Re: Enigmial and Splig GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-19 03:43, Andrew David Wong wrote:
> On 2016-11-17 10:05, cubit wrote:
>> 17. Nov 2016 15:33 by dmoer...@gmail.com:
> 
>>> On Wednesday, November 16, 2016 at 10:21:33 PM UTC-5, george wrote:
 Yes. I get the same issue too. I can read the message, but I can't write, 
 and I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and Thunderbird. I 
 can READ messages, but I can't send them, nor verify/encrypt/sign them. 
 I'm not sure what to do with this...
>>>
>>> What template are you using for the gpg VM? 
>>>
>>  For me both my vault VM and thunderbird VM are sharing the same Debian 8 
>> template.   This template does have gnupg-agent 2.0.26-6+deb8u1  installed
> 
> 
> Sorry, this is a known issue. Enigmail 1.9 is incompatible with Split GPG on 
> Debian 8:
> 
> https://github.com/QubesOS/qubes-issues/issues/2170
> 
> Until this is resolved, I recommend using the Fedora template instead.
> 

Update: 3n7r0p1 has pointed out that this is not an issue, since Enigmail 1.9 
is not contained in the Debian 8 repos to begin with.

Details: 
https://github.com/QubesOS/qubes-issues/issues/2170#issuecomment-261741646

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMTBoAAoJENtN07w5UDAw1K4QAIrfh6kri4K5DV3UwY/aGYDS
AQsMBR0HHb58pOyiqHvWHmEgvvX3v70k7q8HKn8hsq4cICakp5/Ww4BRM0gaD+qn
lkvM4AHDER+aXaHj0qYI/mzgkS6aCKdzoTdenj8CNp+fKDGsdfUaJwGPvjoHKUpO
3w2na590jHPqmPKCzDhIsYj4hO37PnCpQoapHlnTkbLM5pL/KIL3SSmYH+d1A2HZ
0fytTGu58nw+pcdYSQZfQFh7jsXQm3rqWiCQbmlxJMzo3XCjRf0FH8nNGfvoKZMZ
rTmrhdfSXW5kOPzXPR8tBgw/ssNa2c0c6pBfzRuSzs/dCcSbqXnwWeYIzQ9NmcMQ
UVh23EJ0I2tY+H+bvTw70ZgFLp9ETYuaR6dZ2ijasOSofNWj2UCIRyKPkYNirDMU
akyAaZjDSCEf2prk5n/Wtqt48rdkwfL5loJwDGcx577inUDV3asYRi5qSfiowmyZ
IFj79iOBQWpcnbOMt2aPG6yanGQWQT1YoQ3dRy0634RJpq0mxPwueA8ySLHlgapb
qNRkfaG9PFDe4OXqXGA1UL+rjjBiT0x082Gw2wsh5KlUhqMqXC/3o/jEWouKTHLK
5b2dgrF5usFU+6bgEI3cn9XgZDMP12NCifQFSoczytWNBV2AX2s9HdqrFQtjUCH6
+AyF+Nw9CwEJivOgJBuU
=FKgI
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ce29927-296d-9712-fdbc-9e5154c2eb49%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Kaspersky OS

2016-11-19 Thread Fabian Wloch

I don't like this project at all to be honest.
First thing is that it's closed source, which means he can prove exactly 
*nothing* to me in terms of security. As long as I can't check, I don't 
believe. Sorry.
Second: He writes it's hacking proof, which is impossible to proof. Yes, 
maybe it's hard to hack, but here again: We can't know. Nobody besides 
Kaspersky can. And as long as this is the case, I won't think better of it 
than I do from Cisco and others.
Kaspersky Software had some problems with security when itself should make 
your systems more secure, which doesn't make it any better.


Time will proof. Maybe it's an alternative OS for routers, switches and IoT 
stuff, but in my opinion its not better than everything else out there, if 
its not even worse.


I'd prefer Subgraph (Already was a topic in this mailing list) or OpenBSD 
as base / template.


And: Probably nothing will run on that Kaspersky OS, because its coded from 
scratch. No browser, no email client etc. You would need to port all this 
software to KasperskyOS, or develop it from scratch aswell, and I think is 
no practical approach, for a lot of different reasons.


-Fabian


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/158800d0230.275d.db864a7b1d5e2becb017b42ae5cd9fc6%40posteo.de.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Kaspersky OS

2016-11-19 Thread Sec Tester
Wow just been reading about Kaspersky OS.

Dam maybe this could be a new super hardened VM for Qubes..?

Apparently not even based on Linux tho, built from the ground up, 14 year 
project.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0769e654-e60c-44d6-8993-a4a5ec43ccee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Problem creating Win7 HVM

2016-11-19 Thread Sec Tester
So using the VM manager i created a Win7 HVM (not a HVM template)

I copied over the Win7.iso to a the user directory in dom0

using "qvm-run --pass-io  'cat /path/to/file_in_src_domain' > 
/path/to/file_name_in_dom0"


And ran "qvm-start win7 --cdrom=/home/myusername/Win7.iso"

=
First attempt
=
HVM loaded, got to the stage where it starts installing files, and got an error 
reading file or something along those lines.

I assumed the Win7_64bit.iso i downloaded from microsoft got corrupted, so I 
re-downloaded the .iso

==
Second attempt
==
I deleted the previous Win7 HVM, and created a new one

Copied over the iso and ran command to start HVM again.

Whats happening is Now is the HVM doesnt pass the windows logo stage. it just 
sits there and glows.

I dont think that i should even see the glowing windows logo at this stage of 
the install. I suspect that even tho i deleted & re-created the Win7 HVM, its 
still trying to boot of the failed partial install.
===
Is there a way to check the old Win7 HVM has been completely deleted?

Could this be another issue?

Cheers
Is

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c777475c-82f9-4fdb-9354-7610834f9065%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] HCL - Surface Pro 3 (i5-4300U 4Gb)

2016-11-19 Thread Johannes Zipperer
I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.

Installation: No problems during install. Bootable USB is only accepted 
when the Secure Boot keys are removed (hit ESC or DEL during boot for 
uefi). TPM Module seems not to be identified but I did put not much 
effort into diagnosing the problem. 

Connect wifi: After some trouble of finding the network manager in the 
sys-net qube I successfully connected. Oddly the reception bars are red 
while there is no issue using the web.

Whonix: Following the installation wiki for whonix it worked out of the 
box to connect to the TOR network verified by check.torproject.org. I 
was able to watch a youtube clip with smooth playback and with working 
sound. HighDPI scaling has to be configured manually. The performance 
concerning web browsing is not much worse from firefox from the 
fedora-24 template.

Windows: using in dom0 the command qvm-start Windows-10 
--cd-rom=fedora-24:/home/user/Downloads/Windows.iso was not successful. 
So I gave up for now on that.

Touchscreen and stylus: both work out of the box. Stylus connected not 
very reliably, but drawing lines and writing after that is fine. 
Onscreen keyboard is missing and I didn't get florence to type anything. 
Annotating PDFs works fairly well in Okular. Volume rocker and power button 
works out of the box

USB-Devices and microSD: Mounted a FAT formatted USB drive successfully. Cherry 
DW5000 works out of the box but media keys and super key need 
configuring. I have no original type or touch cover to test. exFAT 
microSD didn't work. But the same microSD card worked in the built-in 
reader when formatted in NTFS (tested transfering and opening a JPG). 
Using a USB hub with SD cardreader worked out of the box.

High DPI scaling: works generally well for touch control. Firefox opens 
first time after restart with too big UI elements and text. Icons in 
some applications like in Gimp are not scaled and kind of small. The 
dom0 and template applications are generally not scaled.

Audio and Video: sound output works out of the box, playing mp3 in vlc 
as well, mp4 in vlc in software decoding mode very choppy. youtube 
videos are more fluid but no fullscreen support. streaming youtube 
videos in vlc didn't work. Recording audio from the microphone with 
pulsecaster works out of the box.

installing software: I was able to install and use vlc, Okular, 
LibreOffice, Inkscape (bad stylus support), Gimp (better stylus 
support), Thunderbird, Darktable, I changed the language and keyboard 
layout to german sucessfully. Since I installed, tested and configured 
everything in the template I have to say something about the use inside 
a qube. I didn't test the pulsecaster, florence, Okular successfully in 
the "personal" qube.

suspend reboot and shutdown: shutdown works, but is slow. device shows 
black screen after suspending and wakes up when a key is pressed, but I 
don't know if it really gets into the lower C states inbetween. reboot 
does not work.

File manager: starting the file manager needs a second click in 50% of 
the cases when I wanted to start it. Copying files works.

Performance and battery life: I assume that it is all rendered in 
software, so considering that, I think the performance is decent, maybe 
as a 1,3 GHz quad core Android phone regarding application start and tabbed 
browsing (sorry for the comparison =/). Battery life is lower 
than under windows, I didn't find the brightness controls and the 
brightness sensor did not work out of the box, so my battery life was 
only around 3 hours.

Reverting back to windows: I successfully tested installing again Windows 10, 
which was previously tied to this device on a certain Microsoft account 
(important because of the license server, that works without keys). It was 
installed by a USB stick previously formatted by the media creation tool. The 
risk is not so high to try Qubes, although I recommend getting accustomed 
before using it in production. I hope this helps others.   

Life is good, Jesus is better!
 Johannes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1249599975.32906.1479610107263%40office.mailbox.org.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-Microsoft_Corporation-Surface_Pro_3-20161119-225602.cpio.gz
Description: application/gzip


Qubes-HCL-Microsoft_Corporation-Surface_Pro_3-20161119-225602.yml
Description: application/yaml


Re: [qubes-users] HCL - Lenovo X230

2016-11-19 Thread Aaron Jefferson
Thanks

On Sat, Nov 19, 2016, 19:46 Chris Laprise  wrote:

> On 11/19/2016 06:15 PM, Aaron Jefferson wrote:
> > Hadn't turned it on.
> >
> > On Sat, Nov 19, 2016 at 6:08 PM, Aaron Jefferson
> > > wrote:
> >
> > Thanks, I'll check it out.
> >
> >
> > On Sat, Nov 19, 2016, 18:06 Chris Laprise  > > wrote:
> >
> > On 11/19/2016 02:02 PM, Aaron Jefferson wrote:
> > > First boot wlan didn't work, second boot worked fine.
> > >
> > >
> > >
> >
> > Most X230s with that CPU have Vt-d capability, but the report
> > says 'no'.
> > You may want to check your BIOS to make sure its switched on.
> >
> > This affects the security and operation of wlan, ethernet and
> USB.
> >
> > Chris
> >
> > --
> > All the best,
> >
> > Aaron Jefferson
> >
> >
>
> Since your sys-net was setup with Vt-d turned off, you should check its
> 'Devices' settings in Qubes Manager. If your NICs aren't selection, you
> can do it there manually.
>
> Chris
>
-- 
All the best,

Aaron Jefferson

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANaC%2BvTa%2B8seNpJLh1e6UYP1ZWKszfctPPmMZEVC6VaH1wn0%3Dw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] HCL - Lenovo X230

2016-11-19 Thread Chris Laprise

On 11/19/2016 06:15 PM, Aaron Jefferson wrote:

Hadn't turned it on.

On Sat, Nov 19, 2016 at 6:08 PM, Aaron Jefferson 
> wrote:


Thanks, I'll check it out.


On Sat, Nov 19, 2016, 18:06 Chris Laprise > wrote:

On 11/19/2016 02:02 PM, Aaron Jefferson wrote:
> First boot wlan didn't work, second boot worked fine.
>
>
>

Most X230s with that CPU have Vt-d capability, but the report
says 'no'.
You may want to check your BIOS to make sure its switched on.

This affects the security and operation of wlan, ethernet and USB.

Chris

-- 
All the best,


Aaron Jefferson




Since your sys-net was setup with Vt-d turned off, you should check its 
'Devices' settings in Qubes Manager. If your NICs aren't selection, you 
can do it there manually.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6e18fe2f-f8a4-a5ed-634e-3d735dbf99a0%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] HCL - Lenovo X230

2016-11-19 Thread Aaron Jefferson
Hadn't turned it on.

On Sat, Nov 19, 2016 at 6:08 PM, Aaron Jefferson <ajefferson1...@gmail.com>
wrote:

> Thanks, I'll check it out.
>
> On Sat, Nov 19, 2016, 18:06 Chris Laprise <tas...@openmailbox.org> wrote:
>
>> On 11/19/2016 02:02 PM, Aaron Jefferson wrote:
>> > First boot wlan didn't work, second boot worked fine.
>> >
>> >
>> >
>>
>> Most X230s with that CPU have Vt-d capability, but the report says 'no'.
>> You may want to check your BIOS to make sure its switched on.
>>
>> This affects the security and operation of wlan, ethernet and USB.
>>
>> Chris
>>
> --
> All the best,
>
> Aaron Jefferson
>



-- 


[image: --]

Aaron Jefferson
[image: https://]about.me/aaron.jefferson
<https://about.me/aaron.jefferson?promo=email_sig_source=email_sig_medium=email_sig_campaign=external_links>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANaC%2BvSTkvt2L7y40wNkR7ECK%3DkMPH-1V4qRfWG8sp%3DHG_rr0w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-LENOVO-2325W4K-20161119-181318.yml
Description: application/yaml


[qubes-users] Re: How to block template vm? (prevent it from starting)

2016-11-19 Thread pleomati
you can build a tamplate and give im separate networking then if get some wrong 
just shut down networking that this template based.
Lets say Tamplate X give networking X and than abandon networking X to separate 
Tamplate X from universe.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5433cb0b-308b-44f0-8171-dee6b8f1b8cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] HCL - Lenovo X230

2016-11-19 Thread Aaron Jefferson
Thanks, I'll check it out.

On Sat, Nov 19, 2016, 18:06 Chris Laprise  wrote:

> On 11/19/2016 02:02 PM, Aaron Jefferson wrote:
> > First boot wlan didn't work, second boot worked fine.
> >
> >
> >
>
> Most X230s with that CPU have Vt-d capability, but the report says 'no'.
> You may want to check your BIOS to make sure its switched on.
>
> This affects the security and operation of wlan, ethernet and USB.
>
> Chris
>
-- 
All the best,

Aaron Jefferson

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANaC%2BvTp_NUxz_DT-NxQuzohKiBO63n1Aa090cK_qcb7%2BYG9xg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] HCL - Lenovo X230

2016-11-19 Thread Chris Laprise

On 11/19/2016 02:02 PM, Aaron Jefferson wrote:

First boot wlan didn't work, second boot worked fine.





Most X230s with that CPU have Vt-d capability, but the report says 'no'. 
You may want to check your BIOS to make sure its switched on.


This affects the security and operation of wlan, ethernet and USB.

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c4a03611-dc61-ea37-63a7-e1338489fa86%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Thoughts on Qubes OS Security... Could be improved.

2016-11-19 Thread kev27
On Saturday, November 12, 2016 at 5:21:18 AM UTC+2, Sec Tester wrote:
> So Im still new to Qubes, but after going through a bit of a learning curve, 
> building & customizing VM's to suit my security needs, I have a few thoughts 
> on its security.
> 
> Firstly I really love the direction Qubes has taken the future of operating 
> systems, and its has definitely become my OS of choice. 
> 
> HOWEVER, i feel that Qubes OS relies HEAVILY on ONE security mechanism > 
> Isolation.
> 
> There are 2 ways we can improve security
> 
> 1. But adding layers of protection.
> 2. By reducing the attack surface area.
> 
> 
> Layers of protection
> 
> In regards to layers of protection, IMO Qubes only has one. By isolating VM's 
> if a system is infected, it has to breach that VM & gain access to dom0, 
> where it then has total control of the system.
> 
> The problem is in the current configuration, there is nothing to stop a 
> hacker or malicious software from running, manipulating VM system files, or 
> downloading additional hack tools/scripts to attempt to breach into dom0.
> 
> To basic extra layers of protection missing from Qubes that usually hardens 
> Linux security are;
> Password protected root access on VM's
> SELinux or AppArmor.
> 
> I have read Qubes excuse for NOT requiring a password for root access in VM's 
> https://www.qubes-os.org/doc/vm-sudo/
> 
> I frankly think saying "its highly unlikely if that person (who could breach 
> a VM to dom0) couldn't also find a user-to-root escalation in VM" as a very 
> LAZY justification.
> 
> They have basically said, Elite hackers can gain root, so lets just not even 
> bother with this foundational layer of security.
> 
> So we have VM's where any script kiddies code can run riot. This to me is 
> over confidence in VM isolation, and a lax attitude because, hey if your 
> infected you can just reboot & VM is clean again right? Except the infected 
> files sitting in the home directory, just waiting to be opened again and run 
> with root permissions.
> 
> And in the example of a server VM, that system may rarely be rebooted very 
> often? Infecting the system to infect others that connect to that server. NOT 
> GOOD.
> 
> From what i've read SELinux isn't running do to some compatibility errors, 
> and because there is no point when the whole system has root access. Well 
> lets lock down default VM root access, and lets find a way to make SELinux 
> work in Qubes VMs & even dom0, or possibly AppArmor. Or maybe we need a 
> totally new piece of software that is Qubes specific.
> 
> The more layers of security in the system the better.
> 
> 
> Reducing the attack surface area
> 
> Qubes OS through the use of dom0 has reduced the attack surface area of the 
> kernel, which is good.
> 
> However, where i think Qubes could improve right out of the box, is having 
> dedicated minimized templates for sys-net & sys-firewall.
> 
> I spent time setting up fedora-23-minimal templates specifically for sys-net, 
> sys-VPN, banking, email & browsing. I plan to make another for sys-firewall 
> soon. VM's that have the minimal amount of programs on as possible, reduce 
> the attack surface, and possible exploits.
> 
> Again SELinux not only adds a layer of protection, it also reduces the attack 
> surface area vulnerable in the system.
> 
> =
> Finial suggestion
> =
> I would like to see the option to setup a decoy OS in the installation 
> procedure, similar to true crypt/Veracrypt.
> 
> These days many countries airport security can force you to turn on your 
> laptop to be inspected, and while i imagine airport security being very 
> confused by Qubes haha, It would be nice to not have to show them any secure 
> files.
> 
> Another approach could be decoy VM's (as opposed to another entire decoy 
> Qubes OS), that boot into different encrypted VM's depending on the password.
> ==
> 
> I do think the Qubes OS team are doing a great job. And i hope they maintain 
> a security based focus, and not depend solely on isolation.

I'd also rather see Grsecurity. But if for whatever reason that's not possible, 
both legally (I think Grsec guys require an all or nothing adoption) or 
technical (Subgraph guys were complaining about Qubes not being compatible with 
part of Grsecurity), then at least I hope all the security features being 
introduced into the Linux kernel in the future from the Kernel Self-Protection 
project, will be adopted and implemented by default by Qubes.

I don't know if this is possible with the new management in Qubes 3.2, but what 
I'd like to see in the immediate future is the possibility to configure some 
apps and sandboxes ahead of time - like for DispVMs.

For instance, let's say I want to see Chromium in a DispVM. I would like to 
always open DispVM with Chromium sandboxed by Firejail. I wouldn't want 

Re: [qubes-users] How to block template vm? (prevent it from starting)

2016-11-19 Thread yaqu
On Sat, 19 Nov 2016 09:27:39 -0800 (PST), Pawel Debski
 wrote:

> is it possible to somehow block a TemplateVM and all VMs based on
> this template?
> 
> I.e. whenever some app would be started in any VM involving this
> template I'd like to get an error messages or at least have the
> operation fail silently instead of having Qubes start the VM.

You could add to rc.local script:
shutdown -h now

VM will shutdown immediately after starting.

-- 
yaqu

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161119221651.D6182105E9B%40mail2.openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Kaspersky OS

2016-11-19 Thread '02845'2894'502'45028'45'280'
Hello,

is the new Kaspersky OS programmed with integral securiy able to be a solid 
foundation of some stateless laptop?

Or is it using just the standard chipsets the the known hardware backdoors?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8c86f428-70fe-4588-b6f1-e210417c7c6a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Android-x86 on Qubes

2016-11-19 Thread entr0py
Torsten Grote:
> On 11/11/2016 06:01 PM, entr0py wrote:
>> Thanks! With that, some progress... Deleting `> bus='xen'/>` from the config file results in usbtablet being
>> replaced with ps/2 mouse device.
> 
> I finally got around to try that and it works indeed!
> 
>> Now, the pointer tracks mouse movements automatically instead of
>> requiring manual dragging. However, the mouse acceleration doesn't
>> match and the two pointers become de-synced.
> 
> Yes that has other usability issues than the drag pointer. I wonder if
> it is possible to change the mouse speed somehow. Maybe just temporarily
> in dom0?
> 
>> The mouse problem is not a Xen/Qubes issue. Android-x86-4.4-r5 
>> (KitKat) works perfectly on Qubes. Input handling has changed somehow
>> in Lollipop/Marshamallow. I would be perfectly content to use KitKat
>> but (of course), that version doesn't emulate OpenGL (under Qubes)
>> which breaks many Android apps
> 
> For me the problem with Android 4.4 is that it doesn't support ADB over
> IP, so there seems to be no way to connect with the debug bridge to it.
> 
>> @Torsten: Did you see my last comment on the issue tracker? Other 
>> than that, make sure partition is bootable and use a compatible vga 
>> mode.
> 
> Yes, I saw that, but I still can't boot the installed version. If I boot
> into the system right after installation it works, but if I shut it down
> and try to boot later, it just maxes out the load on one CPU and hangs
> at "Booting from Hard Disk..."
> 
> The partition is bootable and I installed GRUB and tried EFI GRUB 2 as
> well. It doesn't even seem to reach GRUB, so maybe an incompatible vga
> mode is not the problem. Do you use GPT? Which filesystem?
> 
> When trying around I could even once get GRUB2 to start only to then
> fail with an error 17.
> 
> I have the same issue with Android 4 and 6. Do you remove the "CD" from
> the VM config after the installation or do you always boot from the ISO?
> 
> Kind Regards,
> Torsten
> 

GPT: no
GRUB: yes
EFI GRUB2: no
Filesystem: whatever is the latest, EXT3/4
System: read/write (most likely irrelevant)

I always `Reboot` after install. When the GRUB loader appears, I kill the VM 
and clone if necessary at that point. I vaguely recall having had problems by 
Launching right after install.

It appears the video mode incompatibilities have been resolved since I last 
played with this. You should be able to proceed straight to the desktop. 
RemixOS is much more usable on the desktop and also has an option to disable 
screen timeout in Marshmallow. Damn mouse though...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3c88ddd2-cd09-ea1c-d9a5-0a6f1d7e3d4e%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-19 Thread taii...@gmx.com

On 11/19/2016 02:31 PM, Marek Marczykowski-Górecki wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Nov 19, 2016 at 07:20:56PM +, Fred wrote:

On 2016-11-19 11:54, Andrew David Wong wrote:

On 2016-11-16 13:31, Fred wrote:

A good time to ask if Qubes encrypts /boot in it's LUKS setup. I've
not
checked myself.


By default, Qubes does not encrypt /boot. Traditionally, that's
because doing so would render the
system unbootable. However, that's no longer true with newer versions
of GRUB, which are now capable
of booting from encrypted block devices. So, it's worth considering
for Qubes. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2442

Yup. I know these days GRUB supports LUKS and things like mdadm, LVM etc so
the days are hopefully gone since people need to worry about the position of
/boot on disk or which esoterica are required to boot (and any intitrd
issues).

I guess the bigger question is if it actually provides any real added
protection? Someone can still re-install GRUB by booting from other media
and reinstalling GRUB. If the authenticity of /boot can also be verified
then maybe it does? But once physical access is gained the game is over I
guess?

Yes, exactly - if any of the boot chain element can be tampered with,
attacker can subvert it to intercept disk password and/or infect further
elements. It doesn't matter if that's whole /boot, or just stage1 of
GRUB in MBR.
The situation is somehow better when your firmware can handle disk
encryption (like Coreboot with Linux or Grub payload can) - in this case
the whole disk can be encrypted and attacker would need to re-flash the
firmware - which is somehow harder, take more time etc. But still
doable...

- -- 
Best Regards,

Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYMKijAAoJENuP0xzK19cs770H/iKHTrMfdbFJSu53orcYNAVP
QLwDKzg7FVLHqcHYzwWe8Cu0pRxwHZwFzFZFyH6de96EmCa9FehJzuTFefUvOZ0T
HJ9ilXuIzpiarzxPO9UISLnhd1Qg/5xOWy6e7DS1BjWXsXjakek2/h+/wIsy8FCV
B0SFFFTo6Yiuxy0gThb1cNmLMlORCrVzt5mlENRyxz6KfmmM7mDhSaf7+hhfXAkX
28mz0jvuTqs56iJ07E9poWOCy5nDGAAposlp7GJSKmngMXQxPpdTOmXoSNMaPwii
BxnvPgyzBEoPg3FDPdUHsAOFPFy+0WeBxlpA6ykQ5qAZ9NsuWG3esYpIoPmdhRM=
=rNAe
-END PGP SIGNATURE-


Or considering as coreboot (and the proprietary firmwares) doesn't 
initialize IOMMU (yet), a DMA attack in the pre-linux dma prot initl 
window is also a viable option.

Turtles all the way down man.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f7e034fc-15e5-aeb8-1ba6-f9fa64fbae35%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Android-x86 on Qubes

2016-11-19 Thread Torsten Grote
On 11/11/2016 06:01 PM, entr0py wrote:
> Thanks! With that, some progress... Deleting ` bus='xen'/>` from the config file results in usbtablet being
> replaced with ps/2 mouse device.

I finally got around to try that and it works indeed!

> Now, the pointer tracks mouse movements automatically instead of
> requiring manual dragging. However, the mouse acceleration doesn't
> match and the two pointers become de-synced.

Yes that has other usability issues than the drag pointer. I wonder if
it is possible to change the mouse speed somehow. Maybe just temporarily
in dom0?

> The mouse problem is not a Xen/Qubes issue. Android-x86-4.4-r5 
> (KitKat) works perfectly on Qubes. Input handling has changed somehow
> in Lollipop/Marshamallow. I would be perfectly content to use KitKat
> but (of course), that version doesn't emulate OpenGL (under Qubes)
> which breaks many Android apps

For me the problem with Android 4.4 is that it doesn't support ADB over
IP, so there seems to be no way to connect with the debug bridge to it.

> @Torsten: Did you see my last comment on the issue tracker? Other 
> than that, make sure partition is bootable and use a compatible vga 
> mode.

Yes, I saw that, but I still can't boot the installed version. If I boot
into the system right after installation it works, but if I shut it down
and try to boot later, it just maxes out the load on one CPU and hangs
at "Booting from Hard Disk..."

The partition is bootable and I installed GRUB and tried EFI GRUB 2 as
well. It doesn't even seem to reach GRUB, so maybe an incompatible vga
mode is not the problem. Do you use GPT? Which filesystem?

When trying around I could even once get GRUB2 to start only to then
fail with an error 17.

I have the same issue with Android 4 and 6. Do you remove the "CD" from
the VM config after the installation or do you always boot from the ISO?

Kind Regards,
Torsten

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f5d7f0d-1d04-aa76-f20b-01fa661b19c1%40grobox.de.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Nov 19, 2016 at 07:20:56PM +, Fred wrote:
> On 2016-11-19 11:54, Andrew David Wong wrote:
> > On 2016-11-16 13:31, Fred wrote:
> > > A good time to ask if Qubes encrypts /boot in it's LUKS setup. I've
> > > not
> > > checked myself.
> > > 
> > 
> > By default, Qubes does not encrypt /boot. Traditionally, that's
> > because doing so would render the
> > system unbootable. However, that's no longer true with newer versions
> > of GRUB, which are now capable
> > of booting from encrypted block devices. So, it's worth considering
> > for Qubes. Tracking:
> > 
> > https://github.com/QubesOS/qubes-issues/issues/2442
> 
> Yup. I know these days GRUB supports LUKS and things like mdadm, LVM etc so
> the days are hopefully gone since people need to worry about the position of
> /boot on disk or which esoterica are required to boot (and any intitrd
> issues).
> 
> I guess the bigger question is if it actually provides any real added
> protection? Someone can still re-install GRUB by booting from other media
> and reinstalling GRUB. If the authenticity of /boot can also be verified
> then maybe it does? But once physical access is gained the game is over I
> guess?

Yes, exactly - if any of the boot chain element can be tampered with,
attacker can subvert it to intercept disk password and/or infect further
elements. It doesn't matter if that's whole /boot, or just stage1 of
GRUB in MBR.
The situation is somehow better when your firmware can handle disk
encryption (like Coreboot with Linux or Grub payload can) - in this case
the whole disk can be encrypted and attacker would need to re-flash the
firmware - which is somehow harder, take more time etc. But still
doable...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYMKijAAoJENuP0xzK19cs770H/iKHTrMfdbFJSu53orcYNAVP
QLwDKzg7FVLHqcHYzwWe8Cu0pRxwHZwFzFZFyH6de96EmCa9FehJzuTFefUvOZ0T
HJ9ilXuIzpiarzxPO9UISLnhd1Qg/5xOWy6e7DS1BjWXsXjakek2/h+/wIsy8FCV
B0SFFFTo6Yiuxy0gThb1cNmLMlORCrVzt5mlENRyxz6KfmmM7mDhSaf7+hhfXAkX
28mz0jvuTqs56iJ07E9poWOCy5nDGAAposlp7GJSKmngMXQxPpdTOmXoSNMaPwii
BxnvPgyzBEoPg3FDPdUHsAOFPFy+0WeBxlpA6ykQ5qAZ9NsuWG3esYpIoPmdhRM=
=rNAe
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161119193148.GX1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-19 Thread Fred

On 2016-11-19 11:54, Andrew David Wong wrote:

On 2016-11-16 13:31, Fred wrote:
A good time to ask if Qubes encrypts /boot in it's LUKS setup. I've 
not

checked myself.



By default, Qubes does not encrypt /boot. Traditionally, that's
because doing so would render the
system unbootable. However, that's no longer true with newer versions
of GRUB, which are now capable
of booting from encrypted block devices. So, it's worth considering
for Qubes. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2442


Yup. I know these days GRUB supports LUKS and things like mdadm, LVM etc 
so the days are hopefully gone since people need to worry about the 
position of /boot on disk or which esoterica are required to boot (and 
any intitrd issues).


I guess the bigger question is if it actually provides any real added 
protection? Someone can still re-install GRUB by booting from other 
media and reinstalling GRUB. If the authenticity of /boot can also be 
verified then maybe it does? But once physical access is gained the game 
is over I guess?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a4d7d1ec901a8457f54936b2e27685b7%40email.gmsl.co.uk.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] HCL - Lenovo X230

2016-11-19 Thread Aaron Jefferson
First boot wlan didn't work, second boot worked fine.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANaC%2BvQVrNjDXgN837xTbCRtCqZ1%3DgBNRZTBtddyvy6wFsvKHQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-LENOVO-2325W4K-20161119-135504.yml
Description: application/yaml


Re: [qubes-users] Re: Qubes not shutting down

2016-11-19 Thread Loren Rogers



On 11/19/2016 06:28 AM, Andrew David Wong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 13:27, Loren Rogers wrote:

On 11/16/2016 02:33 PM, Grzesiek Chodzicki wrote:


W dniu środa, 16 listopada 2016 20:04:14 UTC+1 użytkownik Loren Rogers napisał:

Hi all,

I've successfully installed Qubes on my Thinkpad X201 tablet, but it has
issues shutting down. When I explicitly tell it to reboot or shutdown,
it goes through the entire shutdown sequence, but hangs on an empty
black screen. Occasionally, I see an unchanging white underscore (_)
character displayed in the top left when it hangs.

I tried leaving it in this state for about an hour, and no change--I've
always had to force-reset. I assume this is not normal?

Also, I find that the system randomly begins the shutdown sequence on
its own. (And hangs on the black screen at the end.)

Thanks,
Loren

The same issue occurs on my system only if I shut the system down while a VM 
with a PCI device without FLR support is running

Also, I just confirmed that it shuts down cleanly with all VMs off and no USB 
devices plugged in.


It sounds like you've encountered one (or both) of these issues:

https://github.com/QubesOS/qubes-issues/issues/1581
https://github.com/QubesOS/qubes-issues/issues/1826

- -- 
Andrew David Wong (Axon)

Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDdIAAoJENtN07w5UDAwOO4P/0/kWSaTEKkOeeGsKgY8gB+P
FRG9gjE1/OtxMZV1w0s6Dkr2DVe71gBmSYXpLIU88cfcWZH0FYquDGMCW4u3Gb7K
0qnVNFXkn6Emtg3/1qGhKW89bmvgxKFXz4GXlN/kfN+tmfn06+F1K9f7tWV9J1e5
0padvVA8KoAxiK9vdvTaHtjrfv7iIEkbBoaNthxuk2bGQdWA3FMesricfwWNHLZd
eiA+lh+PfQRjgmLdRNSV1rvzyBcD0JQRYtMl91iI+pJr6C8US9hvl8Z1eSwSjcy9
9Gp0XHlsEADLjFIGMfHlfzOKWkWaxEONUlyBFXSiN0Ffi5CY6Vq6m+mQhXMjbVT8
HaiBk8j9Qfl9mCKCDmJUvhnPx2B9zM8S9+hKwfDLre87Nhgw3IWYf18+eb4PKByc
LlA/9vB0cgxa/tATJ06NEwPvU93txrz5e1qLG9qzdeOLW1/DymTZVJzW+INxNK69
83JQ+exkpz3z/YwTMAi1aYoi/X1D5J62qMGUnOCQSX4Rj+rUZ+NnCDt3bLEzH7ba
F0gqGxEvU1cTaMDusN3Mq8spmHu+MmtfbMQOTmo/41+aL7u1+/wFgT+/alWblsfN
+jUuMmDhrlC5uQ+w320FNwQVMBf2iR9GdZfjsi3BmT8y4RgflspElj9FS6I8BWmJ
lApROFn+s29vmyv4CAgP
=bRaI
-END PGP SIGNATURE-
Another correlation I've noticed is that my machine randomly shuts 
itself down without warning when I'm browsing in the Anon-Whonix VM. It 
seems that simply having the Whonix browser open causes the problem. 
I've not been able to pin down an exact cause, but it seems to happen 
after about 5-20min. When this happens, the machine sometimes ends up in 
a hung state (black screen) at the end of the shutdown process.


I've also noticed that the fan speeds up right at it starts to shutdown. 
(The screen turns to the Qubes logo with the progress bar, then the fan 
cranks up.) Sometimes the bar makes it all the way to the end, other 
times it seems to simply crash to a hault. As I mentioned elsewhere, the 
Thinkpad X201t is known to have overheating issues, but I'm not sure if 
this is related. I'm not working the machine particularly hard (just 
browsing articles on the web), and the hardware is not particularly hot 
to the touch.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7cb27a09-350b-c5c1-414c-328a40c22cd1%40lorentrogers.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] How to block template vm? (prevent it from starting)

2016-11-19 Thread Pawel Debski
Folks,

is it possible to somehow block a TemplateVM and all VMs based on this template?

I.e. whenever some app would be started in any VM involving this template I'd 
like to get an error messages or at least have the operation fail silently 
instead of having Qubes start the VM.

Best regards
PD

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/04641d0d-0a9c-478f-a909-ef1ecac937b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Enigmial and Splig GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-19 Thread Daniel Moerner
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11/19/2016 06:43 AM, Andrew David Wong wrote:
> Sorry, this is a known issue. Enigmail 1.9 is incompatible with
> Split GPG on Debian 8:
> 
> https://github.com/QubesOS/qubes-issues/issues/2170
> 
> Until this is resolved, I recommend using the Fedora template
> instead.

I added some comments to the issue tracker:
https://github.com/QubesOS/qubes-issues/issues/2170#issuecomment-2617233
58

I can confirm that this is fixed in Debian 9. I was unable to fix it
in Debian 8. It must be the case that gnome-keyring is hijacking
gpg-agent independently of the contents of
/etc/xdg/autostart/gnome-keyring-gpg.desktop.

Daniel
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIwBAEBCAAaBQJYMIZNExxkbW9lcm5lckBnbWFpbC5jb20ACgkQyz0BTtfxsyoU
yRAAi4wWlOuvW4YYQYgKe5PWhgm/66Lgc9sAnzdf57QHdKUMyLMNWEjZnWuuOsr2
LMYmd/xNtUv4+B8LZJLF0SCPNYNrFuX6utFJF/rIs7hf7mNb06P9XP4PCjpBcurh
7IH+083aVylapADJ5q8JegXullDH2tN2yKhXFKjPMGkBz/+V9T0Kg2kuVcvradf5
3VQ1jpOYnYnJfWeY74xvDTOrS/hT2zPbZma+i7vqmcL6+JHlHQny5HLqw0+a9duQ
dlrLoVwSe6zx6leqUo+3IewZmd9s+uSZfl5UrUh0UDysVewvQx9qlA/UvePtLD2p
ktDcmeNHyoGfW0FOXfkIwTgxiRPBYrGT3n6vpe1KDP1fp3C6ETzLseco3EidjHWh
itDCMrjFYmw2Z+xOyh17pmIJZuxrwmLiP8xd8Y65zgfcCWMKzkZ45AAl9TIGPvut
TJ4Fz3xZ2E5n1GxUMLal7ADgGsgDxvYaNzlKMpfVsk8ikd9+EQpUIAOrejFjyuE6
J1e0cv8Gu1QuW7/88gLt0YhdOymrgJE7L9ty8lDbgZqz7+SwRyZtCc6Vau1FmYrm
RKPf6m8MwImB34xyL6EX5Ocums/+IWZVmVBPPqYApCKx4UVuikNQMQC+CRqZrtz2
jz/AVeH+3YiVHssdddjQoXdB6FojbQZ6XaTNpMIsK8acJJ0=
=+FX1
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/54d3813f-647b-8f23-b44c-2e71059e03f1%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Trying to do an in-place upgrade from 3.1.17 to 3.2

2016-11-19 Thread Holger Levsen
On Sat, Nov 05, 2016 at 03:58:21PM +0100, Marek Marczykowski-Górecki wrote:
> > > > p.s./btw: https://www.qubes-os.org/doc/upgrade-to-r3.1/ advices one to
> > > > install qubes-mgmt-salt-admin-tools but this package does not exist?!
> > > That's interesting, this step should be in 3.1->3.2 instruction...
> > ah. so I guess I should send a patch for qubes-doc tomorrow… (gn8 ;)
> That would be great ;)

just two weeks later instead of tomorrow, but here is
https://github.com/QubesOS/qubes-doc/pull/223

granted, it's a lame commit, but every journey starts with small steps…
:)


-- 
cheers,
Holger

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161119143347.GB20063%40layer-acht.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Digital signature


Re: [qubes-users] Firewall loading error after backup restore

2016-11-19 Thread Franz
On Sat, Nov 19, 2016 at 9:15 AM, Andrew David Wong  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-11-19 03:53, Franz wrote:
> > Hello
> > After upgrading to 3.2 and backup restoring electrum VM, which had custom
> > firewall settings to connect only to electrum servers, I'm getting the
> > error documented in the enclosed photo.
> >
> > In the error message there is a suggestion, but it does not tell in which
> > Vm to try this.
> >
>
> I don't know the solution to your issue, but I can clarify the last part.
>
> The suggestion is to view the help information for the `iptables-restore`
> command. It does not matter which VM you do this in. Here's what you'll
> see:
>
> $ iptables-restore --help
> Usage: iptables-restore [-b] [-c] [-v] [-t] [-h]
>[ --binary ]
>[ --counters ]
>[ --verbose ]
>[ --test ]
>[ --help ]
>[ --noflush ]
>[ --table= ]
>   [ --modprobe=]
>
>
Humm, not clear what to do with that.

I tried to allow full access for 5 minutes and got the same error and am
unable to ping google.com. This seems strange because full access should
not bother with Electrum servers.
Best
Fran


> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
>
> iQIcBAEBCgAGBQJYMEJCAAoJENtN07w5UDAwTKwP/RpdbiHx2HOhctBV7+sOY25Q
> AJ2qAvLpskWFVwmtCcSpyX+Re1IAOKr5pVvPkHKb1ZZo7bW9qyNgwh+kzXEFx8FF
> +yR92GKyg35MxXFHnuK9vu2l751pk3AfmXX/ssNlNYv5E9yPhHrGSY8bY06HLZXH
> +JD3o7Sq81YeO+/AQyTu+ggBOD+enL00e+nsMo+8gbtHk9dGbSOxciAxKJJbmf4L
> YCu42ZOIcWXfc4ipV1pT2MRd65mTTu85Vvo5mfsWza3dNpzZeP6DNwxBb5GmmufD
> wc/TZjz6VJtRP88VHFsfYY4iFdLzYlKRMRZaPvyTGSkr3PqFvz9rtqeN9TTlVa03
> e608LRAKlwNAakbSBUB3+zrK8LhUpcjn9eOHL+2sSXoL0QtlbcmhPkWV6Oza91w7
> DRIXFch6TYEsZjYfGXzxTUZfhH/DpQIeD7n3QXudJRz33V1S3Wt02bi90qbaQp+k
> yF3/jzR47mWId/CnTGKHObac6JY8WyJTvIHIgxhi3sMCZvBA8/fnraBk9vOtBzIE
> BiONcS1SD4yl/5NcrLD5K5k/7EJ4pF6nQELiQirSYFnp8F1l8gK/uNwNW2CcluM9
> uHTk9fdCAjDhzoY4w3let8/G1eFyChbcK/nahS2w50gic+bpkLSzdt3Fqrl7Q22k
> du/bV3N9AlUfJ96Y0rj/
> =5trw
> -END PGP SIGNATURE-
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qBJTVUU7N7wA-v4bNyPRwUv8ONegGWpx6tYRduy-SKz9g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-19 04:48, Achim Patzner wrote:
> Am 19.11.2016 um 12:58 schrieb Andrew David Wong:
>>> These requirements are probably the worst you can do for corporate
>> users; they prefer "standard hardware"; even I would rather stop using
>> Qubes than not being able to take any off-the-shelf Lenovo systems but
>> having to use underperforming boxes from unknown sources. Keep in mind
>> that the average company doesn't like hardware with broad maintenance
>> contracts and won't buy outdated designs (and that's about every
>> system supported by coreboot) either.
>>
>> Please note that these are the requirements for *certification*, not
>> the requirements to *run* Qubes 4.x.
> 
> You might rephrase that part and stress the fact that you are not left
> on your own if problems arise with non-certified hardware (I guess you
> lack the experience of having vendor-related problems being ignored with
> a hint at "your hardware has not been certified by us running our
> software" – just try a round of that with VMware 8-) ). Anything ewlse
> will put off a lot of people...
> 
> 
> Achim
> 
> 

Yes, we'll be sure to point this out when we make the official announcement
closer to Qubes 4.x. In the meantime, I've added a clarificatory note here:

https://www.qubes-os.org/hardware-certification/#hardware-certification-requirements

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYME2ZAAoJENtN07w5UDAwNREP/ArFcBRcAU8nFerIFtlg76S6
CfDVs4LuKQWaz3vy8zGnnOQpLHNAg+1lseeSYbjD/MA/mdTMl8Kb1xpgzHP9N6gE
EO7ttgxyuBI0b9IV6KwmW0gBo5E2L04fK3IxDNFAVVEh9qjZFcoGWSKYyCLGhsae
MkO1Gd0DoqIi/Wra7TH16vzg6A7MhacJxLTXqctNa1BBDPF1B709ZulL06dnnUwm
BEZXLQTL0DmhNhTgT/aqT0tpOdKA9pUfvaCJfJ/gsSKcDj2aiodq669k2GfaMOug
nJYCem1Iycuodol+3o0YzkioISIo301U5caBzdjiMbM3U5X43I45YqaoBZ6rHMLU
9T6b5tWLN02sKqacK862y2iHTmzFAMMaavnYVztSmfyUp3oLQ4x6WKLmDVRMBK2+
wXK7HoliT7x4WDjIU1vkb3KpMPZf5PkJxF+T4EyczJZurHDRANS9T95KdbuqK1v/
NQ2TwZl4t6+bm6RZaIBlA4ImnZwjJWaIWVJp13bD0qrdg96many0vU6bYJMfiGg+
bvhciCR9cZhUeT3AOB8H9PZYTkdxjDVgFLgh0dmn1Pgoz5k6f1kT1j4XWNsDG0h2
z+ylO3ZgamHbsqApMa0sRmraAt3EnT21T21JPmUxlvoGveQMbj2UWvqzDi2G4wL2
gih9uT7NUwgIvykBogco
=wGWQ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0281a12-419b-f11c-dc43-bc05a33381c0%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-19 Thread Achim Patzner
Am 19.11.2016 um 12:54 schrieb Andrew David Wong:
> By default, Qubes does not encrypt /boot. Traditionally, that's
> because doing so would render the
> system unbootable. However, that's no longer true with newer versions
> of GRUB, which are now capable
> of booting from encrypted block devices.

There is still the option of grub-less EFI booting. With exotic setups
like mine which is getting its boot loader from an external USB device
that unlocks boot and compares checksums of relevant files to a table
stored on that external device.


Achim

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc1a208a-b061-c626-4d6e-22b9d59d4948%40noses.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] sparse fedora template

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-18 15:31, Eva Star wrote:
> Hello,
> 
> is it possible to sparse fedora template like Windows template? How to fill 
> it with nulls before cleaning?
> 
> I have this question because fedora-24 template 1 gb bigger after same 
> programs installed, then fedora-23.
> 
> 

You can use the qvm-trim-template tool to do this. For example:

$ qvm-trim-template fedora-24

https://www.qubes-os.org/doc/fedora-template-upgrade-23/#compacting-the-upgraded-template

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMEimAAoJENtN07w5UDAwM6cP/RnMqglcn770f0Gr8c/2nEYk
yJjXuma2bh8aLAa6Z5U0MWwcr9ylIKcTA6xmXaXHrb3qfzKvLtMUMI+Vx70UmN4p
2phulDqdpTC6f5Z9ZSL/RZ+XX/XFtfwq/F4jVSke9G0NEueAEYlWlcTtDOOkqvHr
g8hwD1Dzy1Q+RFsDi52LN1q1twa/BGWPqOi7GCIq3DNZQP2oT8NxCmkifkttIaxr
FsND4TunC+JKCZpV8Y53RvoCAKicNxCouPZ9jLO0bHoWvJnnCHd1UubIq0byqtPh
GKuHUN4dErHZvNqhU3kS3OO4Qc6gWwFjJAyPFFrJZ8RP/vrVxgIWteT7+jUy9DBe
9Qfcqchob1tM8q0cFXt4RytI92caTSdESBDTB0pgV/L4e6o1rW3InTym8A5ZNSv6
jiolKwwbIvVK/IK60nuNhTpUqpvy0+pet1jEnsq4WDLYVx2IRZjSEaGsUe7iHteH
fPvmKeQBSw/BhLOGJMGFJEgveuyeFQlTlkm9Vwinnuw+RrLRP9Ijrp3ssga8TKzx
fmkFG2i0gDsJZ4JF6gcF33WP6y41avQu5s7Ski7u4eIO+CYiQrp1lSLAhz4nRYwh
mfyVzoEu9UkG0ATMf4fi6sXGCSpnjI0rLxJt4qu2OSQTKPayG2P5psOWowI0mt2l
TpQ2PJmLpROp9DYn3EKj
=uTCa
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e71454bf-5a1d-538d-a3aa-bd2e203f066c%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] disable split-gpg notifications?

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-18 09:39, Michael Carbone wrote:
> Marek Marczykowski-Górecki:
>> On Fri, Nov 18, 2016 at 02:49:00PM +, Michael Carbone wrote:
>>> Is there an easy way to disable split-gpg notifications? They are just
>>> screen noise, and in XFCE cover the time and systray by default.
>>
>> The easy (hacky) way is to comment out notify-send in
>> /etc/qubes-rpc/qubes.Gpg.
> 
> thanks.
> 
>>> From a security perspective without timestamps in the access logs
>>> (https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
>>> pre-approved email client could just decrypt emails in mass when the
>>> user is AFK to avoid notifying the user, so I see little security benefit.
>>
>> That's true indeed. I wonder if blocking split-gpg while screenlocker is
>> engaged would make sense? Currently similar purpose have confirmation
>> with a 5min timeout.
> 
> I think that's an excellent idea.
> 

Ticket: https://github.com/QubesOS/qubes-issues/issues/2443

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMEWqAAoJENtN07w5UDAwzMsQAMcCQDNd17+adBDMCVLqnTEm
DvDWu8LKOHmAMaOjK4LLIP34XOt4p/0MZd+wk78DsClx/CZqsATxNXspKKXaksUn
5XoDrh5dyuwTYfqcuPhwguMEI2gtbhaNKg4ayJ0jlqO1W50uVowE10ARIQnfmjiN
j5qKKGHOj+ZrGKzSrNjFH4iURGLzPvIBKuv9/LXRcLyJj1isDxEBBRyZyNOSKxkS
QoNnq6ATDWC4j0itPxwg32S2YnOniE1c1EVbrfprDeB85XRkVbQFeO2CpzEuGFGa
srZUBaGdqi2UZgUecW39oQe27qWCpI3pk/RPwPU/zNuzUId06BYkP6q1bJyl/9Fw
0eOiPqVhMVpIr7aCXfJh6uro+zI0/jTdEGhYjdGc1gm6MiVaYbSeaJncXvNG9u/z
IBXF1+YVonDVxbZuHczy+J/Ae6g6l5hRlKHa4hDTgQphR/IaklXGsuUYvu/dfKFd
/aFyWeexxzuE+B7IKTu6RUhO7JySM93U8OYRYd4tircCPA30zf8NlOll0NEd3M+C
kkD+hRXCqifsWmSDlm9X3rOpX7PPs7lI52mJTlzgLOQdDYEbOtUOcP4JKrujMzJt
HeqADkTyP4pjiqAnoFSNc12kDOrBwukJvqK0wReisUnuqT0q2TTcBhM6mU55bTOB
uW1AzgDOeR+zHjyivNCk
=pMpg
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/78bbb538-4bca-3120-3527-1c581b10e0cd%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 12:48, Chris Laprise wrote:
> What is the command to do the trusted image conversion?
> 

The command is: qvm-convert-img

(Requires Qubes 3.2)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMEPmAAoJENtN07w5UDAwI1YP/jZKAeQ/CdmaoO72fEJy7qvB
i95m9qqS/tzog+t8q2t84NpOypOe6foFPNS7wvuouMbQkKTju/xeh+0IkxuNXC+2
3T4abHuKFhoXXlOI9luBzANB7KpnZDm1NK+vYQnNVbL4pvq8BzrscYCudLI5bEj8
lRegBcWGpotRw51UMM60ltLmqEf/JRwhghgvAuc1Pq2AGzKkvy1RZx0rSThrCmCg
yH8tnD3iaaimM9/H7fhJ45lyV7IyRaqBJ+dZQ1oL/xk527x0nosjNVBMoRd2L5Bx
3yhErLfNaIiyDs120tdvgNIzGkhDq3cO+lrd1VzZXOYqbUaeZzzS6Nw/OmU3OCtl
hg3S+24ElMDbtxSc0Whii1xMjLQiD7seHAkKMsETerh/5EiOCEccMHn0LgAumytC
awF7Tn4EXffFeK3uUKs4qFeTc/Z2NMxGuy7pLvdTLUffVhdkzMeI20RYUMBHcP0t
VdIX+3l6pbnMKxcW0D/y4R/fpbl3MxzfzhnvjaLELk5iSMJYneHD6yw+yC9vJul8
VUNZcoiUFc9CURvtKku2ghtcu4DgA6A6/Yj37PAqjlQANwJcUttnpTj5Ol1gF5Bp
unyAvCLDdA+dn0c1xtZ6+PXT+p8zrpZLjdAZQxgN4x9X+V4H4ZtOfEap9JCNHOTs
9tknYBGnVQMoxmBjeWUK
=IgQu
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5b53d60b-8a8e-dfe8-b131-593e145a397a%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Firewall loading error after backup restore

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-19 03:53, Franz wrote:
> Hello
> After upgrading to 3.2 and backup restoring electrum VM, which had custom
> firewall settings to connect only to electrum servers, I'm getting the
> error documented in the enclosed photo.
> 
> In the error message there is a suggestion, but it does not tell in which
> Vm to try this.
> 

I don't know the solution to your issue, but I can clarify the last part.

The suggestion is to view the help information for the `iptables-restore`
command. It does not matter which VM you do this in. Here's what you'll see:

$ iptables-restore --help
Usage: iptables-restore [-b] [-c] [-v] [-t] [-h]
   [ --binary ]
   [ --counters ]
   [ --verbose ]
   [ --test ]
   [ --help ]
   [ --noflush ]
   [ --table= ]
  [ --modprobe=]

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMEJCAAoJENtN07w5UDAwTKwP/RpdbiHx2HOhctBV7+sOY25Q
AJ2qAvLpskWFVwmtCcSpyX+Re1IAOKr5pVvPkHKb1ZZo7bW9qyNgwh+kzXEFx8FF
+yR92GKyg35MxXFHnuK9vu2l751pk3AfmXX/ssNlNYv5E9yPhHrGSY8bY06HLZXH
+JD3o7Sq81YeO+/AQyTu+ggBOD+enL00e+nsMo+8gbtHk9dGbSOxciAxKJJbmf4L
YCu42ZOIcWXfc4ipV1pT2MRd65mTTu85Vvo5mfsWza3dNpzZeP6DNwxBb5GmmufD
wc/TZjz6VJtRP88VHFsfYY4iFdLzYlKRMRZaPvyTGSkr3PqFvz9rtqeN9TTlVa03
e608LRAKlwNAakbSBUB3+zrK8LhUpcjn9eOHL+2sSXoL0QtlbcmhPkWV6Oza91w7
DRIXFch6TYEsZjYfGXzxTUZfhH/DpQIeD7n3QXudJRz33V1S3Wt02bi90qbaQp+k
yF3/jzR47mWId/CnTGKHObac6JY8WyJTvIHIgxhi3sMCZvBA8/fnraBk9vOtBzIE
BiONcS1SD4yl/5NcrLD5K5k/7EJ4pF6nQELiQirSYFnp8F1l8gK/uNwNW2CcluM9
uHTk9fdCAjDhzoY4w3let8/G1eFyChbcK/nahS2w50gic+bpkLSzdt3Fqrl7Q22k
du/bV3N9AlUfJ96Y0rj/
=5trw
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7ffa8238-b714-945d-88e1-ab51ed0be016%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Replacing Dolphin on Whonix-ws

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-17 22:07, Sec Tester wrote:
> I Really dislike Dolphin. Thumbnail previews dont even seem to work, and its 
> kinda annoying to use. I'd like to swap it out for something lite and simple 
> (like the fedora-23 file browser)
> 

Thumbnail previews are intentionally disabled by default as a security measure. 
If an adversary crafts a malicious thumbnail, automatically parsing it could 
compromise the VM, even if you intended to delete the file without ever opening 
it (or open it only in a DispVM). Thumbnail previews are also disabled by 
default in Nautilus, the default file manager in the Fedora template. This may 
be an acceptable risk in some VMs, so you're free to enable them in either case.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMEC7AAoJENtN07w5UDAwiboQAIh7qxkgN+VK1NoAhfofwfOO
sI5x4Rw3hJbJ9ZM3PXr9baf8qoblNizWjetBAGRj2FRpnusbNsLXjT6tPm6FJ6xV
zj10z5KgwaybfJO9gAd7p/eTEGtf+fMcMBwZicppPM11jvM+XoKx/0Ks3EQRPU8R
NQrnf9rn7fVsBv267mj3JVeCz2w10rh167RYeNKz3oF7X8CbIlqm5DlW1RfO893y
BPq5fXQyheAR4sBimhFxy71Cj7Iov53rTK6G4EVcAd9vx9DojgWl13m0w9otDhK6
HMW2gy6LacGm9wE8dcR/guNYODffUC3kPsx7tGJYltPKW+AW6rP5mBe31jbQ/0kH
TsXQnElnXSwJqvNUTC/92lSpYyY59Q60uqkyiLeYGCWDNVEjamsJ4eewUH2q92tl
ALsU7e7HalOMKW/rHl+E18Khyg06YM040Or9SG0KislnIvto/ji11+EInVvIvPVc
mv08H0xHkvNAjhnerQ10Dr0wiN0YYdBm0HKU8wFAPLdbxq1YPFuKT6UTsvTSjzvs
Ug1izP2ADNWfBbLIWdX65K/l9UK0IL0vxb7v/HoInHvZxqcV8DzsB3mhZiVPti3r
tg8oj0iKiJY8zUVvQ56NxX32qat2FWWI3QjLsDfXRPuxpqsmfTmmeUWSOiRLYS55
SSHkPViNgPGfxO9UwAJP
=QuUy
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aaa78552-a427-7d3d-627a-d57befe4817c%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-17 22:57, Sec Tester wrote:
> Just pointing out that there documentation here needs updating to include 
> commands for fedora-24:
> 
> https://www.qubes-os.org/doc/templates/
> 

Do you mean just the numbers ("23" to "24"), or have some actual commands 
changed?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMD+AAAoJENtN07w5UDAwN1oP/itHnn2/Mu7ifW9ucvzBSuDW
uV2LuiZSjdLDZPjLj0vECFC2oYZlARWPjI1lulNWsJexIguZ/aTAb/u/SPL5rsMn
ySXmu2uo/rSZYtBc/1AwdkpHtFbf5oPs38x5q6tVsNS6Z7xKBpobXFPWZYmzIOrJ
Q038yi5ZoKErifXYup9t2I0AzSzPoBPrMb3Q+k11KOHvGRMcLGg6kuS3uleluTBx
yI9+GFdONKKSE52OtWzbmcqWryxABgWBPHsJskAdNLndFVtY3Tp0IR1BsjRtee0d
pdTqthDgCTXWpIl8Hj+5VinAgwIVFAQwDUDb6Edsli57pJK+UJiSnC0GcSj+b6PF
iyelscYh+mWShypNJT7etJ4E/M6TJw8wkGVT5zGn/Ysz2phk/F9yRQu0oL01fvhB
Vyy/6a7GFaxuD77P1gBZsB2zHdc2RvNUuvEpzH/NBWRbdPJJ89Gv7xnCUVMsk4Xj
tttxSmWdA4DN9f1k1TF3EnW7526azyn9NVm/feRL/EpFBYnbFcsk63/TDUVuSThp
O6T3GgnGS0eZYr4nYxkkywLBi+UKFLQcYayHceH3qa1jNUjwLq6Kmx7XsMc5e3da
a/oNXu/MYZ2E/0xiP5az7Oxm64hqpr+5zvmjbGvbeY3QRf5eVmohhuXazO0KslAq
zdKQrMpQx+Kh20J6NH6+
=rSaA
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d5434ea-9626-2e86-bb6f-1e59e6aedf43%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 02:35, Achim Patzner wrote:
> Am 15.11.2016 um 14:46 schrieb Andrew David Wong:
>> If you plan to be using the same machines for Qubes 4.x, you should also 
>> take into consideration the updated requirements for Qubes-certified 
>> hardware, which will go into effect for 4.x:
>> https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
> 
> These requirements are probably the worst you can do for corporate users; 
> they prefer "standard hardware"; even I would rather stop using Qubes than 
> not being able to take any off-the-shelf Lenovo systems but having to use 
> underperforming boxes from unknown sources. Keep in mind that the average 
> company doesn't like hardware with broad maintenance contracts and won't buy 
> outdated designs (and that's about every system supported by coreboot) either.
> 

Please note that these are the requirements for *certification*, not the 
requirements to *run* Qubes 4.x. You (and I) should still be able to buy 
standard Lenovo business notebooks and run Qubes 4.x on them just fine. See the 
minimum requirements for 4.x here:

https://www.qubes-os.org/doc/system-requirements/#qubes-release-4x

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMD54AAoJENtN07w5UDAw+YcQAJQ3iTflDvu1pGrHXvIYM4wo
c2EkFC+jfKV+zegu2EorwweFCNOHKQCQKo5vKOWdLq03xxyiSNREsa5l3/vxyTFo
Diht2cLsKMuSLtozh+Jz/1DzWA73AycVSzDGnr7c75CUyipHXud+ZeM1BZNM9eG3
nOnL5NdJqsRKc4sX+2F0f39Ayy8AbpPk1LqELf+AMVoq8SFNwDrrrtenV0KDcsSM
UVhoYN8HO1JQKbGm8i9DYobzz/MOJ+/YFI7QwM9muvw97VmIAJwxWJesH0Hn7ua0
C+Lc//xGWp3JE3TYbUzOZezj9JHHh0sz1bdJYc55WlQHY6vwJ5OYzb5RfTNgcFMG
rKp6Q2mLhYVrYFKdznx5tFsr57HF0YEC4AJtfkSGVYM0H8rYBTxPKwbRTS4KE0pl
F6GNzWgNwA041fUNzpeIcTZdv8DcV9MO07+7sSw4q7VtrdCMhcAEUs+RFgG7yMJG
B8+SCz07Srj5YSVvBMr1+m5XAaFiXdFEqg+w3qjdJDByYQOqUTGod7wyn9bbS5Jq
WlZvyaVOa2dCy3PVrdlxesc+5WZMf1T/Y+4oXTfiTk6hQA/LConenvWibn3AMqfE
6Cmwm5w735rdcyvjCE/7uo0ZacSnuWGQkUkQtOr981mSAwZZxtZAqx3qxI3KLp5W
z/uVRyCjR3gxQNJOhgE/
=uZNq
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7446be8f-9fd1-434a-0ef1-8ab48b497466%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: Enigmial and Splig GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-17 10:05, cubit wrote:
> 17. Nov 2016 15:33 by dmoer...@gmail.com:
> 
>> On Wednesday, November 16, 2016 at 10:21:33 PM UTC-5, george wrote:
>>> Yes. I get the same issue too. I can read the message, but I can't write, 
>>> and I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and Thunderbird. I 
>>> can READ messages, but I can't send them, nor verify/encrypt/sign them. I'm 
>>> not sure what to do with this...
>>
>> What template are you using for the gpg VM? 
>>
>  For me both my vault VM and thunderbird VM are sharing the same Debian 8 
> template.   This template does have gnupg-agent 2.0.26-6+deb8u1  installed
> 

Sorry, this is a known issue. Enigmail 1.9 is incompatible with Split GPG on 
Debian 8:

https://github.com/QubesOS/qubes-issues/issues/2170

Until this is resolved, I recommend using the Fedora template instead.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDr6AAoJENtN07w5UDAwCbgP/3z9RU8VOsmvVo+B7YA0E5PJ
+R9e8DuxKLavW5FRL+eoWclOnQ7/BgdINZa7r59XEs4e7fANQk9ZEdMErNbV3zS5
zw1hht0nbhUj7xZCGdw8AmPyTxp1KDBBB9MmFq3rP0ZlrEaacj4ef1U9jHxcnJMz
t1AciTj2R1he2y2hilEZ2f6hHAlzf9PYiu5o7YVnR9mLsbSRenYUewO3ExbVbrYP
me7P/dNasqZ/VAB6HB1EByrUycgt5vKxICmd4+E6N8qXn4K/15DGTQrgh1R9aGAD
2zBC/se8xMhDKPMZ0FZCrXZM6DnqgWh32iAdBR/JQQrOzpZMwel7i84BA5eDm/KQ
RhuEPhvdZUAqzfF68jk6yOKcMljGpatN+tgrpdX0SYObXCp9YpcmcfR8rDqT9b9F
wkJ1rIyDN43+gUJGNGzaJkgIT2RpjdfJ5VQppw73L4JwoKsPhebO1lwAtGU4FLbJ
O9Su3jkCJNfBFfOJOCvHmVHFZykgVIsy6SlTIJ6S15mPb82Iy/yT+bIcqsq2XMkK
m56NxHeUw7jwGEsvuuAlWHM6vy+ReYIVFgVOp+Hd/lFFs3cYN5KsGpT4L3UYj0Bg
Nw085JKxPjvnwdD+YcuN5hvxv3Qj0KM6LLf8rylHFsuICJK2bN0zx9Hh5Nv6ZuZr
atK2PCEgIUZ7ZlPidX35
=rsHN
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6cf1b578-8424-a5a6-6990-a8c0818b6cd4%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: error reporting

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-17 04:26, Salmiakki wrote:
> Copy/Paste between dom0 and other domains is intentionally prohibited.
> 
> https://www.qubes-os.org/doc/copy-paste/#copypaste-between-dom0-and-other-domains
> 
> Or maybe you want this:
> 
> https://www.qubes-os.org/doc/copy-from-dom0/
> 

Yes, these are both the correct documentation sources. We're also considering 
adding a button to every dom0 error window with an easy button that copies the 
text to the inter-VM clipboard:

https://github.com/QubesOS/qubes-issues/issues/2438#issuecomment-261704575

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDl0AAoJENtN07w5UDAwMEUQALTJMFDLcVkXkP2akjGl/3W6
BJ0Fiq9oYbcIC7m287x7uc1Pzgly10DcgeM73VfcG/Qro0aurnrJdCu0APHM08ts
SNdVDrkZpMnydx76Q28cfdPSRAfhsK2lnBDbllX4Mr/Sw55B2ToJRpFWu9lCUyOW
GtP/PJN/1JKRpmOlrDQOyId1rEhw96fZtR0TS8NLflkDFPDooQ41d12FD0AKvrN4
OediV/vqlZ2JF1RcEGZqm8i+0nqifoU2+Pf0egmM11gFnj+v1MxRZb5wk6IL5+AG
dyVCuvUzU6/SjzXrRgl+qL5BslxEQJP3LAFK1ICDpLoxOede1NuVZmJgbBLF0Q9v
iuRujyth/WUfBit2PteO6QTAumD2blNieGaRbTE0lvdokVznMFYd3uKkQ2CawnYR
qyJ/KI1aMei6KW7GyLSxKYjJMuiEmukT1Lr/l929N0jjFuJOp+t/ZLTiUO9hU+JT
mX2dKCV01oI3zZvu06lEYSwHreTNB0Wpzi+4MmAlXNI8lKH2uFDALmDBu+EMaInf
8sXPYfGWmAyxgjWq3gZdmqvtktVB59TL7aGvL0UjWxuQ6Z60KQNcPDrubrTtuU89
o98c4yRxC1yaKUA3qTx3g98aBphHIhddF5HmCwIsQxTljOUsMJAb916ql2u3nS2u
nUk9GjwAcWCnuQUqCYWx
=4fiC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/954e2071-be20-4859-d68d-082f3464c77e%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Just Broke Debian-8 Template

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 04:37, Sec Tester wrote:
> qvm-revert-template-changes debian-8 - didnt fix it. I tried to set an 
> earlier date, but --help file and man file didnt specific the option format.
> 

qvm-revert-template-changes can only roll back changes made during the last 
time the TemplateVM was run. It does not keep any history beyond that.

https://www.qubes-os.org/doc/software-update-vm/#reverting-changes-to-a-templatevm

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDjkAAoJENtN07w5UDAwy+UQAKuugiVovNhGw4jLCLxwx1qw
VF5Ki0aWmbwJNJuuVL59w7EyiD2IJcyk6pWerDxvl2tyhOuSkqAi+9QxCyiWcU4l
CdlH4srSzHIyQtygNUreIoU7aWTNWaqSLp2rk6VRhjLAQe5U7PBWHgcSNxR6eMhz
e6aszYa4EnwuneP7a6OH+kOkU41IZamOfUqkCIZRAWKed44V2QD1XbEKCjHXPkZN
AVQfQloX3AyMFGySm4EWrAEFV0nroZZ51pHERUelrirAdLP4hSbyU7zjjmrc0RqY
1A0hkKiG9UVE28ex/c+C3A3en4J4j/1HoC04WqwqPQEwU6KzFosptoFIeIGMQKpV
Py3cAAN86b19DTW3pif3coRB4WH/keX8rpaPdveTjxF1wD+bSAWw/XiBqMzgcBQt
YVD/j/hNbvVWHKt3u5BjvtlMiHOqjxJJ0X39zYDRM1ke+9g2NM4BQ3L+MlM+F76K
bncidYNW9gnFjJdbDfZ2/d/79qNAFMUdo9UayZ8O583CHM3rY4jb9q7eP5dKUOzw
A8InI0AGKnwrYpoqf4w+lZCRdzc9C3du5gxOMir2c96hJQtvt/QknlWGrT6rX/0A
TY8a5j32E6hBGqpgju/XeSUy9F7agkkimW42yWNTOy1onKXV3LnFTL1lwrFJifSO
gEAkDBYo4HN1uZIfsuLE
=IVc8
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/011a9b2d-ff05-9e00-0e53-fb0877325ac2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Can't update dom0?

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 12:10, Loren Rogers wrote:
> I can't seem to update dom0 using the regular updater. The system keeps 
> telling me there are updates for dom0, but I can't get anything to actually 
> update. Is there something I'm missing here?
> 
> Clicking the "Update VM System" button with dom0 selected seems like it 
> starts, but it doesn't really go anywhere. I attached a screenshot of the 
> system after it gets going. Eventually, it'll just silently crash. I can 
> re-start the process, but it does the exact same thing.
> 
> I'm using R3.2 on a Thinkpad X201 Tablet.
> 
> Thanks!
> Loren
> 

Are you sure it's crashing instead of simply not finding any updates? There's a 
known issue with the update notification icon showing even when no updates are 
available:

https://github.com/QubesOS/qubes-issues/issues/2086

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDgfAAoJENtN07w5UDAwIcYP/0Di7vpfwxEbQf3/4NvnTT++
YM/57JO3jk6P8IAg6UsF1i5p0sNArX6EmxDoQJcPcBDgrSTuZY1iEWLKHhxAOdac
wVusXQoJ3RnrwZd6Sea1mqhbE1iHmm6lCVbYjkfXWRqrsR52avz6+E67dFvJkFEh
WjEpFzBy8BReXR8N06euawzPRw6z1rBae6usoxVVNefnMxPCK074LklPXDFssh6i
PNlbM2ZbfgPSjmIOnHP4EMcfvxN6eekhUrHNHdMM6HTozcL/6fdhjr0LcgftWYmN
4k6+mAy37l8YU7TETAx0B5WbN4shvCf3uXMQnyMpGPuqhS8/+ZLpZbZdZopnokFg
+ILW1lwkA9FXzz+zk7FzOcJeOo4uaWYpCSyf9reNBQ/jFB1JlnRiN8U1Iu69ti7j
PVGYBNElxejHzDeX2bQTNbttLuAX7mt+0ismC79DoU3UbdCdlapnzOm2PIMdJ1nA
cTqZpjyyQRusKpSum46keWfLrGr5JP3ec5/E3OJxcIFp9ceajUCbLVi0/ABwOf9m
Muc0cqWEZrea9c3ArgUQ+B8slpHWg42eCFptbYyuwOSP3PZ28G8H05idZNvq2usp
Ogxf6d5jDiqO8KwK/YrmZcCQWjZUwjQVKWUKO/ruUGIeXx5ihynt00+dxfJzsirw
qhqfcimSTpiXUiB/7Fzr
=fctT
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d266b91-3cd7-9a96-daa9-040e785e52c5%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Qubes not shutting down

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 13:27, Loren Rogers wrote:
> On 11/16/2016 02:33 PM, Grzesiek Chodzicki wrote:
> 
>> W dniu środa, 16 listopada 2016 20:04:14 UTC+1 użytkownik Loren Rogers 
>> napisał:
>>> Hi all,
>>>
>>> I've successfully installed Qubes on my Thinkpad X201 tablet, but it has
>>> issues shutting down. When I explicitly tell it to reboot or shutdown,
>>> it goes through the entire shutdown sequence, but hangs on an empty
>>> black screen. Occasionally, I see an unchanging white underscore (_)
>>> character displayed in the top left when it hangs.
>>>
>>> I tried leaving it in this state for about an hour, and no change--I've
>>> always had to force-reset. I assume this is not normal?
>>>
>>> Also, I find that the system randomly begins the shutdown sequence on
>>> its own. (And hangs on the black screen at the end.)
>>>
>>> Thanks,
>>> Loren
>> The same issue occurs on my system only if I shut the system down while a VM 
>> with a PCI device without FLR support is running
> 
> Also, I just confirmed that it shuts down cleanly with all VMs off and no USB 
> devices plugged in.
> 

It sounds like you've encountered one (or both) of these issues:

https://github.com/QubesOS/qubes-issues/issues/1581
https://github.com/QubesOS/qubes-issues/issues/1826

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDdIAAoJENtN07w5UDAwOO4P/0/kWSaTEKkOeeGsKgY8gB+P
FRG9gjE1/OtxMZV1w0s6Dkr2DVe71gBmSYXpLIU88cfcWZH0FYquDGMCW4u3Gb7K
0qnVNFXkn6Emtg3/1qGhKW89bmvgxKFXz4GXlN/kfN+tmfn06+F1K9f7tWV9J1e5
0padvVA8KoAxiK9vdvTaHtjrfv7iIEkbBoaNthxuk2bGQdWA3FMesricfwWNHLZd
eiA+lh+PfQRjgmLdRNSV1rvzyBcD0JQRYtMl91iI+pJr6C8US9hvl8Z1eSwSjcy9
9Gp0XHlsEADLjFIGMfHlfzOKWkWaxEONUlyBFXSiN0Ffi5CY6Vq6m+mQhXMjbVT8
HaiBk8j9Qfl9mCKCDmJUvhnPx2B9zM8S9+hKwfDLre87Nhgw3IWYf18+eb4PKByc
LlA/9vB0cgxa/tATJ06NEwPvU93txrz5e1qLG9qzdeOLW1/DymTZVJzW+INxNK69
83JQ+exkpz3z/YwTMAi1aYoi/X1D5J62qMGUnOCQSX4Rj+rUZ+NnCDt3bLEzH7ba
F0gqGxEvU1cTaMDusN3Mq8spmHu+MmtfbMQOTmo/41+aL7u1+/wFgT+/alWblsfN
+jUuMmDhrlC5uQ+w320FNwQVMBf2iR9GdZfjsi3BmT8y4RgflspElj9FS6I8BWmJ
lApROFn+s29vmyv4CAgP
=bRaI
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e763a5b1-cd5f-c708-6ef8-c8dbb53748ff%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Q Diskmanagement partition?

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 11:15, '834'109438'1094328'0193284'098 wrote:
> Hello,
> 
> Q need enough free disk space in the root partition, as I found in the 
> documentation:
> 
> https://www.qubes-os.org/doc/out-of-memory/
> 
> Check the disk space:
> 
> df
> 
> Normally I should stay on the standard installation path, with the full disk 
> encryption (beside /boot, which stays un-encrypted per default). So that's 
> fine.
> 
> Can I improve the disk-management, if 
> i) I define a own partition for the root (so this will have always free space)

This is already done as part of the default partitioning, but it will not 
prevent you from filling the root partition.

> ii) I estimate the disk size-changes before I store or change a read-only 
> Template VM inside the root partition
> 

Yes, this is a good idea if you're short on space.

> Would make it sense to give the system an extra reservation, so that the 
> qubes-dom0-root has plenty of disk and not too many changes and the hole 
> systems become more reliant against out-of-mem-errors?
> 

I'm not aware of a way to do this merely through partitioning.

> lsblk
> 
> /
> qubes_dom0-root
> 

?

> Which other operations will change the disk size of / beside the TVMs?
> 

Anything that writes or removes data to the root partition. Assuming the 
default partition scheme: Adding/removing data in AppVMs, log files, anything 
you store in dom0's $HOME, etc. 

> Can I display the disk space of dom0 (or other VMs) in the QM in some way?

Not in Qubes Manager, but there are various desktop widgets for it in most DEs, 
including Xfce4 and KDE.

> Does post Q some warning, if the dom0 disk space gets short?
> 

Not that I'm aware of.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMDZZAAoJENtN07w5UDAwAGUQAJnFc8uZyOjGSuIV+fSSj496
KhZP+IijO9KSMleSPS8wnd6PRao6j0IGqHd9SwGVcCNOQq1v1PwGvX+8m9ZCx1s7
/oypK+lpC/me/dL6PGuP3mqNtgmf8dpRtSk2BjD11otmTboZ54mnnJ+soEuuQoe7
LChAfYsCHh4VH8ETcBsox4lKZklIz7Dd0LZT0guxOVjt9H5rwt/nnYUaMmapaHxa
VE3Ds/GmwZXPT1+33PQCPAkEB2unIhq5UGq7I1PtnkAs1+ZlGf+nxRklDZcBjdBi
+734YIo2G3S2OaLNam4/IaWZjDaLaqdG6yoG/1RGBWuQY/qVeZHpcIkoFaj7fdWw
AGgaIx1saq4TcC+Yj10aIYmErIZiM4YtPTn1TopUzK9kE6uM82sGJRzFXA/8Tjnd
636h41x0b0IFQ9qVc+PqDojC3Du9EtS4s+yuN7/XYpR67fDTFGWpJMVxHvW2FzPd
aNNkiCWy9O6TwmcdMg0GexLhs2iA5WoZgGcgiwlxntWUh8/lEvxnD8GDmukz8eTG
xpSh7I7Wdfcaqbz9eCzs7hGFOEfIFvWcDWMtuveoGyI6RqHz7sV0UyQo6wo4G8TS
LP4PsbfuSsCcvpLtpfzvLlznnLSEnIbbd5fcZg1ECIesOTh4rHCEoe1vv+oo6DyC
D4MFDCQe5x2lypOP2l9w
=2yBP
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ca23250-9a72-bfe5-5e21-3c83976d8403%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] desktop sharing, capturing and screenshoting

2016-11-19 Thread Manuel Amador (Rudd-O)
On 11/19/2016 09:30 AM, Ray Brainer wrote:
> I am having hard time to make desktop sharing in Qubes.
> Within VM I see white screen.

X server in VM does not allow screengrabs at all.  Security measure.

> Installing software on dom0 and using it in broadcast is denied.
> What should I do?
>

dom0 does not allow networking.

You may be able to hook some sort of bridge using qvm-run --pass-io and
socat, but it sounds like a bad idea.

Qubes OS is intended to be a highly-secure OS.  Sharing the screen of
dom0 with other machines defeats that purpose entirely.


-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/faf934d9-1d53-0f2f-14da-c89db68d2c79%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: desktop sharing, capturing and screenshoting

2016-11-19 Thread pixel fairy
On Saturday, November 19, 2016 at 4:30:44 AM UTC-5, Ray Brainer wrote:
> I am having hard time to make desktop sharing in Qubes.
> Within VM I see white screen.
> Installing software on dom0 and using it in broadcast is denied.
> What should I do?

what are you trying to do? dom0 has no internet, so it cant share. you could, 
in theory, run a vncserver attached to a unix domain socket and then pipe that 
to an appvm to share it, but then you completely break qubes security model. 
the only app i know that actually runs a vnc server on a unix socket is qemu, 
so youd probably have to patch your vnc server to do this.

you could run a desktop sharing app in an appvm, and yea, most of it would be 
blank. its an x server with only app windows drawn. if you dont like that, you 
could make an hvm and share that. 

either way, the incoming connection would have to get past the netvm. so, 
either make a port forward in netvm (and possibly in firewallvm), or initiate 
the connection from your appvm. something vnc can do. or use ssh -R to make a 
reverse tunnel to somewhere the viewer can reach. 

if you have a server you and the viewer can both reach, you could also run a 
remote desktop there. or, if all you need is a terminal session, screen or 
tmux, which will be faster than sharing any gui desktop. in either of these 
cases, you get a persistent session. either or both of you can detach and leave 
it running and come back to it at leisure. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a29ec40-351c-4667-8b9d-9c9f20bf9543%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Kernel 4.9 in Qubes

2016-11-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Nov 19, 2016 at 02:44:38AM -0800, Grzesiek Chodzicki wrote:
> AFAIK Qubes uses only LTS kernels for both dom0 and templates. Will Qubes be 
> upgraded to the upcoming 4.9 kernel whenver final version is released? 4.9 is 
> supposed to be the next LTS version.

Maybe not immediately, but generally yes.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYMDBGAAoJENuP0xzK19csyGgH/igZKONLkMdYToFG1RFxZjFm
NIl+n5hiqzbDvcCzt0nJpHXXisdVKBDG+975zDBIFZuE6Pn189VD5g3zRcRQEHFT
9oJRFRVSm413xZWveR6Wuwvq9o+kcv5ysOGTz0thnqf63y3xLbih1t+YVh7Vs/tN
MEqecCkZ6Wom027dRhJYJkmC83qCUO6pvPvuBQRRk0x4kzIV+uLpu0rvYJY65vXj
AJZf5dxkJZ5uMItx1bJxJO27VfevvQtVtn/wxSXkXfpxAdGNvnH99QXR6Tk59T/I
dA9HZB2VhCOhtFEr4PxfpBM2lXRdPcKVQIdfmODJreNsw+OLd0y3CYdS5icqsv4=
=Kx2V
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161119105815.GV1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] vPro and Qubes

2016-11-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-16 00:03, nezna...@xy9ce.tk wrote:
> If i have intel processor with the vPro technology - should i afraid some 
> "factory vulnerabilities" of that technology and some manipulation with my 
> BIOS. Or security of Qubes is higher of that level?
> 

Short answer: Yes, but it's not just vPro you should be worried about.

Long answer:

Read this post: https://blog.invisiblethings.org/2015/10/27/x86_harmful.html
And this paper: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYMC29AAoJENtN07w5UDAwvLUP/idIreuywqbUlq8cnaAp7Fxe
I6+JqPxPDeuqtZ6vS/3P6k0OTqBBvsDGBoBJ+O4WdxiJ1yh4HlGVI+87LddIYrl1
IGOTBKGCHOvZCQzxzMPPmJlKUJX+X81nhhJAKVqngjDcqT/eLlkOuPkemIIO0mYe
edCdm7jiDNeFzn+IwnAgp5lh25LS7lYwWkH4ri45oxux8IP4jwAT0JckaUH0FUU7
qfTRcxgfdO3UTuKqzz7gBhXFtsTNAHEM/Kubm+4TF/qj2hETS1WKMLUBosNBTWGw
NSdlBUN+SjynGAO9bGUc2uHM2aYbV5b/Hn+o+hCgD7zKzKl7loJyFIe1BCG+z9mo
u2XL7mXdqZ/lOlrFJEZVFWoF0Mc4IrGWwPwfrMDLPIVBPskq2bIxFKO5I8aSaHFK
q2EmceF6eLXeIKOA5WWW3QODgsl4eO69EMi94FZ/bFh9epbtjfaWb0Oc3+prGgPx
tnOzR75+B+Vjvn8TPTiNDVXkD8kJfv0guVGkOo2KnDMBjYAHObNoh54wWQMrD8us
pZ8XsFUXdV66Bwimo8PV1pBo2kuoBSa9oJBSOS/AP0aDwIT3oeruYkiCnip6e8yC
SNJYOk357euBMUTpItH0oxNh8TSO6es+Fn7WQYibKksN0tPxWG7wYheHq0DFQ+oE
h0l6ahsujt158BBT8wlQ
=9afc
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/030c9782-8272-61a4--af31887e3b5e%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] desktop sharing, capturing and screenshoting

2016-11-19 Thread Ray Brainer
I am having hard time to make desktop sharing in Qubes.
Within VM I see white screen.
Installing software on dom0 and using it in broadcast is denied.
What should I do?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b98d50b0-3739-4f4a-b507-19cef3cb200c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.