Re: [qubes-users] Are my AppVMs living in a tiny corner of my hard drive?

2016-12-01 Thread mojosam
On Thursday, December 1, 2016 at 9:27:42 PM UTC-8, Chris Laprise wrote:
> On 12/01/2016 11:52 PM, mojosam wrote:
> > I have a 110 GB SSD.  If I look at the settings for any of my AppVMs, it 
> > says that the "Private storage max. size" is 2048 MB (which is the 
> > default).  It also says that "System storage max size" is 10240 MB.
> >
> > Is 10240 MB the maximum size that an AppVM is allowed to get, or is that 
> > the size of the drive it's living on?  If it's the latter, I'm concerned 
> > about why that's one tenth the size of my drive.
> >
> > What I want to do is create a few more AppVMs, but I'm worried about 
> > running out of space on my drive.
> >
> 
> Each appVM's storage lives in a separate disk image file that is 
> "sparse". That means it grows or shrinks depending on how much data you 
> have added or deleted. But it can only grow as far as the "Private 
> storage max" that you set.
> 
> You could set a bunch of appVMs to each have a Private max size that is 
> larger than your hard drive (or, combined, their Private max could be 
> larger than your hard drive) and they will work fine unless/until you 
> add too much data to them. That setting is so you can expand appVM 
> storage to sizes that will reasonably hold your data, and you can keep 
> expanding the max as needed.
> 
> The "System storage max" refers to the VM's system root image (where the 
> guest OS lives), not your hard disk. It means that particular template 
> (or standalone) OS can't grow beyond that size. You probably won't need 
> to adjust this setting. For VMs that use a template, the actual system 
> size is the 'Size' you see listed for the template in Qubes Manager.
> 
> To get an idea of the free space available to Qubes, you can enter 'df 
> -m' in a dom0 command prompt to see the value in megabytes. Or in the 
> GUI (KDE), you can right-click on the taskbar or desktop to add a Widget 
> that displays overall disk space.
> 
> Chris

Thanks for the clarification.  I think I understand that better now.  I 
couldn't find that in the documentation.  I was definitely confusing system 
storage and private storage.

I was playing around with 'df -m' before I posted that question, and it was 
just confusing me more.  But just now I created another VM and reran 'df -m' 
and saw which directory got fuller.  I should have done that first.  This whole 
thing is slowly starting to gel in my mind.  (I've used Linux sporadically over 
the years, but I've never had to administer it.  I guess there's a lot I still 
don't know about how Unixy computers think.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/532f86e6-444b-4c1c-af31-84a23a34d761%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: qubes large volume inter-vm file copy fails

2016-12-01 Thread rohan kumbhar
On Thursday, 1 December 2016 13:35:38 UTC-5, rohan kumbhar  wrote:
> Hi,
> 
> Context for said subject:
> task : automation
> src vm : work
> target vm : win7-64
> operation : file-copy
> File-Copy src: /home/user/files
> File-Copy target : /user/Documents/QubesIncoming/win7-64
> 
> the 2 vm's mentioned above are connected to different firewalls.
> hence, there are 2 isolated networks.
> 
> work vm fetches *.* into the files folder using a python-script-1. the same 
> script further issues qvm-copy-to-vm command on every file fetched to win7-64 
> vm.
> 
> inside win7-64 vm another python-script-2 resides. it processes the received 
> files.
> 
> Issue: 
>   While python-script-1 dumps files, if python-script-2 accesses the 
> File-Copy target, then python-script-1 in work vm starts displaying "connect: 
> connection refused."
> 
> How to interpret whats wrong?
> Is it that the qrexec-agent lost the handle to directory?
> There was a race-condition?
> Virtual channel closed? if yes, why?

checked sudo journalctl -b -u qubes-qrexec-agent.service 
nothing found there. 

how to debug this connect: Connection refused

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6af3071d-4281-4c23-bdf0-54e4bdf721d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Are my AppVMs living in a tiny corner of my hard drive?

2016-12-01 Thread mojosam
I have a 110 GB SSD.  If I look at the settings for any of my AppVMs, it says 
that the "Private storage max. size" is 2048 MB (which is the default).  It 
also says that "System storage max size" is 10240 MB.

Is 10240 MB the maximum size that an AppVM is allowed to get, or is that the 
size of the drive it's living on?  If it's the latter, I'm concerned about why 
that's one tenth the size of my drive.

What I want to do is create a few more AppVMs, but I'm worried about running 
out of space on my drive.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3d770154-dcb9-4a83-873d-b8a5604f39d1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Qubes and HiDPI

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 6:25 PM, pixel fairy  wrote:
> On Thursday, December 1, 2016 at 2:58:21 PM UTC-5, Marc de Bruin wrote:
>
>> Is there a way to get around this? Doesn't the Qubes VM Manager “window” 
>> proportionally scale itself related to the occupied pixels of the text due 
>> to the font? Or am I missing something?
>>
>
> Im missing something here, why not just set your screen res in dom0 to 
> 1920x1080 or whatever you find comfortable?

FWIW this is what I have done, and I don't mind it.

The not-quite-pixel-bound edges due to scaling are noticeable if you
are looking for them, but it doesn't bother me.

A positive effect of this is AppVMs have less pixels to render without
hardware acceleration, so lower resolutions are in some cases
noticeably more responsive.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_CTBFTqrGd%3DdaH7tFbN4t56Jk8RoUya2e8keerCPBC4dQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: USB Scanner or Printer?

2016-12-01 Thread raahelps
On Thursday, December 1, 2016 at 9:58:23 AM UTC-5, Loren Rogers wrote:
> On 12/01/2016 06:25 AM, Franz wrote:
> 
> 
> 
>   
> 
> 
> 
> 
> 
>   
> On Thu, Dec 1, 2016 at 12:47 AM, 
> wrote:
> 
> On Wednesday, November 30, 2016 at 7:02:19 PM
> UTC-5, Loren Rogers wrote:
> 
> > What's the recommended way to handle scanners and
> printers? It
> 
> >       sounds like I'll need to go through a USB
> Qube, but I
> 
> >         don't trust the closed-source drivers to
> run alongside my USB
> 
> >         keyboard.
> 
> >
> 
> > Will I need to assign a USB PCI device to a
> particular
> 
> >       printer-scanner Qube and have the others go
> through dom0?
> 
> 
> 
>   most use network printer i believe cause easier to
>   print to.  Printer is never considered secure or printing
>   private.
> 
>   
> 
>   
> 
> 
> 
> 
> 
> If you do not have a network printer you cann buy a
>   printer server for a few dollars.
> 
> 
> 
> best
> 
> 
> 
> Fran 
> 
> 
> 
> --
> 
> You received this message because you are subscribed to
> the Google Groups "qubes-users" group.
> 
> To unsubscribe from this group and stop receiving emails
> from it, send an email to qubes-users...@googlegroups.com.
> 
> To post to this group, send email to 
> qubes...@googlegroups.com.
> 
>   To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/2cd15b8a-89ca-4480-a904-f1c8913b6505%40googlegroups.com.
> 
>   
> 
> 
> For more options, visit https://groups.google.com/d/optout.
> 
> 
>   
> 
>   
>   
> 
> 
>   
> 
> Good point - I suppose it makes most sense to set up a print/scan
> server and just connect to it remotely.
> 
> 
> 
> However, assuming I had some other USB device that required
> closed-source drivers, would my only option be to connect it to the
> USB Qube or dedicate a PCI USB device to a separate Qube?

I use a raspberry pi

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a47d1878-df63-40eb-989f-e3a43ec038ef%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Templates: can a template be replaced by another with the same name?

2016-12-01 Thread Leeteqxv

On 02/12/16 00:03, yaqu wrote:

On Thu, 1 Dec 2016 14:10:08 -0800, Andrew David Wong 
wrote:


1. delete the cloned template.

2. clone fedora23 again onto a new clone using EXACTLY the same
name as the first clone that was deleted in step 1.

Question:

- the existing AppVMs that are already based on a template with
that name, will they now just continue to work against the new
clone, or is there anything else than the template NAME that
affects the link between AppVMs and their templates?


Qubes won't let you delete a template while AppVMs are still based on
it. You'll have to temporarily switch those one or two AppVMs to a
different template, delete the one you don't want, clone the one you
want, then switch them to the new clone.

Or, to avoid switching AppVM's template multiple times, one could:

1. clone template (under temporary name)
2. switch AppVMs to the new template
3. delete the old template
4. rename cloned template to the final name



Thanks for the explanation. 1-3 is probably enough unless the original 
name is important for some reason.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f02480c-d48b-ab00-008a-9909b7a5e5d5%40leeteq.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Yubikeys in Qubes

2016-12-01 Thread Chris Laprise

What is an acceptable / secure way to obtain a Yubikey fob?

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e45d682-b49f-a91d-817d-13e541a41d94%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Any plans for a CCC meeting?

2016-12-01 Thread Manuel Amador (Rudd-O)
I have a couple friends who are huge fans of Qubes OS and they are going
to CCC.  Since they are not subbed to this list, I'd love to know if
there's a meeting of Qubes OS devs and users planned for CCC, so I can
tell them and they can go.

Any plans?

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aab6c8c9-fe6d-4ee7-c298-ca6901ad8a0a%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Yubikeys in Qubes

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 03:54:51PM -0800, Micah Lee wrote:
> I just wrote a quick blog post about using Yubikeys in Qubes.
> Specifically, I wanted to share a script that will use qvm-usb to attach
> your Yubikey to your gpgvm no matter what USB port you plug it into.
> 
> https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/

Thanks! That's interesting. I'd add two things:

The tool run by qvm-usb does support alternative device identification
- - using product and vendor ID. Also to specify which device to attach. 
This isn't exposed by qvm-usb tool, because it may be ambiguous, but may
be useful here. See README for more details:
https://github.com/QubesOS/qubes-app-linux-usb-proxy
I acknowledge that your solution is better in some aspect: it exists and
works :)

Is communication with YubiKey encrypted, or at least somehow
authenticated? Otherwise malicious USB VM could easily perform some kind
of man in the middle attack and for example sign document you really
didn't want to sign. Or decrypt arbitrary data. It's possible even when
physical confirmation (button) is required - by simply waiting until you
perform *some* operation.
This is general problem with USB devices, which are hard to solve with
the current USB infrastructure (USB VM can do anything with any device
connected to it). Without some fundamental USB rework - probably at
hardware layer, I think the only alternative is protecting the data at
individual device protocol level (like you do with encrypted USB sticks
for example).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQMJNAAoJENuP0xzK19csL6UIAJqJSD49PwzMOJBoYVHIWsuM
sraQDLT8gkArL7P6vWmCZhd/U6ZMurcXlcrFvjW9bUWm7siOmJn5NpU5DG0ve5pS
I83BSkymhGMynXzZCHfW0Sf9hJdOgBtnnpqSTPTfsAXuR8JV3OV6/GbslvcbIOqU
JofhflbhqvD9tPI8q7smG6RyRUGH8KXDI8HVgjewlPfHqUNpXF/aZpWLfIhQBesU
VPjmgSmOz8ioi9JwlFzJrLkPbp75xx23E5/sl5Bd6BRm2tG+6lZtfbLFH7nk17ci
QbjekfytI5/eTKb542OL9UPlUF/6m0Qj5jasrxy4CUbmKC1LEPIQrNPH4kyA06s=
=hZPo
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161202003732.GA1371%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: [qubes-devel] Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 09:40:58PM +0200, Ilpo Järvinen wrote:
> On Wed, 30 Nov 2016, Andrew David Wong wrote:
> 
> > Commercial editions of Qubes OS will be customized to meet special corporate
> > requirements. For example, two features that might be particularly 
> > attractive to corporate customers are (1) "locking down" dom0 in order 
> > to separate the user and administrator roles 
> 
> I suppose this implies there is unlikely to be support for multi-user
> environment for a shared computer any time soon except for commercial
> users (e.g., within a family with one of the user effectively having
> a sort of "administator role" and the other users would have less 
> priviledges)?

That's right. We (as core Qubes OS team) don't plan to work on this
anytime soon in open source version.

> If yes, are the core devs/maintainers going to actively oppose
> inclusion of feature(s) which would make the multi-user case
> easier/feasible if it is provided by somebody from community?
> I suppose it could be seen overlapping functionality and
> therefore rejected on technical grounds (or it might be even
> thought to deincentivize from getting the commercial version).
> 
> I understand the economical realities, so please don't take this
> as complaining of any sort, I'm just asking what is the expected
> position here.

I think both use cases still differ significantly. One is mostly about
protecting system configuration (maybe with addition of remote
attestation, or sth like this?), the other one is about protecting data
of other user(s). Some technical means may be the same, but I think not
all. And I think it's ok to accept contributions about one use case,
even if somehow overlap with the other. Of course if done properly.

Also note that the above mentioned examples are just examples. Actual
features will depend on customers needs.

But to answer more generic question: we can't stop anyone from
implementing the same features as in commercial version, and announcing
it anywhere. This is how open source works (which is great that we have
this freedom!). But we'd like to ask the community to not compromise the
business model - as explained above I think the use cases are different
and this shouldn't conflict with the goals of Qubes OS as the open
source project.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQMAHAAoJENuP0xzK19csjrkH/0hiyaEPYhPH/crEBATApFuE
+WX9umAKibeRbotaEDkY6o9vm92zoVKY1pSewbWMgXxQMKwIjCFfrsBYSH+PRYUD
Id9ES0uARuXMxNnEtZ2+B43DLngMOXtbZfb3LtGG4dq1WRFMRfZyUM82lNq+hPq8
OET+847PPdJ36TOZs+FgdeyW9xfFdmGU7mKavsv/iaunNou68NEOlxd6WEP27beA
w1S/5j8LyiOCfUPwGhVoKIVYCbGzAkE1RlJaSR8iwKe/Dl6PYNkjtB2WKVSfeIHL
cx3JIXiUP4z0skzXW3HoxhUYeEycDZtSTruD0E8PPcoHodBblXOfmpjCXBSc6nM=
=KiiL
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161202002751.GS1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Yubikeys in Qubes

2016-12-01 Thread Micah Lee
I just wrote a quick blog post about using Yubikeys in Qubes.
Specifically, I wanted to share a script that will use qvm-usb to attach
your Yubikey to your gpgvm no matter what USB port you plug it into.

https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5e442acf-1d2f-c37a-b69c-65b1a57e45dd%40micahflee.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Qubes and HiDPI

2016-12-01 Thread pixel fairy
On Thursday, December 1, 2016 at 2:58:21 PM UTC-5, Marc de Bruin wrote:

> Is there a way to get around this? Doesn't the Qubes VM Manager “window” 
> proportionally scale itself related to the occupied pixels of the text due to 
> the font? Or am I missing something?
> 

Im missing something here, why not just set your screen res in dom0 to 
1920x1080 or whatever you find comfortable? 

i could see it useful for art or visualization. what other advantage would it 
have?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b24abfdc-6aca-437c-8f8a-dc4834e0da63%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-01 Thread pixel fairy
So this is basically support contracts with some custom coding thrown in? The 
next step, probably scary to some users, is corporate channels. Have you 
contacted dell and hp yet? 

either way, im happy for this and hope it works!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b95f0188-bce5-42ed-846c-6a17896f37f8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Templates: can a template be replaced by another with the same name?

2016-12-01 Thread yaqu
On Thu, 1 Dec 2016 14:10:08 -0800, Andrew David Wong 
wrote:

> > 1. delete the cloned template.
> > 
> > 2. clone fedora23 again onto a new clone using EXACTLY the same
> > name as the first clone that was deleted in step 1.
> > 
> > Question:
> > 
> > - the existing AppVMs that are already based on a template with
> > that name, will they now just continue to work against the new
> > clone, or is there anything else than the template NAME that
> > affects the link between AppVMs and their templates?
> > 
> 
> Qubes won't let you delete a template while AppVMs are still based on
> it. You'll have to temporarily switch those one or two AppVMs to a
> different template, delete the one you don't want, clone the one you
> want, then switch them to the new clone.

Or, to avoid switching AppVM's template multiple times, one could:

1. clone template (under temporary name)
2. switch AppVMs to the new template
3. delete the old template
4. rename cloned template to the final name

-- 
yaqu

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201230316.75908207459%40mail.openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] qubes large volume inter-vm file copy fails

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 10:35:37AM -0800, rohan kumbhar wrote:
> Hi,
> 
> Context for said subject:
> task : automation
> src vm : work
> target vm : win7-64
> operation : file-copy
> File-Copy src: /home/user/files
> File-Copy target : /user/Documents/QubesIncoming/win7-64
> 
> the 2 vm's mentioned above are connected to different firewalls.
> hence, there are 2 isolated networks.
> 
> work vm fetches *.* into the files folder using a python-script-1. the same 
> script further issues qvm-copy-to-vm command on every file fetched to win7-64 
> vm.
> 
> inside win7-64 vm another python-script-2 resides. it processes the received 
> files.
> 
> Issue: 
>   While python-script-1 dumps files, if python-script-2 accesses the 
> File-Copy target, then python-script-1 in work vm starts displaying "connect: 
> connection refused."
> 
> How to interpret whats wrong?
> Is it that the qrexec-agent lost the handle to directory?
> There was a race-condition?
> Virtual channel closed? if yes, why?

Check logs of qrexec-agent running in work VM, for example using:

sudo journalctl -b -u qubes-qrexec-agent.service

"connect: connection refused." suggests problem on connecting to it -
maybe it's dead?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQKZXAAoJENuP0xzK19csFoMIAIHSdVGBjhdgkZLpealuFLoq
pLRG+pd9CJtbZowALAWJM6K9nn3XD2mjr+CCzJHruW0/R0b2PMzhikM84yv7I3IJ
yF8IClGrMzFez0wYGL6PpwAaLPetPbSJrapFewtkyJRGZiQJajfAFWsZO7epA+So
KWb2W2U9iGSrkTCgq+QsjlvrEgtYZNoJ7XWB48QwhqwNATRH+FCFKHlr2o75ZfsR
VCqV3kbsl3Pt6Ht0WMNx8uqXgQT4XLbzeTvafyR1HyOVsCJlqPJsLcon7K8j+rDf
8O8sZOtathIJi81HKJvVKXQ+UqvWJ1I0osMTJ0QLN8tWyyjr1HX/8T3EwUCQXh4=
=/nuL
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201223814.GR1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-01 Thread Franz
On Wed, Nov 30, 2016 at 8:56 PM, Andrew David Wong  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Dear Qubes Community,
>
> Since the initial launch [01] of Qubes OS back in April 2010, work on Qubes
> has been funded in several different ways.  Originally a pet project, it
> was
> first supported by Invisible Things Lab [02] (ITL) out of the money we
> earned
> on various R and consulting contracts. Later, we decided that we should
> try to
> commercialize it. Our idea, back then, was to commercialize Windows AppVM
> support.  Unlike the rest of Qubes OS, which is licensed under GPLv2, we
> thought
> we would offer Windows AppVM support under a proprietary license. Even
> though we
> made a lot of progress on both the business and technical sides of this
> endeavor, it ultimately failed.
>
> Luckily, we got a helping hand from the Open Technology Fund [03] (OTF),
> which
> has supported [04] the project for the past two years. While not a large
> sum of money in itself, it did help us a lot, especially with all the work
> necessary to improve Qubes' user interface, documentation, and outreach to
> new
> communities.  Indeed, the (estimated) Qubes user base has grown [05]
> significantly over that period. Thank you, OTF!
>
> But Qubes is more than just a nice UI: it's an entirely new, complex
> system --
> a system that aims to change the game of endpoint security. Consequently,
> it
> requires expertise covering a wide spectrum of topics: from understanding
> low-level aspects of hardware and firmware (and how they translate to the
> security of a desktop system), to UI design, documentation writing, and
> community outreach. Even if we consider only the "security research"
> aspect of
> Qubes, this area alone easily scales beyond the capabilities of a single
> human
> being.
>
> In order to continue to deliver on its promise of strong desktop security,
> Qubes
> must retain and expand its core team, and this requires substantial
> funding. At
> this point, we believe the only realistic way to achieve this is through
> commercialization, supplemented by community funding.
>
>
> Commercialization
> =
>
> We're taking a different approach to commercialization this time.
> Building on
> the success of the recent Qubes 3.2 release, which has been praised by
> users for
> its stability and overall usability, we will begin offering commercial
> editions
> (licenses) of Qubes OS to corporate customers. We believe that the
> maturity of
> Qubes, combined with its powerful new management stack [06], makes it ripe
> for adoption by any corporation with significant security needs.
>
> Commercial editions of Qubes OS will be customized to meet special
> corporate
> requirements. For example, two features that might be particularly
> attractive to
> corporate customers are (1) "locking down" dom0 in order to separate the
> user
> and administrator roles and (2) integrating our local management stack
> with a
> corporation's remote management infrastructure. These are both examples of
> features that our developers are capable of implementing now, on Qubes 3.2.
>
> We plan to partner with one to three corporate clients in order to run a
> pilot
> program throughout the first half of 2017.  After it has been successfully
> completed, we'll then widen our offer to more corporate customers and,
> ultimately, to small business customers. Our main constraint is the
> scalability
> required to cover each additional client. Hence, we plan to focus on larger
> customers first.
>
> Let there be no misunderstanding: Qubes OS will always remain open source.
> We
> anticipate that the majority of our commercialization efforts will involve
> the
> creation of custom Salt configurations, and perhaps writing a few
> additional
> apps and integration code. In the event that any corporate features require
> reworking the core Qubes code, that new code will remain open source.
>
> We considered many other ways of attempting to commercialize Qubes before
> arriving at this model. One possibility that some of our users have
> inquired
> about is that we sell dedicated Qubes hardware (i.e. laptops). However,
> there
> are a number of challenges here, both in terms of making the hardware
> trustworthy enough to merit our "seal of approval", and from a business and
> logistics perspective. For these reasons, we don't plan to pursue this
> option in
> the immediate future.
>
>
> Community funding
> =
>
> Unfortunately, the financial necessity of shifting our priorities to
> commercial
> clients will mean that we have less time to work on features that benefit
> the
> wider, security-minded open source community, which has been our focus for
> the
> past seven years.  This deeply saddens us. (We all use Qubes on our
> personal
> computers too!) However, the reality is that ITL can't afford to sustain
> the
> open source development of Qubes for much longer. We're running out 

Re: [qubes-users] Templates: can a template be replaced by another with the same name?

2016-12-01 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-01 02:04, Leeteqxv wrote:
> I have a relatively newly cloned template of fedora23 used by only one or two 
> AppVMs, but never really gotten any special customisations.
> 
> Meanwhile, I have done some updates/additional software installs in the main 
> fedora23 template, so if I want to save time I hope I can just clone it again 
> without having to update the existing clone? Can I do it like this..:
> 
> 1. delete the cloned template.
> 
> 2. clone fedora23 again onto a new clone using EXACTLY the same name as the 
> first clone that was deleted in step 1.
> 
> Question:
> 
> - the existing AppVMs that are already based on a template with that name, 
> will they now just continue to work against the new clone, or is there 
> anything else than the template NAME that affects the link between AppVMs and 
> their templates?
> 

Qubes won't let you delete a template while AppVMs are still based on it. 
You'll have to temporarily switch those one or two AppVMs to a different 
template, delete the one you don't want, clone the one you want, then switch 
them to the new clone.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYQJ+9AAoJENtN07w5UDAwnk4QALut3MLqYufpv7zNhu1dJVA+
8enQR5Gjnjh1RU1qK3k+XJEKUd0PelrSPv3axTC1HAM0xoJtHhlkcdguHhKKILI/
QBs/LlyHivhAdD3xUAl0HRS5oC+lk4c62fvxTdIK53kAFyBUTkgy11S41AuiZWNc
nk0q6Ck23SrOHyml/H18H5sHEa4dmv4jGCLv1t7qNOZs6wivCOV6oKd4B4PDIiTk
tK7UZUgS6LyyUUf4YOnOBsoM7dlgfO+4EUOP2f5QUg8UKTo5fFKQjyhxJwMsYDxb
vfhWtlPUuHu15DwVtRlunoSPamNwwck7qcQKyEh9ohRTBp78FhPdQNH4hBNzBrnE
t9kOOg9nX9DILRFs7N+JFzjy5fLAPYE9W2bhKa0nuQGMUjHEqb0XYw6hK6f+PzHc
SO/NCTfyzwj/2eFNtHPfpZcpRZzFX7HsPHA5IOVaL5Slkk5+/V5R1DYzUt2Hikog
hWFsVu5zC3lsJMJ1K6KMP+/r3rIOAKZebYJBYjjpWUfLjvafi+LMKyeexUP2Db7m
uVpquH8OQwhvluMUNyA6Kk3rRz4t59y2YqThJUlmz9Pwit4zeNsaANZt81E6L0IZ
aDJODIhiOI6vmwZeFiSLYJEIz2Tj77v6iDBJTZyYNdZpUsnEE1GawEeadVntSjH/
3g5DoRgoM+F+HPq/LLDU
=o3Yi
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4cd0a1b7-83ba-5192-a9fd-7090475a45eb%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] fedora-24-minimal and WiFi: Shows network, but does not connect

2016-12-01 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-01 07:01, Robert Mittendorf wrote:
> As mentioned here:
> https://www.qubes-os.org/doc/templates/fedora-minimal/
> 
> I installed:
> NetworkManager NetworkManager-wifi network-manager-applet wireless-tools
> dbus-x11 dejavu-sans-fonts tinyproxy
> 
> to the minimal template to use it for a NetVM (WiFi)
> 
> The NetworkManager icon appears and lists available networks. If I
> double-click in order to connect nothing happens. If I use fedora-24 or
> fedora-23 template for the same VM, everything is fine.
> 
> Does somebody know which package is missing?
> 

Are you sure it's a missing package? I pretty sure I installed only those
packages and haven't run into that issue.

Does it work correctly if you try switching to the full template?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYQJ8dAAoJENtN07w5UDAwIGcQAIa1GQFcXisCSoWxXqQbK/ho
E+uGzVahD9h7nCt/hLOT+kDaD8nMYU6LRZUPQmaHSq7dkf4zQ6Z/Favqn0Zsv5uV
iWY747TuAhXgQ8y7E1IHgV7yZ43gFzwkHTH5tYtRQ/fGFXCjf4x2c6GCQL1KEW4/
8EL6rjoYKAM9AILdbsdQmXCx2LPdtPua6Jk0Iq/gi/MyvVmdOnbNgLPZhmcqSK5e
WKJPlM2fD3jAfYNcbXLCz8sWctPkAZJT34Tu/QMDOtXZIcqFA1ZX794J07iuwezR
7PeUOyaNeHknnFU4vT/NgBpig+snhVtXnglCs2s5zeqvp0h/SG29DPH4kUtqGUko
tE8jfhHP5KGu04hMELrCGSQ9MOc56NsTH7YLaMAfB6bS8GMy6Hu1ey/ZVIsYnI0p
Q5HWh51MMtSOQS3ejlndS5J4J2YpxcSnfz/IH+oDxO/D3mseHU+unD0Xzh6MLBNV
SI5euQv3Vu17eQO6y8ucLW8v9IOE8XO0j+9HkR6o2X9QDt41ctRn9bgzXZaXJptO
buKndOH6it4835m3dON9D1JyQx5HoY1Zuon2EP/f/YAlGNRdR5TbYRceGFCwcycy
oFnHM3wFKr8JxJqQH4PmHeKVciq+mo5lC/WVfIYSxHMZj2p47y0R/pB8xNChN9Hz
yXWwwDTlkaM8Y3i+cBm1
=c1+5
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1e6c4d69-1bf8-eb44-a15d-455f0881f8c6%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes and HiDPI

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 2:58 PM, Marc de Bruin  wrote:
> Doesn't the Qubes VM Manager “window” proportionally scale itself related to 
> the
> occupied pixels of the text due to the font? Or am I missing something?

Agh, unfortunately no. Some layout is hard-coded.

I wanted to fix it, but no time, and whole qubes manager is due to be
replaced anyway.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BMdZWuHx-kjtBNxu80qisV5UuHgExA_vZuyYZadR%2B7mg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-01 07:59, cubit wrote:
> 1. Dec 2016 13:43 by a...@qubes-os.org:
> 
>> we don't consider this to be a security risk of any kind due to the way dom0 
>> is isolated from domUs:
>>
> Does using older and potentially EOL  distros for Dom0 leave it with out 
> dated software that can be beneficial to users?  e.g. Updated XFCE will 
> always bring improvements for like with dual monitor setups and other fixes 
> better support for HiDPI monitoers.With out these it seem to me that it 
> means Qubes support gets relegated to older hardware with out fancy features.
> 
> Should user experience also be considered for major releases?
> 

Yes, but we simply don't have the workforce at this point. Higher priority 
tasks consume all available developer bandwidth.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYQJjFAAoJENtN07w5UDAweWIP/1uhEsizec0muw7ACQn6ku2z
ZM8WL9+xqTP7TKd+MYZes8PhkNyVTX7Wu3NHmhM4tTIZYdycMz76CutZG2W7buHU
S1WjgyQ1JdauITkRhN7L5kbvq8U81WqLI1KB522s6l/j4gsI/WX6D/QSE3O6pAl7
p+vL3itHzpDL7owPd9dDzMCPD4Bb1H9lYZc1Oy+Sx8vqyjBlAVpzM+fxZE6rGT+R
iNQZ7mnSA5PjqmFyVSGbPaIdiehfu8XG5PVNU/H5+unZ/9myCVOrLmUkdQCLxS1b
dSkFpVuTPFxFKngCP+VOuFKgO4vyGRgZA9f2lg7aE/hv7XIIxJb4XP5fKhkFvQvy
zOduWnYigZfHmBxoOWsmMQlVzQoE2WbI9TkopezQ0Q7ZFvI4KlIzlYdKHNLNKbvC
4awGSKe1RGbzvVRAD8qtPAplVy/ry9DqU4Ji5uU99z+O45KBHD0lvPAMQUbGawCY
Vn+NKqqizeBXEMuE14usEI6DBb0b2Bihf1nLMdkkK+yjFfPGbZWs6prGyG2Xl5MU
9/DG6FQJHTLbfzkIX5O47gPYl2759YU5Wt3pE33ILUgc4hBhn0n9k7cOJrCSWauO
imAbUoyC2veVPzUxNozrqrrBAeWOIBbgQHQ2tbNAjG+OSkWzNYir7Msik1nEdABH
nY4z2MgrD4f/eP+Eg6l3
=Y/eE
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e25557d5-b214-7432-5292-ed3986f8f622%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] TemplateVM Best-Practices?

2016-12-01 Thread Chris Laprise

On 12/01/2016 03:48 AM, Zrubi wrote:

On 11/30/2016 02:59 PM, Loren Rogers wrote:

Hi all,

Are there any recommended strategies for creating and managing
TemplateVMs for regular users?


I'm having those templates:
netVMs, Proxym Firewall, VPN: fedora minimal based
regular AppVMs: Fedora, stuffed with all the apps I ever needed.
Devel VMs : Fedora, with development focused things.
Work : Fedora with work related apps.

Still thinking of merging the Devel one with my regular template because
of the update overhead.


One precaution I usually follow is not putting development tools like 
compilers in systems that are meant for non-development use. If I were 
to merge any of those categories you listed, it would be Work and Regular.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ecaca031-8057-8f5a-f14e-c650ac0652d0%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: TemplateVM Best-Practices?

2016-12-01 Thread Chris Laprise

On 11/30/2016 07:02 PM, Loren Rogers wrote:

On 11/30/2016 09:14 AM, Daniel Moerner wrote:


On Wednesday, November 30, 2016 at 8:59:58 AM UTC-5, Loren Rogers wrote:

Hi all,

Are there any recommended strategies for creating and managing
TemplateVMs for regular users?

Speaking personally, I use four templates: (based on Debian 9)

base: For sys-*, vault, gpg, shopping, banking, etc.
office: Libreoffice, thunderbird extensions, latex. For work and 
personal VMs.

dev: Developer tools, compilers, etc. For dev VMs.
untrusted: Media software (vlc, etc.) as well as Chrome.

This lets me keep the individual templates to a more manageable size 
and prevents me from accidentally mixing up my workflow across VMs.


I would be open to using a more stripped-down base template but I'm 
not convinced it's worth it.
Thanks - it's really helpful to hear how others manage things. I'll 
give a similar setup a try.




There have been discussions about this over the years.

I don't think its wrong to add lots of software to a 'general appVM use' 
template as long as the new programs are not network-facing *services* 
(as opposed to network clients).


This touches on the Qubes idea that users should compartmentalize. 'How' 
we should do it is left to us to decide, however the default Qubes 
config including VMs for work, personal, etc. suggests we can 
comfortably segregate by role; We don't have to do it app-by-app they 
way some people suggest and that would drive a lot of people crazy. 
Implied in role-based compartmentalization is that each role will need a 
lot of common apps working in concert.


Exceptions to this routine may emerge out of necessity. For example, it 
generally isn't a good idea to add new software to Whonix templates. 
Some also feel that service VMs like sys-net and sys-firewall should be 
run with a minimal template without regular apps present... this makes 
them more like router installations and theoretically more secure.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/02c637e8-63b1-2d86-8300-52ebf0d6b580%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] PAM errors after disabling password-less root

2016-12-01 Thread Chris Laprise
Would it have anything to do with upgrading to kernel 4.8 (both dom0 and 
domU)?


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b28b48b4-c3bb-3ed0-0e84-4377ac1e85d3%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] PAM errors after disabling password-less root

2016-12-01 Thread Chris Laprise

On 11/30/2016 03:55 PM, Marek Marczykowski-Górecki wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Nov 30, 2016 at 02:44:17PM -0500, Chris Laprise wrote:

On 11/28/2016 05:27 PM, Patrick Schleizer wrote:

Probably related issues:
- https://github.com/QubesOS/qubes-doc/pull/176
- https://github.com/QubesOS/qubes-doc/pull/228

Which lead to some changes to https://www.qubes-os.org/doc/vm-sudo/
[which was reported to work now] (and the qubes-whonix package).

I may not work much on this issue however due to Qubes project policy,
explained in detail here:
https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132

Btw I almost missed this mail. As of now, best way to get my attention
btw is adding my e-mail address adrela...@riseup.net or adding Whonix to
the subject. Otherwise I cannot monitor / read all on this kinda high
traffic mailing list.

Cheers,
Patrick


I'm having one remaining issue after restricting root in the templates...

dom0 is logging tons of PAM 'audit' messages which makes the log very noisy.
I think the auth requests are originating from dom0. I'd like to find a way
to squelch them.

It's a "feature" of systemd-journald:
https://github.com/systemd/systemd/issues/959

In short: add "audit=0" to VM kernel command options, or run "auditd -s
disable". Personally I have "auditd -s disable" in /rw/config/rc.local
in some (most?) VMs.

- -- 


I added 'audit=0' to my domU kernelopts, but after restarting all VMs 
I'm still getting the same amount of audit lines in dmesg.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9d7236a3-2f07-6546-81b0-27b48b8c9807%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Powerpoint Presenter mode in Windows 7 HVM

2016-12-01 Thread Marc de Bruin
Lo,

I’m trying to get presenter mode working in a Windows 7 HVM. According to this, 
http://www.peterfillmore.com/2015/05/enabling-additional-screen-in-qubes-os.html
 
,
 it might be possible to virtually attach a second screen to a Windows 7 HVM 
with the Qubes Windows Tools installed.

I’m trying to copy his approach but ran into problems. First of all, after 
installing the Windows Tools, my Windows 7 HVM always seems to “full screen” 
itself in a maximized window. Is there a way to resize that window after the 
tools are installed? Second, when following his approach, the second screen 
seems to be there but cannot be seen. And, to my horror, starting the Windows 7 
HVM suggests that the cannot-be-seen second screen has become the primary 
output of that Windows 7 HVM. :-(  I had to restart the HVM in safe mode and 
disable the “Standard VGA Graphics Adapter” to get things normal again.

Could this nevertheless work? 

Greetz,
Marc.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/BD227CE2-11AC-48F8-9EFE-4615F3D4CBB6%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes and HiDPI

2016-12-01 Thread Marc de Bruin
Lo,

To start with, I’ve read https://github.com/QubesOS/qubes-issues/issues/1951 
. 

I got this new Dell XPS 15 9550 with a HiDPI screen (3840x2160). I’ve been 
trying to get it working the way I want: native resolution with readable text. 
Xfce provides a way to increase the system font to 192dpi; KDE has a scale 
factor to increase all fonts with a factor. Either way, the Qubes VM Manager 
doesn’t seem to scale it’s own “graphics” accordingly, is that correct? E.g., 
displaying the column with the IP-addresses results in it only displaying 
“10.137.”. The rest is cut of, because the width of the column doesn’t seem to 
get wide enough.

Is there a way to get around this? Doesn't the Qubes VM Manager “window” 
proportionally scale itself related to the occupied pixels of the text due to 
the font? Or am I missing something?

Greetz,
Marc.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2A7511E7-9382-465B-9B07-85DDCDDC4D68%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: [qubes-devel] Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-01 Thread Ilpo Järvinen
On Wed, 30 Nov 2016, Andrew David Wong wrote:

> Commercial editions of Qubes OS will be customized to meet special corporate
> requirements. For example, two features that might be particularly 
> attractive to corporate customers are (1) "locking down" dom0 in order 
> to separate the user and administrator roles 

I suppose this implies there is unlikely to be support for multi-user
environment for a shared computer any time soon except for commercial
users (e.g., within a family with one of the user effectively having
a sort of "administator role" and the other users would have less 
priviledges)?

If yes, are the core devs/maintainers going to actively oppose
inclusion of feature(s) which would make the multi-user case
easier/feasible if it is provided by somebody from community?
I suppose it could be seen overlapping functionality and
therefore rejected on technical grounds (or it might be even
thought to deincentivize from getting the commercial version).

I understand the economical realities, so please don't take this
as complaining of any sort, I'm just asking what is the expected
position here.


-- 
 i.


Re: [qubes-users] Massive performance improvement after disabling power management in the BIOS

2016-12-01 Thread kototamo

> Hi, might I ask what manufacturer/model your laptop is?

Lenovo X240.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8d0d85d6-b032-4db9-8f00-abe346bc6df9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-12-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:

> Hi Rusty Bird, and thanks for your help,
> 
> > Is the SINIT module working? Run the "find" command from step 2b of
> > /usr/share/doc/anti-evil-maid/README, but look at the lines for PCRs
> > 17, 18, and 19 instead: They should have very random-looking values.
> 
> Uh... Lines 17-19 are all FF

Well, the good news is we've definitely narrowed down the problem. :)

Are you sure you've successfully copied the *right* SINIT blob for your
system to /boot? (Intel's download page is... not great.)

Does "ls /boot/*SINIT*.BIN" - note the uppercase for both the name and
the extension) show exactly one file?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYQHjGXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfqDkP/ivq6Kwwug1Eo+Isr9nnoYDz
Yj530MuWQcsUqZ5L6Dgi62G22v/zlppuVHWG7QNVh+WC4HjGMAzHcqy1Wj16Wb75
QIgKkMTbNiLK/KBpKHLXBThbAd/yjawzOQZNLZLfyFpAby/po7x+EBOW/JkWbCVS
7NBat08DJ8MfRF2e+VWsTSRptSkrKpIX2RikVH4jPSFGjTWDpZMEcekVOK4HL1x0
RkSKqG5LZxIcxtfQ8nTfeV+n/UEDERudQgde66gtQNPEv0N93oxGjxsAudo+X3rA
CLzNw+ewFGxMTeETuRIy6r5AV4XHukNaSBCujizHUSQAIKDx41Ndong+wvKDxbGx
77jbnKoXCtBkHijylnvFlI5udI6xA1vfFLJxMWoXkV7zU5K1AyZkKaukPuZYcBVC
HK6mYZSZ3p5csrChh7O1oVB6J2g0Q+LmoKRPxeahvi6N8NxI0BIbjC4iE6ECS2oP
K0HmlFlP9rWwT5aCz8Wu0BHr5v8cQuP7QZEBu5GHwTvjwvmAUxVBB4fRAITBcfZe
3MndhZ6QTCgGKgbA7/19fswh5FBt/Pgf/P8oWQm/CqQTqbyi7awOrBIUbEX+7E2l
sIna69VuaNtadE1Mz3MOU7GpqOocQu4pyfvMRW6G7nSlbzM5qdUE3voXWn1TSKeC
SNL0Sfas1yJuuyYC7wYu
=VRW4
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201192350.GA2198%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 7:55 AM,   wrote:
> Also, What about the Tresor mod which saves your encryption key in the cpu? I 
> really like the idea of being able to prevent people frm extracting the key 
> from my ram.

IMO not worth it in practice. See "TRESOR-HUNT: Attacking CPU-Bound
Encryption" paper.

https://dl.acm.org/citation.cfm?id=2420961
https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program=view.php==237=4

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_DEA40E3BQpAMPpZcKDVP7ZdnHh-qujECNhhUmO%3DKjCfw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] qubes large volume inter-vm file copy fails

2016-12-01 Thread rohan kumbhar
Hi,

Context for said subject:
task : automation
src vm : work
target vm : win7-64
operation : file-copy
File-Copy src: /home/user/files
File-Copy target : /user/Documents/QubesIncoming/win7-64

the 2 vm's mentioned above are connected to different firewalls.
hence, there are 2 isolated networks.

work vm fetches *.* into the files folder using a python-script-1. the same 
script further issues qvm-copy-to-vm command on every file fetched to win7-64 
vm.

inside win7-64 vm another python-script-2 resides. it processes the received 
files.

Issue: 
  While python-script-1 dumps files, if python-script-2 accesses the 
File-Copy target, then python-script-1 in work vm starts displaying "connect: 
connection refused."

How to interpret whats wrong?
Is it that the qrexec-agent lost the handle to directory?
There was a race-condition?
Virtual channel closed? if yes, why?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/773980a3-959d-4287-9dbb-d9c89cbda5f7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Secure Fullscreen Mode in Qubes R3.2

2016-12-01 Thread tezeb
On Thu, 1 Dec 2016 08:38:48 -0800 (PST)
DJ Mischkonsum  wrote:

> Hey!
> I installed Qubes R3.2 which has XFCE by default (at least my
> installation does and I didn't see any possibility in the installer
> to use KDE instead). I'm trying to watch videos in fullscreen mode,
> which - as I found out here
> (https://www.qubes-os.org/doc/full-screen-mode/) - is disabled by
> default. Now the problems with fullscreen mode mentioned in the guide
> seem relevant to take into account, which is why I'd like to use the
> secure fullscreen mode also mentioned in the guide. Problem is, this
> is only detailed for KDE and not XFCE... does anyone know if
> something similar is possible in XFCE and how to do it?
> 
> Best regards
> 

Hey,

You can enable fullscreen the same way as described in qubes-os doc.
But the keyboard shortcut is different. By default it's Alt+F11.
You can also check/verify keyboard shortucts in:
System Menu(Qubes log on panel)->System Tools->Settings Manager, in
section Other click Settings->Editor. In the right-hand panel there is
xfce4-keyboard-shortcuts entry, which will show all(afaik) keyboard
shortcuts set in XFCE.

As a side note, enabling full-screen as described in
docs(https://www.qubes-os.org/doc/full-screen-mode/), is used for
allowing app running inside VM to request going fullscreen(ie.
fullscreen button on youtube video). You can use fullscreen keyboard
shortcut to fullscreen any app from any VM, even without this option
set.

Regards,
tezeb

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201181904.49f94c69%40outoftheblue.pl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Secure Fullscreen Mode in Qubes R3.2

2016-12-01 Thread DJ Mischkonsum
Hey!
I installed Qubes R3.2 which has XFCE by default (at least my installation does 
and I didn't see any possibility in the installer to use KDE instead). I'm 
trying to watch videos in fullscreen mode, which - as I found out here 
(https://www.qubes-os.org/doc/full-screen-mode/) - is disabled by default. Now 
the problems with fullscreen mode mentioned in the guide seem relevant to take 
into account, which is why I'd like to use the secure fullscreen mode also 
mentioned in the guide. Problem is, this is only detailed for KDE and not 
XFCE... does anyone know if something similar is possible in XFCE and how to do 
it?

Best regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/218557e2-ae76-4d29-a984-f5d6db7b06d5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: USB Scanner or Printer?

2016-12-01 Thread Franz
On Thu, Dec 1, 2016 at 11:58 AM, Loren Rogers 
wrote:

>
>
> On 12/01/2016 06:25 AM, Franz wrote:
>
>
>
> On Thu, Dec 1, 2016 at 12:47 AM,  wrote:
>
>> On Wednesday, November 30, 2016 at 7:02:19 PM UTC-5, Loren Rogers wrote:
>> > What's the recommended way to handle scanners and printers? It
>> >   sounds like I'll need to go through a USB Qube, but I
>> > don't trust the closed-source drivers to run alongside my USB
>> > keyboard.
>> >
>> > Will I need to assign a USB PCI device to a particular
>> >   printer-scanner Qube and have the others go through dom0?
>>
>> most use network printer i believe cause easier to print to.  Printer is
>> never considered secure or printing private.
>>
>>
> If you do not have a network printer you cann buy a printer server for a
> few dollars.
> best
> Fran
>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/ms
>> gid/qubes-users/2cd15b8a-89ca-4480-a904-f1c8913b6505%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
> Good point - I suppose it makes most sense to set up a print/scan server
> and just connect to it remotely.
>
> However, assuming I had some other USB device that required closed-source
> drivers, would my only option be to connect it to the USB Qube or dedicate
> a PCI USB device to a separate Qube?
>

Both. The second one may be safer because there is some separation at the
level of the usb controller. The first one uses the same USB controller for
different VMs and the use for USB devices other than block-devices is
somehow experimental.
Best
Fran

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCiTgELA1t-FY-Wy72vRZsbPYXny7Lb22TSKmr3c2ZMyg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread cubit
1. Dec 2016 13:43 by a...@qubes-os.org:

> we don't consider this to be a security risk of any kind due to the way dom0 
> is isolated from domUs:
>




Does using older and potentially EOL  distros for Dom0 leave it with out dated 
software that can be beneficial to users?  e.g. Updated XFCE will always bring 
improvements for like with dual monitor setups and other fixes better support 
for HiDPI monitoers.    With out these it seem to me that it means Qubes 
support gets relegated to older hardware with out fancy features.





Should user experience also be considered for major releases?










 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KXv6Fzh--3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-12-01 Thread Swâmi Petaramesh
Hi Rusty Bird, and thanks for your help,

Please see below.

> 
> Is the SINIT module working? Run the "find" command from step 2b of
> /usr/share/doc/anti-evil-maid/README, but look at the lines for PCRs
> 17, 18, and 19 instead: They should have very random-looking values.

Uh... Lines 17-19 are all FF

On my system :

PCR-00 to 07look random
PCR-08 to 12are all 00
PCR-13  looks random
PCR-14 to 16are all 00
PCR-17 to 22are all FF
PCR-23  are all 00

So the problem seems to be there... But I don't know what to do with
this (I know almost nothing about TPM...)


> Is AEM sealing to the right registers? If you run the command
> "source /etc/anti-evil-maid.conf; echo $SEAL" in dom0, it should print
> "--pcr 13 --pcr 17 --pcr 18 --pcr 19".

This is OK.

> Did the unsealed image somehow end up in the wrong place? The file
> /usr/share/plymouth/themes/qubes-dark/antievilmaid_secret.png should
> *not* exist in dom0.

This is OK as well.

Thanks again for your help.

ॐ

-- 
Swâmi Petaramesh  PGP 9076E32E

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/38dd6b76-3767-225b-de49-439e36eaea4f%40petaramesh.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature


[qubes-users] fedora-24-minimal and WiFi: Shows network, but does not connect

2016-12-01 Thread Robert Mittendorf
As mentioned here:
https://www.qubes-os.org/doc/templates/fedora-minimal/

I installed:
NetworkManager NetworkManager-wifi network-manager-applet wireless-tools
dbus-x11 dejavu-sans-fonts tinyproxy

to the minimal template to use it for a NetVM (WiFi)

The NetworkManager icon appears and lists available networks. If I
double-click in order to connect nothing happens. If I use fedora-24 or
fedora-23 template for the same VM, everything is fine.

Does somebody know which package is missing?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/38ae90c2-feed-0234-8d48-ae086a75b6fd%40digitrace.de.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: USB Scanner or Printer?

2016-12-01 Thread Loren Rogers



On 12/01/2016 06:25 AM, Franz wrote:



On Thu, Dec 1, 2016 at 12:47 AM, > wrote:


On Wednesday, November 30, 2016 at 7:02:19 PM UTC-5, Loren Rogers
wrote:
> What's the recommended way to handle scanners and printers? It
>   sounds like I'll need to go through a USB Qube, but I
> don't trust the closed-source drivers to run alongside
my USB
> keyboard.
>
> Will I need to assign a USB PCI device to a particular
>   printer-scanner Qube and have the others go through dom0?

most use network printer i believe cause easier to print to. 
Printer is never considered secure or printing private.



If you do not have a network printer you cann buy a printer server for 
a few dollars.

best
Fran

--
You received this message because you are subscribed to the Google
Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to qubes-users+unsubscr...@googlegroups.com
.
To post to this group, send email to qubes-users@googlegroups.com
.
To view this discussion on the web visit

https://groups.google.com/d/msgid/qubes-users/2cd15b8a-89ca-4480-a904-f1c8913b6505%40googlegroups.com

.
For more options, visit https://groups.google.com/d/optout
.


Good point - I suppose it makes most sense to set up a print/scan server 
and just connect to it remotely.


However, assuming I had some other USB device that required 
closed-source drivers, would my only option be to connect it to the USB 
Qube or dedicate a PCI USB device to a separate Qube?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ac7a17b-a666-41b0-a997-fe117bd1e5df%40lorentrogers.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread C. L. Martinez
On Thu  1.Dec'16 at 15:19:16 +0100, Marek Marczykowski-Górecki wrote:
> On Thu, Dec 01, 2016 at 02:06:16PM +, C. L. Martinez wrote:
> > On Thu  1.Dec'16 at 14:50:59 +0100, Marek Marczykowski-Górecki wrote:
> > > On Thu, Dec 01, 2016 at 04:26:38PM +0300, Eva Star wrote:
> > > > On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:
> > > > 
> > > > > > R4 Will be fedora-23 based for dom0 right?
> > > > > 
> > > > > This is the plan right now.
> > > > > 
> > > > 
> > > > Why plans always point to old fedora release? Fedora 25 already 
> > > > available.
> > > > Why Qubes dom0 planed to be at fedora-23? (two versions delay)
> > > 
> > > To not delay Qubes 4.0 any more than necessary. Switching to new Fedora
> > > release requires some work. And as Andrew pointed out, it isn't a
> > > problem for security. If anything at all, some hardware compatibility,
> > > but we will provide newer kernel at least.
> > > 
> > 
> > To avoid this type of situations, why not use an LTS distro (CentOS, 
> > Unbuntu ...) for dom0??
> 
> In most cases LTS distro does not solve hardware compatibility problem
> at all - you still get old drivers even if the release is still
> supported. The only difference is how long bug fixes (for this outdated
> software) are released.
> 
> So, generally it is good idea, but it will not solve this particular
> problem. This is why we have this ticket:
> https://github.com/QubesOS/qubes-issues/issues/1919
> See discussion there for details.
> 
Ok, understood ... But, IMO, CentOS (or any RHEL derived distro and RHEL) has a 
really good compatibility with old and new laptops (specially with thinkpads, 
acer aspire, etc.) and there is no problems with graphics drivers, nics, 
storage controllers, etc... I am using RHEL/CentOS/OL in all my laptops from 7 
years ago without problems (yes, all of them they was/are thinkpads T).

Anyway, we can wait to Qubes 4.0 to see how it goes ..

Many thanks for your answer Marek.

-- 
Greetings,
C. L. Martinez

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201144227.GB4688%40scotland.uxdom.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 02:06:16PM +, C. L. Martinez wrote:
> On Thu  1.Dec'16 at 14:50:59 +0100, Marek Marczykowski-Górecki wrote:
> > On Thu, Dec 01, 2016 at 04:26:38PM +0300, Eva Star wrote:
> > > On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:
> > > 
> > > > > R4 Will be fedora-23 based for dom0 right?
> > > > 
> > > > This is the plan right now.
> > > > 
> > > 
> > > Why plans always point to old fedora release? Fedora 25 already available.
> > > Why Qubes dom0 planed to be at fedora-23? (two versions delay)
> > 
> > To not delay Qubes 4.0 any more than necessary. Switching to new Fedora
> > release requires some work. And as Andrew pointed out, it isn't a
> > problem for security. If anything at all, some hardware compatibility,
> > but we will provide newer kernel at least.
> > 
> 
> To avoid this type of situations, why not use an LTS distro (CentOS, Unbuntu 
> ...) for dom0??

In most cases LTS distro does not solve hardware compatibility problem
at all - you still get old drivers even if the release is still
supported. The only difference is how long bug fixes (for this outdated
software) are released.

So, generally it is good idea, but it will not solve this particular
problem. This is why we have this ticket:
https://github.com/QubesOS/qubes-issues/issues/1919
See discussion there for details.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQDFmAAoJENuP0xzK19csFscH/iK3SGKwkvtVwub61z2Mxh7s
Mbz8IfQ3s2TAAvHjL8ejE+1LzJYKqC60q5pi67BYD3OPXijSrOajfpahWVxO7EPz
HRaOxhwKzkTtvC2ZMNfOmFAnA6DNrqGewx8YceFbjk0SJm++CmbApfplqVV++wXL
FJwQlB3Sy9jM9d8LC/63BPalon5WUaPkkxcnd/LKmXfq4YWv9UcqsKGGY1NXFm65
Zx7Hqx22yJcU8zxWfpXp4x2vsipISP2L/3LbyzpCGNsam6W2Wz48RBqrs6MIjoBT
/UYufRLGpdahxrqYMOZDx4QzLmRkQ2QDY2ybbdB8qmhEipM3j2/C4etY7IgXJXk=
=a2Ik
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201141916.GK1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread C. L. Martinez
On Thu  1.Dec'16 at 14:50:59 +0100, Marek Marczykowski-Górecki wrote:
> On Thu, Dec 01, 2016 at 04:26:38PM +0300, Eva Star wrote:
> > On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:
> > 
> > > > R4 Will be fedora-23 based for dom0 right?
> > > 
> > > This is the plan right now.
> > > 
> > 
> > Why plans always point to old fedora release? Fedora 25 already available.
> > Why Qubes dom0 planed to be at fedora-23? (two versions delay)
> 
> To not delay Qubes 4.0 any more than necessary. Switching to new Fedora
> release requires some work. And as Andrew pointed out, it isn't a
> problem for security. If anything at all, some hardware compatibility,
> but we will provide newer kernel at least.
> 

To avoid this type of situations, why not use an LTS distro (CentOS, Unbuntu 
...) for dom0??

-- 
Greetings,
C. L. Martinez

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201140616.GA4688%40scotland.uxdom.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 04:26:38PM +0300, Eva Star wrote:
> On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:
> 
> > > R4 Will be fedora-23 based for dom0 right?
> > 
> > This is the plan right now.
> > 
> 
> Why plans always point to old fedora release? Fedora 25 already available.
> Why Qubes dom0 planed to be at fedora-23? (two versions delay)

To not delay Qubes 4.0 any more than necessary. Switching to new Fedora
release requires some work. And as Andrew pointed out, it isn't a
problem for security. If anything at all, some hardware compatibility,
but we will provide newer kernel at least.

> And what is about fedora-25 template for AppVM? It will be available when
> fedora 25 will be released? Is this "one version" delay, because it take too
> much time to make new template or it's something security related, because
> new fedora can be unstable?

Actually I have Fedora 25 already built and relevant packages are
already uploaded (as some users already noticed). Just some final
testing.

> And where is https://github.com/QubesOS/qubes-roadmap ?

https://github.com/rootkovska/qubes-roadmap

> What is about plans for beta releases of Q4 ?

See my other message.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQCrFAAoJENuP0xzK19csRcIH/ilLGvAFrIN70sCTdyBSEzaI
WoMFZ6guB5UeZR/iE+QnRagRkyAAMwkLO8M4x/IoZO+HuqqmdHMouFG4HN+3xQg3
Kw+n7akLF0n6cMaoO4cKNLaRP0sXgWXG9rJk+6KjsLzWO0HlcEvpQT+uN+M+caum
RfvgsyHoi9uvyEigOKtEFOTeaQM5sWu6zBa0ouAZ+WdkJQZftlfQOTAbC4sEPFVp
3WxL59noPFEGANOe8o2Tyw62kOruw40EuXPC6p0nohvQhixm9E9Zuu5iS1l4P3gZ
vEAFVZtH5eoIB4XiiP+/qNOHvq5YZYW3wsGdaZ7WYRPCnvutBHTcbDUK+3cdqgE=
=0ZH5
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201135059.GJ1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Possible R3.1 incompatibility with Samsung T3 portable SSD

2016-12-01 Thread mjinthenet
On Saturday, April 23, 2016 at 8:22:35 PM UTC-4, Cory Nelson wrote:
> Hello,
> 
> I'm trying to install Qubes 3.1 to a 512GB Samsung T3 (external USB
> 3.1 SSD with UAS). May have identified an incompatibility.
> 
> Qubes errors out while creating partitions. Not the UI to reclaim or
> manually partition, but the step afterward when you finally start the
> install.
> 
> I've run a full test of the drive verifying no bad blocks and even
> installed Ubuntu on it to ensure it's in working order. I then tried
> to install Qubes to a 64GB thumb drive  on the same PC and it worked
> fine there.
> 
> -- 
> Cory Nelson
> http://int64.org

Cory,

In your original post about the Qubes 3.1 install, you indicate success 
installing ubuntu on the Samsung SSD T3.  How?  I have ubuntu installed on a 
Samsung 850 SSD, externally mounted and connected via USB, but I cannot get any 
of the ubuntu 16.04 installers (server or desktop) to see the Samsung T3. Get 
to the partition step and it comes back with no disks found.
Can you share the steps to get ubuntu on the T3?

Mark Jackson

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a3879c7f-bb22-4661-b31f-1150d6349b62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 04:55:46AM -0800, bentva...@cloudctrl.nl wrote:
> So, how should I configure my qubes-builder config file? Any chance you could 
> maybe upload the config file that you've set the parameters for so I can have 
> it build R4 build .iso ?

As I said, I'll write an update on this soon :)

If you really want it right now, here my builder.conf:
https://gist.github.com/marmarek/2e42558c3ad2c53b1e4bb49beb18c1a9

But I can't guarantee it will work out of the box.

> How long before hvm with pv stubs is implemented? Or is this one already in, 
> and only pvh2 missing? 

HW42 is working on updated stubdomain there, to have not-so-ancient qemu
inside. I think this is the only missing part, at least in theory.

> How long before gui management tools are ready? Are all the terminal 
> management tools working? If so, I dont care, I could use some practice with 
> the management commands in the terminal :). 

Yes, most (all?) qvm-tools are working.

> By the way, I have a pgp-card, (Nitrokey) that I would like to use for 
> security on my build. Any tips for how to best use one for solid full disk 
> encryption? What storage layout should I use on a SSD with full disk crypto, 
> for optimal security, and prefent evil maid attacks? I was wondering about if 
> it would be possible to encrypt the whole disk, including boot? Or save boot 
> on my nitrokey, and encrypt it, (grub encrypt) so thr usb gives the 
> bootloader, the encryption password, the authentication over pgp, and maybe 
> some more security certificates that are required for accessing the O.S.
> 
> The main thing I want to prevent is people tampering with my bootfiles to 
> have a keylogger or something installed,  or prevent people logging in using 
> a password obtained with a hidden camera. I want my (disk encryption) 
> security to be real 2 factor security requiring atleast my nitrokey, personal 
> password, and if possible maybe a third factor to be able yo log in to my 
> system, or even be able to unlock my filesystem. 
> 
> Also, 
> What about the Tresor mod which saves your encryption key in the cpu? I 
> really like the idea of being able to prevent people frm extracting the key 
> from my ram. Any other tips for security ? 
Those questions deserve separate thread(s), but generally the answer is:
nice ideas, but not easy to implement in practice.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQCmrAAoJENuP0xzK19cs/1AIAJrqs+uOvAaJkxZnefMMvpCS
cptkkN9xZmQ23w26hGgwfmcCjpyYzWeZSMRbAtuLRd8lZZ11WojmCgMHKY/9iQgO
X9SqEPgD/OjAZswQK4PdeYw4K19mk72XV7KSbvdi1lONbTaFclu8ydcdjGvCz4gR
7WDUW1nnCkCwx/FeFWZGz6rKl6K7W6HjSSc4mAfpa/KWuIbIcjhZwMK6XMq24Vef
5WL66yg+W14Yzedc8PomnoW/ElIhvlJsWnOvFQjW8BnErfoGkBbuV46QedJ5f8JC
43Uh04DiUx1MsWIDHRpuyT6hbxEuxiTUeEBahxSceg7BSJ3/XqO3lCsDVI+nf9Y=
=tAlB
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201134618.GV2130%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-12-01 05:26, Eva Star wrote:
> On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:
> 
>>> R4 Will be fedora-23 based for dom0 right?
>>
>> This is the plan right now.
>>
> 
> Why plans always point to old fedora release? Fedora 25 already available. 
> Why Qubes dom0 planed to be at fedora-23? (two versions delay)
> 

This doesn't answer the "why" question, but it's worth noting that dom0 has 
historically been based on older versions of Fedora, including EOL versions for 
periods of time. However, we don't consider this to be a security risk of any 
kind due to the way dom0 is isolated from domUs:

https://www.qubes-os.org/doc/supported-versions/#dom0

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYQCkOAAoJENtN07w5UDAw7yAQALRBb1BP3Y2BjKM8JEbkjpUL
yl7RbsLZwi21JQFw5TQFiIq4ZggkFpvQNFFAQDBShaPUfwVDVuTN53MC3eTJnFbj
AZ6C+vky/Xhem4K2Kgd/JKsXC4iTOntLJrqTBGRPH5R0c3VfsrsnN+Er7mSNxkps
Uf3Ekl8YxTDzTuG3jiuAhcxs5Zm771u3TR+fYzOO/IRl2zhuayQ7Xfu/R4x+u9ih
PKPJqperpKSVTB+go7inG4wH0UlNY67GsPDcme1n3OXdrfKgoRvHixBXyCXxedBC
4YA8q08YFLL0sdJKA2uMlYFpkcGJ1uzuEwJMtkf+eTUIinOa/Mz49qgyr//WivYz
GAa6ilUja15I7/B1f1qd73QCTQzWM0DFkvclpNceaqKF5UnHHmZ9mclPv9fXqAN2
d9V3uy/j8PyFhpE4E+dQKgovr/0lF1D5oBnMJs5W/BJOI8XO2+YcMHaTllQ2WyGI
JQvocnzeYA5BrwvdCgE5WZuhCOeldJM0M15Lk1LqfRyRaaj3iYt3auqlYc6dc4h4
/MkquV3ErTJwC8vcWY1D3N7w31kUzkTP8xBpYjtjntNqDsqZxrKxXf6IqrpqCPuJ
4tq97PzJtwx3G71ecBCR4qohYc5lWgt2WXrCGOsTQ1rXe+yHwVJkJ/rfI7CR3unY
tgQSAnjsFCsK2FuqvsHB
=KPMe
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/356da0e0-4aa6-db54-8923-c3182736ca83%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Eva Star

On 12/01/2016 02:47 PM, Marek Marczykowski-Górecki wrote:


R4 Will be fedora-23 based for dom0 right?


This is the plan right now.



Why plans always point to old fedora release? Fedora 25 already 
available. Why Qubes dom0 planed to be at fedora-23? (two versions delay)


And what is about fedora-25 template for AppVM? It will be available 
when fedora 25 will be released? Is this "one version" delay, because it 
take too much time to make new template or it's something security 
related, because new fedora can be unstable?


And where is https://github.com/QubesOS/qubes-roadmap ?
What is about plans for beta releases of Q4 ?

--
Regards

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6b0dbeeb-010b-6d9e-9180-46a43562ccf6%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1881b55b-8100-4d48-95d1-bdddbf515017%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/88621bae-902d-400c-88fa-9938a2c4475f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d89ef9d-2727-4b8a-8356-6025947b933b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c8997506-958d-48d3-a40d-30159b95884e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4534a5bb-ae72-4b89-83a7-bf8e0d636f8e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
So, how should I configure my qubes-builder config file? Any chance you could 
maybe upload the config file that you've set the parameters for so I can have 
it build R4 build .iso ?

How long before hvm with pv stubs is implemented? Or is this one already in, 
and only pvh2 missing? 

How long before gui management tools are ready? Are all the terminal management 
tools working? If so, I dont care, I could use some practice with the 
management commands in the terminal :). 

By the way, I have a pgp-card, (Nitrokey) that I would like to use for security 
on my build. Any tips for how to best use one for solid full disk encryption? 
What storage layout should I use on a SSD with full disk crypto, for optimal 
security, and prefent evil maid attacks? I was wondering about if it would be 
possible to encrypt the whole disk, including boot? Or save boot on my 
nitrokey, and encrypt it, (grub encrypt) so thr usb gives the bootloader, the 
encryption password, the authentication over pgp, and maybe some more security 
certificates that are required for accessing the O.S.

The main thing I want to prevent is people tampering with my bootfiles to have 
a keylogger or something installed,  or prevent people logging in using a 
password obtained with a hidden camera. I want my (disk encryption) security to 
be real 2 factor security requiring atleast my nitrokey, personal password, and 
if possible maybe a third factor to be able yo log in to my system, or even be 
able to unlock my filesystem. 

Also, 
What about the Tresor mod which saves your encryption key in the cpu? I really 
like the idea of being able to prevent people frm extracting the key from my 
ram. Any other tips for security ? 

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57fed018-370a-4724-aed5-0e791fea7354%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Dec 01, 2016 at 02:54:03AM -0800, bentva...@cloudctrl.nl wrote:
> Should I just download memmek's qubes-build? Or the normal one aswell? Or 
> just the normal one? 
> 
> Could someone give me a detailed explanation how I should build the most 
> recent R4.0 iso, with the most up to date dom0 and vm builds? 
> 
> R4 Will be fedora-23 based for dom0 right? 

This is the plan right now.

> Will I be able to use this build for day to day working in its current state? 
> Or is it still too early?

A bit too early. Basically there are two major features missing:
 - use HVM/PVHv2 instead of PV for everything
 - GUI tools (new manager)

Besides that, there is _a lot_ of minor issues. And actually those minor
issues (like: time synchronization does not work) are most annoying and
IMO blocking daily usage.

Anyway, I'll write soon some more elaborate status update on Qubes 4.0,
on qubes-devel mailing list.

> I would also like to know what choices have been made regarding pvhvm or 
> hvmlite as the main virtualization architecture? 

In the current state of PVH(v2 aka HVMlite) in Xen, we've chosen to wait a 
little
with this, and for Qubes 4.0 use HVM with (still PV based) stubdomains.
When PVHv2 support will be mature enough, we'll smoothly switch to it
later (as a configuration option first).

> Is the fedora build the most complete? Or would debian have any benefits over 
> fedora? 

Both are supported and both should work. I think the only place that may
have some impact on compatibility is "Update VM" (the VM for downloading
dom0 updates) - here having the same tool (dnf) as in dom0 (Fedora)
makes it more compatible - for example you can issue any action (search,
list, etc.) instead of just "download all updates" / "install specific
package".

> What parameters should I pick? Version r4.0.0, with dev. Testing or something 
> ? What about unstable vs security-testing? 

Currently no binary package is uploaded to yum/apt repository (this is
where security-testing, unstable, current-testing, current repositories
are) for Qubes 4.0.
As for the source code - in most repositories "master" branch already
contains Qubes 4.0 code. There are few (but important!) exceptions,
where "core3-devel" branch should be used. We're working right now on
moving remaining code to "master" branch.

> Hope someone can explain how I can build myself a good r4.0 iso.


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYQA3gAAoJENuP0xzK19csBxAH/iTdN8K16EBuFnzqU3w+p8+j
38NmFkD8i/tjGAqtErQaCOpC3m9Pvy6TS7ZSSDJHOxuFtLngRix+Mm8dRHIpAk86
lKDEFV56r+BPO/iyLpPnCHGEPHtiszIfQHZe83WGdx84oCTKAuQ8TyIsCglFvPdi
YujuUE5xL0CtffBLxSGjK6lheE48ECuFes11ucO3wtyyvzocuJ+A3SZKtZUNhQPQ
H9RVpmPsdh7yopCSWWawEEdgfG6a8eyMpyvKy40qquYe8tMrg0NvRIjWrBte9gwU
8BK4kFCuBrPO0KmCq4gtiYKCKlP1zSI1N9ehnACKxG/489qafdrtVrorwGi10FA=
=XNj0
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201114743.GF1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: USB Scanner or Printer?

2016-12-01 Thread Franz
On Thu, Dec 1, 2016 at 12:47 AM,  wrote:

> On Wednesday, November 30, 2016 at 7:02:19 PM UTC-5, Loren Rogers wrote:
> > What's the recommended way to handle scanners and printers? It
> >   sounds like I'll need to go through a USB Qube, but I
> > don't trust the closed-source drivers to run alongside my USB
> > keyboard.
> >
> > Will I need to assign a USB PCI device to a particular
> >   printer-scanner Qube and have the others go through dom0?
>
> most use network printer i believe cause easier to print to.  Printer is
> never considered secure or printing private.
>
>
If you do not have a network printer you cann buy a printer server for a
few dollars.
best
Fran

> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/2cd15b8a-89ca-4480-a904-f1c8913b6505%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCXBqxC1Dz_Qdkt6vb0AwNrXK4KiTY_Giv6LcHepUAN5w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread bentvader
Should I just download memmek's qubes-build? Or the normal one aswell? Or just 
the normal one? 

Could someone give me a detailed explanation how I should build the most recent 
R4.0 iso, with the most up to date dom0 and vm builds? 

R4 Will be fedora-23 based for dom0 right? Will I be able to use this build for 
day to day working in its current state? Or is it still too early?

I would also like to know what choices have been made regarding pvhvm or 
hvmlite as the main virtualization architecture? 

Is the fedora build the most complete? Or would debian have any benefits over 
fedora? 

What parameters should I pick? Version r4.0.0, with dev. Testing or something ? 
What about unstable vs security-testing? 

Hope someone can explain how I can build myself a good r4.0 iso.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6dca7cc0-7aca-45ea-ad37-f795f7817965%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [3.2, bugs] Xen 4.6.3 seems failed

2016-12-01 Thread Eva Star

On 12/01/2016 12:14 AM, Marek Marczykowski-Górecki wrote:


Thanks for help and for the way/info/ point to start from.



--
Regards

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f71a2692-d51b-b64e-f9ec-e1dc0550cb9f%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Templates: can a template be replaced by another with the same name?

2016-12-01 Thread Leeteqxv
I have a relatively newly cloned template of fedora23 used by only one 
or two AppVMs, but never really gotten any special customisations.


Meanwhile, I have done some updates/additional software installs in the 
main fedora23 template, so if I want to save time I hope I can just 
clone it again without having to update the existing clone? Can I do it 
like this..:


1. delete the cloned template.

2. clone fedora23 again onto a new clone using EXACTLY the same name as 
the first clone that was deleted in step 1.


Question:

- the existing AppVMs that are already based on a template with that 
name, will they now just continue to work against the new clone, or is 
there anything else than the template NAME that affects the link between 
AppVMs and their templates?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7d34bb73-2573-dace-b8e4-224297e65328%40leeteq.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] TemplateVM Best-Practices?

2016-12-01 Thread Zrubi
On 11/30/2016 02:59 PM, Loren Rogers wrote:
> Hi all,
> 
> Are there any recommended strategies for creating and managing
> TemplateVMs for regular users?
> 

I'm having those templates:
netVMs, Proxym Firewall, VPN: fedora minimal based
regular AppVMs: Fedora, stuffed with all the apps I ever needed.
Devel VMs : Fedora, with development focused things.
Work : Fedora with work related apps.

Still thinking of merging the Devel one with my regular template because
of the update overhead.


-- 
Zrubi

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e05ce082-80a0-e49a-0198-38a6092bdfd4%40zrubi.hu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature