Re: [qubes-users] Disposable VMs

2017-02-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-05 14:23, Unman wrote:
> On Sun, Feb 05, 2017 at 04:38:09AM -0800, Andrew David Wong wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
>> 
>> On 2017-02-04 12:59, Unman wrote:
>>> On Sat, Feb 04, 2017 at 07:02:57PM +0100, john.david.r.smith 
>>> wrote:
>>>> On 04/02/17 18:42, Loren Rogers wrote:
>>>>> Hi all,
>>>>> 
>>>>> I'm confused about running disposable VMs - if I open a
>>>>> browser or file viewer, then want to open a terminal for
>>>>> the same VM, how could I do this? (E.g. I want to view an
>>>>> untrusted file, then make some edits.)
>>>> right click the dispvm in the qubes manager. select run
>>>> command. enter xterm or whatever you want to run
>>>> 
>>>> or use (in dom0) qvm-run DISPVM_NAME xterm
>>>>> 
>>>>> Is there a way to configure the default disposable VM in
>>>>> the Qubes menu? I see that disposable VMs can be configured
>>>>> for individual domains, but I can't find where the generic
>>>>> one is.
>>>>> 
>> 
>> Yes, you can customize the default DispVM by following these
>> instructions:
>> 
>> https://www.qubes-os.org/doc/dispvm-customization/
>> 
>>>>> Also, is it possible to specify a different template for
>>>>> disposable machines? Say I'm running something based on
>>>>> the default fedora-23, and I want to open a document from
>>>>> my work VM, which uses that template. But I want to open it
>>>>> with my fedora-23-custom template as a disposable VM. (E.g.
>>>>> running a video in VLC that has untrustworthy components.)
>>>>> Is this doable?
>>>> 
>>>> currently you can only have one dispvm. if you want, you can
>>>> set the template as default for dispvms
>>>> (qvm-create-default-dvm)
>>>> 
>>>> -john
>>> 
>>> Loren,
>>> 
>>> You can't configure disposable VMs for individual qubes - what
>>> you can do is change the netVM which will apply if you start a 
>>> disposableVM from that qube. The dispVM that will be started
>>> is determined by the default dvm, and this is set by 
>>> qvm-create-default-dvm.
>>> 
>>> As John said, you can only have one default dvm, but it's
>>> trivial to work around this with a small script.
>> 
>> Care to share that script, unman?
>> 
>>> It's possible to do this because qvm-create-default-dvm does
>>> NOT remove the files for old dvms. You can see this if you
>>> generate a new default-dvm, and then look in
>>> /var/lib/qubes/appvms. So if you generate a number of different
>>> dvms based on different templates, it's simple to switch
>>> between them before launching a new dispVM. The launch time
>>> isn't noticeably different from starting up a new dispVM, and
>>> voila - multiple template disposable VMs on the cheap.
>>> 
>> 
>> How do you easily switch between the different DVM templates?
>> 
>>> I do this without any apparent ill effects, but it certainly
>>> isn't part of the canon.
>>> 
>>> unman
>>> 
>> 
> 
> I've attached the script. It's trivial.
> 
> First generate assorted dvms using qvm-create-default-dvm and
> customize them as you will. (Strictly this isn't necessary but you
> may as well get your dvm just the way you want it.)
> 
> Then just run the script: "./switch_dvm debian-8 xterm" will load a
> dvm based on the debian-8 template and run xterm in a new dispVM
> derived from that dvm. The debian-8-dvm will be the default from
> then on, but you can easily switch to another: "./switch_dvm
> xenial-desktop " If you haven't generated a dvm already, then the
> script calls 'qvm-create-default-dvm' for you.
> 
> Because you can set dvms with different netvms, and alternate Qubes
> networking paths, it's possible to trigger dispVMs using different
> torVMs/ VPNs through different NICs, in the same time it takes to
> load a dispVM ordinarily. I have a number of keyboard shortcuts to
> call it with different parameters, to do exactly this.
> 
> It should be obvious that because you are using the saved dvm, you
> won't see any changes you make in the template until you trigger an
> updated saved dvm.
> 
> There's all sorts of stuff wrong with it, but it's a quick hack and
> it works fine (for me). Try it at your own risk.
> 
> unman
> 

Very interesting! Thanks, unman!

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

[qubes-users] Re: Fedora-minimal Based netVM Not Working

2017-02-05 Thread Tim W
On Sunday, February 5, 2017 at 9:21:05 PM UTC-5, jimmy@gmail.com wrote:
> I have a netVM that works fine with a regular Fedora template but not 
> Fedora-minimal. I've tried both Fedora-23-minimal and Fedora-24-minimal but 
> neither seems to work.
> 
> The icon for networking does appear on the panel but Wi-Fi is not on it and 
> there is no option to enable it. So it seems like I'm part-way there but 
> something isn't right when it comes to wireless specifically--though I'm new 
> to both Qubes and Linux, so I could be very wrong about that.
> 
> Taking into account the known issue with installing software in 
> Fedora-24-minimal (GitHub Issue #2606), I've taken care to manually install 
> the recommended packages, specifying version number. I've then verified that 
> the library has no newer version of each package, so I know they are all in 
> place and up to date. Same for 23-minimal.
> 
> Still, neither works thus far.
> 
> Fedora-minimal seems like a nicely economical way to go, so I would really 
> like to get it working. Any and all help would be much appreciated! :-)



It might help if you posted up a list of all the packages you installed to the 
minimal template for NetVM support.

Here is a list for both FW and Net that Rudd-O posted up in a thread for me 
when I asked what was needed for net and fw temp using Fedora-minimal:

- tar
- qubes-tor-repo
- qubes-tor
- dconf
- NetworkManager
- NetworkManager-wifi
- network-manager-applet
- linux-firmware
- dbus-x11
- gnome-keyring
- wireless-tools
- wpa_supplicant
- iwl7260-firmware
- tinyproxy
- which
- pciutils
- usbutils


Vít Šesták mentioned doing a net and fw Fed-min and it worked.  He also 
mentioned installing "haveged" utility program as well.  He stated having issue 
with net-card firmware as it seemed to need different firmware than the full 
version for some reason.  He found it via a complaint in a log.

The thread it was all in I was able to just find again so here is the link:

Unikernels and Qubes

Scroll down almost to the end and look for the last time Vít Šesták posted.  
It's one of the last couple posts on 1/4/16.  That is where it starts about the 
fedora minimal between him, myself and Manuel/Rudd-O.   Maybe that might be of 
some help.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/06bae092-1646-4eae-a695-d78706bdafcd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Fedora-minimal Based netVM Not Working

2017-02-05 Thread jimmy . dack . 68
I have a netVM that works fine with a regular Fedora template but not 
Fedora-minimal. I've tried both Fedora-23-minimal and Fedora-24-minimal but 
neither seems to work.

The icon for networking does appear on the panel but Wi-Fi is not on it and 
there is no option to enable it. So it seems like I'm part-way there but 
something isn't right when it comes to wireless specifically--though I'm new to 
both Qubes and Linux, so I could be very wrong about that.

Taking into account the known issue with installing software in 
Fedora-24-minimal (GitHub Issue #2606), I've taken care to manually install the 
recommended packages, specifying version number. I've then verified that the 
library has no newer version of each package, so I know they are all in place 
and up to date. Same for 23-minimal.

Still, neither works thus far.

Fedora-minimal seems like a nicely economical way to go, so I would really like 
to get it working. Any and all help would be much appreciated! :-)



Re: [qubes-users] Re: off topic - invite codes to 'riseup'

2017-02-05 Thread Jeremy Rand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

kamaliko...@gmail.com:
> need invite code for riseup.net email account pls help me

Aside from the fact that Riseup is probably compromised for months,
it's very bothersome seeing these spammy requests on a public mailing
list.  Please stop sending them; they have nothing to do with Qubes.
There are other email hosts that don't demand invite codes; you can
use one of them.

- -Jeremy Rand


Re: [qubes-users] AttributeError: 'Qstring' from qubes-manager updated to 3.2.7-1

2017-02-05 Thread Strak8
> Until this is fixed, you can always downgrade to the previous version.
> 'dnf downgrade qubes-manager-3.2.6' would do it, I think.
> 
> Or you could download the package from yum.qubes-os.org, and install it
> using 'dnf downgrade blah.rpm'


Thanks Unman, I downloaded manually from your link and now it works again.
dnf downgrade did not find the package, I do not know why.
The important thing is that it works now.

I will leave the discussion open for a short time; maybe someone will tell us 
how to fix this error in the latest version.

Thanks again.



Re: [qubes-users] Kernel 4.9 in Qubes

2017-02-05 Thread Holger Levsen
On Mon, Dec 12, 2016 at 10:25:01PM +0100, Marek Marczykowski-Górecki wrote:
> > Kernel 4.9 has just been released
> > How much work is it to port Qubes specific code to a new kernel?
> Probably not much, as we already have it ported to 4.8. But on the other
> hand, there are a lot of changes, so some time will be needed for
> updating build config, and testing. Also, in practice, I'd wait for
> 4.9.2 or so for things to stabilize.

any news on a 4.9 kernel for Qubes? I'm seeing rather frequent "deep sleep
suspends" where this machine wouldn't wake up(!) after suspend and I'm having
light hopes this might be fixed with a newer kernel…

(unfortunately I don't have high hopes as I haven't seen such "deep sleep
issues" using 4.8 (non-xen) kernels from Debian…)


-- 
cheers,
Holger



Re: [qubes-users] "Backup VMs" does not backup salt configuration

2017-02-05 Thread john.david.r.smith

On 05/02/17 23:59, john.david.r.smith wrote:

On 05/02/17 00:06, Oleg Artemiev wrote:

Hi.

On Wed, Feb 1, 2017 at 11:56 PM, john.david.r.smith
 wrote:

On 01/02/17 21:30, qu...@posteo.de wrote:

I have now nearly a complete salt configuration for all my templates so I
do not need to backup them anymore and save a lot of space by this.

So I have run a backup including dom0 and realized that the salt
configuration ("/srv/salt") does not seem to be included because it is much
bigger than the MB listed for dom0.

Is there a way to back it up right now with this method or do I manually
have to copy everything outside of dom0?

Thx in advance



i put my files in ~/salt and symlinked them to /srv/salt
then backups should work


Could you point to source for more information on your work?

Backups work slow (disk/network bottlenecks) & I'm also interested to
backup less.


i started to extend the salt documentation and just added a pull request.
you can find my repo of the doc here:

https://github.com/john-david-r-smith/qubes-doc/blob/salt-doc/configuration/salt.md


here the correct link (i failed to push on my branch...):
https://github.com/john-david-r-smith/qubes-doc/blob/master/configuration/salt.md



Re: [qubes-users] "Backup VMs" does not backup salt configuration

2017-02-05 Thread john.david.r.smith

On 05/02/17 00:06, Oleg Artemiev wrote:

Hi.

On Wed, Feb 1, 2017 at 11:56 PM, john.david.r.smith
 wrote:

On 01/02/17 21:30, qu...@posteo.de wrote:

I have now nearly a complete salt configuration for all my templates so I
do not need to backup them anymore and save a lot of space by this.

So I have run a backup including dom0 and realized that the salt
configuration ("/srv/salt") does not seem to be included because it is much
bigger than the MB listed for dom0.

Is there a way to back it up right now with this method or do I manually
have to copy everything outside of dom0?

Thx in advance



i put my files in ~/salt and symlinked them to /srv/salt
then backups should work


Could you point to source for more information on your work?

Backups work slow (disk/network bottlenecks) & I'm also interested to
backup less.


i started to extend the salt documentation and just added a pull request.
you can find my repo of the doc here:

https://github.com/john-david-r-smith/qubes-doc/blob/salt-doc/configuration/salt.md



Re: [qubes-users] AttributeError: 'Qstring' from qubes-manager updated to 3.2.7-1

2017-02-05 Thread Unman
On Sun, Feb 05, 2017 at 08:21:52AM -0800, Strak8 wrote:
> Hello guys,
> after the qubes-manager update to 3.2.7-1 I get an error that prevents me 
> from access to configure the VM's. I tried to do a downgrade of the package 
> at 3.2.6-1 but it tells me that I have the first version and can not install 
> the previous one. Now I admit my stupidity and a nice quota of bad luck, but 
> I think that the previous version of qubes-manager has been cleared by the 
> new installation.
> 
> I had just finished installing Windows 10 and was looking for how to set a 
> resolution of 1366x768 that is not present, before trying anxiously to 
> install the secondary video adapter with PCI passthrough. But apparently I'm 
> unable to.
> 
> This is error:
> 
> AttributeError: 'Qstring' object has no attribute ' format'
> 
> 
> line: self.setWindowTitle(self.tr("Settings: {vm}").format(vm=self.vm.name))
> func: __init__
> line no.: 57
> file: /usr/lib64/python2.7/site-packages/qubesmanager/settings.py
> 
> line: "basic")
> func: action_settings_triggered
> line no.: 1384
> file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py
> 
> 
> Thanks for your patience

Until this is fixed, you can always downgrade to the previous version.
'dnf downgrade qubes-manager-3.2.6' would do it, I think.

Or you could download the package from yum.qubes-os.org, and install it
using 'dnf downgrade blah.rpm'
 



Re: [qubes-users] Disposable VMs

2017-02-05 Thread Unman
On Sun, Feb 05, 2017 at 04:38:09AM -0800, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2017-02-04 12:59, Unman wrote:
> > On Sat, Feb 04, 2017 at 07:02:57PM +0100, john.david.r.smith
> > wrote:
> >> On 04/02/17 18:42, Loren Rogers wrote:
> >>> Hi all,
> >>> 
> >>> I'm confused about running disposable VMs - if I open a browser
> >>> or file viewer, then want to open a terminal for the same VM,
> >>> how could I do this? (E.g. I want to view an untrusted file,
> >>> then make some edits.)
> >> right click the dispvm in the qubes manager. select run command. 
> >> enter xterm or whatever you want to run
> >> 
> >> or use (in dom0) qvm-run DISPVM_NAME xterm
> >>> 
> >>> Is there a way to configure the default disposable VM in the
> >>> Qubes menu? I see that disposable VMs can be configured for
> >>> individual domains, but I can't find where the generic one is.
> >>> 
> 
> Yes, you can customize the default DispVM by following
> these instructions:
> 
> https://www.qubes-os.org/doc/dispvm-customization/
> 
> >>> Also, is it possible to specify a different template for
> >>> disposable machines? Say I'm running something based on the
> >>> default fedora-23, and I want to open a document from my work
> >>> VM, which uses that template. But I want to open it with my
> >>> fedora-23-custom template as a disposable VM. (E.g. running a
> >>> video in VLC that has untrustworthy components.) Is this
> >>> doable?
> >> 
> >> currently you can only have one dispvm. if you want, you can set
> >> the template as default for dispvms (qvm-create-default-dvm)
> >> 
> >> -john
> > 
> > Loren,
> > 
> > You can't configure disposable VMs for individual qubes - what you
> > can do is change the netVM which will apply if you start a
> > disposableVM from that qube. The dispVM that will be started is
> > determined by the default dvm, and this is set by
> > qvm-create-default-dvm.
> > 
> > As John said, you can only have one default dvm, but it's trivial
> > to work around this with a small script.
> 
> Care to share that script, unman?
> 
> > It's possible to do this because qvm-create-default-dvm does NOT
> > remove the files for old dvms. You can see this if you generate a
> > new default-dvm, and then look in /var/lib/qubes/appvms. So if you
> > generate a number of different dvms based on different templates,
> > it's simple to switch between them before launching a new dispVM.
> > The launch time isn't noticeably different from starting up a new
> > dispVM, and voila - multiple template disposable VMs on the cheap.
> > 
> 
> How do you easily switch between the different DVM templates?
> 
> > I do this without any apparent ill effects, but it certainly isn't
> > part of the canon.
> > 
> > unman
> > 
> 

I've attached the script. It's trivial.

First generate assorted dvms using qvm-create-default-dvm and customize
them as you will. (Strictly this isn't necessary but you may as well get
your dvm just the way you want it.)

Then just run the script:
"./switch_dvm debian-8 xterm" will load a dvm based on the debian-8 template
and run xterm in a new dispVM derived from that dvm.
The debian-8-dvm will be the default from then on, but you can easily
switch to another: "./switch_dvm xenial-desktop "
If you haven't generated a dvm already, then the script calls
'qvm-create-default-dvm' for you.

Because you can set dvms with different netvms, and alternate
Qubes networking paths, it's possible to trigger dispVMs using
different torVMs/ VPNs through different NICs, in the same time it takes
to load a dispVM ordinarily.
I have a number of keyboard shortcuts to call it with different
parameters, to do exactly this. 

It should be obvious that because you are using the saved dvm, you won't
see any changes you make in the template until you trigger an updated
saved dvm.

There's all sorts of stuff wrong with it, but it's a quick hack and it
works fine (for me). Try it at your own risk.

unman

#!/bin/sh
# switch_dvm: make the saved dvm for a template the default, then start a dispVM.
if [ $# -eq 0 ] || [ $# -gt 2 ] ; then
    echo 'Usage: switch_dvm templatename [command]'
    exit 1
fi
TEMPLATENAME=$1
DVMTMPL="$TEMPLATENAME"-dvm
DVMTMPLDIR="/var/lib/qubes/appvms/$DVMTMPL"
ROOT=/var/lib/qubes/dvmdata/savefile-root
DEFAULT=/var/lib/qubes/dvmdata/default-savefile
CURRENT=/var/run/qubes/current-savefile
SHMDIR=/dev/shm/qubes
SHMCOPY=$SHMDIR/current-savefile
# A dvm directory for this template already exists: repoint the savefile links at it.
if [ -d "$DVMTMPLDIR" ] ; then
    rm -f "$ROOT" "$DEFAULT" "$CURRENT"
    ln -s "$DVMTMPLDIR/dvm-savefile" "$DEFAULT"
    ln -s 
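
A read-only check to go with the switching approach described in the message above, as an added example that is not part of unman's attached script: it lists the saved dvms under the appvms directory and reports which one default-savefile currently points at, so a caller can confirm the default before opening something in a dispVM. The function names and the APPVMS_DIR / DVMDATA_DIR override variables are assumptions made for this example; the default paths are the ones the script uses.

```shell
#!/bin/sh
# Added example, not unman's script. Paths default to the ones used in
# switch_dvm; both are overridable (assumed variable names) so the
# functions can be pointed at a constructed test tree.
APPVMS_DIR=${APPVMS_DIR:-/var/lib/qubes/appvms}
DVMDATA_DIR=${DVMDATA_DIR:-/var/lib/qubes/dvmdata}

# Print the template names that have a saved dvm, one per line.
# A saved dvm is a <template>-dvm directory containing dvm-savefile.
list_saved_dvms() {
    for d in "$APPVMS_DIR"/*-dvm; do
        [ -f "$d/dvm-savefile" ] || continue
        name=${d##*/}
        printf '%s\n' "${name%-dvm}"
    done
}

# Print the template name behind default-savefile.
# Returns 1 if the link is missing, 2 if it dangles, 3 if it points
# somewhere other than <APPVMS_DIR>/<template>-dvm/dvm-savefile.
# Assumes an absolute link target, which is what switch_dvm creates.
current_dvm_template() {
    link="$DVMDATA_DIR/default-savefile"
    [ -L "$link" ] || { echo "default-savefile is not a symlink" >&2; return 1; }
    target=$(readlink "$link")
    [ -f "$target" ] || { echo "dangling link: $target" >&2; return 2; }
    case "$target" in
        "$APPVMS_DIR"/*-dvm/dvm-savefile) ;;
        *) echo "unexpected target: $target" >&2; return 3 ;;
    esac
    dir=${target%/dvm-savefile}
    name=${dir##*/}
    printf '%s\n' "${name%-dvm}"
}

# Succeed only when the default dvm is based on the expected template.
# Because the last switch stays in effect ("will be the default from
# then on"), this is the guard to run before a later dispVM launch.
default_dvm_is() {
    [ "$(current_dvm_template 2>/dev/null)" = "$1" ]
}
```

In dom0, `default_dvm_is debian-8 || echo "default dvm is $(current_dvm_template)"` shows when an earlier switch is still in effect.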

[qubes-users] Debian template - Issues updating to 9

2017-02-05 Thread adonis28850
Hi guys,

I'm having issues updating to Debian 9.

I've followed the official docs, which basically tell you to:

- Update current Debian 8 template
- Clone it
- Change repos in clone and then do a dist-upgrade

At this point is when I keep getting the same error:

***
E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
***

It doesn't seem to be able to connect to the ProxyVM for some reason, but it is 
super weird, as the Debian 8 template updates without any issue, and I've just 
cloned it!!

I have sys-fw as my UpdateVM, and as I said, the Debian 8 template updates, 
plus I've upgraded the Fedora 23 template to 24 without trouble.

Any ideas?.



Re: [qubes-users] Can somebody explain me how install flux on Qubes OS 3.2 in a fedora Template ?

2017-02-05 Thread codeur4life
On Saturday, 4 February 2017 20:24:36 UTC+1, Chris Laprise wrote:
> On 02/04/2017 08:08 AM, codeur4l...@gmail.com wrote:
> > On Friday, 3 February 2017 19:08:54 UTC+1, Chris Laprise wrote:
> >> On 02/03/2017 05:52 AM, codeur4l...@gmail.com wrote:
> >>> Can somebody explain me the procedure for installing f.lux or fluxgui on 
> >>> Qubes OS 3.2 in a fedora Template ?
> >>>
> >> You could install redshift in dom0 instead.
> >>
> >> Chris
> > Ok this is this http://jonls.dk/redshift/
> > What should I do for installing this in dom0 ?
> > open dom0 console and execute  sudo yum install redshift ?
> 
> $ sudo qubes-dom0-update redshift
> 
> Here is the doc for updates/installs: 
> https://www.qubes-os.org/doc/software-update-dom0/
> 
> There are two GUIs for redshift that you can also add:
> plasma-applet-redshift-control (KDE)
> redshift-gtk (Xfce)
> 
> Chris

Works fine.
redshift-gtk does not work, seems to have a problem with geoclue.
But it works with redshift -O 4000 -g 0.9
Thank you



Re: [qubes-users] Thunderbolt, dockingstations, DMA and security

2017-02-05 Thread taii...@gmx.com

On 02/05/2017 07:30 AM, Stickstoff wrote:


> Hello everybody,
>
> I have been thinking about the risks involved using different kinds of
> dock or dockingstation.
>
> [I'll recap what I think I found out about the docking situation, skip
> if you know how docks, usb type c and DMA works]
>
> Most business notebooks have proprietary docking connectors, like the
> traditional connector on the underside of notebooks or the big connector
> on the sides of some newer, thinner notebooks.
> These seem to be just "breakout connectors", like routing the signals of
> an internal usb or display adapter to the outside. Nothing with DMA
> seems to be on the outer side of the notebook. I checked on a Lenovo
> machine with an "onelink" connector, and couldn't see any new pci devices.
>
> Now more and more notebooks come with a usb type c connector as an
> universal connector. This by itself only defines the physical connector,
> not the protocol used. There are two kinds: usb 3 and thunderbolt. Both
> protocols allow alternate modes, where some pins of the cable are used
> for power, video or other signals.
> The first case, with usb 3, could be a monitor which connects to the
> notebook with that one usb type c cable, receives usb & video & audio
> from the notebook and charges it simultaneously.
> With thunderbolt all of this is possible too, in addition you have two
> pcie lanes. With this, you could theoretically connect any device,
> including desktop graphics adapters for example.
> Also, pcie has DMA, direct memory access, where a device can
> "physically" read and write the entire memory, on a level below regular
> operating system or cpu intervention.
> This, of course, is a huge and nasty security risk.
> Attacks via DMA were demonstrated via firewire for example, where a
> firewire device plugs in, reads the memory, and extracts encryption
> passwords right away. Potentially completely unnoticed too. Thank you,
> invisible things lab, for your spearhead work on this topic.
>
> [/recap]
>
> Regular dockingstations don't seem to be a huge security problem,
> besides the old "I trust my usb-vm with all keystrokes".
> Any pcie or other DMA bus reachable from outside has huge security
> problems though.
>
> - Can DMA be tamed completely? Wikipedia [1] suggests IOMMU can limit
> DMA. As I understand it, Qubes currently does not protect against a
> malicious DMA device?

The linux kernel *should* properly activate the iommu and protect you, 
unless you are using drivers or firmware attached to that device.

> - Can an entire PCI bridge, which has thunderbolt or an express card or
> any other DMA connector-to-the-outside be assigned to a VM, even with no
> device connected yet? At least 2012 it didn't seem possible [2] at all.
> More recently, trials with thunderbolt were done [3]. As I read it,
> thunderbolt itself works, USB makes more problems with assigning. DMA
> wasn't scope on that thread.

The idea isn't assigning the bridge, it is assigning all the devices 
behind it.
Although I assume you could theoretically assign a bridge device itself 
to a VM, no idea if that currently works though.

> - Can PCI bridges be deactivated/reactivated on-the-fly? Like, asking
> for confirmation when a device is connected, or deactivating the bridge
> when the screen is locked?

Software dependent, you would need a team of computer engineers to pull 
this off (I know some reputable ones if you have extra cash, probably 
would be around 5-10K to do this)

> - It seems like (thunderbolt) dockingstations with ethernet will all
> connect it via usb. So I would have to trust my usb-vm with both my
> unencrypted keystrokes and "physical" network traffic. In worst case all
> on the same usb hub too. Can such a machine be reasonably secure at all?
>
> - Is thunderbolt a complete no-go from a security perspective?

No more than any other port with DMA, such as ExpressCard

> - Are we preparing for a world where most new notebooks only have a usb
> type c conector, and maybe one, two other ports?

For the average laptop at a store yes, because the people who buy them 
(apple types) aren't doing real work. But those laptops were always shit 
anyway.
There will always be industrial and embedded applications OEM's that 
produce stuff with real ports, getac company for instance makes new 
laptops with serial ports.
The side issue is that almost every new laptop is x86, and they all have 
ME/PSP (besides novena and the lenovo G505S)

> Stickstoff
>
> [1] https://en.wikipedia.org/wiki/DMA_attack
> [2] https://groups.google.com/forum/#!topic/qubes-devel/zkPTk4tjWBM
> [3] https://groups.google.com/forum/#!topic/qubes-users/uk11tSeu5yU
>     https://groups.google.com/forum/#!topic/qubes-users/xbtacWEVt7g



[qubes-users] Qubes OS working on Thinkpad X220

2017-02-05 Thread ipadrennes2
Hi there,

I failed to boot Qubes from USB drive on a Thinkpad X220 whereas it should work 
fine.
I used Rufus (DD Image) to install the ISO on the USB drive, deactivated the 
UEFI boot.
Any advice ?



[qubes-users] AttributeError: 'Qstring' from qubes-manager updated to 3.2.7-1

2017-02-05 Thread Strak8
Hello guys,
after the qubes-manager update to 3.2.7-1 I get an error that prevents me from 
access to configure the VMs. I tried to do a downgrade of the package at 
3.2.6-1 but it tells me that I have the first version and can not install the 
previous one. Now I admit my stupidity and a nice quota of bad luck, but I 
think that the previous version of qubes-manager has been cleared by the new 
installation.

I had just finished installing Windows 10 and was looking for how to set a 
resolution of 1366x768 that is not present, before trying anxiously to install 
the secondary video adapter with PCI passthrough. But apparently I'm unable to.

This is the error:

AttributeError: 'Qstring' object has no attribute ' format'


line: self.setWindowTitle(self.tr("Settings: {vm}").format(vm=self.vm.name))
func: __init__
line no.: 57
file: /usr/lib64/python2.7/site-packages/qubesmanager/settings.py

line: "basic")
func: action_settings_triggered
line no.: 1384
file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py


Thanks for your patience



Re: [qubes-users] HCL Suggestions?

2017-02-05 Thread Andrew David Wong

On 2017-02-05 05:10, Stickstoff wrote:
> On 02/05/2017 01:39 PM, Andrew David Wong wrote:
>> On 2017-02-04 15:10, Oleg Artemiev wrote:
>>>> This is a good time to mention that we're in need of an HCL 
>>>> maintainer. [..] Any volunteers?
>>> Why not to just script-out this once and forget?
> 
> I can't help with maintaining the HCL, sorry. Yes, an automated
> solution might help here.
> 
> Talking about automation: I am in a position to have several
> notebooks on my desk every week. Anything between three and ten
> maybe, steadily. Mostly older consumer devices. How much of a
> priority is it to fill the HCL? If I had a bootable stick which
> fetches all interesting info in short time without (much) user 
> input, I could do that to a lot of notebooks.

Thank you for your willingness to do this! It might be enough just to
install Qubes onto a USB drive, boot from it, and run qubes-hcl-report.

> This would only make sense if we could find out the notebook model
> with the script. Or maybe just type it in while it scans stuff.
> 

I think qubes-hcl-report automatically gets the model number in most
cases.

> There are many places with high notebook throughput. Heck, we can
> even walk through an electronic store and check out one new
> notebook after another, if it's reasonably fast and simple.
> 
> Would it be worthwhile to have many new HCL reports to program such
> a stick? Is an automated report even worth much, without hands-on 
> experience of a user testing functionality? I am no programmer,
> unfortunately, so I can't create such a stick by myself. And, of
> course, we need to be prepared for many new reports with a new 
> maintainer and/or a more automated processing.
> 

Good question. I think the reports would still be somewhat useful,
since at least anyone who is considering acquiring model X will be
able to see the HCL report for model X before acquiring it. However,
HCL reports for newer models are likely to be more useful than ones
for older models, unless the older models are particularly popular for
some reason.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] "Backup VMs" does not backup salt configuration

2017-02-05 Thread qubes

Hey,

On 05.02.2017 00:06, Oleg Artemiev wrote:
> Hi.
>
> On Wed, Feb 1, 2017 at 11:56 PM, john.david.r.smith wrote:
>> On 01/02/17 21:30, qu...@posteo.de wrote:
>>> I have now nearly a complete salt configuration for all my templates so I
>>> do not need to backup them anymore and save a lot of space by this.
>
> Could you point to source for more information on your work?

I have not posted my work anywhere but I learned most things from this 
repo https://github.com/Nekroze/qubes-salt and of course the salt 
documentation and hints from John

Regards



Re: [qubes-users] HCL Suggestions?

2017-02-05 Thread Stickstoff
On 02/05/2017 01:39 PM, Andrew David Wong wrote:
> On 2017-02-04 15:10, Oleg Artemiev wrote:
>>> This is a good time to mention that we're in need of an HCL 
>>> maintainer. [..] Any volunteers?
>> Why not to just script-out this once and forget?

I can't help with maintaining the HCL, sorry. Yes, an automated solution
might help here.

Talking about automation: I am in a position to have several notebooks
on my desk every week. Anything between three and ten maybe, steadily.
Mostly older consumer devices.
How much of a priority is it to fill the HCL? If I had a bootable stick
which fetches all interesting info in short time without (much) user
input, I could do that to a lot of notebooks.
This would only make sense if we could find out the notebook model with
the script. Or maybe just type it in while it scans stuff.

There are many places with high notebook throughput. Heck, we can even
walk through an electronic store and check out one new notebook after
another, if it's reasonably fast and simple.

Would it be worthwhile to have many new HCL reports to program such a
stick? Is an automated report even worth much, without hands-on
experience of a user testing functionality?
I am no programmer, unfortunately, so I can't create such a stick by myself.
And, of course, we need to be prepared for many new reports with a new
maintainer and/or a more automated processing.

Stickstoff



Re: [qubes-users] qubes regularry attaches and detaches usb card reader

2017-02-05 Thread Andrew David Wong

On 2017-02-04 20:22, Oleg Artemiev wrote:
> Currently I've all usb controllers attached to Dom0.
> 
> Subj:
> 
> Is there any process that should do it usually in Dom0?
> 

Sorry, I'm not sure what you mean. Are you asking about how to create
a USB qube?

https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] symlinks in /va/lib/qubes for files

2017-02-05 Thread Andrew David Wong

On 2017-02-04 15:27, Oleg Artemiev wrote:
> Hello.
> 
> I'm thinking about upgrading from 3.0 by reinstalling.
> 
> Subj?
> 
> I remember I had some troubles w/ qubes utilities when had install 
> with many mount points under /var/lib/qubes and attempted to
> symlink some dirs to another path in dom0. Sorry - more than 1.5
> years ago - don't remember exactly what was a problem - AFAIR I was
> interested in moving file to different location and place a symlink
> to new location..%)
> 

You don't mention it, but I presume you're asking about
qvm-backup[-restore].

I can't comment on symlinked files, because I only have symlinked
directories for bulky AppVMs, per:

https://www.qubes-os.org/doc/secondary-storage/

However, I can at least say that I have no problems backing up and
restoring AppVMs in such symlinked directories.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] HCL Suggestions?

2017-02-05 Thread Andrew David Wong

On 2017-02-04 15:10, Oleg Artemiev wrote:
>> This is a good time to mention that we're in need of an HCL 
>> maintainer. Our longtime volunteer HCL maintainer, Zrubi, no
>> longer has the time to do it. We all owe Zrubi a debt of
>> gratitude for keeping up this thankless task for so long! :)
>> 
>> Any volunteers?
> Why not to just script-out this once and forget?
> 
> source information: email from someone, output information -> some 
> file to put on the web?
> 

Some stuff still had to be edited manually, but it could indeed be
automated better. Can you help us with that? :D

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Disposable VMs

2017-02-05 Thread Andrew David Wong

On 2017-02-04 12:59, Unman wrote:
> On Sat, Feb 04, 2017 at 07:02:57PM +0100, john.david.r.smith
> wrote:
>> On 04/02/17 18:42, Loren Rogers wrote:
>>> Hi all,
>>> 
>>> I'm confused about running disposable VMs - if I open a browser
>>> or file viewer, then want to open a terminal for the same VM,
>>> how could I do this? (E.g. I want to view an untrusted file,
>>> then make some edits.)
>> right click the dispvm in the qubes manager. select run command. 
>> enter xterm or whatever you want to run
>> 
>> or use (in dom0) qvm-run DISPVM_NAME xterm
>>> 
>>> Is there a way to configure the default disposable VM in the
>>> Qubes menu? I see that disposable VMs can be configured for
>>> individual domains, but I can't find where the generic one is.
>>> 

Yes, you can customize the default DispVM by following
these instructions:

https://www.qubes-os.org/doc/dispvm-customization/

>>> Also, is it possible to specify a different template for
>>> disposable machines? Say I'm running something based on the
>>> default fedora-23, and I want to open a document from my work
>>> VM, which uses that template. But I want to open it with my
>>> fedora-23-custom template as a disposable VM. (E.g. running a
>>> video in VLC that has untrustworthy components.) Is this
>>> doable?
>> 
>> currently you can only have one dispvm. if you want, you can set
>> the template as default for dispvms (qvm-create-default-dvm)
>> 
>> -john
> 
> Loren,
> 
> You can't configure disposable VMs for individual qubes - what you
> can do is change the netVM which will apply if you start a
> disposableVM from that qube. The dispVM that will be started is
> determined by the default dvm, and this is set by
> qvm-create-default-dvm.
> 
> As John said, you can only have one default dvm, but it's trivial
> to work around this with a small script.

Care to share that script, unman?

> It's possible to do this because qvm-create-default-dvm does NOT
> remove the files for old dvms. You can see this if you generate a
> new default-dvm, and then look in /var/lib/qubes/appvms. So if you
> generate a number of different dvms based on different templates,
> it's simple to switch between them before launching a new dispVM.
> The launch time isn't noticeably different from starting up a new
> dispVM, and voila - multiple template disposable VMs on the cheap.
> 

How do you easily switch between the different DVM templates?

> I do this without any apparent ill effects, but it certainly isn't
> part of the canon.
> 
> unman
> 

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Current chances of successful Qubes-3.2 on iMac 27" Retina, Mac OSX Sierra 10.12.3 (i5, Radeon M380)

2017-02-05 Thread Andrew David Wong

On 2017-02-04 10:43, dave m. wrote:
> It looks like there are occasionally people who want to run Qubes 
> on a Mac, and also some partial success stories.  However, the
> most recent I can find are from a while ago, with previous versions
> of Qubes, previous OSX, and older Macs.
> 
> Is there an updated Howto or more recent info about this?

Your best bet is to search the mailing list archives and to look at
this page (if you haven't already):

https://www.qubes-os.org/doc/macbook-troubleshooting/

> I have a late 2015 27" Retina iMac (model iMac17,1), i5 processor, 
> Radeon R9 M380 video.  I would like to run Qubes, with Mac OSX, 
> Linux and Win7 guests.  (My current setup is OSX host, with Linux 
> and Win7 guests under VMWare or Parallels; this works OK, but I 
> wanted to try Qubes for security.)
> 

On Mac OS X as a VM, see:

https://github.com/QubesOS/qubes-issues/issues/1982

> I did manage to boot a Qubes-3.2 USB drive, but it stops shortly 
> after the initial (Grub?) bootscreen, when you select "Install..." 
> It says "Xen 4.6.1 (c/s ) EFI loader, using configuration [...], 
> vmlinuz [...], initrd.img [...]"
> 
> (I'm guessing the video is going elsewhere, but I don't know 
> where!)
> 
> Thanks!
> 

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] offtopic: need recommendations for relatively secure linux distro for netbook

2017-02-05 Thread Oleg Artemiev
Hello.

This is definitely an offtopic for this mailing list, but since a lot
of people concerned on security here - I ask for recommendations.

Since this is offtopic - please prefer direct email answers.

I've two old netbooks (those slow laptops that were popular years ago) and need
to organize relatively secure setup for person to person
communications between these two over internet. What is the most
secure solution for that old slow processing units currently?

Wishlist:

Distribution:

required:
1) linux based
2) plausible deniability
3) luks encryption support
4) minimal GUI
5) boot from external usb media shouldn't be a problem
6) good security history and concerned on security

optional:
7) i2p & tor ready out of the box
8) not a Linux from scratch based (not gentoo or similar)

Security tools:

9) usb bootable solution for "check hash and answer: disk and BIOS
readable areas did not change since last boot" even if that is damn
slow.

10) your advice :)

Are there any chances to organize any sort of protection from cold boot
attacks or only real life "keep that computing box out of anyone by
physically locking access to the unit"?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
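
Item 9 of the wishlist above (hash the disk from a USB-booted system and report whether it changed since the last boot) could look like the following. This is an added example, not part of the original message; it covers only the disk half of the request, and the function names, region size and HMAC-authenticated manifest are assumptions of the example.

```python
import hashlib
import hmac
import json

REGION_SIZE = 4 * 1024 * 1024  # bytes per manifest entry (value chosen for this example)


def hash_regions(path, region_size=REGION_SIZE):
    """SHA-256 every fixed-size region of a disk image or block device."""
    digests = []
    with open(path, "rb") as dev:
        for block in iter(lambda: dev.read(region_size), b""):
            digests.append(hashlib.sha256(block).hexdigest())
    return digests


def manifest_mac(key, region_size, digests):
    """HMAC-SHA256 over the manifest body, so edits to the manifest are detectable."""
    body = json.dumps({"region_size": region_size, "digests": digests}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def save_baseline(path, manifest_path, key, region_size=REGION_SIZE):
    """Record the current state; keep the manifest on the boot stick, not on the disk."""
    digests = hash_regions(path, region_size)
    manifest = {"region_size": region_size, "digests": digests,
                "mac": manifest_mac(key, region_size, digests)}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)


def changed_regions(path, manifest_path, key):
    """Return the byte offsets of regions that differ from the baseline."""
    with open(manifest_path) as fh:
        m = json.load(fh)
    expected = manifest_mac(key, m["region_size"], m["digests"])
    if not hmac.compare_digest(expected, m["mac"]):
        raise ValueError("manifest failed authentication; baseline is untrusted")
    old, new = m["digests"], hash_regions(path, m["region_size"])
    longest = max(len(old), len(new))
    # Pad the shorter list so a grown or shrunk target is reported too.
    old += [None] * (longest - len(old))
    new += [None] * (longest - len(new))
    return [i * m["region_size"] for i in range(longest) if old[i] != new[i]]


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed stand-in for a disk: three 1 KiB regions in a temporary file.
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk.img")
        manifest = os.path.join(tmp, "baseline.json")
        with open(disk, "wb") as fh:
            fh.write(b"\x00" * 3072)
        key = b"constructed-demo-key"
        save_baseline(disk, manifest, key, region_size=1024)
        with open(disk, "r+b") as fh:  # simulate a change made between boots
            fh.seek(1500)
            fh.write(b"\x01")
        print("changed offsets:", changed_regions(disk, manifest, key))
```

The check is only as trustworthy as the system it runs from and the place the manifest and key are kept, so both belong on the external boot medium rather than on the disk being checked.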
