[qubes-users] Re: Update VM Kernel and Use VM Kernel

2017-02-07 Thread nicholas roveda
On Wednesday, February 8, 2017 at 02:45:24 UTC-5, Foppe de Haan wrote:
> I can't help you with the troubleshooting, but I can tell you that you can 
> get the 4.8.12 kernel from qubes-dom0-unstable.

Yeah, thanks. I need to change the kernel configs, disable some drivers and 
remove some device support, so I need to compile the kernel manually or make 
a custom package.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a08309dc-2acf-483f-ad6b-5eb8860772ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Update VM Kernel and Use VM Kernel

2017-02-07 Thread Foppe de Haan
I can't help you with the troubleshooting, but I can tell you that you can get 
the 4.8.12 kernel from qubes-dom0-unstable.



[qubes-users] Re: traveling - best practice

2017-02-07 Thread pixel fairy
On Tuesday, February 7, 2017 at 5:09:45 AM UTC-8, haaber wrote:
> Hello,  I wonder how you behave when traveling, for example in places
> with cameras all around. I feel uncomfortable to enter my passwords in
> such situations. Of course I can simply not turn my computer on.  But

most "security" cameras can't see much. but the cloud of cell phones 
and any cameras worn by those looking to do this will have little trouble
seeing and hearing your passphrases. 

you could use a yubikey to type your passphrase in, though be careful of
pickpockets. 

you could also velcro some cloth around the lid like this, 
https://goo.gl/photos/py8qdxRPtoz3PGL19

if you do, make sure there's some going around the front too. then use it with 
your back to two corners. 

someone could still pick up your typing with a good directional mic, but then
you have a different threat model.

in this case, you could have your laptop unlocked and suspended, with a 
qrexec service to shut it down should it leave, for example, the vicinity of 
your cell phone or NFC implant.

> sometimes you have several hours in an airport ..  I thought about 3
> options.
> 
> 0) Change all (disk / user) pwd before & after traveling (how do I
> change the disk pwd?).

everything you ever wanted to know about luks, 
https://gitlab.com/cryptsetup/cryptsetup

> 1) Pull out my tails usbkey and surf with that?

yes. or, better yet, tails on a dummy netbook or chromebook.

> 
> 2) maybe it would be nice to have an additional  "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM,  no dom0 access, no USB, and so forth. Is that
> feasible / reasonable?

this goes back to some earlier discussions. easiest way is to dual boot 
your laptop. 

> 
> how do you cope with that? Thank you, Bernhard

leave it off, walk around, see the local art. sample the chocolate and coffee.
try not to work. 



[qubes-users] Update VM Kernel and Use VM Kernel

2017-02-07 Thread nicola99999
I've just started using Qubes and I find it awesome, but I'm having problems 
updating the Debian Template Kernel and it seems to me this is a very important 
topic, since Qubes' principle is isolation and simply some VMs don't have to 
support functionality you don't use and new kernels are always bigger, but they 
include interesting fixes and security improvements, so I'd like to reduce the 
attack surface and still be able to use new kernels.


I have to say I've followed the Official Docs:
Qubes Docs  -> https://www.qubes-os.org/doc/managing-vm-kernel/
Debian Docs -> https://www.debian.org/releases/stable/i386/ch08s06.html.en

I've tried multiple ways:
1) Compiling the kernel the good old way, importing the current Qubes kernel 
configs and applying some changes
2) Compiling the kernel the debian way
3) Compiling the kernel the good old way, using the default configs (make 
defconfig)
4) Installing linux-image package

All these failed.



I installed 'grub2-xen' in dom0, then:


1-2) Compiling the kernel with custom configs

I installed 'linux-header*', 'linux-source packages' and 
'qubes-kernel-vm-support',
then I extracted the archive in /usr/src, 
I applied the patch provided by debian and 
I extracted and copied the Qubes Kernel current configs in '/proc/config.gz' 
into the linux-source dir with the name '.config'.

I ran 'make' and 'make install' and I encountered an error:

error: illegal package name 
'linux-image-4.8.15-rt10-11.pvops.qubes.x86_64': 
 character '_' not allowed


So, I tried the debian way, I installed 'fakeroot' and 'kernel-package'.
I ran 'make menuconfig' and I made some changes, then
I ran 'fakeroot make-kpkg --initrd --revision=2.0' and I encountered the same 
error as above:

This is kernel package version 13.014+nmu1.
install -p -d -o root -g root  -m  755 
/usr/src/linux-source-4.8/debian/linux-image-4.8.15-rt10-11.pvops.qubes.x86_64/DEBIAN
sed -e 's/=V/4.8.15-rt10-11.pvops.qubes.x86_64/g'-e 's/=IB//g' \
-e 's/=ST/linux/g'  -e 's/=R//g' \
-e 's/=KPV/13.014+nmu1/g'   \
-e 's/=K/vmlinuz/g'  \
-e 's/=I/YES/g' -e 's,=D,/boot,g'\
-e 's@=A@amd64@g'   \
-e 's@=B@x86_64@g' \
...
dpkg-gencontrol: error: illegal package name 
'linux-image-4.8.15-rt10-11.pvops.qubes.x86_64':
 character '_' not allowed
debian/ruleset/targets/image.mk:230: recipe for target 
'debian/stamp/binary/linux-image-4.8.15-rt10-11.pvops.qubes.x86_64' failed
make: *** 
[debian/stamp/binary/linux-image-4.8.15-rt10-11.pvops.qubes.x86_64] Error 255



3) Compiling the kernel with default configs

I ran 'make defconfig', then
I ran 'make' and it went all good,
but when I ran 'sudo make install' I encountered some errors, so I remembered 
the Qubes Docs and I tried to use DKMS, so
I ran 'sudo dkms autoinstall -k  -a amd64', but I didn't see any 
output unlike the one shown by the Qubes Docs, so I stopped here.



4) Installing the debian 'linux-image' package

I ran 'sudo apt-get install linux-image-amd64', but during the installation the 
terminal disappeared and the VM's LED state turned to yellow, so I tried to 
reboot the machine, but the light was still yellow.
I checked the logs, I didn't see any errors and the VM reached the login, but 
the dom0 shows an error related to the id.

So, I attached to the VM console from dom0 with 'sudo xl console debian-8-test',
I tried to make 'dpkg' finish the installation with 'dpkg --configure -a' and 
it finished it, but it told me that 'WITH THIS INITRAM, THE PC WILL NEVER 
BOOT', so
I ran 'grub-update', I set 'pvgrub2' as kernel in VM Manager and tried to 
reboot, but the machine couldn't mount root, as the error above had announced.

What's up with the initramfs?



I think I've tried a lot and I still can't understand why the procedures shown 
in the Official Docs didn't work, maybe I've missed something or I've done 
something wrong.


Is it really possible to use a custom built kernel inside a VM?
If yes, how can we manage to do it?

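
The dpkg-gencontrol error quoted in the post above comes from Debian's package-name rule (only lowercase letters, digits, '+', '-' and '.'), which the 'x86_64' in the kernel release breaks. The script below is an added example, not part of the original post: it checks a release string against that rule before a long build. The function names are hypothetical, and it assumes the release suffix can be changed in the kernel configuration (for example CONFIG_LOCALVERSION) before compiling.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check the package name that a
# kernel release string would produce, before starting the build.
# Rule applied: only a-z, 0-9, '+', '-', '.'; at least two characters;
# first character a lowercase letter or digit.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII lowercase only

# Print each distinct character of $1 that is not in [a-z0-9+.-].
illegal_chars() {
    printf '%s' "$1" | tr -d 'a-z0-9+.-' | fold -w1 | sort -u | tr -d '\n'
}

# Return 0 if $1 is a legal package name; otherwise print the reason on
# stderr and return 1.
check_pkgname() {
    bad=$(illegal_chars "$1")
    if [ -n "$bad" ]; then
        echo "illegal package name '$1': character(s) '$bad' not allowed" >&2
        return 1
    fi
    case $1 in
        [a-z0-9]?*) return 0 ;;
    esac
    echo "illegal package name '$1': need 2+ characters, starting with a letter or digit" >&2
    return 1
}

# Map a kernel release (as printed by "make kernelrelease") to the package
# name seen in the error output: linux-image-<release>.
kernel_pkgname() {
    printf 'linux-image-%s' "$1"
}

# Propose a legal replacement: lowercase, every other character becomes '-'.
sanitize_suffix() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9+.-]/-/g'
}

# Release string taken from the error message in the post.
release='4.8.15-rt10-11.pvops.qubes.x86_64'
if ! check_pkgname "$(kernel_pkgname "$release")"; then
    fixed=$(sanitize_suffix "$release")
    check_pkgname "$(kernel_pkgname "$fixed")" &&
        echo "legal alternative: $(kernel_pkgname "$fixed")"
fi
```

Running the check on the output of 'make kernelrelease' right after editing '.config' catches the problem before the compile rather than at the packaging step.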


[qubes-users] Re: How do you work with the vault?

2017-02-07 Thread Keith Ramphal
On Tuesday, February 7, 2017 at 2:22:45 PM UTC-8, elsieb...@gmail.com wrote:
> How do you work with the vault?
> 
> I created an index.html in the vault, it contains links with login 
> information. I want to open the file in the vault with Firefox and then the 
> links open in a disposable vm by default. 
> 
> In reality what happens is I click the file, it opens in dispvm and (it 
> retains the black border instead of red) then I have to open up an outside 
> line... 
> 
> I've tried 
> https://github.com/kulinacs/qubes-desktop/blob/master/qvm-open-in-dvm.desktop
> Then
> https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/
> 
> 
> Anyone tell me what I've done wrong? Or is this the best it gets?

I use KeePassX in the vault along with instructions here: 

https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/#more-943



[qubes-users] HCL - Asus Z97-PRO Gamer G10265

2017-02-07 Thread Ben Utzmich
Hey,
everything works fine, TPM is untested.
Many thx for your Qubes-OS development.



Qubes-HCL-ASUS-Z97-PRO-Gamer-20170206-133838.yml
Description: Binary data


Re: [qubes-users] traveling - best practice

2017-02-07 Thread taii...@gmx.com



On 02/07/2017 03:36 PM, Jake wrote:
> On 02/07/2017 08:43 AM, Franz wrote:
> > On Tue, Feb 7, 2017 at 10:09 AM, haaber wrote:
> > > Hello, I wonder how you behave when traveling, for example in places
> > > with cameras all around. I feel uncomfortable to enter my passwords in
> > > such situations. Of course I can simply not turn my computer on.  But
> > > sometimes you have several hours in an airport ..  I thought about 3
> > > options.
> > >
> > > 0) Change all (disk / user) pwd before & after traveling (how do I
> > > change the disk pwd?).
> > >
> > > 1) Pull out my tails usbkey and surf with that?
> > >
> > > 2) maybe it would be nice to have an additional  "single cube"
> > > usr/password : when using this user name, one would get a single
> > > disposable untrusted VM,  no dom0 access, no USB, and so forth. Is that
> > > feasible / reasonable?
> > >
> > > how do you cope with that? Thank you, Bernhard
> >
> > But is the resolution of these cameras high and fast enough to be able
> > to read the movements of my 10 fingers all working together and covering
> > the whole keyboard?
> >
> > I installed a high definition security ethernet camera in my home, but
> > resolution and speed are not that spectacular.
> >
> > There are mini-cameras that can be hidden, but resolution is worse.
> >
> > So cameras can be easily identified and  I suppose it is enough to avoid
> > sitting down  having a camera just over your shoulders.
>
> i am a strong proponent of entirely removing both microphones and cameras
> in all computing devices. even with a hardware switch, you can't know it's
> actually disabled, whereas when you remove the mics and cameras, you can
> be confident they are disabled.
>
> this can be done to pretty much any laptop, but it may void your warranty,
> so if you care about that kind of stuff, keep that in mind. it typically
> takes 1-2 hours to disassemble and reassemble a laptop when doing this.

It doesn't void your warranty unless you damage something, the "warranty 
void if removed" stickers have no legal backing in most countries due to 
1970's automobile repair laws in regards to the "authorized repair 
center" bullshit.


It takes around 10 minutes for every laptop I have done it on, certainly 
not hours and hours.




[qubes-users] HCL - Asus Q170M-C

2017-02-07 Thread ecneladis ecneladis
Hi,

generally everything works out of the box.

I didn't test:
- Anti Evil Maid (TPM 2.0 onboard)
- sleeping

I had to manually enable Intel VT-d and disable Intel AMT in BIOS
configuration.



Qubes-HCL-System_manufacturer-System_Product_Name-20170207-233714.yml
Description: application/yaml


[qubes-users] How do you work with the vault?

2017-02-07 Thread elsiebuck105
How do you work with the vault?

I created an index.html in the vault, it contains links with login information. 
I want to open the file in the vault with Firefox and then the links open in a 
disposable vm by default. 

In reality what happens is I click the file, it opens in dispvm and (it retains 
the black border instead of red) then I have to open up an outside line... 

I've tried 
https://github.com/kulinacs/qubes-desktop/blob/master/qvm-open-in-dvm.desktop
Then
https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/


Anyone tell me what I've done wrong? Or is this the best it gets?



[qubes-users] What? Can I access a windows USB drive?

2017-02-07 Thread elsiebuck105
What? Can I access a windows USB drive?

I really didn't want to add a windows vm, just wanted to get some of my stuff 
off from it. I found how to "add block devices", but after that I'm guessing it 
won't read windows file system...

I'm hoping there's an easy way to do this... ???



Re: [qubes-users] traveling - best practice

2017-02-07 Thread Jake

On 02/07/2017 08:43 AM, Franz wrote:
> On Tue, Feb 7, 2017 at 10:09 AM, haaber wrote:
> > Hello, I wonder how you behave when traveling, for example in places
> > with cameras all around. I feel uncomfortable to enter my passwords in
> > such situations. Of course I can simply not turn my computer on.  But
> > sometimes you have several hours in an airport ..  I thought about 3
> > options.
> >
> > 0) Change all (disk / user) pwd before & after traveling (how do I
> > change the disk pwd?).
> >
> > 1) Pull out my tails usbkey and surf with that?
> >
> > 2) maybe it would be nice to have an additional  "single cube"
> > usr/password : when using this user name, one would get a single
> > disposable untrusted VM,  no dom0 access, no USB, and so forth. Is that
> > feasible / reasonable?
> >
> > how do you cope with that? Thank you, Bernhard
>
> But is the resolution of these cameras high and fast enough to be able to
> read the movements of my 10 fingers all working together and covering the
> whole keyboard?
>
> I installed a high definition security ethernet camera in my home, but
> resolution and speed are not that spectacular.
>
> There are mini-cameras that can be hidden, but resolution is worse.
>
> So cameras can be easily identified and  I suppose it is enough to avoid
> sitting down  having a camera just over your shoulders.

i am a strong proponent of entirely removing both microphones and
cameras in all computing devices. even with a hardware switch, you
can't know it's actually disabled, whereas when you remove the mics
and cameras, you can be confident they are disabled.

this can be done to pretty much any laptop, but it may void your
warranty, so if you care about that kind of stuff, keep that in
mind. it typically takes 1-2 hours to disassemble and reassemble a
laptop when doing this.

> Best
> Fran



[qubes-users] traveling - best practice

2017-02-07 Thread Connor Page
if you're afraid of cameras, just cover it all when entering sensitive 
information like citizen four did.
don't ever enter LUKS passphrase if someone else had an opportunity to boot 
your laptop without your direct supervision. in that case yes, a live USB drive 
is your friend until it is safe to confirm that boot sequence wasn't altered 
and you can trust the bootloader, kernel etc.
I am not that paranoid, so just use a yubikey as a second factor for crowded 
places and under cameras.





[qubes-users] Re: I have a bank vm, how do you restrict

2017-02-07 Thread elsiebuck105
Don't know what I did exactly, but both vm(s) (email and banking) are now 
working. Which didn't make sense why neither would connect.

In the end, I made two proxyvm(s) where I "denied all but..." and added the 
domains as they didn't connect until they did.

My original problem was, after getting the banking vm working, I started 
working on the email vm, then neither would connect. That's what didn't make 
sense. If both vms were not connected to each other, then how could one stop 
the other from connecting?

Well, they both work now...



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
On Tuesday, February 7, 2017 at 6:22:53 PM UTC+1, Thomas Leonard wrote:
> On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> > On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've 
> > > > allocated 60mb ram, but it crashes within 2-8 hours here, which is kind 
> > > > of disappointing.
> > > 
> > > Do the logs show an out-of-memory error when that happens? I haven't seen 
> > > one for a long time now, but maybe torrents stress it more than usual.
> > > 
> > > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > > there's a Mirage hackathon next month and I'm hoping to get some time to 
> > > work on this there.
> > 
> > Yes. "Fatal error: out or memory. Mirage exiting with status 2"
> 
> By the way, what version of the firewall are you using?
> If it's not qubes-mirage-firewall v0.2 then try upgrading first - there were 
> lots of OOM problems in v0.1.
> 
> > That said, 2 minutes earlier the log notes that memory use was still only 
> > at 16.7/38.2 MB.
> 
> The annoying thing about hashtables is the way they suddenly double in size. 
> Since you're allocating 60 MB to the firewall (I only use 20 MB for mine), 
> you could try adjusting the thresholds at these two lines:
> 
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47
> 
> Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If the 
> NAT table is the cause, that should make the problem go away.
> 
> > (Most of the log -- 90-95% -- consists of 'Failed to parse frame' messages, 
> > btw.)
> 
> "Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) packet 
> and therefore didn't handle it. Another thing I'm hoping to fix soon... 
> https://github.com/yomimono/mirage-nat/issues/15

I built it using docker about 2 days ago. Will do the other things you 
mentioned, report back when I know more :)



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Thomas Leonard
On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> > > 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> > > disappointing.
> > 
> > Do the logs show an out-of-memory error when that happens? I haven't seen 
> > one for a long time now, but maybe torrents stress it more than usual.
> > 
> > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > there's a Mirage hackathon next month and I'm hoping to get some time to 
> > work on this there.
> 
> Yes. "Fatal error: out or memory. Mirage exiting with status 2"

By the way, what version of the firewall are you using?
If it's not qubes-mirage-firewall v0.2 then try upgrading first - there were 
lots of OOM problems in v0.1.

> That said, 2 minutes earlier the log notes that memory use was still only at 
> 16.7/38.2 MB.

The annoying thing about hashtables is the way they suddenly double in size. 
Since you're allocating 60 MB to the firewall (I only use 20 MB for mine), you 
could try adjusting the thresholds at these two lines:

https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47

Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If the 
NAT table is the cause, that should make the problem go away.

> (Most of the log -- 90-95% -- consists of 'Failed to parse frame' messages, 
> btw.)

"Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) packet 
and therefore didn't handle it. Another thing I'm hoping to fix soon... 
https://github.com/yomimono/mirage-nat/issues/15



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> > 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> > disappointing.
> 
> Do the logs show an out-of-memory error when that happens? I haven't seen one 
> for a long time now, but maybe torrents stress it more than usual.
> 
> If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - there's 
> a Mirage hackathon next month and I'm hoping to get some time to work on this 
> there.

Yes. "Fatal error: out or memory. Mirage exiting with status 2"
That said, 2 minutes earlier the log notes that memory use was still only at 
16.7/38.2 MB. (Most of the log -- 90-95% -- consists of 'Failed to parse frame' 
messages, btw.)



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Thomas Leonard
On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> disappointing.

Do the logs show an out-of-memory error when that happens? I haven't seen one 
for a long time now, but maybe torrents stress it more than usual.

If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - there's a 
Mirage hackathon next month and I'm hoping to get some time to work on this 
there.



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 60mb 
ram, but it crashes within 2-8 hours here, which is kind of disappointing.



Re: [qubes-users] Re: create new sys-net

2017-02-07 Thread Michael Carbone
haaber:
> On 01/28/2017 07:05 PM, Michael Carbone wrote:
>> haaber:
>>> On 01/27/2017 09:47 PM, taii...@gmx.com wrote:
>>>> On 01/27/2017 10:11 AM, '01v3g4n10' via qubes-users wrote:
>>>>> On Friday, January 27, 2017 at 7:19:10 AM UTC-6, Bernhard wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I still have my system bricked due to a dead sys-net.
>>>>>>
>>>>>> Could somebody help me to generate a new one, please?
>>>>>>
>>>>>> thank you, Bernhard
>>>>> Create a new VM : Name it, click the NetVM button then choose a color
>>>>> and template.
>>>>>
>>>>> Change sys-firewall to your new sys-net vm and use networkmanager or
>>>>> other means to establish connection.
>>>>>
>>>> Don't forget to check the "start on boot" option if you desire that.
>>>>
>>> Thank you that worked! Now my bricked system is only half-bricked :)
>>>
>>> 1) fedora-24 is still in coma: it shows the mysterious  "ERROR: Cannot
>>> execute qrexec-daemon" and stays yellow. I consider (a) renaming it
>>> old-fedora, (b) moving it to the harddrive (to make space on SSD), (c)
>>> symlink it (d) install a fresh fedora-24 template.
>>>  
>>> Does this sound right / the most easy solution to you?
>>>
>>> 2) my new debian based SYS-net can only access ethernet. I installed the
>>> iwl-firmware in the template, and made sure the hardware is accessible
>>> in it. But that does not yet help. Do I have to verify the firmware
>>> in dom0 ?
>>> (wireless = intel 7620)
>>> Thank you, Bernhard
>> Bernhard,
>>
>> Specifying your wireless card (Intel 7620) is necessary for others to
>> help you with hardware troubleshooting, so in the future please lead
>> with such information.
>>
>> This card has issues with older versions of iwlwifi (in other distros
>> like debian, ubuntu, fedora, etc), so you will want to run the newest
>> version of iwlwifi possible, which is most easily done using debian
>> templates.
>>
>> What you are going to want to do is: (1) create a debian-9 template, (2)
>> install firmware-iwlwifi in that template, (3) make sure it is
>> up-to-date, and then (4) base your sys-net on that template.
>>
>> In more detail:
>>
>> 1. follow all steps of:
>> https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
>>
>> 2. [you@debian-9 $] sudo apt install firmware-iwlwifi
>>
>> 3. [you@debian-9 $] sudo apt update && sudo apt upgrade
>>
>> shutdown your debian-9 template.
>>
>> 4. turn off your existing sys-net. change its template to debian-9 in VM
>> Manager > VM Settings. ensure that there is your wireless network
>> controller assigned to it in VM Settings > Devices. (If no network
>> controller exists, go into your BIOS and see if there are any settings
>> associated with your wireless card that you need to enable.) once there
>> is a wireless network controller that exists and is assigned to sys-net,
>> restart your sys-net.
>>
>> Michael
>>
> Hi Michael, I was for a long while in no-internet-land. Once back I gave
> it a try and it worked! Thanks a lot. I have been using debian-8 on the
> same machine since it was early-testing, and the wifi always worked. I
> do not understand that under qubes-debian I need a stretch, but OK,
> "whatever works!" as Woody Allen says :)  Bernhard

glad it worked for you! in the future reply to list so that others who
encounter the same issue will know it worked.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] traveling - best practice

2017-02-07 Thread Franz
On Tue, Feb 7, 2017 at 10:09 AM, haaber  wrote:

> Hello,  I wonder how you behave when traveling, for example in places
> with cameras all around. I feel uncomfortable to enter my passwords in
> such situations. Of course I can simply not turn my computer on.  But
> sometimes you have several hours in an airport ..  I thought about 3
> options.
>
> 0) Change all (disk / user) pwd before & after traveling (how do I
> change the disk pwd?).
>
> 1) Pull out my tails usbkey and surf with that?
>
> 2) maybe it would be nice to have an additional  "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM,  no dom0 access, no USB, and so forth. Is that
> feasible / reasonable?
>
> how do you cope with that? Thank you, Bernhard
>
>
But is the resolution of these cameras high and fast enough to be able to
read the movements of my 10 fingers all working together and covering the
whole keyboard?

I installed a high definition security ethernet camera in my home, but
resolution and speed are not that spectacular.

There are mini-cameras that can be hidden, but resolution is worse.

So cameras can be easily identified and I suppose it is enough to avoid
sitting down having a camera just over your shoulders.
Best
Fran



[qubes-users] qvm-run fails silently with chromium

2017-02-07 Thread marc
Hi,

I installed chromium browser in a debian-8 based standalone VM called 'work'. 
If I run, from dom0:

```
qvm-run work chromium
```

it outputs:

```
Running command on VM: 'work'...
```

but nothing happens. It is the same if I use shortcut desktop menu (which I 
guess executes the same command).

If, instead, I run `chromium` from within a terminal in 'work' it works fine.

I thought maybe it was a permissions problem with folder `~/.config/chromium`, 
but I granted everything to everybody just to check it and nothing changes.

I'm quite lost because, as there is nothing in dom0 stderr, I don't know how I 
could debug it.

I would be thankful for any help.

Thanks!



Re: [qubes-users] qubes regularly attaches and detaches usb card reader

2017-02-07 Thread Oleg Artemiev
> On 2017-02-04 20:22, Oleg Artemiev wrote:
>> Currently I've all usb controllers attached to Dom0.
>> Subj:
>>
>> Is there any process that should do it usually in Dom0?
>>
>
> Sorry, I'm not sure what you mean. Are you asking about how to create
> a USB qube?
>
> https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube
No. I've no need in USB qube in current threat model.

I'm surprised by regular attached/detached messages pointing to card reader.

Question is: what Dom0 regular operation may give such a message (all
other drives not flipping,
card reader has a stub in it w/ no card inside the stub. If I get the
stub in then out I see the same message.

Qubes R3.0

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



[qubes-users] traveling - best practice

2017-02-07 Thread haaber
Hello,  I wonder how you behave when traveling, for example in places
with cameras all around. I feel uncomfortable to enter my passwords in
such situations. Of course I can simply not turn my computer on.  But
sometimes you have several hours in an airport ..  I thought about 3
options.

0) Change all (disk / user) pwd before & after traveling (how do I
change the disk pwd?).

1) Pull out my tails usbkey and surf with that?

2) maybe it would be nice to have an additional  "single cube"
usr/password : when using this user name, one would get a single
disposable untrusted VM,  no dom0 access, no USB, and so forth. Is that
feasible / reasonable?

how do you cope with that? Thank you, Bernhard



Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Marek Marczykowski-Górecki
On Mon, Feb 06, 2017 at 01:46:59PM -0500, Jean-Philippe Ouellet wrote:
> I started an effort to automate HCL updating a few months ago and
> thought I'd pass on my notes in case anyone finds them useful.
> 
> First, you'll probably want a complete and incrementally-updateable
> local mailing list archive. The most reliable way I've found to dump
> google groups is with [1] (amusingly implemented in bash).
> 
> To decode the mails to extract the HCL files, I tried to use ripmime
> [2], but hit cases in our archives that crashed it [3]. I got
> sidetracked trying to produce a minimal case reproducing the crash and
> determine if it was exploitable, but other priorities took over.

If using mutt, it should be also not so hard to write a macro for this.
But it won't be pretty.
Generally it's a good idea to automate it somehow. Filling some fields
(works/doesn't work etc) still needs to be manual, but for example link
to the message could be extracted automatically.

> The crashing cases in our archives included the following (which are not 
> HCLs):
> - https://groups.google.com/forum/#!msg/qubes-users/8n9i1GiIl7s/jvIkXCiV0awJ
> - https://groups.google.com/forum/#!msg/qubes-users/h_5wX9IN-MI/XRlekv-GcU4J
> - https://groups.google.com/forum/#!msg/qubes-users/jr8BWxhmQq4/KteMXP5nxd8J
> - https://groups.google.com/forum/#!msg/qubes-users/v739hab0FDo/Yru2TDVAEX8J

This could be avoided by filtering first on "HCL" keyword in the
subject.

> Reported upstream, but maybe you want to use a different mime-decoder
> regardless.
> 
> [1]: https://github.com/icy/google-group-crawler
> [2]: http://www.pldaniels.com/ripmime/
> [3]: 
> https://gist.githubusercontent.com/anonymous/239a136df2479d36f085e075ddc52287/raw/d6a2fb64ce9e64a8fa1de2962f8bc447e395d14e/ripmime-crash.txt
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Audio CD via USB drive

2017-02-07 Thread timo.verhoeven via qubes-users
I tried it already with the same result. 

Is there no way to prevent Qubes from exposing a block device? 



Re: [qubes-users] I have a bank vm, how do you restrict

2017-02-07 Thread Andrew David Wong
On 2017-02-07 00:11, elsiebuck...@gmail.com wrote:
> I have a bank vm, how do you restrict the browser from being able 
> to go else where? Do you add the iprules in the vm or do you
> create a proxyvm and add the iprules there?
> 
> I've tried both, and created an email vm with iprules "deny 
> everything except"
> 
> But then neither vm(s) will connect.
> 
> Is there a proper way to do this?
> 
> Or will I have to do the tinyproxy thing I've read elsewhere ?
> 

Previously discussed here:

https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Cloned VMs do not appear in Qubes VM Manager

2017-02-07 Thread Andrew David Wong
On 2017-02-06 18:14, Grzesiek Chodzicki wrote:
> W dniu wtorek, 7 lutego 2017 01:57:31 UTC+1 użytkownik Unman
> napisał:
>> On Mon, Feb 06, 2017 at 04:31:31PM -0800, Grzesiek Chodzicki
>> wrote:
>>> After running qvm-clone somevm somevm2 somevm2 does not appear
>>> on the VM list in Qubes VM manager. somevm2 does appear in the
>>> XFCE applications menu. Restarting Qubes VM Manager does not
>>> resolve the issue, however restarting the physical machine
>>> does.
>>> 
>> 
>> It does for me - both in manager and on menu. What version are
>> you running? Qubes package versions?
> 
> Qubes 3.2 I'm using Qubes Manager package from
> qubes-dom0-current-testing repository.
> 

It might be that qubes.xml is not updating correctly, similar to:

https://github.com/QubesOS/qubes-issues/issues/2054

You may have to manually edit /var/lib/qubes.xml, but be very careful
if you do.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Audio CD via USB drive

2017-02-07 Thread Andrew David Wong
On 2017-02-06 12:02, timo.verhoeven via qubes-users wrote:
> Hi qubes-users!
> 
> I'm trying to extract audio from a cd on my qubes (3.2) notebook. After 
> reading thru the various pages of the docs section and searching the 
> mailing-list, I thought the following setup would be my best option:
> 
> * usb-dvd-drive attached to a USB 2 port
> * use a sys-usb vm
> * attach the drive-device via qvm-usb to a target appvm (fedora-24 based)
> * start "sound-juicer" in appvm to extract audio
> 
> Unfortunately, I now have the following problem: When I insert a cd into the 
> drive, qubes immediately takes control of it, so that sound-juicer can no 
> longer access the drive.
> 
> I can see, that a /dev/sr0 device pops up in the appvm, which the 
> sound-juicer app then tries to access. But qubes' attempt to expose the drive 
> as a block device makes it inaccessible to sound-juicer.
> 
> Is there a way to prevent this? E. g. prevent qubes from exposing a certain 
> device in a certain appvm?
> 
> Best regards,
> Timo
> 

Not sure if this is an option for you, but have you tried running Sound
Juicer in sys-usb?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration

2017-02-07 Thread Andrew David Wong
[Please keep the list CCed.]

On 2017-02-06 12:31, Oleg Artemiev wrote:
>>> In general everyone using qubes (at least qubes 3.0 is using 
>>> virtual desktops) uses virtual desktops: Xfce has virtual 
>>> desktops and KDE has.
>> Just because they're included in the DE by default doesn't mean 
>> everyone uses them.
> Last time I installed was long ago. After install you have no 
> desktops on a panel? If you have at least two - you use them.

I imagine some people choose to disable them or simply ignore them
(e.g., by keeping all windows on the first virtual desktop), just like
many other features that are on by default.

> virtual desktop is a classic thing. Gnome made them unneeded with
> their mouse operated window list (need to get mouse pointer into
> left upper corner), but gnome is not an option for Qubes (and I
> dislike the way they designed that).
> 
>>> KDE has ability to stick application to a desktop from the box,
>>>  but KDE is heavy and is not a default choice for Qubes
>>> anymore.
>> Indeed, but you can still use KDE on Qubes 3.2, if you want.
> Heavy manager + unrecommended.
> 
>>> why do we use operating systems at all? Because they provide
>>> some set of default pretty functionality/environment from the
>>> box. Why each time I power down my PC and power it up back I
>>> have to waste time on placing windows between desktops? Why the
>>> hell I can't power on and smoke then get back and see
>>> everything same way organised as I had on my last power up?
>> Well, you can install Devilspie2 (or equivalent) in dom0 and 
>> automate your setup. (Remember, the foregoing discussion is about
>>  whether it should be installed *by default*.)
> Yep. KDE by default has this from the box. Xfce has nothing for
> this. That's why "by default"
> 

Hm, then perhaps it's really Xfce who should integrate this upstream?

It seems like it would be suboptimal for the Qubes Project to try to
maintain a fork of Xfce that goes beyond Qubes-specific functions.

>>> The only thing I would like is having choice on restore as it
>>> was and run new session. People at firefox made good work and 
>>> algorithm is well known, why not to apply this to Qubes: On
>>> start show what is going to be started, if user chooses
>>> "restore last state"  - exactly that set left at session
>>> abort/power off is shown, if user is in doubt - new tab is
>>> always available. if user doesn't want to start same or partial
>>> set - give him/her clean new session. What a problem to do same
>>> way w/ desktop placement and VM autorun? People spend a lot of
>>> time starting same things on next power up. Firefox behaviour
>>> in case when  firefox configured "restore previous state" and
>>> was killed/aborted is best behaviour I've seen on restoring
>>> workspace.
>> This sounds like it would indeed be a nice feature. Care to 
>> contribute a patch?
> Not. :( A lot of questions appear to understand where to make
> changes at 1st. Unsure that I'll be able to make such a patches.
> 
>>> Locking application to some desktop set is a very good feature
>>>  and, afair and adding this functionality via some utility in
>>> Dom0 default package set is work in progress for current qubes.
>>> Just choose one app we're okay with, hug it with qubes vm
>>> manager and users will love ability to use it. :) I don't vote
>>> for this one utility - I vote for similar functionality
>>> available to user _by_default_ .
>> Why _by default_? As I explained above, we need to take a 
>> disciplined approach in deciding which features get included by 
>> default. If we include by default everything that everyone wants,
>>  Qubes will suffer from the consequent software bloat and feature
>>  creep.
> That is not what every one want but this is what _everyone_
> usually wastes time on - when powered down and powered up to
> continue .
> 
>> We must resist the temptation to push for the default inclusion
>> of features simply because *we* like them. There has to be a
>> stronger reason than that. We have to ask ourselves the hard
>> questions: Why do you want it to be the default? To save you from
>> having to configure it yourself? Because you think other people
>> should share your personal preferences?
> Isn't the reason "every one wastes time that way" above is not
> enough to add in wish list "make life better for every one" by
> enabling option to restore last state of running VMs this way"?
> 

It sounds like you're conflating a few different ideas here: including
Devilspie2 by default, locking apps to virtual desktops, and saving state.

I think the case for the last one is probably stronger than the first
two (given what has been said so far), but maybe this is a question
for the UX experts.

> 
>> Also, why is it so important to restrict certain domains to
>> certain virtual desktops?
> All these restrictions are about:
> 
> 0. Save time - all appears same place (mean desktop set) - no 
> annoying 

Re: [qubes-users] I haven't received updates for dom0 for more than 3 weeks!

2017-02-07 Thread Andrew David Wong
[Please keep the list CCed.]

On 2017-02-06 10:25, Lolint wrote:
> Thanks a lot Andrew
> 
> Last question: Can I now just go back to the onion repos?

Should be fine.

> Also how would the dom0 update process work given that it launches 
> in sys-firewall which isn't connected to whonix-gw but to sys-net?

In that case, you can set your UpdateVM as a ProxyVM that uses
sys-whonix as its NetVM. You can just create a new ProxyVM for this
purpose.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Oleg Artemiev
On Tue, Feb 7, 2017 at 12:51 PM, Zrubi  wrote:
> On 02/07/2017 10:29 AM, Oleg Artemiev wrote:
>
>> Could you, please, point me into what is already automated (repo +
>> path) and related brief dox on how execution is done currently (if
>> any)?
>>
>> My idea how it should look like:
>> a special qubes image:
>> *. preinstalled on some usb stick *. has only a preconfigured VMs:
>> netVM, firewallVM, user interface is not required.
> Qubes Live USB should do the job - but AFAIK that project is stalled.
(

>> Dom0 has a script in startup scripts that: *. runs HCL *. updates
>> HCL file: old data copied somewhere inside dom0 for user reference
>> *. copies file to net VM,
> These are handled/done by the hcl script itself.
nice

>> VM has a script: *. checks for  HCL file to be present each
>> minute *. checks that internet is available *. makes a gui request
>> to a user to fill required manual fields (model as the store names
>> it, user name(optional), and so on) *. once confirmed - sends HCL
>> file to specially assigned email at qubes.org
>
> What we need from the user is his/her actual experience. All the
> info collected by the hcl script are just pure hardware data. Without
> user experience it is useless.
Some data are 'pure hardware data' but very important (i.e. some sort of
restrictions) are possible only w/ specific CPU features - I'd never buy or
recommend  a laptop that is able to run Qubes but has no  full support for
 all Qubes features.  Having a tool to get this information right at the seller
 store should be nice .

>> Qubes web: *. A script on qubes.org updates some HCL html in
>> predefined format
> Here is the current workflow as i did it before:
> https://groups.google.com/d/msg/qubes-users/RagFsGlhPTY/HXyRCQOUBQAJ
>
> See that old thread for more ideas about a better HCL reporting.
Thank you, 'll look.

Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



[qubes-users] Re: How to setup netVM to allow updates

2017-02-07 Thread CF
On 02/05/2017 11:37 AM, CF wrote:
> Hello,
> 
> I have replaced the default netVM with one based on fedora-24-minimal.
> Internet access works fine but update of templateVMs is broken. Any idea
> on how to fix this?
> 
> Thx
> 
> Qubes OS 3.2
> Fedora-24-minimal + recommended packages
> https://www.qubes-os.org/doc/templates/fedora-minimal/
> 

Hi,

Just to say that tinyproxy was missing due to GitHub Issue #2606.
Everything works fine.

Sorry for double posting here and at
https://groups.google.com/forum/#!topic/qubes-users/sR7Z5KkL5NQ

Thx



Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Jean-Philippe Ouellet
I started an effort to automate HCL updating a few months ago and
thought I'd pass on my notes in case anyone finds them useful.

First, you'll probably want a complete and incrementally-updateable
local mailing list archive. The most reliable way I've found to dump
google groups is with [1] (amusingly implemented in bash).

To decode the mails to extract the HCL files, I tried to use ripmime
[2], but hit cases in our archives that crashed it [3]. I got
sidetracked trying to produce a minimal case reproducing the crash and
determine if it was exploitable, but other priorities took over.

The crashing cases in our archives included the following (which are not HCLs):
- https://groups.google.com/forum/#!msg/qubes-users/8n9i1GiIl7s/jvIkXCiV0awJ
- https://groups.google.com/forum/#!msg/qubes-users/h_5wX9IN-MI/XRlekv-GcU4J
- https://groups.google.com/forum/#!msg/qubes-users/jr8BWxhmQq4/KteMXP5nxd8J
- https://groups.google.com/forum/#!msg/qubes-users/v739hab0FDo/Yru2TDVAEX8J

Reported upstream, but maybe you want to use a different mime-decoder
regardless.

[1]: https://github.com/icy/google-group-crawler
[2]: http://www.pldaniels.com/ripmime/
[3]: 
https://gist.githubusercontent.com/anonymous/239a136df2479d36f085e075ddc52287/raw/d6a2fb64ce9e64a8fa1de2962f8bc447e395d14e/ripmime-crash.txt

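
Added example (not part of the thread and not code from any poster): one way to combine the two suggestions in this thread, filtering on "HCL" in the subject before decoding and using a different MIME decoder than ripmime, here Python's standard `email` package. It assumes HCL reports arrive as `.yml`/`.yaml` attachments; the size cap, function names and sample mails are constructed for illustration.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Assumed cap: HCL reports are small text files, so anything larger is skipped.
MAX_ATTACHMENT_BYTES = 256 * 1024
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name):
    """Reduce a sender-controlled attachment name to a flat, harmless file name."""
    # Keep only the last path component, whichever separator the sender used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace anything outside a conservative whitelist and forbid dotfiles.
    base = UNSAFE_CHARS.sub("_", base).lstrip(".")
    return base[:100] or "unnamed"


def extract_hcl_attachments(raw_bytes):
    """Return [(safe_name, payload_bytes)] for YAML attachments of HCL mails.

    Archive mails are untrusted input: anything malformed is skipped so one
    bad message cannot abort a batch run over the whole archive.
    """
    try:
        msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
        subject = str(msg.get("Subject", ""))
    except Exception:
        return []
    # Filter on the subject first, before touching any attachment.
    if "hcl" not in subject.lower():
        return []
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        try:
            name = part.get_filename()
            if not name or not name.lower().endswith((".yml", ".yaml")):
                continue
            payload = part.get_payload(decode=True)
        except Exception:
            continue  # undecodable part: skip it, keep processing the rest
        if payload is None or len(payload) > MAX_ATTACHMENT_BYTES:
            continue
        found.append((safe_filename(name), payload))
    return found


def build_sample(subject, filename, data):
    """Build a constructed test mail with one attachment (sample input only)."""
    m = EmailMessage()
    m["From"] = "user@example.invalid"
    m["To"] = "list@example.invalid"
    m["Subject"] = subject
    m.set_content("report attached")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("HCL - Constructed Laptop", "Qubes-HCL-constructed.yml",
                     b"brand: constructed\n"),
        build_sample("Re: traveling - best practice", "notes.yml", b"x: 1\n"),
        build_sample("HCL report", "../../tmp/x.yml", b"brand: constructed\n"),
        b"\xff\xfe this is not a mail at all",
    ]
    for raw in samples:
        print(extract_hcl_attachments(raw))
```

Write each returned payload under a dedicated output directory using only the sanitised name, and run the extraction in a disposable VM since the archive content is untrusted.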


Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Zrubi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02/07/2017 10:29 AM, Oleg Artemiev wrote:

> Could you, please, point me into what is already automated (repo + 
> path) and related brief dox on how execution is done currently (if
> any)?
> 
> My idea how it should look like:
> 
> a special qubes image:
> 
> *. preinstalled on some usb stick *. has only a preconfigured VMs:
> netVM, firewallVM, user interface is not required.

Qubes Live USB should do the job - but AFAIK that project is stalled.


> Dom0 has a script in startup scripts that: *. runs HCL *. updates
> HCL file: old data copied somewhere inside dom0 for user reference 
> *. copies file to net VM,

These are handled/done by the hcl script itself.


> VM has a script: *. checks for HCL file to be present each
> minute *. checks that internet is available *. makes a gui request
> to a user to fill required manual fields (model as the store names
> it, user name(optional), and so on) *. once confirmed - sends HCL
> file to specially assigned email at qubes.org

What we need from the user is his/her actual experience. All the
info collected by the hcl script is just pure hardware data. Without
user experience it is useless.

> Qubes web: *. A script on qubes.org updates some HCL html in
> predefined format

Here is the current workflow as I did it before:
https://groups.google.com/d/msg/qubes-users/RagFsGlhPTY/HXyRCQOUBQAJ

See that old thread for more ideas about a better HCL reporting.



-- 
Zrubi



Re: [qubes-users] I have a bank vm, how do you restrict

2017-02-07 Thread Oleg Artemiev
On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
 wrote:
>> I have a bank vm, how do you restrict the browser from being able to go
>> elsewhere? Do you add the iprules in the vm or do you create a proxyvm and add
>> the iprules there?
>>
>> I've tried both, and created an email vm with iprules "deny everything
>> except"
>>
>> But then neither vm(s) will connect.
>>
>> Is there a proper way to do this?
>>
>> Or will I have to do the tinyproxy thing I've read elsewhere ?
> I've tried both solutions some time ago and definitely the tinyproxy solution
> works much better and can handle nicely dns round robin or servers behind
> load balancers. By the way this solution offers another nice possibility,
> you can use regular expressions and for example allow .*\.mycompany\.com$ on
> the counterpart, you will have to trust the dns resolution.
Look also for modules like 'request policy' and 'no script'  or
'policeman' that implements nice GUI allowing both types in a single
place.

Request policy + 'ask for reload permission' should be enough to
control in a single VM for a few banks in a single place.
Not as secure as proxying and denying in some other VM, but easy +
GUI controls + requires some configuration work at start.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Oleg Artemiev
On Sun, Feb 5, 2017 at 3:39 PM, Andrew David Wong  wrote:
> On 2017-02-04 15:10, Oleg Artemiev wrote:
>>> This is a good time to mention that we're in need of an HCL
>>> maintainer. Our longtime volunteer HCL maintainer, Zrubi, no
>>> longer has the time to do it. We all owe Zrubi a debt of
>>> gratitude for keeping up this thankless task for so long! :)
>>> Any volunteers?
>> Why not to just script-out this once and forget?
>>
>> source information: email from someone, output information -> some
>> file to put on the web?
> Some stuff still had to be edited manually, but it could indeed be
> automated better. Can you help us with that? :D
I'm interested in helping automate this. Though can't claim that it
will be fast.

Could you, please, point me into what is already automated (repo +
path) and related brief dox on how
execution is done currently (if any)?

My idea how it should look like:

a special qubes image:

*. preinstalled on some usb stick
*. has only a preconfigured VMs: netVM, firewallVM, user interface is
not required.

Dom0 has a script in startup scripts that:
*. runs HCL
*. updates HCL file: old data copied somewhere inside dom0 for user reference
*. copies file to net VM,

VM has a script:
*. checks for HCL file to be present each minute
*. checks that internet is available
*. makes a gui request to a user to fill required manual fields (model
as the store names it, user name(optional), and so on)
*. once confirmed - sends HCL file to specially assigned email at qubes.org

Qubes web:
*. A script on qubes.org updates some HCL html in predefined format

PS: I would prefer just a  single HCL usb stick run, that boots, asks
user for input  'seller named model as' and mail result automatically
(now or later if at runtime we had no internet) -
no user interface except this, GUI is optional, all Dom0/VM made in a
single place in modified Dom0, but that is against architecture and
making such an image may require much more
work than scripting this as a chain of small scripts + preconfigured
VMs. BTW: I'd like such a thing also for old versions of Qubes OS -
sooner or later we will face usual story that some
hardware is okay w/ old Qubes but too slow with new.
Alternatively we could have a special preconfigured VM image that does
all VM part above, but require user filling HCL to activate manually.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



Re: [qubes-users] I have a bank vm, how do you restrict

2017-02-07 Thread '0xDEADBEEF00' via qubes-users
Hi,
It's my first contribution on this list.

I've tried both solutions some time ago and definitely the tinyproxy solution 
works much better and can handle nicely dns round robin or servers behind load 
balancers. By the way this solution offers another nice possibility, you can 
use regular expressions and for example allow .*\.mycompany\.com$ on the 
counterpart, you will have to trust the dns resolution.

Best,

0xdeadbeef

 Original Message 
Subject: [qubes-users] I have a bank vm, how do you restrict
Local Time: February 7, 2017 9:11 AM
UTC Time: February 7, 2017 8:11 AM
From: elsiebuck...@gmail.com
To: qubes-users 

I have a bank vm, how do you restrict the browser from being able to go 
elsewhere? Do you add the iprules in the vm or do you create a proxyvm and add the 
iprules there?

I've tried both, and created an email vm with iprules "deny everything except"

But then neither vm(s) will connect.

Is there a proper way to do this?

Or will I have to do the tinyproxy thing I've read elsewhere ?

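An added example, not from the original posts: a quick audit of hostname allowlist patterns such as the `.*\.mycompany\.com$` quoted above, run against constructed hostnames before the pattern goes into a filtering proxy. Python's `re.search` stands in for the proxy's regex matching as an approximation, and the `loose` and `apex_and_subs` patterns are hypothetical variants added for comparison.

```python
import re

# Constructed hostnames: the first three belong to the allowed site,
# the last three are lookalikes an allowlist must reject.
SAMPLE_HOSTS = [
    "www.mycompany.com",
    "login.secure.mycompany.com",
    "mycompany.com",
    "mycompany.com.example.net",
    "evilmycompany.com",
    "wwwXmycompanyYcom.example.net",
]

PATTERNS = {
    # Hypothetical careless pattern: unanchored, dots left unescaped.
    "loose": r"mycompany.com",
    # The pattern quoted in the thread.
    "from_post": r".*\.mycompany\.com$",
    # Hypothetical variant that also admits the bare domain.
    "apex_and_subs": r"^([a-z0-9-]+\.)*mycompany\.com$",
}


def allowed(pattern, host):
    """Unanchored search, so anchoring has to be written into the pattern."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def audit(patterns=PATTERNS, hosts=SAMPLE_HOSTS):
    """Map each pattern name to the hostnames it would let through."""
    return {name: [h for h in hosts if allowed(p, h)]
            for name, p in patterns.items()}


if __name__ == "__main__":
    for name, hosts in audit().items():
        print(f"{name:14} allows {hosts}")
```

The filter only sees the hostname in the request, so even a tight pattern still relies on DNS resolution being trustworthy, as the post notes.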


[qubes-users] I have a bank vm, how do you restrict

2017-02-07 Thread elsiebuck105
I have a bank vm, how do you restrict the browser from being able to go 
elsewhere? Do you add the iprules in the vm or do you create a proxyvm and add the 
iprules there?

I've tried both, and created an email vm with iprules "deny everything except"

But then neither vm(s) will connect.

Is there a proper way to do this?

Or will I have to do the tinyproxy thing I've read elsewhere ?
