Re: [qubes-users] Re: Black Screen when installing 4.0.3 & 4.1 on AMD Ryzen 4750U

2020-08-10 Thread Dylanger Daly
> I'm going to experiment with moving a couple of my Qubes VMs over to the
> Ubuntu install under KVM (using VM Manager app).

Nice, I've had the same thought with Fedora Silverblue, but Qube's qvm- etc 
tools make everything so much easier.

> The Qubes 4.1 tree appears to have Xen 4.13 and Linux 5.7, currently.

Indeed R4.1 is using Xen 4.13.1 
 last commit was 
back on May 7th 2020, I can't seem to see any AMD/Ryzen specific commits 
that are newer than this date, I was looking at cherry picking Xen commits 
related to AMD/Ryzen however I can't find any.

Any and all AMD Related commits I can find were made in 2019 and are 
included in the current Xen 4.13.1

So perhaps this is actually a dom0/Linux Kernel issue? Surely if it were 
Xen they'd have something committed by now?
On Monday, August 10, 2020 at 8:21:05 PM UTC+10 Chris Laprise wrote:

> On 8/5/20 7:29 PM, Dylanger Daly wrote:
> > Hmm, wonder if I should try building a 4.1 ISO with a Linux 5.8 Kernel, 
> > it's interesting because Xen is able to write to the framebuffer just 
> > fine, I think it's dom0 that isn't able to remap it so it stays at an 
> > address Xen had it configured for, it almost smells like an IOMMU/Memory 
> > Mapping issue, not necessarily GPU.
>
> My Thinkpad T14 arrived and Qubes 4.0.3 installer behaves the same on 
> the T14 as what you reported.
>
> With Ubuntu upgraded to kernel 5.8.0 to fix broken suspend & brightness 
> and system running hot; now its great extremely fast, cool and 
> quiet. (Yes, I upgraded kernel bc the existing one had.)
>
> I'm going to experiment with moving a couple of my Qubes VMs over to the 
> Ubuntu install under KVM (using VM Manager app). I've already got an LVM 
> thin pool setup and re-provisioning OS root snapshots to specific VMs 
> before they boot as if they were templates.
>
> > 
> > There's UEFI Options for the UMA Framebuffer size of 512MB, 1GB and 2GB 
> > I've tried all variants unsuccessfully.
> > I don't think it's a Xen issue because I tried simply moving my current 
> > laptop's NVMe, when I entered my LUKs Password (Blind) I could see LEDs 
> > on the keyboard initialize so I think 4.0.3 does indeed work fine.
>
> FYI release notes for both Xen 4.13 and 4.14 mention additional support 
> for new AMD Epyc processors. I interpret this as a server-oriented way 
> of expressing support for certain generations of AMD processors, though 
> I don't know how close Ryzen and Epyc are in terms of operation.
>
> The Qubes 4.1 tree appears to have Xen 4.13 and Linux 5.7, currently.
>
> > 
> > I don't think there's a migration path for 4.0.3 - 4.1 (Backup & 
> > Restore) yet, I don't think the Qubes team have even signed any 4.1 ISOs 
> > yet either so I'd rather 4.0.3 but I'll take anything I can get at this 
> > point.
>
> I feel the same way. I would love to run Qubes on my T14 but I have a 
> feeling that Linux 5.7 won't cut it and I'm not experienced enough with 
> qubes builder to confidently upgrade either Linux or Xen. I did make a 
> sloppy attempt with ISO Master to replace the Qubes 4.0.3 installer ISO 
> kernel with the Ubuntu 5.8.0 kernel but due to my ignorance about the 
> format I couldn't get it to initiate the boot process.
>
> -- 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/473120a6-96f5-4ad5-8f8f-20213f5d283an%40googlegroups.com.


Re: [qubes-users] Why Fedora?

2020-08-10 Thread Chris Laprise

On 8/10/20 5:22 PM, Toptin wrote:
> Chris Laprise:
>> On 8/10/20 12:30 PM, Toptin wrote:
>>> Jeff Kayser:
>>>> Here is one reason to use Fedora.
>>>>
>>>> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/
>>>>
>>>
>>> Ah, see... Mr Torvalds is your God. That isn't a reason at all. But
>>> thanks you put a smile on my face.
>>>
>>>>
>>>> ~Jeff Kayser
>>>>
>>>> -Original Message-
>>>> From: qubes-users@googlegroups.com  On
>>>> Behalf Of Chris Laprise
>>>> Sent: Monday, August 10, 2020 9:18 AM
>>>> To: qubes-users@googlegroups.com
>>>> Subject: Re: [qubes-users] Why Fedora?
>>>>
>>>> This email originated from outside the organization
>>>>
>>>> On 8/10/20 12:05 PM, Toptin wrote:
>>>>> Dear Qubes Users,
>>>>>
>>>>> I'm currently digging my way through the exceptional good Qubes
>>>>> documentation. Everything is nicely explained as to why a certain
>>>>> decision / implementation was made, except for the use of Fedora as
>>>>> main distribution.
>>>>>
>>>>> I wonder what's the rationale of that decision; Fedora 25 isn't even
>>>>> supported anymore. No offense or critic intended, just curiosity.
>>>>>
>>>>> Regards, toptin.
>>
>> I think the subtext here is that Fedora gets the changes first and it
>> makes a good development environment (for Linux code anyway). But that's
>> also why they don't curate or test or secure it like a regular
>> production-ready OS. And also why they don't care about having a wide
>> array of apps.
>>
>> I'd rather see a transition to something more stable like Debian which
>> is also flexible enough to let you pull in newer packages from a tiered
>> repository (stable, testing, unstable, and experimental).
>>
>
> That was my thinking too, but still as mentioned in my previous post I
> would have thought something like Arch-Linux or even Gentoo would be
> better choice because both distribution are actually meta-distributions
> (a distribution to build a target distribution). I worked with both and
> wouldn't recommend it to an end-user but for development to build
> something like Qubes? Yes, I would consider that.
>
> Nothing against Debian. Definitely not. Very trustworthy and
> knowledgeable community, but still quite a big system, especially if one
> wants to strip it down. And then those unfortunate version upgrades. But
> once it's installed it's rock solid.


I don't know if bare-minimum really signifies, at least with the way 
most people define it. A lot of the things you would remove to reduce 
attack surface won't make a big impact on the install's disk space 
usage. Compounding that is Qubes being a PC operating system after all, 
and I've found just about the only DE that gets all the GUI and HID 
stuff working correctly is big ol KDE. For most users, XFCE is suitable 
for already mired-in-Linux users who are conditioned to accept broken or 
absent UI features.


OTOH if its the klocs themselves that are seen as a threat (enabling 
attacks from upstream) then that's a tough spot bc very low kloc IMO is 
a recipe for bad UI w too many missing features that make users feel 
paralyzed. At the end of the day these are still computers and their job 
is to manage complexity and _that_ requires lots of vertical integration.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't get Debian-11 template updated

2020-08-10 Thread 'awokd' via qubes-users
TheGardner:
> I recently got some templates (bullseye, kali and Debian-11) installed on 
> my system, but I can't get them updated. So speaking first about Debian-11, 
> I always get the following message, when I try to update the qube via 
> "Update Qube" function:
> 
> *Failed to apply DSA-4371 fix: dpkg-query: package 'libapt-pkg5.0' is not 
> installed and no information is available*
> *Use dpkg --info (= dpkg-deb --info) to examine archive files.*
> *Error: Failed to get apt version.*
> 
> Anyone, who could point me to the next steps to get this working? dpkg 
> --info and/or dpkg-deb --info didn't help to find out, what's wrong here.
> 
> btw. a 'sudo qubes-dom0-update qubes-template-debian-11' always brings up a 
> 'No match for argument qubes-template-debian-11' although my Debian11 
> template is called Debian-11

Debian 11 is not supported under Qubes yet. It's usually a month or two
after it fully releases out of freeze (not scheduled to start until Jan.
2021) before it is supported. Either switch back to 10 or review the
code and package dependencies to determine how to make it compatible
with 11.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] HP Elitebook 2570P - sys-usb fails to start

2020-08-10 Thread 'awokd' via qubes-users
'c1nturion' via qubes-users:

> Clicked OK to continue the install anyway and finishes ok apart from the 
> sys-usb problem above. When I try to start sys-usb it fails to start with 
> error:
> "Domain sys-usb has failed to start: internal error:
> Unable to reset PCI device :00:14.0: internal error:libxenlight failed to 
> create new domain 'sys-usb'.
> 
> Everything else with install is good.
> 
> Tried the following to fix the sys-usb problem:
> qvm-pci detach sys-usb dom0:00_14.0
> qvm-pci attach --persistent -o no-strict-reset=True sys-usb dom0:00_14.0
> Still get the same error. Tried the same for 00_1a.0 and 00_1d.0. Same error.
> Tried to delete sys-usb and recreate but problem persists.

Good troubleshooting steps. I'd expect EHCI controllers to be more
pass-through compatible than XHCI, so focus on 00_1a.0 alone for now.
Remove all USB controllers except that one from sys-usb. Attach with
no-strict-reset=true like you have been, but you may also need to add
the permissive option. After attempting to start sys-usb, also check to
see if there are any related messages in
/var/log/libvirt/libxl/libxl-driver.log.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
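
The steps suggested in the reply above, as a dry-run script for dom0. This is an added example, not code from the thread: it prints the `qvm-pci` commands for review and then checks the libxl log for the device. The `permissive=True` option spelling, the helper names and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Run in dom0. It only PRINTS the qvm-pci
# commands for review and then reads the libxl log; it changes nothing itself.

VM="sys-usb"
LOG="/var/log/libvirt/libxl/libxl-driver.log"

# qvm-pci names devices "dom0:00_1a.0"; libxl logs them as "0000:00:1a.0".
to_sbdf() {
    printf '0000:%s\n' "$(printf '%s' "${1#dom0:}" | tr '_' ':')"
}

# Print the plan from the reply: detach every controller currently assigned
# ($2...), then re-attach only the one to keep ($1) with both options set.
#   no-strict-reset: attach even though the device cannot be reset between
#                    uses, so device state can carry over
#   permissive:      let the VM write the full PCI config space
plan_commands() {
    keep="$1"; shift
    for dev in "$@"; do
        echo "qvm-pci detach $VM $dev"
    done
    echo "qvm-pci attach --persistent -o no-strict-reset=True -o permissive=True $VM $keep"
    echo "qvm-start $VM"
}

# Classify what the log ($2) says about a device ($1):
#   reset = libxl reported a reset problem for it
#   other = mentioned, but not about reset
#   none  = not mentioned
diagnose() {
    hits=$(grep -F "$(to_sbdf "$1")" "$2") || { echo none; return 0; }
    if printf '%s\n' "$hits" | grep -qi 'reset'; then
        echo reset
    else
        echo other
    fi
}

# Constructed sample log lines, modelled on libxl's message layout.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-08-10 09:14:02.113+0000: libxl: libxl_pci.c:1199:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device 0000:00:14.0
2020-08-10 09:14:02.480+0000: libxl: libxl_create.c:1266:domcreate_rebuild_done: Domain 12:cannot (re-)build domain: -3
EOF
}

# Controllers named in the thread; keep only 00_1a.0, as the reply suggests.
plan_commands dom0:00_1a.0 dom0:00_14.0 dom0:00_1a.0 dom0:00_1d.0

# Use the real log in dom0, or the constructed sample anywhere else.
if [ -r "$LOG" ]; then
    src="$LOG"
else
    src=$(mktemp) && write_sample_log "$src"
fi
for dev in dom0:00_14.0 dom0:00_1a.0 dom0:00_1d.0; do
    echo "$dev: $(diagnose "$dev" "$src")"
done
[ "$src" = "$LOG" ] || rm -f "$src"
```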



Re: [qubes-users] Why Fedora?

2020-08-10 Thread Toptin
Chris Laprise:
> On 8/10/20 12:30 PM, Toptin wrote:
>> Jeff Kayser:
>>> Here is one reason to use Fedora.
>>>
>>> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/
>>>
>>
>> Ah, see... Mr Torvalds is your God. That isn't a reason at all. But
>> thanks you put a smile on my face.
>>
>>>
>>> ~Jeff Kayser
>>>
>>> -Original Message-
>>> From: qubes-users@googlegroups.com  On
>>> Behalf Of Chris Laprise
>>> Sent: Monday, August 10, 2020 9:18 AM
>>> To: qubes-users@googlegroups.com
>>> Subject: Re: [qubes-users] Why Fedora?
>>>
>>> This email originated from outside the organization
>>>
>>> On 8/10/20 12:05 PM, Toptin wrote:
>>>> Dear Qubes Users,
>>>>
>>>> I'm currently digging my way through the exceptional good Qubes
>>>> documentation. Everything is nicely explained as to why a certain
>>>> decision / implementation was made, except for the use of Fedora as
>>>> main distribution.
>>>>
>>>> I wonder what's the rationale of that decision; Fedora 25 isn't even
>>>> supported anymore. No offense or critic intended, just curiosity.
>>>>
>>>> Regards, toptin.
> 
> I think the subtext here is that Fedora gets the changes first and it
> makes a good development environment (for Linux code anyway). But that's
> also why they don't curate or test or secure it like a regular
> production-ready OS. And also why they don't care about having a wide
> array of apps.
> 
> I'd rather see a transition to something more stable like Debian which
> is also flexible enough to let you pull in newer packages from a tiered
> repository (stable, testing, unstable, and experimental).
> 

That was my thinking too, but still as mentioned in my previous post I
would have thought something like Arch-Linux or even Gentoo would be
better choice because both distribution are actually meta-distributions
(a distribution to build a target distribution). I worked with both and
wouldn't recommend it to an end-user but for development to build
something like Qubes? Yes, I would consider that.

Nothing against Debian. Definitely not. Very trustworthy and
knowledgeable community, but still quite a big system, especially if one
wants to strip it down. And then those unfortunate version upgrades. But
once it's installed it's rock solid.



Re: [qubes-users] Why Fedora?

2020-08-10 Thread Toptin
Qubes:
> On 8/10/20 8:03 PM, Toptin wrote:
>> Jeff Kayser:
>>> Hi, Toptin.
>>>
>>> Glad to put a smile on your face!  Humor helps in difficult times,
>>> and COVID has certainly made things difficult.
>>>
>>> Torvalds isn't my God; Jesus is.  However, in the area of Linux, few
>>> people are more of an expert than Linus Torvalds.  If he prefers
>>> Fedora, that’s a pretty good endorsement.
>>>
>>> There is one other reason: containers are very important, especially
>>> for the cloud.  When I started learning about containers, one concern
>>> I had was security.  From a security standpoint, docker sucks.  To
>>> address the container security issue, one promising direction is
>>> podman.  It is a docker replacement, with a *much* better security
>>> architecture.  The latest podman is delivered in Fedora.  I figured
>>> that if I wanted to learn containers, I should use something secure,
>>> so I started with Fedora and podman.  My main Linux VM is Fedora 32.
>>>
>>> I have also used Oracle Linux, Ubuntu, Raspbian, etc, so it's nothing
>>> personal with Fedora.  But, the container security issue pushed me
>>> over the edge towards Fedora.
>>
>> That's a very good rationale, and makes sense. Although, I still have a
>> little problem with distributions like Fedora. Fedora is Redhat and
>> Redhat is IBM. So, in my world they can't be any trust in a company
>> especially such giants like IBM. I got branded with SuSe when they got
>> bought by Novel...
>>
>> I would have thought that the best distribution for a project like
>> Qubes-OS would have been a fully independent community driven one. Like
>> Debian (I'm not a big fan, but if we talk stability and security; Debian
>> is a rock), or maybe something like Arch-Linux.
>>
> Debian community sponsored? Isn't Canonical the biggest sponsor? They're
> not small.
> 
> Has OmniosCE with the ZFS file system integrated along with a host of
> VERY cool features been considered as  replacement? It should.

I don't know OmniosCE, but I had a quick look at https://omniosce.org/
and it states on their front-page "OMNIOS community edition The Open
Source Enterprise Server OS...". Qubes-OS is designed as a single-user
laptop / desktop system. I think it would be a hell of an effort to
implement such a server system on a laptop. And why?

As Joanna Rutkowska describes in Qubes OS Architecture 2010 v0.3 [1] the
footprint for the base system should be as small as possible (small
attack surface). Although that wasn't the only consideration:
separation, isolation of small modules is key.

So, it's about attack surface and code review; maintenance. The smaller
the code base the easier it is to do a code review, and the harder it is
to attack. That's why I got curious as to why such complex distribution
like Fedora got chosen to be the base; 6 month release cycle / 13 month
max life cycle, and version upgrades.

That's why I thought something like Arch-Linux or Gentoo would be more
preferable because it is its nature to be small, simple, practical. The
installation can be tweaked deep down into the last bit. I don't mean to
say that the end-user should do it. But from the development point of
view I would consider that an advantage.

The end-user would still install the system via a GUI. But the best
thing for the end-user would be that Arch-Linux (or something similar)
would have a rolling upgrade. So, no version upgrades and then fixing
the system for the next couple of days. For those who are not familiar
with AL: it's one simple command: pacman -Suy . That command takes care
of everything.

I work for over a decade with VMs. I have everything in VMs. Result:
more security that's for sure, but also more complexity in regards to
backup / restore. For example: What if a restored VM won't start because
of a corrupt vdisk...do you still do traditional backups? etc, etc. It's
complicated...

So, to have a small, simple, and practical base system is a must. I
don't see that with Fedora... However, I have to try when I get my new
laptops and see for myself...

1:
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf

> 
> I have worked with ZFS on OmniosCE for a while and I can really see how
> Qubes can greatly benefit from it. With the way that Qubes has been
> designed dropping in ZFS can open up a world of possibilities in what we
> can do with our VMs, be that TemplateVMs or AppVMs.
> 
> Before I stumbled on to Qubes I had dreams of running my electronic life
> much like Qubes is designed today. I don't even mean the security it
> provides, just the plain freaking awesomeness of how quickly one can
> achieve certain things. Just something as simple as spinning up a new VM
> just to test something. ZFS can improve current functionality.
> 
> OmniosCE is under active development I have been a part of that
> community for a while. I can recommend it.
> 
>> However I got your point.
>>
>> Thanks for clarifying.

Re: [qubes-users] Why Fedora?

2020-08-10 Thread Chris Laprise

On 8/10/20 12:30 PM, Toptin wrote:
> Jeff Kayser:
>> Here is one reason to use Fedora.
>>
>> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/
>>
>
> Ah, see... Mr Torvalds is your God. That isn't a reason at all. But
> thanks you put a smile on my face.
>
>>
>> ~Jeff Kayser
>>
>> -Original Message-
>> From: qubes-users@googlegroups.com  On Behalf Of
>> Chris Laprise
>> Sent: Monday, August 10, 2020 9:18 AM
>> To: qubes-users@googlegroups.com
>> Subject: Re: [qubes-users] Why Fedora?
>>
>> This email originated from outside the organization
>>
>> On 8/10/20 12:05 PM, Toptin wrote:
>>> Dear Qubes Users,
>>>
>>> I'm currently digging my way through the exceptional good Qubes
>>> documentation. Everything is nicely explained as to why a certain
>>> decision / implementation was made, except for the use of Fedora as
>>> main distribution.
>>>
>>> I wonder what's the rationale of that decision; Fedora 25 isn't even
>>> supported anymore. No offense or critic intended, just curiosity.
>>>
>>> Regards, toptin.


I think the subtext here is that Fedora gets the changes first and it 
makes a good development environment (for Linux code anyway). But that's 
also why they don't curate or test or secure it like a regular 
production-ready OS. And also why they don't care about having a wide 
array of apps.


I'd rather see a transition to something more stable like Debian which 
is also flexible enough to let you pull in newer packages from a tiered 
repository (stable, testing, unstable, and experimental).


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Why Fedora?

2020-08-10 Thread Qubes

On 8/10/20 8:03 PM, Toptin wrote:
> Jeff Kayser:
>> Hi, Toptin.
>>
>> Glad to put a smile on your face!  Humor helps in difficult times, and COVID
>> has certainly made things difficult.
>>
>> Torvalds isn't my God; Jesus is.  However, in the area of Linux, few people are
>> more of an expert than Linus Torvalds.  If he prefers Fedora, that’s a pretty
>> good endorsement.
>>
>> There is one other reason: containers are very important, especially for the
>> cloud.  When I started learning about containers, one concern I had was
>> security.  From a security standpoint, docker sucks.  To address the container
>> security issue, one promising direction is podman.  It is a docker replacement,
>> with a *much* better security architecture.  The latest podman is delivered in
>> Fedora.  I figured that if I wanted to learn containers, I should use something
>> secure, so I started with Fedora and podman.  My main Linux VM is Fedora 32.
>>
>> I have also used Oracle Linux, Ubuntu, Raspbian, etc, so it's nothing personal
>> with Fedora.  But, the container security issue pushed me over the edge towards
>> Fedora.
>
> That's a very good rationale, and makes sense. Although, I still have a
> little problem with distributions like Fedora. Fedora is Redhat and
> Redhat is IBM. So, in my world they can't be any trust in a company
> especially such giants like IBM. I got branded with SuSe when they got
> bought by Novel...
>
> I would have thought that the best distribution for a project like
> Qubes-OS would have been a fully independent community driven one. Like
> Debian (I'm not a big fan, but if we talk stability and security; Debian
> is a rock), or maybe something like Arch-Linux.

Debian community sponsored? Isn't Canonical the biggest sponsor? They're
not small.

Has OmniosCE with the ZFS file system integrated along with a host of
VERY cool features been considered as  replacement? It should.

I have worked with ZFS on OmniosCE for a while and I can really see how
Qubes can greatly benefit from it. With the way that Qubes has been
designed dropping in ZFS can open up a world of possibilities in what we
can do with our VMs, be that TemplateVMs or AppVMs.

Before I stumbled on to Qubes I had dreams of running my electronic life
much like Qubes is designed today. I don't even mean the security it
provides, just the plain freaking awesomeness of how quickly one can
achieve certain things. Just something as simple as spinning up a new VM
just to test something. ZFS can improve current functionality.

OmniosCE is under active development I have been a part of that
community for a while. I can recommend it.

> However I got your point.
>
> Thanks for clarifying.
>
> Regards, toptin.
>
>> ~Jeff Kayser
>>
>> -Original Message-
>> From: qubes-users@googlegroups.com  On Behalf Of
>> Toptin
>> Sent: Monday, August 10, 2020 9:30 AM
>> To: qubes-users@googlegroups.com
>> Subject: Re: [qubes-users] Why Fedora?
>>
>> This email originated from outside the organization
>>
>> Jeff Kayser:
>>> Here is one reason to use Fedora.
>>>
>>> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/
>>
>> Ah, see... Mr Torvalds is your God. That isn't a reason at all. But thanks you
>> put a smile on my face.
>>
>>> ~Jeff Kayser
>>>
>>> -Original Message-
>>> From: qubes-users@googlegroups.com  On
>>> Behalf Of Chris Laprise
>>> Sent: Monday, August 10, 2020 9:18 AM
>>> To: qubes-users@googlegroups.com
>>> Subject: Re: [qubes-users] Why Fedora?
>>>
>>> This email originated from outside the organization
>>>
>>> On 8/10/20 12:05 PM, Toptin wrote:
>>>> Dear Qubes Users,
>>>>
>>>> I'm currently digging my way through the exceptional good Qubes
>>>> documentation. Everything is nicely explained as to why a certain
>>>> decision / implementation was made, except for the use of Fedora as
>>>> main distribution.
>>>>
>>>> I wonder what's the rationale of that decision; Fedora 25 isn't even
>>>> supported anymore. No offense or critic intended, just curiosity.
>>>>
>>>> Regards, toptin.
>>>
>>> IIRC the core Linux developer for Qubes stated that Fedora was simply what he
>>> was used to when starting the project.
>>>
>>> Since then an issue has been open to replace Fedora in dom0 with something else.
>>
>> Yep, that's more like it. Thought something like that.
>>
>> Thanks both of you for your response.
>>
>> Regards, toptin.
>>
>>> --
>>> Chris Laprise, tas...@posteo.net
>>> https://github.com/tasket
>>> https://twitter.com/ttaskett

Re: [qubes-users] Why Fedora?

2020-08-10 Thread Toptin
Jeff Kayser:
> Hi, Toptin.
> 
> Glad to put a smile on your face!  Humor helps in difficult times, and COVID 
> has certainly made things difficult.
> 
> Torvalds isn't my God; Jesus is.  However, in the area of Linux, few people 
> are more of an expert than Linus Torvalds.  If he prefers Fedora, that’s a 
> pretty good endorsement.
> 
> There is one other reason: containers are very important, especially for the 
> cloud.  When I started learning about containers, one concern I had was 
> security.  From a security standpoint, docker sucks.  To address the 
> container security issue, one promising direction is podman.  It is a docker 
> replacement, with a *much* better security architecture.  The latest podman 
> is delivered in Fedora.  I figured that if I wanted to learn containers, I 
> should use something secure, so I started with Fedora and podman.  My main 
> Linux VM is Fedora 32.
> 
> I have also used Oracle Linux, Ubuntu, Raspbian, etc, so it's nothing 
> personal with Fedora.  But, the container security issue pushed me over the 
> edge towards Fedora.

That's a very good rationale, and makes sense. Although, I still have a
little problem with distributions like Fedora. Fedora is Redhat and
Redhat is IBM. So, in my world they can't be any trust in a company
especially such giants like IBM. I got branded with SuSe when they got
bought by Novel...

I would have thought that the best distribution for a project like
Qubes-OS would have been a fully independent community driven one. Like
Debian (I'm not a big fan, but if we talk stability and security; Debian
is a rock), or maybe something like Arch-Linux.

However I got your point.

Thanks for clarifying.

Regards, toptin.

> 
> ~Jeff Kayser
> 
> -Original Message-
> From: qubes-users@googlegroups.com  On Behalf 
> Of Toptin
> Sent: Monday, August 10, 2020 9:30 AM
> To: qubes-users@googlegroups.com
> Subject: Re: [qubes-users] Why Fedora?
> 
> This email originated from outside the organization
> 
> Jeff Kayser:
>> Here is one reason to use Fedora.
>>
>> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/
> 
> Ah, see... Mr Torvalds is your God. That isn't a reason at all. But thanks 
> you put a smile on my face.
> 
>>
>> ~Jeff Kayser
>>
>> -Original Message-
>> From: qubes-users@googlegroups.com  On 
>> Behalf Of Chris Laprise
>> Sent: Monday, August 10, 2020 9:18 AM
>> To: qubes-users@googlegroups.com
>> Subject: Re: [qubes-users] Why Fedora?
>>
>> This email originated from outside the organization
>>
>> On 8/10/20 12:05 PM, Toptin wrote:
>>> Dear Qubes Users,
>>>
>>> I'm currently digging my way through the exceptional good Qubes 
>>> documentation. Everything is nicely explained as to why a certain 
>>> decision / implementation was made, except for the use of Fedora as 
>>> main distribution.
>>>
>>> I wonder what's the rationale of that decision; Fedora 25 isn't even 
>>> supported anymore. No offense or critic intended, just curiosity.
>>>
>>> Regards, toptin.
>>>
>>
>> IIRC the core Linux developer for Qubes stated that Fedora was simply what 
>> he was used to when starting the project.
>>
>> Since then an issue has been open to replace Fedora in dom0 with something 
>> else.
> 
> Yep, that's more like it. Thought something like that.
> 
> Thanks both of you for your response.
> 
> Regards, toptin.
> 
> 
>>
>> --
>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>>

RE: [qubes-users] Why Fedora?

2020-08-10 Thread Jeff Kayser
Hi, Toptin.

Glad to put a smile on your face!  Humor helps in difficult times, and COVID 
has certainly made things difficult.

Torvalds isn't my God; Jesus is.  However, in the area of Linux, few people are 
more of an expert than Linus Torvalds.  If he prefers Fedora, that’s a pretty 
good endorsement.

There is one other reason: containers are very important, especially for the 
cloud.  When I started learning about containers, one concern I had was 
security.  From a security standpoint, docker sucks.  To address the container 
security issue, one promising direction is podman.  It is a docker replacement, 
with a *much* better security architecture.  The latest podman is delivered in 
Fedora.  I figured that if I wanted to learn containers, I should use something 
secure, so I started with Fedora and podman.  My main Linux VM is Fedora 32.

I have also used Oracle Linux, Ubuntu, Raspbian, etc, so it's nothing personal 
with Fedora.  But, the container security issue pushed me over the edge towards 
Fedora.

~Jeff Kayser

-Original Message-
From: qubes-users@googlegroups.com  On Behalf Of 
Toptin
Sent: Monday, August 10, 2020 9:30 AM
To: qubes-users@googlegroups.com
Subject: Re: [qubes-users] Why Fedora?

This email originated from outside the organization

Jeff Kayser:
> Here is one reason to use Fedora.
>
> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/

Ah, see... Mr Torvalds is your God. That isn't a reason at all. But thanks, you 
put a smile on my face.

>
> ~Jeff Kayser
>
> -Original Message-
> From: qubes-users@googlegroups.com  On 
> Behalf Of Chris Laprise
> Sent: Monday, August 10, 2020 9:18 AM
> To: qubes-users@googlegroups.com
> Subject: Re: [qubes-users] Why Fedora?
>
> On 8/10/20 12:05 PM, Toptin wrote:
>> Dear Qubes Users,
>>
>> I'm currently digging my way through the exceptionally good Qubes 
>> documentation. Everything is nicely explained as to why a certain 
>> decision / implementation was made, except for the use of Fedora as 
>> main distribution.
>>
>> I wonder what's the rationale of that decision; Fedora 25 isn't even 
>> supported anymore. No offense or criticism intended, just curiosity.
>>
>> Regards, toptin.
>>
>
> IIRC the core Linux developer for Qubes stated that Fedora was simply what he 
> was used to when starting the project.
>
> Since then an issue has been open to replace Fedora in dom0 with something 
> else.

Yep, that's more like it. Thought something like that.

Thanks both of you for your response.

Regards, toptin.


>
> --
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>


Re: [qubes-users] Why Fedora?

2020-08-10 Thread Toptin
Jeff Kayser:
> Here is one reason to use Fedora.
> 
> https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/

Ah, see... Mr Torvalds is your God. That isn't a reason at all. But
thanks, you put a smile on my face.

> 
> ~Jeff Kayser
> 
> -Original Message-
> From: qubes-users@googlegroups.com  On Behalf 
> Of Chris Laprise
> Sent: Monday, August 10, 2020 9:18 AM
> To: qubes-users@googlegroups.com
> Subject: Re: [qubes-users] Why Fedora?
> 
> On 8/10/20 12:05 PM, Toptin wrote:
>> Dear Qubes Users,
>>
>> I'm currently digging my way through the exceptionally good Qubes 
>> documentation. Everything is nicely explained as to why a certain 
>> decision / implementation was made, except for the use of Fedora as 
>> main distribution.
>>
>> I wonder what's the rationale of that decision; Fedora 25 isn't even 
>> supported anymore. No offense or criticism intended, just curiosity.
>>
>> Regards, toptin.
>>
> 
> IIRC the core Linux developer for Qubes stated that Fedora was simply what he 
> was used to when starting the project.
> 
> Since then an issue has been open to replace Fedora in dom0 with something 
> else.

Yep, that's more like it. Thought something like that.

Thanks both of you for your response.

Regards, toptin.


> 
> --
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 



RE: [qubes-users] Why Fedora?

2020-08-10 Thread Jeff Kayser
Here is one reason to use Fedora.

https://www.fossmint.com/which-linux-distribution-does-linus-torvalds-use/

~Jeff Kayser

-Original Message-
From: qubes-users@googlegroups.com  On Behalf Of 
Chris Laprise
Sent: Monday, August 10, 2020 9:18 AM
To: qubes-users@googlegroups.com
Subject: Re: [qubes-users] Why Fedora?

On 8/10/20 12:05 PM, Toptin wrote:
> Dear Qubes Users,
>
> I'm currently digging my way through the exceptionally good Qubes 
> documentation. Everything is nicely explained as to why a certain 
> decision / implementation was made, except for the use of Fedora as 
> main distribution.
>
> I wonder what's the rationale of that decision; Fedora 25 isn't even 
> supported anymore. No offense or criticism intended, just curiosity.
>
> Regards, toptin.
>

IIRC the core Linux developer for Qubes stated that Fedora was simply what he 
was used to when starting the project.

Since then an issue has been open to replace Fedora in dom0 with something else.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Global Dark Theme For Qt (KDE) Based Applications

2020-08-10 Thread Chris Laprise

On 8/10/20 12:10 PM, Qubes wrote:
> On 6/23/20 5:37 PM, Sven Semmler wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On 6/23/20 9:47 AM, Qubes wrote:
>>> Would anybody here know how you apply a global dark theme to your
>>> AppVM(s) for Qt (KDE) based applications like Amarok, Krusader,
>>> etc?
>>
>> Install qt5ct and style plugins ...
>>
>> Fedora: sudo dnf install qt5ct qt5-qtstyleplugins
>> Debian: sudo apt install qt5ct qt5-style-plugins
>>
>> Then set QT_QPA_PLATFORMTHEME=qt5ct in etc/environment and reboot the
>> qube.
>>
>> Now launch qt5ct and select the 'gtk2' theme. If you are simply using
>> Adwaita-Dark then qt5ct has a dedicated theme for that. Or you may
>> install and select the themes you mentioned.
>
> For me this only works on Debian, the 'Qt5 Settings' application does 
> not work as it should on Fedora (30, 31, 32).
>
>> Finally there is also the Kvantum engine with its dedicated manager
>> you could search for.
>
> Kvantum looks like something I am checking this out as well. Maybe 
> Kvantum will play better with Fedora than the Qt5 control panel.
>
>> I found this page supremely helpful:
>> https://wiki.archlinux.org/index.php/Uniform_Look_for_QT_and_GTK_Applications

Yeah, the best option seems to be Debian template, install KDE with 
'tasksel' command, then run 'systemsettings5' to select the KDE theme or 
color scheme.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Why Fedora?

2020-08-10 Thread Chris Laprise

On 8/10/20 12:05 PM, Toptin wrote:
> Dear Qubes Users,
>
> I'm currently digging my way through the exceptionally good Qubes
> documentation. Everything is nicely explained as to why a certain
> decision / implementation was made, except for the use of Fedora as main
> distribution.
>
> I wonder what's the rationale of that decision; Fedora 25 isn't even
> supported anymore. No offense or criticism intended, just curiosity.
>
> Regards, toptin.

IIRC the core Linux developer for Qubes stated that Fedora was simply 
what he was used to when starting the project.

Since then an issue has been open to replace Fedora in dom0 with 
something else.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [EXT] Re: [qubes-users] Update templates in parallel

2020-08-10 Thread Qubes

On 8/6/20 12:05 PM, Chris Laprise wrote:
> On 8/6/20 3:54 AM, fiftyfourthparal...@gmail.com wrote:
>> On Thursday, 6 August 2020 12:31:44 UTC+8, Emily wrote:
>>>
>>>     -- I'm not unman, but I just checked the repo data and it appears
>>>     they use sha256
>>
>> This is reassuring. Thanks, Emily
>
> I hate to break that feeling, but Fedora is unique in that it doesn't 
> sign its repo metadata, and sadly that is what matters. They put a 
> bandaid on it by fetching more hashes via https... so the update 
> security in Fedora is based on the strength of https. That is bad, as 
> https can be subverted by resourceful attackers.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1130491
>
> What this potentially allows is an attacker to blind Fedora systems to 
> specific package updates, where the systems appear to retrieve updates 
> normally without the users being aware that particular packages with 
> known vulnerabilities have been held back.
>
> Note that RHEL and Centos _do_ sign their repomd.xml. So we're looking 
> at some kind of decision made either by Red Hat's marketing department 
> (keep Fedora off RHEL's expensive turf) or by some idea that Fedora is 
> not for serious mission critical environments, or both.
>
> So this is a sizable hole in Qubes security. The best advice I can give 
> is to avoid using Fedora templates and pay attention to Qubes Security 
> Bulletins when they mention which dom0 components will be updated (and 
> pay close attention when running qubes-dom0-update to look for the 
> mentioned components).

Why does the Qubes project continue using Fedora as the base for a 
default install. Even dom0 is Fedora. I assume they are well aware of 
this issue.

Do the Qubes core team not regard this as a problem or what is the 
rationale?




Re: [qubes-users] Global Dark Theme For Qt (KDE) Based Applications

2020-08-10 Thread Qubes

On 6/23/20 5:37 PM, Sven Semmler wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 6/23/20 9:47 AM, Qubes wrote:
>> Would anybody here know how you apply a global dark theme to your
>> AppVM(s) for Qt (KDE) based applications like Amarok, Krusader,
>> etc?
>
> Install qt5ct and style plugins ...
>
> Fedora: sudo dnf install qt5ct qt5-qtstyleplugins
> Debian: sudo apt install qt5ct qt5-style-plugins
>
> Then set QT_QPA_PLATFORMTHEME=qt5ct in etc/environment and reboot the
> qube.
>
> Now launch qt5ct and select the 'gtk2' theme. If you are simply using
> Adwaita-Dark then qt5ct has a dedicated theme for that. Or you may
> install and select the themes you mentioned.

For me this only works on Debian, the 'Qt5 Settings' application does 
not work as it should on Fedora (30, 31, 32).

> Finally there is also the Kvantum engine with its dedicated manager
> you could search for.

Kvantum looks like something I am checking this out as well. Maybe 
Kvantum will play better with Fedora than the Qt5 control panel.

> I found this page supremely helpful:
> https://wiki.archlinux.org/index.php/Uniform_Look_for_QT_and_GTK_Applications
>
> /Sven
>
> - -- 
>   public key: https://www.svensemmler.org/0x8F541FB6.asc
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6





[qubes-users] Why Fedora?

2020-08-10 Thread Toptin
Dear Qubes Users,

I'm currently digging my way through the exceptionally good Qubes
documentation. Everything is nicely explained as to why a certain
decision / implementation was made, except for the use of Fedora as main
distribution.

I wonder what's the rationale of that decision; Fedora 25 isn't even
supported anymore. No offense or criticism intended, just curiosity.

Regards, toptin.



[qubes-users] Can't get Debian-11 template updated

2020-08-10 Thread TheGardner
I recently got some templates (bullseye, kali and Debian-11) installed on 
my system, but I can't get them updated. So speaking first about Debian-11, 
I always get the following message, when I try to update the qube via 
"Update Qube" function:

*Failed to apply DSA-4371 fix: dpkg-query: package 'libapt-pkg5.0' is not 
installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.*
*Error: Failed to get apt version.*

Anyone, who could point me to the next steps to get this working? dpkg 
--info and/or dpkg-deb --info didn't help to find out what's wrong here.

btw. a 'sudo qubes-dom0-update qubes-template-debian-11' always brings up a 
'No match for argument qubes-template-debian-11' although my Debian11 
template is called Debian-11

Thanks & Cheers 
Steffen



Re: [qubes-users] Can’t download large files

2020-08-10 Thread 'cubit' via qubes-users
Aug 7, 2020, 20:22 by shamaarmarti...@gmail.com:

> I’m trying to download a 1.6gb file but after it’s complete I get:
>
> there is not enough room on the disk to save /tmp/mozilla_user0/fN+pjzFx.part
>
> I made sure the download was directed to another file after download in 
> Firefox but it still keeps prioritizing the tmp folder. I then attempt to 
> unmount:
> sudo umount /tmp  - -force
> Device is busy
> I tried deleting the mozilla_user0 and the system created the folder that’s 
> only 1gb
>
> Is there any other way to fix this?
>

Make sure the allocated space for the AppVM is large enough.  By default an 
AppVM gets created with 2GB of user space.

Open Qubes Manager, open the settings for the AppVM and increase "Private 
storage Max size" as needed.

cubit

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/MENgHVO--3-2%40tutanota.com.


Re: [qubes-users] Qubes dom0-update-guard script

2020-08-10 Thread fiftyfourthparallel
On Monday, 10 August 2020 18:39:53 UTC+8, Andrew David Wong wrote:
>
> The QSB formats are actually pretty standardized already, though our 
> expectation has been that they'd be read by humans rather than 
> programmatically. We use a template [1] for the overall structure, and 
> in particular, the "Patching" section always follows this format: 
>

Chris, Andrew,

I'm grateful for your pointers. As a newcomer to programming, I don't think 
I'm ready to integrate bulletin parsing and PGP verification into my 
script. As of right now I'm trying to figure out whether I should use bash, 
sh, or Python to write the script and using Chris' qubes-scripts and 
qubes-vm-hardening as reference on how I should proceed. Maybe I'll get 
around to integrating PGP verification into the process, but for now I want 
to focus on the basics.

Besides, don't the bulletins cover only a tiny (though critical) portion of 
the updates dom0 receives? The PGP verification will provide a strong 
additional layer of assurances, but I think cross-checking 'rpm -qa' 
against the onion repodata, which itself has been cross-checked with at 
least three other HTTPS repodata, should suffice for now, given my 
abilities.

Oh, and if someone more proficient at programming than I am (probably > 90% 
of the people here) would like to write the script, then by all means--I'll 
take my time and will likely come up with something substandard and in need 
of multiple major revisions. I can still practice even though someone else 
has written it, so please don't think of this little project as 'mine' or 
anything--I'd hate to get in the way of others improving Qubes' security.
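
The cross-check this message describes (repodata fetched over Tor compared with at least three HTTPS copies), which also addresses the held-back-update concern Chris Laprise raises in the "Update templates in parallel" thread, as an added Python example; it is not part of any post here and not Qubes project code. The source labels, the `min_agree` parameter and the inline repomd.xml samples are constructed for illustration, and fetching the files and the later `rpm -qa` comparison are left out.

```python
import hashlib
import xml.etree.ElementTree as ET

# XML namespace used by repomd.xml files
REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}


def summarize(raw):
    """Digest one repomd.xml and pull out the fields needed for comparison."""
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        # repomd.xml needs no DTD; refusing one avoids entity-expansion input.
        raise ValueError("DTD or entity declaration in repomd.xml")
    root = ET.fromstring(raw)
    primary = root.find("r:data[@type='primary']", REPO_NS)
    if primary is None:
        raise ValueError("no primary metadata entry")
    checksum = primary.findtext("r:checksum", namespaces=REPO_NS)
    timestamp = primary.findtext("r:timestamp", namespaces=REPO_NS)
    if not checksum or not timestamp or not timestamp.strip().isdigit():
        raise ValueError("primary entry lacks checksum or timestamp")
    return {
        "file_sha256": hashlib.sha256(raw).hexdigest(),
        "primary_checksum": checksum.strip(),
        "timestamp": int(timestamp.strip()),
    }


def cross_check(reference_name, copies, min_agree=3):
    """Compare the reference copy (e.g. fetched over Tor) with the others.

    copies maps a source label to the raw repomd.xml bytes from that source.
    Verdicts: ok, stale, mismatch, reject (reference missing or unparseable).
    """
    parsed, rejected = {}, {}
    for name, raw in copies.items():
        try:
            parsed[name] = summarize(raw)
        except (ValueError, ET.ParseError) as exc:
            rejected[name] = str(exc)
    result = {"verdict": "reject", "agree": [], "differ": [], "rejected": rejected}
    ref = parsed.get(reference_name)
    if ref is None:
        return result
    for name, info in parsed.items():
        if name == reference_name:
            continue
        same = info["file_sha256"] == ref["file_sha256"]
        result["agree" if same else "differ"].append(name)
    newest = max(info["timestamp"] for info in parsed.values())
    if ref["timestamp"] < newest:
        # Reference is older than metadata seen elsewhere: what a replayed,
        # held-back repomd.xml (or a lagging mirror) looks like. Fail closed.
        result["verdict"] = "stale"
    elif len(result["agree"]) >= min_agree:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "mismatch"
    return result


def sample_repomd(timestamp, checksum):
    """Build a minimal repomd.xml (constructed sample, not real mirror data)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        f'  <revision>{timestamp}</revision>\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{checksum}</checksum>\n'
        '    <location href="repodata/primary.xml.gz"/>\n'
        f'    <timestamp>{timestamp}</timestamp>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


FRESH = sample_repomd(1597000000, "aa" * 32)  # constructed values
OLD = sample_repomd(1596000000, "bb" * 32)    # constructed values


def demo():
    """Run the check on a healthy set and on a held-back reference copy."""
    mirrors = {f"https-mirror-{i}": FRESH for i in (1, 2, 3)}
    healthy = cross_check("onion", {"onion": FRESH, **mirrors})
    held_back = cross_check("onion", {"onion": OLD, **mirrors})
    return healthy["verdict"], held_back["verdict"]


if __name__ == "__main__":
    print(demo())
```

A "stale" verdict cannot distinguish an attack from an ordinary lagging mirror, so it is a prompt to re-fetch or ask the user, as the message proposes, rather than proof of tampering.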



Re: [qubes-users] Qubes dom0-update-guard script

2020-08-10 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-09 3:05 PM, Chris Laprise wrote:
> On 8/8/20 10:20 AM, fiftyfourthparal...@gmail.com wrote:
>> So the new overview of the script is: have a dedicated (and
>> hardened?) tor VM --basically, whonix-ws-- download the metadata
>> from a few mirror sites, compare them to the metadata from Tor,
>> and if all checks out, compare the tor version to the packages
>> installed in dom0. If it doesn't check out, alert user and ask
>> whether to proceed. To do this entirely in dom0 (keeping it safe
>> and simple for a newbie at programming), I'm going to use qvm-run
>> with --pass-io somewhere in my script, along with something to
>> read the whonix output and run cross checks.
>
> Just an idea: Use the Qubes Security Bulletins as your reference
> for checking package versions:
>
> https://www.qubes-os.org/security/pack/
>
> These bulletins are signed txt files, which makes them secure. The
> difficult part would be parsing the QSBs themselves but I wonder
> if Qubes devs would agree to a standard format going forward to
> make it easier + reliable.
>

The QSB formats are actually pretty standardized already, though our
expectation has been that they'd be read by humans rather than
programmatically. We use a template [1] for the overall structure, and
in particular, the "Patching" section always follows this format:

```
Patching
=

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes :
  - 
  - 
  - 
  - 

  For Qubes :
  - 
  - 
  - 
  - 

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
```

Feel free to take a look at any QSBs for specific examples. [2] I'm sure
it wouldn't be a problem to change the syntax slightly if that would
make things easier, as long as it doesn't harm human readability.


[1] https://www.qubes-os.org/security/bulletins/template/
[2] https://www.qubes-os.org/security/bulletins/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org




Re: [qubes-users] Re: Black Screen when installing 4.0.3 & 4.1 on AMD Ryzen 4750U

2020-08-10 Thread Chris Laprise

On 8/5/20 7:29 PM, Dylanger Daly wrote:
> Hmm, wonder if I should try building a 4.1 ISO with a Linux 5.8 Kernel, 
> it's interesting because Xen is able to write to the framebuffer just 
> fine, I think it's dom0 that isn't able to remap it so it stays at an 
> address Xen had it configured for, it almost smells like an IOMMU/Memory 
> Mapping issue, not necessarily GPU.

My Thinkpad T14 arrived and Qubes 4.0.3 installer behaves the same on 
the T14 as what you reported.

With Ubuntu upgraded to kernel 5.8.0 to fix broken suspend & brightness 
and system running hot; now it's great extremely fast, cool and 
quiet. (Yes, I upgraded kernel bc the existing one had.)

I'm going to experiment with moving a couple of my Qubes VMs over to the 
Ubuntu install under KVM (using VM Manager app). I've already got an LVM 
thin pool setup and re-provisioning OS root snapshots to specific VMs 
before they boot as if they were templates.

> There's UEFI Options for the UMA Framebuffer size of 512MB, 1GB and 2GB 
> I've tried all variants unsuccessfully.
> I don't think it's a Xen issue because I tried simply moving my current 
> laptop's NVMe, when I entered my LUKs Password (Blind) I could see LEDs 
> on the keyboard initialize so I think 4.0.3 does indeed work fine.

FYI release notes for both Xen 4.13 and 4.14 mention additional support 
for new AMD Epyc processors. I interpret this as a server-oriented way 
of expressing support for certain generations of AMD processors, though 
I don't know how close Ryzen and Epyc are in terms of operation.

The Qubes 4.1 tree appears to have Xen 4.13 and Linux 5.7, currently.

> I don't think there's a migration path for 4.0.3 - 4.1 (Backup & 
> Restore) yet, I don't think the Qubes team have even signed any 4.1 ISOs 
> yet either so I'd rather 4.0.3 but I'll take anything I can get at this 
> point.

I feel the same way. I would love to run Qubes on my T14 but I have a 
feeling that Linux 5.7 won't cut it and I'm not experienced enough with 
qubes builder to confidently upgrade either Linux or Xen. I did make a 
sloppy attempt with ISO Master to replace the Qubes 4.0.3 installer ISO 
kernel with the Ubuntu 5.8.0 kernel but due to my ignorance about the 
format I couldn't get it to initiate the boot process.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] HP Elitebook 2570P - sys-usb fails to start

2020-08-10 Thread 'c1nturion' via qubes-users
I have an HP Elitebook 2570P, 16GB RAM:
BIOS is 68ISB F.67
Couldn't get the install to work with UEFI but worked with Legacy BIOS.
VT-x and VT-d are enabled in BIOS.
Tried the install with Qubes OS 3.2.1 and 4.0.3 and get the same problem.
Tried detaching and attaching with qvm-pci attach --persistent -o 
no-strict-reset=True sys-usb dom0:00_14.
Still will not start:

During the install (where you specify you want a separate sys-usb) I get the 
following error message pop-up:

[systemctl, 'start' 'qubes-vm@sys-usb.service'] failed:
stdout:''
stderr: 'Job for qubes-vm@sys-usb.service failed because the control process 
exited with error code.
See "systemctl status qubes-vm@sys-usb.service" and "journalctl-xe" for 
details.]

OUTPUT from Journalctl:
MESSAGE=Creating directory: /var/lib/qubes/appvms/sys-usb
MESSAGE=Creating icon symlink: /var/lib/qubes/appvms/sys-usb/icon.png -> 
/usr/share/icons/hicolor/128x128/devices/appvm-red.png
_CMDLINE=runuser -u c1nturion -- env DISPLAY=:0 qvm-appmenus --quiet --init 
--create sys-usb
_CMDLINE=runuser -u c1nturion -- env DISPLAY=:0 qvm-appmenus --quiet --init 
--create sys-usb
_CMDLINE=runuser -u c1nturion -- env DISPLAY=:0 qvm-appmenus --quiet --force 
--update sys-usb
_CMDLINE=runuser -u c1nturion -- env DISPLAY=:0 qvm-appmenus --quiet --force 
--update sys-usb
MESSAGE=Starting sys-usb
MESSAGE=2020-08-09 20:58:14.208+: 2868: error : libxlDomainStart:1308 : 
internal error: libxenlight failed to create new domain 'sys-usb'
MESSAGE=2020-08-09 20:58:14.211+: 2868: error : virPCIDeviceReset:1002 : 
internal error: Unable to reset PCI device :00:14.0: internal error: 
libxenlight failed to create new domain 'sys-usb'
MESSAGE=Start failed: internal error: Unable to reset PCI device :00:14.0: 
internal error: libxenlight failed to create new domain 'sys-usb'
MESSAGE=sys-usb: Creating appmenus
MESSAGE=Starting sys-usb
MESSAGE=2020-08-09 22:19:58.643+: 2868: error : libxlDomainStart:1308 : 
internal error: libxenlight failed to create new domain 'sys-usb'
MESSAGE=2020-08-09 22:19:58.644+: 2868: error : virPCIDeviceReset:1002 : 
internal error: Unable to reset PCI device :00:14.0: internal error: 
libxenlight failed to create new domain 'sys-usb'
MESSAGE=Start failed: internal error: Unable to reset PCI device :00:14.0: 
internal error: libxenlight failed to create new domain 'sys-usb'
MESSAGE=Starting sys-usb
MESSAGE=2020-08-09 22:28:55.200+: 2864: error : libxlDomainStart:1308 : 
internal error: libxenlight failed to create new domain 'sys-usb'
MESSAGE=2020-08-09 22:28:55.201+: 2864: error : virPCIDeviceReset:1002 : 
internal error: Unable to reset PCI device :00:14.0: internal error: 
libxenlight failed to create new domain 'sys-usb'
MESSAGE=Start failed: internal error: Unable to reset PCI device :00:14.0: 
internal error: libxenlight failed to create new domain 'sys-usb'

Clicked OK to continue the install anyway and finishes ok apart from the 
sys-usb problem above. When I try to start sys-usb it fails to start with error:
"Domain sys-usb has failed to start: internal error:
Unable to reset PCI device :00:14.0: internal error:libxenlight failed to 
create new domain 'sys-usb'.

Everything else with install is good.

Tried the following to fix the sys-usb problem:
qvm-pci detach sys-usb dom0:00_14.0
qvm-pci attach --persistent -o no-strict-reset=True sys-usb dom0:00_14.0
Still get the same error. Tried the same for 00_1a.0 and 00_1d.0. Same error.
Tried to delete sys-usb and recreate but problem persists.

COMMAND OUTPUT:
user@dom0 ~]$ sudo lspci -vv -s 00:14:0
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family 
USB xHCI Host Controller (rev 04) (prog-if 30 [XHCI])
Subsystem: Hewlett-Packard Company Device 17df
Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- 
SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR- TAbort- SERR- TAbort- SERR- https://protonmail.com) Secure Email.
