Y49jEtR
XBmleAq9XCaStYl29MkpYNLddCI3grLMwRFnW9adg85PU2Zay7q64Ay8OSjZDa72
wuO57t6UchbHRURth5P8Sa2SmjzenohPPWeWOqETa6O1ZMj+4+P+X2F+cS1pawio
EAggf4y/brbQkAAyC5eYpO7RxmzvbWN2Ciu0csYD8GEHBvvcJC2N/bENRBUujI8i
J9AjU2E1hoYwRbghwk7iNRFzCcPr1WJW3sbhibKjaTrIwKVsib/3XkgeXM5e6bU1
yGJ9eVDpcb/ekzvzM5qm
=kZIF
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0a10c703-9bef-1878-363c-41d0705c4734%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] "Cannot find unused qid!" when restoring backup

2016-12-12 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-12 21:30, Jeremy Rand wrote:
> I just tried to restore 5 VM's from a backup.  The backup was made on
> Qubes 3.0; I'm restoring to Qubes 3.2.  All 5 VM's fail to restore
> with this error (although of course the name of the VM in the error
> message varies depending on what VM I'm trying to restore):
> 
> -> Restoring QubesAppVm iso-linux...
> ERROR: Cannot find unused qid!
> *** Skipping VM: iso-linux
> 
> The error was copied by hand since copying from dom0 to an AppVM is
> difficult, so there might be a typo.  Based on the error message, I
> infer that maybe this has something to do with my Qubes 3.2 system
> having too many VM's on it already?  Is that an accurate guess, or is
> there a different reason for this error?  Is there any workaround?
> 
> Cheers,
> -Jeremy
> 

The only other case in which I've seen this happen is when a user
surpassed the maximum number of Qubes VMs (254):

https://groups.google.com/d/topic/qubes-users/Zw5XjZndrDo/discussion

Did you do the same?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYT5+IAAoJENtN07w5UDAwlckQAK72n0yw14/jCSJ5JAREdHBf
RJkFOgcH+h/JhCuHUHCMo1Wop4cGvWOmbpHhEcgRt8s1kxtj40+vS32vZ5nfESMV
yfLAsIlYbBODIvw5CdkIHpT5pY8Jft6hLS60Nf3XLuGRofyMLRu30A18mN3Umuw9
lP0dSc+N5y21F2oW/twLxT7f5JAXZg7ec8JrRb5uFaLejtDG6xx0k9VY6ucKhV8Q
V3BoLFBceCJozB6T+ISFSyUTy3Ra2x6abKKGlemOgPHT6xflFlUHqTg3LCmUBUrG
yjwD+mPY94gSRrTwPjVwpcq7HwzR5rsQdfL13iFeEIqjMpCdsZ6o+N3Sr/ww4AoX
nTbyrhf5gfhrbZYNOM7FfHX2NnlABlKxvlk2RWc++kss2B86jYjWf28RJo+0YDTc
goHnjSMZRSU1v3r+V3ViSLh777YJUcUbZgtrZ2V7ErALLT5pu8xubktCNIyI56VU
7H1aERx7P4Lh/nuqEccBCo1jE1SoJLFgMCdzTmU2GjJ/9hTApitW4ktBPkM+8q6Z
ahl+2Z7cScnZI+ds9lmXDIHe4qDbZzCESfs/M5gm684WU20i3R1bOjmIDRE3mkaV
jy6VRPRcEsj3RD37uc+9WMvta6MMvJYLJL0kBip1GHYwb+nIBY7v53TuP6Ojw/ac
33Nic8u8W2oV/oSxik3X
=/qzY
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/517aff31-c438-bec6-2a3b-136b90efeadb%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: hddtemp not executed properly in xfce bubble notification in top right on boot

2016-12-12 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-12 22:12, raahe...@gmail.com wrote:
> On Tuesday, December 13, 2016 at 1:05:33 AM UTC-5,
> raah...@gmail.com wrote:
>> where can I find this event log?
> [...] or is there a log of those xfce bubble notifications
> anywhere?  it was alot of text and it disappeared too quick lol.
> 

Maybe check journalctl?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYT553AAoJENtN07w5UDAwsTcQALAsgSnw8ui9Uc4s+wkwLOTT
5zdbigRS3xskhdEOGaZ/JPB4G047OumrcNcrkb52SQXXVXxHkAwBTJ3zYs44zNX6
fbz8X+lFhaou5cY+L56gH7z7bRbzAyd/HJ39V+VPjf8/ZAMVSNFcO0L7jusbabqw
YMN6tnsxd8OUWDwu8LoBFMCSl4gBCtBRLxmPV1NqNFVsCqRbtQwen3SsuK1RC6kc
qVMT2dOIs4lUHVcVmED97f3JwbiobK488jST7Mi3csCg4/bng9J4wTbBjY7UNU/j
aPN7Mtngma96Ncqrrqnxe68l1XExRlyaIswvsdd5l+1dg69A8x1DPzIK+ihXlG4Y
IeEEibQIbSa4cce1AC1T3Nb4DhFzvmSEr7EnWn4zqU+MxLRdBTYl+evqylL8m/xO
O4rO20Ae79vKW2GuOL/OuI8b4MvVWhj3kc0AZHjlZSyBt5sqg8+vMqzOetxQLo5/
+Jy5CXroDHJHIKSVuiYdJEQ0i4uCyso1fTmT0WD83uWHodWO1TV+mil/FyK06Hlj
hKaliqeM/7gDZtqXkHxivyLI2qaI+b2RbEl5ex1ln6e8yfHkeUU9KVOqjm0VBvEU
EtCPGEbwaZPNEPNye39uOP/PM6WEny9SDrt97WI18iC42dTTqYhlNKasEFwUVMXI
iWYqqwj4Sq11sHK145yJ
=Cb0U
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bfa921bd-3920-c2e8-c4a8-da0f76acc1d6%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to move/migrate a VM with a Fedora-23 custom template from 3.1 to 3.2?

2016-12-12 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-12 13:38, Marek Marczykowski-Górecki wrote:
> On Mon, Dec 12, 2016 at 08:04:00PM +0100, Leeteqxv wrote:
>> So I am really looking for which files/folders I need to copy
>> from the old system into the new installation, or, alternatively,
>> if I can "migrate" or point the new system to create a new
>> Template and a new AppVM by pointing it to a folder on the old
>> disk to use as a template for the creation. How can this be
>> done?
> 
> You can copy appropriate directories from /var/lib/qubes/ related
> to that VMs into your new installation (make sure to place them in
> exactly the same location: appvms/ or vm-templates/), then use
> qvm-add-template (for templates) and qvm-add-appvm (for appvms) to
> register them in Qubes. Do not override any files, if VM with the
> same name already exists, rename or remove it first. After this
> operation, proceed to template upgrade procedure you've already
> found.
> 

Thanks; I didn't know about these tools. In the case of AppVMs, how is
this different from creating a new AppVM with the same name as the old
one, then replacing the new private.img with the old one? Or do both
methods achieve the same effect?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYT54lAAoJENtN07w5UDAwV+gQAKH8/g9uDe35/OGYhSOO60LJ
1PZZjNmUwHzx0rzOCWdsWWDQuJJHimgepbNOtNYDRDuwbyaukyp4nRvOoRKhcZQ9
3rMWAZYJ5X781N+vzOqv4rSqlq+4UAnbarGdg7fcBJE8A2R4nK3TVGgXgiUiKB00
OrBpvOqJjSrp1gVgIiLrVuPwlgmsQyKaVkL7HUoRhlUaG3CG+QUJJM4hDhtB5Htn
WbwXC8I4fJumQ9ysOYLDwWPxAldsJ8AZhXbPWlFAqr8tc4Dp8U2gqCQ5WC1Ltj6a
o1tiXXYuiEiDfHjsutP+e0KG6bEaxO6GoXhro9XmY3J+reIwTV72um5+xEgVbfnX
DD4Ng1UTKoBiwkmzwTGMj0MunKwg6W2IAo8pgNWb0GTpMrWXAd5ANjzIbq40SrCk
NPWggvsw7L4VaxQhVVNHjURi1U1ZGHl16e9/jrONM9AxFLMS9lIQvd9kSXAaVvci
uUNgAH+Jwc57Mbw4glvWk0SOpyaMzYW4ADXIZINWHOUNrClNKJxamuFYc250LpoB
hGzwAEDhHCTY7hXnlGdE01Fw1+KjnJtvUzYvMZN/NKIkjsBqnjTaCP7GCXI3chZc
DSV/ddSs9RkjEF4+pZA2gLWp/vxGhQMr2ZUw78ZBu2mkVbM0AD0fMwCkXe/m+Tmj
P6SfrNg0wr7ot8Vn23yn
=xhfr
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16be5ff4-e49e-86fb-1376-d8e13f3edbd9%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: hddtemp not executed properly in xfce bubble notification in top right on boot

2016-12-12 Thread raahelps
On Tuesday, December 13, 2016 at 1:05:33 AM UTC-5, raah...@gmail.com wrote:
> where can I find this event log?   I know fedora uses smartctl  not sure what 
> hddtemp is.  it works now when i type it in dom0 terminal.  hdd is only 33C.  
>  smartctl -a shows same thing.  I have had hdd die or dying and seen 120-130C 
>  immediate rma at that temp.
> 
> I wonder if my pc was hot at the time.  I kind of felt it was hot and i was 
> running windows and suffocating in my room...   so i ran to turn on the ac as 
> the fan started blaring on a reboot to bios passwd lol.  so I'm thinking 
> something to that actually and would like to find this programs logs.  Thanks.
> 
> I suspect i have had something wrong this bios on this machine for some time. 
>  This only happens after running baremetal windows,  and because I installed 
> a bootleg game years ago lol.  Or probably the something making the mobo 
> itself hot that doesn't register temperature to the os.  definitely affects 
> the cpu too.  I'll clean out the dust. order some good silver paste.
> 
> I might be crazy but I think alot of viruses don't do nothing if you just 
> simply keep a cpu monitor etc on all the time. haha

or is there a log of those xfce bubble notifications anywhere?  it was alot of 
text and it disappeared too quick lol.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e1c5600d-5f43-489b-a801-b7d55eaef614%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] hddtemp not executed properly in xfce bubble notification in top right on boot

2016-12-12 Thread raahelps
where can I find this event log?   I know fedora uses smartctl  not sure what 
hddtemp is.  it works now when i type it in dom0 terminal.  hdd is only 33C.   
smartctl -a shows same thing.  I have had hdd die or dying and seen 120-130C  
immediate rma at that temp.

I wonder if my pc was hot at the time.  I kind of felt it was hot and i was 
running windows and suffocating in my room...   so i ran to turn on the ac as 
the fan started blaring on a reboot to bios passwd lol.  so I'm thinking 
something to that actually and would like to find this programs logs.  Thanks.

I suspect i have had something wrong this bios on this machine for some time.  
This only happens after running baremetal windows,  and because I installed a 
bootleg game years ago lol.  Or probably the something making the mobo itself 
hot that doesn't register temperature to the os.  definitely affects the cpu 
too.  I'll clean out the dust. order some good silver paste.

I might be crazy but I think alot of viruses don't do nothing if you just 
simply keep a cpu monitor etc on all the time. haha

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/04766191-95de-436f-bc6b-5f3bd31f4ad3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: FYI: Experimental Qubes coldkernel support now available

2016-12-12 Thread Reg Tiangha
On 12/12/2016 10:41 PM, Reg Tiangha wrote:
> On 12/11/2016 11:16 PM, Reg Tiangha wrote:
>> On 12/11/2016 06:01 PM, raahe...@gmail.com
>> wrote:
>>
>>> Thanks for all your info.
>>>
>> A few last observations:
>>
>> - If you run coldkernel on a NetVM or ProxyVM, *nothing* will be able to
>> connect behind it (which kind of sucks).
>> - Dropbox no longer launches and it keeps trying to download the daemon
>> every time you start it up. Ironically, there are no issues with
>> SpiderOAK or NextCloud, but those programs don't force you to download a
>> daemon after installation.
>> - coldkernel works in a usbVM with USB input proxy, however, it does
>> *not* work with mass storage device pass-through (which also sucks) and
>> it has the added effect of locking up Qubes VM Manager once you try as well.
>>
>> Note that all of my sysVMs are running Fedora minimal templates; not
>> sure if using a Debian template would make a difference, but I would
>> suspect not. In the meantime, I've reverted all of my service VMs to use
>> normal kernels and am only running coldkernel on AppVMs.
>>
>> I wonder if properly setting RBAC rules may help with some of the
>> issues? It'd be nice to be able to figure out how to get gradm working
>> in an AppVM. Does anyone know what the /dev/grsec device is or how to
>> create it?
>>
> Looks like preliminary coldkernel support for Debian templates is now
> official:
>
> https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html
>
> They fixed the makefile issue so the Debian instructions as written
> should just work. They even enabled the RBAC driver in the kernel.config
> file (if any of the coldhak team is out there reading this, thanks so
> much! But if you really don't want it in your kernel, you can modify the
> coldkernel.config file with CONFIG_GRKERNSEC_NO_RBAC=y ; and if you
> really wanted SELinux in your kernel, theoretically you would add the
> various SELinux kernel config options to this file as well; you can
> Google for what those are although I haven't tried it myself).
>
> The Fedora instructions are still pending for the reasons in the blog
> post, but if people *really* want to try it on a FC template, I'll give
> you my instructions from start to finish. I'll start with how to compile
> it on an FC BuildVM, then how to install your rpms on other FC templates
> without having to reinstall the entire build environment and compiling
> each time. I used FC 24, but it should still work on FC 23.
>
> First, the Build instructions:
>
> 1) On dom0:
>
>sudo qubes-dom0-update grub2-xen
>
> 2) On FC TemplateVM (make sure /home has at least 4GB free):
>
>   a) Install support for booting from pvgrub2 kernels:
>
>  sudo dnf install qubes-kernel-vm-support
>
>   b) Install the dev environment:
>
>  sudo dnf install hmaccalc zlib-devel binutils-devel
> elfutils-libelf-devel ncurses-devel gcc-plugin-devel wget git gnupg2 bc
> gcc-c++ rpm-build
>
>   c) Optional:  Install bison and flexx to compile gradm:
>
>  sudo dnf install bison flex
>
>
> OPTIONAL:  At this point, you can create an AppVM to do the actual
> compiling, just make sure to save the rpms and u2mfn.ko kernel module
> that you'll end up making. Otherwise, if this is the TemplateVM you
> intend to also use later on in a different AppVM, then keep going.
>
>
> 3)  Clone coldkernel from github:
>
>  wget "https://coldhak.ca/coldhak/keys/coldhak.asc; - O coldhak.asc
>
>  gpg --import coldhak.asc
>
>  git clone https://github.com/coldhakca/coldkernel
>
>  cd coldkernel
>
>  git verify-tag coldkernel-0.9a-4.8.13
>
>  git checkout tags/coldkernel-0.9a-4.8.13
>
> 4) Build coldkernel:
>
>  make qubes-guest
>
> 5) Now you'll have made two rpms. Install them:
>
> sudo dnf install
> kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm
> kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm
>
>
> Now, this is the tricky part. You'll also need to compile the u2mfn.ko
> kernel module, which isn't done by default because the coldkernel kernel
> sources aren't installed by default. BUT a version of the kernel sources
> still exists in your coldkernel directory so you can use that instead to
> build it.
>
>
> 6) Symlink kernel source to where dkms can find it:
>
>  sudo ln -s /home/user/coldkernel/linux-4.8.13
> /lib/modules/4.8.13-coldkernel-grsec-1/build
>
> 7) Build the u2mfn kernel module and rebuild initramfs:
>
>  sudo dkms autoinstall -k 4.8.13-coldkernel-grsec-1
>
>  sudo dracut --regenerate-all --force
>
>
> It will compile the u2mfn kernel module and will place it in
> /lib/modules/4.8.13-coldkernel-grsec-1/extra. IF YOU INTEND TO INSTALL
> COLDKERNEL ON OTHER FC TEMPLATES, BACK THIS FILE UP!!
>
> 7b) Back up the u2mfn kernel module:
>
>  sudo cp /lib/modules/4.8.13-coldkernel-grsec-1/extra/u2mfn.ko
> /home/user/coldkernel/
>
>
> Now, you'll have your two rpms and the u2mfn kernel module in your
> coldkernel directory. Save those elsewhere if you intend on installing

[qubes-users] Re: FYI: Experimental Qubes coldkernel support now available

2016-12-12 Thread Reg Tiangha
On 12/11/2016 11:16 PM, Reg Tiangha wrote:
> On 12/11/2016 06:01 PM, raahe...@gmail.com
> wrote:
>
>> Thanks for all your info.
>>
> A few last observations:
>
> - If you run coldkernel on a NetVM or ProxyVM, *nothing* will be able to
> connect behind it (which kind of sucks).
> - Dropbox no longer launches and it keeps trying to download the daemon
> every time you start it up. Ironically, there are no issues with
> SpiderOAK or NextCloud, but those programs don't force you to download a
> daemon after installation.
> - coldkernel works in a usbVM with USB input proxy, however, it does
> *not* work with mass storage device pass-through (which also sucks) and
> it has the added effect of locking up Qubes VM Manager once you try as well.
>
> Note that all of my sysVMs are running Fedora minimal templates; not
> sure if using a Debian template would make a difference, but I would
> suspect not. In the meantime, I've reverted all of my service VMs to use
> normal kernels and am only running coldkernel on AppVMs.
>
> I wonder if properly setting RBAC rules may help with some of the
> issues? It'd be nice to be able to figure out how to get gradm working
> in an AppVM. Does anyone know what the /dev/grsec device is or how to
> create it?
>
Looks like preliminary coldkernel support for Debian templates is now
official:

https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html

They fixed the makefile issue so the Debian instructions as written
should just work. They even enabled the RBAC driver in the kernel.config
file (if any of the coldhak team is out there reading this, thanks so
much! But if you really don't want it in your kernel, you can modify the
coldkernel.config file with CONFIG_GRKERNSEC_NO_RBAC=y ; and if you
really wanted SELinux in your kernel, theoretically you would add the
various SELinux kernel config options to this file as well; you can
Google for what those are although I haven't tried it myself).

The Fedora instructions are still pending for the reasons in the blog
post, but if people *really* want to try it on a FC template, I'll give
you my instructions from start to finish. I'll start with how to compile
it on an FC BuildVM, then how to install your rpms on other FC templates
without having to reinstall the entire build environment and compiling
each time. I used FC 24, but it should still work on FC 23.

First, the Build instructions:

1) On dom0:

   sudo qubes-dom0-update grub2-xen

2) On FC TemplateVM (make sure /home has at least 4GB free):

  a) Install support for booting from pvgrub2 kernels:

 sudo dnf install qubes-kernel-vm-support

  b) Install the dev environment:

 sudo dnf install hmaccalc zlib-devel binutils-devel
elfutils-libelf-devel ncurses-devel gcc-plugin-devel wget git gnupg2 bc
gcc-c++ rpm-build

  c) Optional:  Install bison and flexx to compile gradm:

 sudo dnf install bison flex


OPTIONAL:  At this point, you can create an AppVM to do the actual
compiling, just make sure to save the rpms and u2mfn.ko kernel module
that you'll end up making. Otherwise, if this is the TemplateVM you
intend to also use later on in a different AppVM, then keep going.


3)  Clone coldkernel from github:

 wget "https://coldhak.ca/coldhak/keys/coldhak.asc; - O coldhak.asc

 gpg --import coldhak.asc

 git clone https://github.com/coldhakca/coldkernel

 cd coldkernel

 git verify-tag coldkernel-0.9a-4.8.13

 git checkout tags/coldkernel-0.9a-4.8.13

4) Build coldkernel:

 make qubes-guest

5) Now you'll have made two rpms. Install them:

sudo dnf install
kernel-headers-4.8.13_coldkernel_grsec_1-2.x86_64.rpm
kernel-4.8.13_coldkernel_grsec_1-2.x86_64.rpm


Now, this is the tricky part. You'll also need to compile the u2mfn.ko
kernel module, which isn't done by default because the coldkernel kernel
sources aren't installed by default. BUT a version of the kernel sources
still exists in your coldkernel directory so you can use that instead to
build it.


6) Symlink kernel source to where dkms can find it:

 sudo ln -s /home/user/coldkernel/linux-4.8.13
/lib/modules/4.8.13-coldkernel-grsec-1/build

7) Build the u2mfn kernel module and rebuild initramfs:

 sudo dkms autoinstall -k 4.8.13-coldkernel-grsec-1

 sudo dracut --regenerate-all --force


It will compile the u2mfn kernel module and will place it in
/lib/modules/4.8.13-coldkernel-grsec-1/extra. IF YOU INTEND TO INSTALL
COLDKERNEL ON OTHER FC TEMPLATES, BACK THIS FILE UP!!

7b) Back up the u2mfn kernel module:

 sudo cp /lib/modules/4.8.13-coldkernel-grsec-1/extra/u2mfn.ko
/home/user/coldkernel/


Now, you'll have your two rpms and the u2mfn kernel module in your
coldkernel directory. Save those elsewhere if you intend on installing
coldkernel on other machines (ex. Copy to another VM).


Continuing on, you'll want to install grsecurity's paxctld program:

8) Grab paxctld and verify it:

 wget

Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread qubenix
qubenix:
> qubenix:
>> Marek Marczykowski-Górecki:
>>> On Mon, Dec 12, 2016 at 05:10:00PM +, qubenix wrote:
 Marek Marczykowski-Górecki:
> Looks like this issue:
> https://github.com/QubesOS/qubes-issues/issues/2514
>
> Rebuilt package just uploaded to testing repository
> (qubes-gui-agent_3.2.10-2+deb9u1).
>
>
>>>
 Doesn't seem to be fixed in stretch, stretch-testing, or
 stretch-securitytesting yet.
>>>
 ```
 [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
 dist-upgrade -y"
 Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
 Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
 Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
 Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
 Reading package lists...
 Reading package lists...
 Building dependency tree...
 Reading state information...
 Calculating upgrade...
 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 [user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-gui
 ii qubes-gui-agent 3.2.8+deb9u1 amd64 Makes X11 windows available to
 qubes dom0
 ```
>>>
>>> Interesting, I have qubes-gui-agent 3.2.11 already, from
>>> stretch-testing. Do you have some caching proxy in between?
>>>
>> At one point I was using Rustybirds update cache proxy, but I've since
>> switched back to a whonix-gw and unchecked "Allow connections to Updates
>> Proxy".
>>
>> I have two debian-9 templates, and they both were connected to update
>> cache and are now connected to whonix-gw. Here's the results from my two
>> debian-9 templates (one is using stretch-testing and
>> stretch-securitytesting the other has only stretch-testing although I
>> don't think that should matter):
>>
>> ```
>> [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
>> dist-upgrade -y -V"
>> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
>> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
>> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
>> Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
>> Reading package lists...
>> Reading package lists...
>> Building dependency tree...
>> Reading state information...
>> Calculating upgrade...
>> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
>> [user@dom0 ~]$ qvm-run -p d9-kali "sudo apt-get update && sudo apt-get
>> dist-upgrade -y -V"
>> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
>> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
>> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
>> Hit:5 http://deb.bitmask.net/debian stretch InRelease
>> Hit:4 http://archive-3.kali.org/kali kali-rolling InRelease
>> Reading package lists...
>> Reading package lists...
>> Building dependency tree...
>> Reading state information...
>> Calculating upgrade...
>> The following packages have been kept back:
>>qubes-gui-agent (3.2.8+deb9u1 => 3.2.11-1+deb9u1)
>> 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
>> [user@dom0 ~]$ qvm-run -p d9-kali "sudo aptitude dist-upgrade"
>> Reading package lists...
>> Building dependency tree...
>> Reading state information...
>> Reading extended state information...
>> Initializing package states...
>> Building tag database...
>> The following NEW packages will be installed:
>>   xserver-xorg-input-qubes{ab} xserver-xorg-video-dummyqbs{ab}
>> The following packages will be upgraded:
>>   qubes-gui-agent
>> 1 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
>> Need to get 66.5 kB of archives. After unpacking 36.9 kB will be used.
>> The following packages have unmet dependencies:
>>  xserver-xorg-video-dummyqbs : Depends: xorg-video-abi-23 which is a
>> virtual package, provided by:
>> - xserver-xorg-core
>> (2:1.19.0-2), but 2:1.18.4-2 is installed
>>
>>Depends: xserver-xorg-core (>=
>> 2:1.18.99.901) but 2:1.18.4-2 is installed
>>  xserver-xorg-input-qubes : Depends: xorg-input-abi-24 which is a
>> virtual package, provided by:
>>  - xserver-xorg-core (2:1.19.0-2),
>> but 2:1.18.4-2 is installed
>>
>> Depends: xserver-xorg-core (>=
>> 2:1.18.99.901) but 2:1.18.4-2 is installed
>> The following actions will resolve these dependencies:
>>
>>  Keep the following packages at their current version:
>> 1) qubes-gui-agent [3.2.8+deb9u1 (now)]
>> 2) xserver-xorg-input-qubes [Not Installed]
>> 3) xserver-xorg-video-dummyqbs [Not Installed]
>>
>>
>>
>> Accept this solution? [Y/n/q/?]
>> ```
>>
> I fixed the second template (d9-kali) by issuing:
> 
> sudo apt-get install -t stretch xserver-xorg-core
> sudo apt-get dist-upgrade
> 
> That fixed my dependency problem and upgraded/installed the 3 packages.
> Still, though, my 

Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread qubenix
qubenix:
> Marek Marczykowski-Górecki:
>> On Mon, Dec 12, 2016 at 05:10:00PM +, qubenix wrote:
>>> Marek Marczykowski-Górecki:
 Looks like this issue:
 https://github.com/QubesOS/qubes-issues/issues/2514

 Rebuilt package just uploaded to testing repository
 (qubes-gui-agent_3.2.10-2+deb9u1).


>>
>>> Doesn't seem to be fixed in stretch, stretch-testing, or
>>> stretch-securitytesting yet.
>>
>>> ```
>>> [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
>>> dist-upgrade -y"
>>> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
>>> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
>>> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
>>> Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
>>> Reading package lists...
>>> Reading package lists...
>>> Building dependency tree...
>>> Reading state information...
>>> Calculating upgrade...
>>> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
>>> [user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-gui
>>> ii qubes-gui-agent 3.2.8+deb9u1 amd64 Makes X11 windows available to
>>> qubes dom0
>>> ```
>>
>> Interesting, I have qubes-gui-agent 3.2.11 already, from
>> stretch-testing. Do you have some caching proxy in between?
>>
> At one point I was using Rustybirds update cache proxy, but I've since
> switched back to a whonix-gw and unchecked "Allow connections to Updates
> Proxy".
> 
> I have two debian-9 templates, and they both were connected to update
> cache and are now connected to whonix-gw. Here's the results from my two
> debian-9 templates (one is using stretch-testing and
> stretch-securitytesting the other has only stretch-testing although I
> don't think that should matter):
> 
> ```
> [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
> dist-upgrade -y -V"
> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
> Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
> Reading package lists...
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Calculating upgrade...
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> [user@dom0 ~]$ qvm-run -p d9-kali "sudo apt-get update && sudo apt-get
> dist-upgrade -y -V"
> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
> Hit:5 http://deb.bitmask.net/debian stretch InRelease
> Hit:4 http://archive-3.kali.org/kali kali-rolling InRelease
> Reading package lists...
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Calculating upgrade...
> The following packages have been kept back:
>qubes-gui-agent (3.2.8+deb9u1 => 3.2.11-1+deb9u1)
> 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
> [user@dom0 ~]$ qvm-run -p d9-kali "sudo aptitude dist-upgrade"
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Reading extended state information...
> Initializing package states...
> Building tag database...
> The following NEW packages will be installed:
>   xserver-xorg-input-qubes{ab} xserver-xorg-video-dummyqbs{ab}
> The following packages will be upgraded:
>   qubes-gui-agent
> 1 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
> Need to get 66.5 kB of archives. After unpacking 36.9 kB will be used.
> The following packages have unmet dependencies:
>  xserver-xorg-video-dummyqbs : Depends: xorg-video-abi-23 which is a
> virtual package, provided by:
> - xserver-xorg-core
> (2:1.19.0-2), but 2:1.18.4-2 is installed
> 
>Depends: xserver-xorg-core (>=
> 2:1.18.99.901) but 2:1.18.4-2 is installed
>  xserver-xorg-input-qubes : Depends: xorg-input-abi-24 which is a
> virtual package, provided by:
>  - xserver-xorg-core (2:1.19.0-2),
> but 2:1.18.4-2 is installed
> 
> Depends: xserver-xorg-core (>=
> 2:1.18.99.901) but 2:1.18.4-2 is installed
> The following actions will resolve these dependencies:
> 
>  Keep the following packages at their current version:
> 1) qubes-gui-agent [3.2.8+deb9u1 (now)]
> 2) xserver-xorg-input-qubes [Not Installed]
> 3) xserver-xorg-video-dummyqbs [Not Installed]
> 
> 
> 
> Accept this solution? [Y/n/q/?]
> ```
> 
I fixed the second template (d9-kali) by issuing:

sudo apt-get install -t stretch xserver-xorg-core
sudo apt-get dist-upgrade

That fixed my dependency problem and upgraded/installed the 3 packages.
Still, though, my d9 template is acting as though there is no package to
upgrade.

-- 
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

-- 

Re: [qubes-users] ssh keys gui not working / password no longer stored (deb8)

2016-12-12 Thread Unman
On Mon, Dec 12, 2016 at 11:53:25PM +0100, cubit wrote:
> Heia
> 
> Since using Qubes (debian 8 template) back to R3.1 when ever I used ssh I 
> would get a gui prompt asking for my key password and it would be remembered 
> for all subsequent ssh sessions until I restart the AppVM.
> 
> With a recent template update this has broken, now what happens is in the 
> terminal window I am asked for the keys password but the password is no 
> longer stored and I must retype for every new session.
> 
> Is there an easy way to get the gui / password managed option back?
> 
> Cubit
> 
>

Debian uses ssh-agent by default. Just use ssh-add to store the key
before opening the ssh session.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161213001143.GA27064%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread qubenix
Marek Marczykowski-Górecki:
> On Mon, Dec 12, 2016 at 05:10:00PM +, qubenix wrote:
>> Marek Marczykowski-Górecki:
>>> Looks like this issue:
>>> https://github.com/QubesOS/qubes-issues/issues/2514
>>>
>>> Rebuilt package just uploaded to testing repository
>>> (qubes-gui-agent_3.2.10-2+deb9u1).
>>>
>>>
> 
>> Doesn't seem to be fixed in stretch, stretch-testing, or
>> stretch-securitytesting yet.
> 
>> ```
>> [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
>> dist-upgrade -y"
>> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
>> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
>> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
>> Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
>> Reading package lists...
>> Reading package lists...
>> Building dependency tree...
>> Reading state information...
>> Calculating upgrade...
>> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
>> [user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-gui
>> ii qubes-gui-agent 3.2.8+deb9u1 amd64 Makes X11 windows available to
>> qubes dom0
>> ```
> 
> Interesting, I have qubes-gui-agent 3.2.11 already, from
> stretch-testing. Do you have some caching proxy in between?
> 
At one point I was using Rustybirds update cache proxy, but I've since
switched back to a whonix-gw and unchecked "Allow connections to Updates
Proxy".

I have two debian-9 templates, and they both were connected to update
cache and are now connected to whonix-gw. Here's the results from my two
debian-9 templates (one is using stretch-testing and
stretch-securitytesting the other has only stretch-testing although I
don't think that should matter):

```
[user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
dist-upgrade -y -V"
Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[user@dom0 ~]$ qvm-run -p d9-kali "sudo apt-get update && sudo apt-get
dist-upgrade -y -V"
Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
Hit:5 http://deb.bitmask.net/debian stretch InRelease
Hit:4 http://archive-3.kali.org/kali kali-rolling InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
   qubes-gui-agent (3.2.8+deb9u1 => 3.2.11-1+deb9u1)
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
[user@dom0 ~]$ qvm-run -p d9-kali "sudo aptitude dist-upgrade"
Reading package lists...
Building dependency tree...
Reading state information...
Reading extended state information...
Initializing package states...
Building tag database...
The following NEW packages will be installed:
  xserver-xorg-input-qubes{ab} xserver-xorg-video-dummyqbs{ab}
The following packages will be upgraded:
  qubes-gui-agent
1 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 66.5 kB of archives. After unpacking 36.9 kB will be used.
The following packages have unmet dependencies:
 xserver-xorg-video-dummyqbs : Depends: xorg-video-abi-23 which is a
virtual package, provided by:
- xserver-xorg-core
(2:1.19.0-2), but 2:1.18.4-2 is installed

   Depends: xserver-xorg-core (>=
2:1.18.99.901) but 2:1.18.4-2 is installed
 xserver-xorg-input-qubes : Depends: xorg-input-abi-24 which is a
virtual package, provided by:
 - xserver-xorg-core (2:1.19.0-2),
but 2:1.18.4-2 is installed

Depends: xserver-xorg-core (>=
2:1.18.99.901) but 2:1.18.4-2 is installed
The following actions will resolve these dependencies:

 Keep the following packages at their current version:
1) qubes-gui-agent [3.2.8+deb9u1 (now)]
2) xserver-xorg-input-qubes [Not Installed]
3) xserver-xorg-video-dummyqbs [Not Installed]



Accept this solution? [Y/n/q/?]
```

-- 
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e8cbae1-d606-6ff4-b65a-79417943bf4b%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Installing nvidia drivers in dom0

2016-12-12 Thread daltong defourne
On Tuesday, September 29, 2015 at 5:23:55 AM UTC+3, ver...@riseup.net wrote:
> > Do you know anything about support for this particular hardware in
> > baremetal Linux distributions (like Ubuntu, Fedora)?
> 
> I've successfully installed Ubuntu, Xubuntu, Fedora 22 (in basic graphics
> mode), PC-BSD, OpenBSD, and elementary OS on this Macbook. Ubuntu,
> Xubuntu, and elementary OS were all extremely choppy with Nouveau so I had
> to use the closed-source drivers, but OpenBSD and Fedora 22 ran fine
> without any driver modification.
> 
> 
> > I guess this
> > version of binary nvidia drivers wont work (based on your experience),
> > but maybe there is some way to get open source driver working...
> > Watch this ticket: https://github.com/QubesOS/qubes-issues/issues/794
> > I'll be posting there next test images soon - besides EFI support, it
> > also will contain updated kernel (4.1.x) and X drivers.
> 
> Thanks for the tip! I'll definitely try the next image and write an update
> if it ends up working.

Sorry to necro a year-old discussion, but I'd like to ask if any of the 
participants (OP?) have had success with this operation.

I need to get GTX 1070 box sorta kinda working with Qubes 3.2, and permanently 
installing a different GPU or using integrated graphics is, sadly, not an 
option (can use diff GPU as temporary solution in order to get through install 
process tho) ...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39563c6b-f77e-406e-9f0e-5575e62faa27%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] ssh keys gui not working / password no longer stored (deb8)

2016-12-12 Thread cubit
Heia

Since using Qubes (debian 8 template) back to R3.1 when ever I used ssh I would 
get a gui prompt asking for my key password and it would be remembered for all 
subsequent ssh sessions until I restart the AppVM.

With a recent template update this has broken, now what happens is in the 
terminal window I am asked for the keys password but the password is no longer 
stored and I must retype for every new session.

Is there an easy way to get the gui / password managed option back?

Cubit


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KYpEOY---3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] help updating dom0 - no network - stuck with lots of pending updates

2016-12-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Dec 12, 2016 at 07:52:53AM -0800, jasonwalshismyn...@gmail.com wrote:
> 
> > If updates are already downloaded (it looks so), you can try running
> > "sudo dnf update" in dom0 - maybe it will be better at resolving
> > dependencies.
> 
> [user@dom0 ~]$ sudo dnf update
> sudo: dnf: command not found

Is your sys-firewall based on Debian template? If so, there is
additional step in the upgrade procedure. 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYTxtBAAoJENuP0xzK19csjiQIAJEgCeXCh7wyqKhMiV8rMw2O
yuFA6CajSzUsQwZHR7oIqlwdK41sGlhKaxj1IHbTeSGzuVd0MHCyomMV3U8Dt7LW
/9E++hmk/r7ZYKAV+Ed1mFLFF0XNAZaSj3e8sPdc+plohl+Ccq67cQbPJYPv+z6i
LJRMJ1Ea+ZJMd1cZ187tLA1+QKfJ7tnDhigzLDt8WWHxmsH3NY9K7vYGj5OU7dA+
X32/N+xH4zXD1yTIxz1ffwQ7X9M3Dq9dDx3Xw/t9mN8Mp+q63ASV9PO8/w6rkvzf
LXwhvpqV3kgvk4as1OfRSRczznDLm6h9Pw82V/U5ZhR0OY8al5FkyGF5VnMRkVA=
=zwC5
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161212214849.GJ1180%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to move/migrate a VM with a Fedora-23 custom template from 3.1 to 3.2?

2016-12-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Dec 12, 2016 at 08:04:00PM +0100, Leeteqxv wrote:
> On 11/12/16 21:48, Andrew David Wong wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > On 2016-12-11 09:10, Leeteqxv wrote:
> > > I have a previous test installation of Qubes 3.1 on a separate HDD
> > > (now external USB), which cointains a customised (cloned+extra sw
> > > installs) Fedora-23 template used with a dedicated AppVM.
> > > 
> > > Now I have Qubes 3.2 installed on a new HDD on that machine and
> > > before we move on to Fedora-24 (when F23 "expires" later this
> > > month), I would like to "import" that custom template AND the
> > > related VM into the new (fresh) 3.2 install.
> > > 
> > > I cannot be sure if I have all the necessary insights into Qubes
> > > to assume I can just copy / paste some folders/files into the new
> > > installation, so I would like to know exactly which folders/files
> > > are involved, and if there are any special order/steps to take, and
> > > whatever else is needed for this. I also think that the resulting
> > > How-To list should be fitted into the documentation somewhere.
> > > 
> > > (PS. I have not yet upgraded the new 3.2 system to Fedora-24, so
> > > that part is not the question here. I will do the upgrade to F24
> > > after the migration of the template/VM along with the rest of the
> > > system. Hence, my question here is regarding a "migrate" between
> > > two F23-based systems, from Q3.1 to Q3.2)
> > > 
> > > I am aware of the following docs:
> > > 
> > > https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/
> > > https://www.qubes-os.org/doc/upgrade-to-r3.2/
> > > 
> > > Can someone provide an ordered list of steps for this?
> > > 
> > > Thanks.
> > > 
> > If I understand you correctly, it sounds like the built-in Qubes
> > backup tool (qvm-backup from the command-line, also available from the
> > Qubes Manager GUI) is the right tool for the job:
> > 
> > https://www.qubes-os.org/doc/backup-restore/
> > 
> > Especially this part:
> > 
> > https://www.qubes-os.org/doc/backup-restore/#migrating-between-two-physical-machines
> > 
> Thanks for the quick response.
> That method would work while still having the old system available/bootable.
> But in my case, I have replaced the old HDD with a new one (on a laptop),
> and need to access the old installation by simply adding that physical disk
> as a USB disk into the new system.
> 
> So I am really looking for which files/folders I need to copy from the old
> system into the new installation, or, alternatively, if I can "migrate" or
> point the new system to create a new Template and a new AppVM by pointing it
> to a folder on the old disk to use as a template for the creation.
> How can this be done?

You can copy appropriate directories from /var/lib/qubes/ related to
that VMs into your new installation (make sure to place them in exactly
the same location: appvms/ or vm-templates/), then use qvm-add-template
(for templates) and qvm-add-appvm (for appvms) to register them in
Qubes. Do not override any files, if VM with the same name already
exists, rename or remove it first.
After this operation, proceed to template upgrade procedure you've
already found.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYTxjpAAoJENuP0xzK19csNggH/3ooEggwxY++D9MiRdarwOPh
/POUDDdC6Mqp4bWPWnd86Mmkwm4jdOR2vFsD13D5+KTJ7ew9SCZ4vNU3S3+sxdnz
GIriztYOq4gUEsZojV9OkeziTAqWgVPFnCfzfONN6METpdh0ywz0VgZp29nldF11
8Y75+hmdJn6ndZk2z58BOM7VYgIeWG1FAEB4pbwqyN8lqUpUNcRtSmm1YzdF+0fK
rrRQ98pjJ4/7ZBmRl9lqE48th2uZDLnI9DJUiYjezkNYVbktexe2Ro7ErBsvmIo+
8CHvv7h4DsJYXJd3bGKSFN8US50PBNoN+qEsTrZ+eS+deQitOmmr4Xwal8zYoaE=
=anX/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161212213849.GI1180%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Dec 12, 2016 at 05:10:00PM +, qubenix wrote:
> Marek Marczykowski-Górecki:
> > Looks like this issue:
> > https://github.com/QubesOS/qubes-issues/issues/2514
> > 
> > Rebuilt package just uploaded to testing repository
> > (qubes-gui-agent_3.2.10-2+deb9u1).
> > 
> > 
> 
> Doesn't seem to be fixed in stretch, stretch-testing, or
> stretch-securitytesting yet.
> 
> ```
> [user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
> dist-upgrade -y"
> Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
> Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
> Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
> Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
> Reading package lists...
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Calculating upgrade...
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> [user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-gui
> ii qubes-gui-agent 3.2.8+deb9u1 amd64 Makes X11 windows available to
> qubes dom0
> ```

Interesting, I have qubes-gui-agent 3.2.11 already, from
stretch-testing. Do you have some caching proxy in between?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYTxerAAoJENuP0xzK19csdMMH/iJr7fL/7PkzfLmExgc/Q7wi
vp4M3UUo4j+gk70ROhR3I2kvLNccgeYmKnR5n2Mw1vTO9/mfGyHoXvZXx3+DPz33
o22MnV/ZBicRpBHFy3FxQ3LnLSmpnRy9xNHzuyWQA1U3ASS4CJtEUIXVaAOSExhv
uBZwqgGiBo1h14q4NTSi+wVvhXTxCCnDsv6kf8qUnNDcUo+zrubr+A4wm2qfwH1i
DcPNc5j1+FXX/NQMjT9nMdeb9Ri68bcXsapjUtq1FZuZda0Q2rcTaBpEgv4U+pYR
zStJWxje+oLxCdCMttByA3gHGjLXNDhqQLNJnSr/YFsaERW7gnLIXMWpuFjk7f4=
=Z1cq
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161212213330.GH1180%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kernel 4.9 in Qubes

2016-12-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Dec 12, 2016 at 08:32:21AM -0800, Grzesiek Chodzicki wrote:
> W dniu sobota, 19 listopada 2016 11:58:21 UTC+1 użytkownik Marek 
> Marczykowski-Górecki napisał:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > On Sat, Nov 19, 2016 at 02:44:38AM -0800, Grzesiek Chodzicki wrote:
> > > AFAIK Qubes uses only LTS kernels for both dom0 and templates. Will Qubes 
> > > be upgraded to the upcoming 4.9 kernel whenver final version is released? 
> > > 4.9 is supposed to be the next LTS version.
> > 
> > Maybe not immediately, but generally yes.
> 
> Kernel 4.9 has just been released
> http://news.softpedia.com/news/linux-kernel-4-9-officially-released-with-support-for-amd-radeon-si-gcn-1-0-gpus-510879.shtml
> How much work is it to port Qubes specific code to a new kernel?

Probably not much, as we already have it ported to 4.8. But on the other
hand, there are a lot of changes, so some time will be needed for
updating build config, and testing. Also, in practice, I'd wait for
4.9.2 or so for things to stabilize.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYTxWtAAoJENuP0xzK19csCRcH/i/+KQ7L8dOGPxFOaO7ronX6
ZOkvhKicdk9B0elUqKoSswKTxyx/tC+NiWSsqLSQISpWqjRKkR0M3wFAMaDvwsCV
J/hvhgM7j7gQ85fNKGY63SNVkM1u/mGaY6qD5lnRvvI7IBrAbF33HHlYQWOlWVug
L0KVCs7YhCXWFXUs1zJGecD4K0AAoTbr5i0+s9egfQiCN9ndjI888au5Rxzi8tfw
6HNjQvabCMOD9cJLjyDVet3CXOkWh6nD8TZuEUsHsluoonQoKUokN5aIjUkomCBW
Xp8gsVrsh7xgZHPlRFShq/152R+hkNgfWjJKbob8+EO88aJZpp30AP1dsHdvBpc=
=581E
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161212212501.GG1180%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to rollback Dom0 updates?

2016-12-12 Thread Manuel Amador (Rudd-O)
On 12/10/2016 09:51 AM, Simon wrote:
> Hello everybody,
>
> Is there a way to rollback updates which corrupted a Qubes-OS system?
>
> I checked DNF history, but it seems to have been disabled / bypassed
> for all events following the OS installation back in September:
>
> - 8< --
>
> [user@dom0 ~]$ sudo dnf history
> ID | Command line | Date and time| Action(s) 
> | Altered
> ---
>
>  5 | --exclude=qubes-template | 2016-09-19 21:10 | Install   
> |1  <
>  4 | remove cairo-dock-plug-i | 2016-09-07 18:19 | Erase 
> |   19 >
>  3 | --exclude=qubes-template | 2016-09-07 14:34 | Install   
> |   14  <
>  2 | --exclude=qubes-template | 2016-09-07 14:24 | Install   
> |5 ><
>  1 |  | 2016-09-04 17:57 | Install   
> |  937 >E
>
> - 8< --
>
> Is there any equivalent feature allowing update rollback in Qubes-OS
> for the Dom0 domain?
>

The reliable way to do rollbacks is to:

1. Install Qubes OS on a btrfs file system.
2. Install the dnf / yum plugin that will snapshot your system right
before upgrades.

Slightly less convenient:

1. Migrate your Qubes OS to ZFS.
2. Manually ZFS snapshot your Qubes OS before dom0 / template upgrades.


-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/142947de-d3bb-7ff3-38ff-aee3edb7e4a0%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to move/migrate a VM with a Fedora-23 custom template from 3.1 to 3.2?

2016-12-12 Thread Leeteqxv

On 11/12/16 21:48, Andrew David Wong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-11 09:10, Leeteqxv wrote:

I have a previous test installation of Qubes 3.1 on a separate HDD
(now external USB), which cointains a customised (cloned+extra sw
installs) Fedora-23 template used with a dedicated AppVM.

Now I have Qubes 3.2 installed on a new HDD on that machine and
before we move on to Fedora-24 (when F23 "expires" later this
month), I would like to "import" that custom template AND the
related VM into the new (fresh) 3.2 install.

I cannot be sure if I have all the necessary insights into Qubes
to assume I can just copy / paste some folders/files into the new
installation, so I would like to know exactly which folders/files
are involved, and if there are any special order/steps to take, and
whatever else is needed for this. I also think that the resulting
How-To list should be fitted into the documentation somewhere.

(PS. I have not yet upgraded the new 3.2 system to Fedora-24, so
that part is not the question here. I will do the upgrade to F24
after the migration of the template/VM along with the rest of the
system. Hence, my question here is regarding a "migrate" between
two F23-based systems, from Q3.1 to Q3.2)

I am aware of the following docs:

https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/
https://www.qubes-os.org/doc/upgrade-to-r3.2/

Can someone provide an ordered list of steps for this?

Thanks.


If I understand you correctly, it sounds like the built-in Qubes
backup tool (qvm-backup from the command-line, also available from the
Qubes Manager GUI) is the right tool for the job:

https://www.qubes-os.org/doc/backup-restore/

Especially this part:

https://www.qubes-os.org/doc/backup-restore/#migrating-between-two-physical-machines

- -- 
Andrew David Wong (Axon)

Community Manager, Qubes OS
https://www.qubes-os.org


Thanks for the quick response.
That method would work while still having the old system available/bootable.
But in my case, I have replaced the old HDD with a new one (on a 
laptop), and need to access the old installation by simply adding that 
physical disk as a USB disk into the new system.


So I am really looking for which files/folders I need to copy from the 
old system into the new installation, or, alternatively, if I can 
"migrate" or point the new system to create a new Template and a new 
AppVM by pointing it to a folder on the old disk to use as a template 
for the creation.

How can this be done?

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/23a9898b-c42b-d110-03e9-ba934474666f%40leeteq.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Nvidia drivers in dom0 still works? (need to get a GTX 1070 off the ground)

2016-12-12 Thread daltong defourne
Hi!
Does this procedure still work:
https://www.qubes-os.org/doc/install-nvidia-driver/

?

I have a box I want qubes on, but it has GTX 1070. I can temporarily swap the 
card out for a less obnoxious one (like, some Northern Islands Radeon, which I 
have lying around somewhere), but I'd prefer to put the 1070 back in eventually.

Since nouveau support for this GPU is in its infancy (and frankly nouveau is 
not very good) I'd like to install Nvidia's proprietary drivers.

Has anyone succeeded in using the "official" procedure  from link above (the 
RpmFusion packages version of procedure specifically) on Qubes 3.2 ? 

Are there any things beyond what is in that link that I should keep in mind?

 
P.S.:
For the purpose of this discussion, folks at rpmfusion and Nvidia are 
considered trustworthy ;-)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aec43834-a258-4aff-b454-a0ae5786be19%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread qubenix
Marek Marczykowski-Górecki:
> On Mon, Dec 12, 2016 at 12:17:16AM +, a.mcwh...@yandex.com wrote:
>> That means not only me has the same issue with debian-9 template. I've 
>> started reinstalling template.
> 
>> On December 12, 2016 11:01:00 AM AEDT, qubenix  wrote:
>>> Lucas Arnström:
 Hi, I have been using a debian template converted into kali for quite
 some time. But recently, neither the kali template nor any appvms
>>> based
 on it are responding. I can start the vms just fine, but cant do much
 other than that. It seems to be some recent change that induced this
 problem, considering i have been able to use the very same vms for
>>> quite
 some time. But after my last update they all stopped working.

 I have attempted to do a complete rebuild of my kali template. I got
 everything set up, but as soon as I restarted the template I got the
 same issue again.

 I'm attaching the logs.

 // Lucas

>>>
>>> I've had this same experience after a dist-upgrade on my debian-9
>>> template (d9) about 12 hours ago. I had made a clone of this template
>>> about two weeks ago and added the kali repos and some packages.
>>> Strangely, my kali template (and AppVM based on it) work normal even
>>> though it was also upgraded at the same time.
>>>
>>> ```
>>> user@dom0:~$ qvm-run -p d9 gnome-terminal
>>> Unable to init server: Could not connect: Connection refused
>>> Failed to parse arguments: Cannot open display:
>>> ```
> 
> Looks like this issue:
> https://github.com/QubesOS/qubes-issues/issues/2514
> 
> Rebuilt package just uploaded to testing repository
> (qubes-gui-agent_3.2.10-2+deb9u1).
> 
> 

Doesn't seem to be fixed in stretch, stretch-testing, or
stretch-securitytesting yet.

```
[user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
dist-upgrade -y"
Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-gui
ii qubes-gui-agent 3.2.8+deb9u1 amd64 Makes X11 windows available to
qubes dom0
```
-- 
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c5b9c017-5864-abb5-529b-b995500ca705%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kali VM no longer responding

2016-12-12 Thread qubenix
Marek Marczykowski-Górecki:
> On Mon, Dec 12, 2016 at 12:17:16AM +, a.mcwh...@yandex.com wrote:
>> That means not only me has the same issue with debian-9 template. I've 
>> started reinstalling template.
> 
>> On December 12, 2016 11:01:00 AM AEDT, qubenix  wrote:
>>> Lucas Arnström:
 Hi, I have been using a debian template converted into kali for quite
 some time. But recently, neither the kali template nor any appvms
>>> based
 on it are responding. I can start the vms just fine, but cant do much
 other than that. It seems to be some recent change that induced this
 problem, considering i have been able to use the very same vms for
>>> quite
 some time. But after my last update they all stopped working.

 I have attempted to do a complete rebuild of my kali template. I got
 everything set up, but as soon as I restarted the template I got the
 same issue again.

 I'm attaching the logs.

 // Lucas

>>>
>>> I've had this same experience after a dist-upgrade on my debian-9
>>> template (d9) about 12 hours ago. I had made a clone of this template
>>> about two weeks ago and added the kali repos and some packages.
>>> Strangely, my kali template (and AppVM based on it) work normal even
>>> though it was also upgraded at the same time.
>>>
>>> ```
>>> user@dom0:~$ qvm-run -p d9 gnome-terminal
>>> Unable to init server: Could not connect: Connection refused
>>> Failed to parse arguments: Cannot open display:
>>> ```
> 
> Looks like this issue:
> https://github.com/QubesOS/qubes-issues/issues/2514
> 
> Rebuilt package just uploaded to testing repository
> (qubes-gui-agent_3.2.10-2+deb9u1).
> 
> 

Doesn't seem to be fixed in stretch, stretch-testing, or
stretch-securitytesting yet.

```
[user@dom0 ~]$ qvm-run -p d9 "sudo apt-get update && sudo apt-get
dist-upgrade -y"
Hit:1 http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:2 http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:3 http://deb.qubes-os.org/r3.2/vm stretch-testing InRelease
Hit:4 http://deb.qubes-os.org/r3.2/vm stretch-securitytesting InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[user@dom0 ~]$ qvm-run -p d9 "sudo dpkg -l" | grep qubes-guiii
qubes-gui-agent  3.2.8+deb9u1
amd64Makes X11 windows available to qubes dom0
```
-- 
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43f95f6f-3e98-a174-196c-d3799f1f565c%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kernel 4.9 in Qubes

2016-12-12 Thread Grzesiek Chodzicki
W dniu sobota, 19 listopada 2016 11:58:21 UTC+1 użytkownik Marek 
Marczykowski-Górecki napisał:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Sat, Nov 19, 2016 at 02:44:38AM -0800, Grzesiek Chodzicki wrote:
> > AFAIK Qubes uses only LTS kernels for both dom0 and templates. Will Qubes 
> > be upgraded to the upcoming 4.9 kernel whenver final version is released? 
> > 4.9 is supposed to be the next LTS version.
> 
> Maybe not immediately, but generally yes.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJYMDBGAAoJENuP0xzK19csyGgH/igZKONLkMdYToFG1RFxZjFm
> NIl+n5hiqzbDvcCzt0nJpHXXisdVKBDG+975zDBIFZuE6Pn189VD5g3zRcRQEHFT
> 9oJRFRVSm413xZWveR6Wuwvq9o+kcv5ysOGTz0thnqf63y3xLbih1t+YVh7Vs/tN
> MEqecCkZ6Wom027dRhJYJkmC83qCUO6pvPvuBQRRk0x4kzIV+uLpu0rvYJY65vXj
> AJZf5dxkJZ5uMItx1bJxJO27VfevvQtVtn/wxSXkXfpxAdGNvnH99QXR6Tk59T/I
> dA9HZB2VhCOhtFEr4PxfpBM2lXRdPcKVQIdfmODJreNsw+OLd0y3CYdS5icqsv4=
> =Kx2V
> -END PGP SIGNATURE-

Kernel 4.9 has just been released
http://news.softpedia.com/news/linux-kernel-4-9-officially-released-with-support-for-amd-radeon-si-gcn-1-0-gpus-510879.shtml
How much work is it to port Qubes specific code to a new kernel?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2b648683-545c-4fba-8c66-ea548b9c0813%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] help updating dom0 - no network - stuck with lots of pending updates

2016-12-12 Thread jasonwalshismyname

> If updates are already downloaded (it looks so), you can try running
> "sudo dnf update" in dom0 - maybe it will be better at resolving
> dependencies.

[user@dom0 ~]$ sudo dnf update
sudo: dnf: command not found


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dcce1fa7-dbe5-4b04-9f5f-96d70c2c5e34%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] help updating dom0 - no network - stuck with lots of pending updates

2016-12-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Dec 12, 2016 at 06:23:40AM -0800, jasonwalshismyn...@gmail.com wrote:
> I'm trying to update dom0, (419 Updates Selected).
> 
> After searching for infos on qubesOS website and from google, after various 
> attempt, I'm still getting this message from dom0 :
> 
> "None of the selected packages could be updated."
> 
> When I click "check for new Updates", i'm getting this message :
> 
> "There is no network connection available. Please check your connection 
> settings and try again"
> 
> I'm still having 419 Updates to make 
> 
> I just upgraded from Qubes Os 3.1 to Qubes release 3.2 (R3.2)

In fact it looks like you're in the middle of upgrade process.

> You can find the logs from the command "sudo qubes-dom0-update --clean" here :
> 
> http://pastebin.com/Em0W21YV
> 
> Any help to properly update my dom0 will be very appreciated.

If updates are already downloaded (it looks so), you can try running
"sudo dnf update" in dom0 - maybe it will be better at resolving
dependencies.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYTrrYAAoJENuP0xzK19csdssH/1Nwo/HOJCL9YfNHoPtRMIlV
qcUitez/qCx6q1TNRfXxydZH8dhn65eifiifMVFu9ayO3Jq8cLvPaggTKG2E8CHp
aChLjXkPzFVqbqlR2snIO5pVVGjLzufROHx1Bl5Jerv1oq9xBKEHo5zC6ID9j4zk
krOrtusECq2KMmch41fwIseb0M6E8FYZpkb5aWeuTVi9nG/Xf5evvDCzRzTleZdH
f03sYfEDYuwgXLIQQoByNtV9nribEtFaiv0Rbmlvh2kfBx9ZBJBYHPlzWW2mWJbx
rhufK+uKloqkOulWGH8eKVAen7zF6ki+kCNniaxI+yMQpjcsR3RNeNt+RylIHgo=
=tWtI
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161212145728.GF1180%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Nice publicity of Qubes

2016-12-12 Thread Pawel Debski

Not sure if it already has been posted:

https://theintercept.com/2016/11/12/surveillance-self-defense-against-the-trump-administration/

skip the political stuff and scroll down to the Qubes section for big 
"wow" effect :-)



--

Z powazaniem / Best Regards
Mit freundlichen Gruessen / Meilleures salutations
Pawel Debski

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0db50970-b4c8-35ac-5269-a9717129d546%40econsulting.pl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] help updating dom0 - no network - stuck with lots of pending updates

2016-12-12 Thread jasonwalshismyname
I'm trying to update dom0, (419 Updates Selected).

After searching for infos on qubesOS website and from google, after various 
attempt, I'm still getting this message from dom0 :

"None of the selected packages could be updated."

When I click "check for new Updates", i'm getting this message :

"There is no network connection available. Please check your connection 
settings and try again"

I'm still having 419 Updates to make 

I just upgraded from Qubes Os 3.1 to Qubes release 3.2 (R3.2)

You can find the logs from the command "sudo qubes-dom0-update --clean" here :

http://pastebin.com/Em0W21YV

Any help to properly update my dom0 will be very appreciated.

Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dd2290ef-eea8-4cf4-885e-a54a7c67ef47%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to rollback Dom0 updates?

2016-12-12 Thread Simon

Hi Andrew,

Le 2016-12-11 21:45, Andrew David Wong a écrit :

- Usually I update all the templates and Dom0 simultaneously: I right
click on the AppVM template and click `Update VM', I do this for each
AppVM in a row (without waiting for the update of the previous AppVM 
to

terminate) and finally for Dom0 (since it locks access to the Qubes VM
Manager during the while Dom0 update process, which is the longest, 
see

below).


When you say "AppVM," do you actually mean TemplateVM? There should
normally be no reason to update AppVMs.



Yes sorry, that's indeed what I mean, I do this for each TemplateVM and 
not AppVM (usually when I update most AppVM are shut down).



- I have the impression that Dom0 updates are downloaded twice, most
probably an issue around the proxy feature (there is no such issue 
with

the templates, updating Dom0 takes twice as much time as updating the
templates).



Hm, that would be odd. The normal dom0 update process is for the 
updates
to b downloaded by the UpdateVM (default sys-firewall), then 
transferred
to dom0, where the signatures are checked, and the updates are 
installed.

This might have the appearance of the updates being downloaded twice,
but they're really only downloaded once.


Well, this morning again there was a new ghost update : I launched Dom0 
update, it was processing for 14 minutes and downloading about half of 
the time, before finally concluding that there is actually no update 
available. Odd and suboptimal indeed...


While trying to investigate a bit further, I stumbled on this 
interesting "property" of Fedora which randomly selects a "nearby" 
source to download the update. There was indeed updates currently 
available for both my Debian and Fedora packages:


- Debian update took less than a minute,
- Fedora is still ongoing, with a download speed hardly reaching 80 
KB/s.


I think I know understand why updating Dom0 seems so slow, thank you 
Fedora for allowing even the crappiest server to act as an update source 
as long as it is among the closest ones geographically speaking :( ...


I already stumbled on this before and had to cancel an update and try 
later in order to update my Fedora template due to such poor performance 
and an estimated time of completion counted in hours. A few time later, 
a decent server offering a download speed counted in MB instead of KB 
and the update was done in less than a minute too.


If I have some time, maybe I should try to find the culprit(s) and 
blacklist it/them somehow. By the way I'm a bit surprised to see the 
/var/log/tinyproxy to remain empty even after all those tests.


And to end-up on a more positive note I find it great that the template 
VM now shut down themselves automatically once the update is done :) !


Have a nice day,
Simon.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1a3211f8a7167bc02aee0b7c5486200%40whitewinterwolf.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Riseup Services Likely Compromised

2016-12-12 Thread Me
Michael Carbone:
> Me:
>> Qubes users beware. Riseup Services (including email)are likely
>> compromised by State actors.
>> For more info and to verify above statement visit
>> https://riseup.net/canary {here you'll see that the canary statement
>> hasn't been updated quarterly as promised} and here
>> https://www.whonix.org/blog/riseup.
>> Google the topic and you'll see lots of other statements that Riseup is
>> no longer trusted.
>> Stay Safe
> 
> https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/
> 
> which includes statements from the Riseup team.
> 
> It sounds like they were served with something boring, but because of
> how they defined their warrant canary they had to not update it.
> Removing a warrant canary does not mean compromise, which is one of the
> weaknesses of poorly defined (and followed) warrant canaries.
> 
The Intercept may be correct. However they do not publish this tweet
from Riseup "listen to the hummingbird, whose wings you cannot see,
listen to the hummingbird, don't listen to me." It doesn't take a rocket
scientist to intepret this. In any case, I have my doubts about the
integrity of The Intercept; which is funded by the owner of PAYPAL; that
well known privacy activist! who in the past hast blocked donations to
Wikileaks et al

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9d376fbd-4db4-9a7f-80f2-83909f936718%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Debian 9 updates to x11 makes template unusable

2016-12-12 Thread Foppe de Haan
On Monday, December 12, 2016 at 6:58:21 AM UTC+1, Chris Laprise wrote:
> New updates to x11 in Debian 9 have made otherwise well-running template 
> unable to boot properly. The status dot stays yellow and sys-net NM icon 
> doesn't appear, so this appears to affect the GUI daemon. I had to 
> revert it to get stuff done, so I'll post details later.
> 
> Chris

You've seen this? https://github.com/QubesOS/qubes-issues/issues/2514 :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/38001836-3b73-40dd-8739-8bbd68d588fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Dual boot, two disks

2016-12-12 Thread Wojciech Gustowski
Hi,
I am new user. I plan to install Qubes but I am not sure how my partition 
scheme should looks like with dual boot and two disks. I read documentation, 
but I didn’t find example similar to my case. 

1. Space for Qubes: I have two disks SSD with about 35-40 gb of space (sda) and 
about 130gb on standard magnetic disk (sdb). For the moment I have Fedora 
installed on both disks.
2. Windows is installed as EFI and uses most capacity of both disks . I know 
the risk of dual boot but I need Windows for different tasks. I would prefer 
avoid installation of Windows (if possible).
3. I have about 85 gb of important data that I need to store on one of VMs. I 
assume that it would be “personal” or I will make special one.
4. I thought that I will put “/” on sda, “/boot” & “swap” on sdb and mount rest 
of sdb to that special VM, but Marek mentioned in other thread that it won’t be 
good solution. In such case I assume that I should mount rest of sdb to 
“/var/lib/qubes”. If, it is good idea?

If some of You can suggest me some ideas or best practices in such case I will 
be glad.

Thank You.

Wojtek

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5c3beebe-6e83-433e-8a80-dd8bcc7596b2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.