Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[fiftyfourthparallel]

>
> What can I say, I like doing things the hard way.
>

Some might say it's good for character building--like climbing Everest with 
minimal assistance when you can instead just hire a bunch of Sherpas to 
carry you.


I don't know much about PSP, or ME for that matter, but it seems to me 
> you're mostly screwed either way, so I figured I might as well save some 
> money while I'm at it.


Well, if the motivation is money then I think the amount of time someone 
with your level of knowledge has put into fixing the machine has gone way 
past $200 by now. I think you're in it for the journey.

I was going to say "why not an ARM computer" when I realised that a) there 
isn't a single non-Intel or AMD PC on the HCL, and b) ARM computers are 
hard to come by.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7fb4145d-1b71-4096-911f-37c54679c177%40googlegroups.com.

[qubes-users] Default fedora-30 template asking for password that I don't have

[fiftyfourthparallel]

Hello,

I have a fresh installation of Qubes 4.0.2 on a Dell Inspiron 5593 with an 
untouched fedora-30 template. Aside from some minor hiccups during 
installation, no compatibility issues have been detected. (Note: I know 
more about tech than the layperson, but not enough to call myself a 
'techie').

Following the instructions on the Qubes guide to randomizing my MAC address 
, I cloned the 
template and attempted to modify it for my netVMs. When creating the 
'00-macrandomizer.conf' file in the '/etc/NetworkManager/conf.d' folder, I 
was told that I don't have permission to do so. This struck me as odd, 
since I recently read Joanna's message in the sudoers' folder about 
passwordless root. I tried every password that I've set on the machine 
(including the root password set during installation), but nothing works. 

Anyone have any idea what's going on? In case it's relevant, the command 
line starts with "user".


P.S. Does creating a firewallVM just for TOR connection (i.e. proxy between 
whonix/TAILS appVM and whonix-15-gw netVM) increase security or just waste 
computational resources?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bc63be86-1c0f-41ea-9294-04c379c6bf7c%40googlegroups.com.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[Claudia]

January 6, 2020 3:52 AM, fiftyfourthparal...@gmail.com wrote:

>> Inspiron 5575, AMD 2500U
> 
> A newly-released machine with an AMD CPU and GPU? Are you a masochist or 
> someone who's looking to
> perform feats of strength? (Like climbing Everest). Or is Intel really that 
> unpalatable for you?
> From what I've read, AMD's PSP is much more opaque and questionable compared 
> to Intel's ME. Is this
> true?

Now you understand why it's taken me this long! What can I say, I like doing 
things the hard way.

I went with it mainly for cost reasons. The 2500U is roughly equivalent to the 
i5-8250U performance-wise but seems to run about $200 cheaper. And at the time 
I thought Qubes compatibility was about the same for AMD and Intel, which may 
be true for most product lines but not for Ryzen apparently. I don't know much 
about PSP, or ME for that matter, but it seems to me you're mostly screwed 
either way, so I figured I might as well save some money while I'm at it. This 
was even before the recent Intel shit show. Plus, I got a really good deal on 
this particular machine (so admittedly a bit of an impulse buy). And I have to 
say, despite a lot of troubleshooting and a few remaining glitches, it actually 
runs Qubes surprisingly well, all things considered. But... yeah, kids, don't 
try this at home.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2525db23536f8634762989746ae6caee%40disroot.org.

Re: [qubes-users] Perplexed, why do so many here seem to prefer Fedora instead of ?

[Chris Laprise]

On 1/5/20 12:09 PM, gorked wrote:
I thought Fedora was the free publicly available version of the test bed 
for Red Hat Linux?  That is Fedora being the version that will become 
Red Hat?


The way I remember Marek explaining it (and correct me if I'm wrong, 
Marek) is that choosing Fedora was mostly chance bc that's what he was 
used to at the time.


You are right that Fedora is a test bed for Red Hat, and it has some 
pretty serious downsides as a result. Foremost is that TPTB don't allow 
Fedora to cryptographically sign their top level repository manifests. 
This means that any MITM attacker can pick which packages don't receive 
updates, even though the overall update proceeds in an apparently normal 
manner.


Virtually all other distros that are half-way popular sign their repo 
metadata so that any MITM attempts can be prevented.


More downsides are that less quality testing occurs, packages of all 
types (and sizes) get 'dumped' into the update stream much more 
frequently, and the more flagrant mistakes with Red Hat's in-house tech 
like Systemd land right in users' laps (I've found that Debian's Systemd 
releases are less bug-ridden than Fedora's).




I though CentOS and Oracle Linux were free publicly available versions 
of the current stable versions of Red Hat?


Those are two distros came much later on, and they weren't under control 
of Red Hat (although RH did take over CentOS a few years back).




And that basically Red Hat is from only free software sources?  
Excepting some folks might add non-free Firmware drivers if they chose?


Seems like the stable version of Red Hat, renamed something else to make 
the Linux OS available for free, would be more secure.


The problem with both RHEL and CentOS is that they're the opposite of 
Fedora: Very staid, and non-security updates come slowly. That's a 
problem for Qubes since it spent 5+ years charting new territory in the 
hardware features + Linux/Xen compatibility matrix.


I actually think a better overall distro for Qubes is Debian, which is 
available as a Qubes template (but not for dom0). The reason is that its 
'serious' and well tested/supported, but also has layers that allow you 
to install and try newer more experimental versions of software. Due to 
it popularity, Debian also has more software to choose from in its 
repositories. (An example of this in action: 
https://groups.google.com/d/msgid/qubes-users/e050ed1e-181a-45b4-89be-b8250c1924fc%40googlegroups.com 
).


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/99920ce0-7e77-584a-0a50-16306783b0b7%40posteo.net.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[fiftyfourthparallel]

>
> Inspiron 5575, AMD 2500U
>

A newly-released machine with an AMD CPU and GPU? Are you a masochist or 
someone who's looking to perform feats of strength? (Like climbing 
Everest). Or is Intel really that unpalatable for you? From what I've read, 
AMD's PSP is much more opaque and questionable compared to Intel's ME. Is 
this true?

Sorry for the barrage of questions--your choice of laptop really piqued my 
curiousity.

Hmm, that's odd. I would recommend starting a new thread.


Thanks--I'll get onto that soon. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cb7a921e-7b38-4477-9097-08abc0224993%40googlegroups.com.

Re: [qubes-users] Re: No Suspend/Resume on Dell Latitude 7400 (i5-8365U) with 4.0.2rc3

[Claudia]

January 6, 2020 3:14 AM, dmoer...@gmail.com wrote:

> On Sunday, January 5, 2020 at 9:49:42 PM UTC-5, Guerlan wrote:
>> can you tell me how you figured this out? I've been trying to fix a suspend 
>> bug in mine and It'd be
>> helpful to know how you debugged things
> 
> Mostly trial and error, trying all the things listed above. Two little tricks 
> to use:
> 
> 1. Look at the end of journalctl right before it tries to suspend. This is 
> where I saw that it was
> going into s2idle, which then brought me to this thread:
> https://groups.google.com/forum/#!msg/qubes-users/TmGDlkluJgM/1BFsQZWNDAAJ;context-place=forum/qubes
> users This Dell did not have the lack of S3 that the new Thinkpads have, but 
> it did still try to
> use s2idle.

/sys/power/mem_sleep will list supported modes, with the default in brackets. 
You can echo to it to set the default at runtime, or use the boot parameter.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c90b972acea666dd9454ad277bb3%40disroot.org.

[qubes-users] Re: No Suspend/Resume on Dell Latitude 7400 (i5-8365U) with 4.0.2rc3

[dmoerner]

On Sunday, January 5, 2020 at 9:49:42 PM UTC-5, Guerlan wrote:

> can you tell me how you figured this out? I've been trying to fix a 
> suspend bug in mine and It'd be helpful to know how you debugged things 
>

Mostly trial and error, trying all the things listed above. Two little 
tricks to use:

1. Look at the end of journalctl right before it tries to suspend. This is 
where I saw that it was going into s2idle, which then brought me to this 
thread: 
https://groups.google.com/forum/#!msg/qubes-users/TmGDlkluJgM/1BFsQZWNDAAJ;context-place=forum/qubes-users
 
This Dell did not have the lack of S3 that the new Thinkpads have, but it 
did still try to use s2idle.

2. Run speaker-test in dom0 before suspending, if you hear sound on resume 
then it's some sort of a screen problem.

What hardware do you have? If it's corebooted you might want to check out 
this thread: 
https://groups.google.com/forum/#!msg/qubes-users/bHJJhK4HtIw/ieQkoJePCgAJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a6723332-968f-45e1-a376-40cb7cc801c8%40googlegroups.com.

Re: [qubes-users] How to Upgrade an Application in VM

[Ray Joseph]

On Saturday, January 4, 2020 at 10:14:38 PM UTC-6, Chris Laprise wrote:
>
> On 1/4/20 9:31 PM, Ray Joseph wrote: 
> > Qubes R4.0.2 rc3 
> > 
> > I would like to get the latest Sagemath and Jupyter on a VM. 
> > 
> > I am using the Fedora 30 tempateVM which I updated from 29.  I then 
> > cloned the Fedora 30, and added sagemath with: 
> > dnf install sagemath 
> > 
> > Is there a term for this type of installation? 
>
> That's simply "template installation" or perhaps "customized template". 
> This is usually the safest way to add apps. 
>
> > 
> > The next version of sagemath is to have full Python 3 capabilities. 
> > 
> > I am concerned on how to install the latest because when I made the 
> > initial sagemath the newest version was 8.9 but the install was 8.8.   
> > When the next version comes out, I would like to assure I get the 
> latest. 
> > 
> > How do I get the latest? 
> > 
> > What concerns/risks should I consider for this installation? 
>
> This page seems to indicate 8.9 isn't available yet from the fedora 
> site: https://apps.fedoraproject.org/packages/sagemath 
>
> The sage site offers new packages for Debian and Ubuntu (they appear to 
> strongly prefer these two) but not Fedora, which is why I think it 
> becomes available on Debian before Fedora. But downloading directly 
> isn't really secure in this case. 
>
> Probably the easiest route using secure update channels is to install a 
> Qubes Debian 10 template and enable 'Sid' repository which has the 8.9 
> version. However, there is some risk that the template could break so 
> clone the template first. 
>
> Debian 10 instructions: 
>
> 1. Create a file '/etc/apt/apt.conf.d/local' containing this line: 
>
> APT::Default-Release "stable"; 
>
> 2. Edit the file '/etc/apt/sources.list' to add this line: 
>
> deb https://deb.debian.org/debian sid main 
>
> 3. Run 'sudo apt-get update' to refresh the package db. Then you can 
> install the 8.9 version with 'sudo apt-get install sagemath -t sid'. 
>
> -- 
>
> Chris Laprise, tas...@posteo.net  
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>

Chris,

This sounds like a great path.  I will do it.

Thank you 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a69784dc-2dbf-408d-95c7-0c0bd03e65a1%40googlegroups.com.

[qubes-users] Re: No Suspend/Resume on Dell Latitude 7400 (i5-8365U) with 4.0.2rc3

[Guerlan]

On Saturday, January 4, 2020 at 7:00:54 PM UTC-3, dmoe...@gmail.com wrote:
>
> The suspending problem was s2idle. Adding mem_sleep_default=deep to the 
> kernel= line of /boot/efi/EFI/qubes/xen.cfg fixes the suspend problem.
>
> Installing kernel-latest (5.3.11-1) fixes the last two problems with 
> completing shutdown and with a lack of a bootsplash.
>
> I'll post an HCL in a moment. Everything now works flawlessly.
>
> Daniel
>


can you tell me how you figured this out? I've been trying to fix a suspend 
bug in mine and It'd be helpful to know how you debugged things 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/601cf502-8ac2-4749-9709-fbc534109508%40googlegroups.com.

Re: [qubes-users] Feature request

[*NULL* **]

> January 5, 2020 7:50 PM, "Franz" <169...@gmail.com> wrote:
> 
> > May be it already somehow exists and I am not aware of it, but it would be 
> > very
> > interesting to be able to save backup settings, that is a list of VMs that 
> > contain
> > your current ordinary activity and you want to backup more often and fast.
> > 
> > I mean not everything which in my case is over 250gb, not only vaultVM, 
> > which is easy
> > to set, but lacking other important VMs.
> > 
> > Rather being able to save a list of perhaps 5-7 more important VMs so that 
> > they are
> > ready for a fast backup.
> > 
> > I know there is a CLI that does just that and once even wrote a script for 
> > that, but
> > I am never sure it still works as intended over so many Qubes upgrades and 
> > after
> > every new Qubes installation all my scripts are moved from home to 
> > elsewhere for some
> > reasons that do not understand yet.
> > 
> > So backup is important and any incentive to win backup lazyness is worth 
> > every
> > effort, particularly because automating Qubes backups is impossible or 
> > extremely
> > difficult.
> > 
> > Is it complicated to add this "save backup setting" to the GUI?
> > Best  
> 
> Isn't that sort of what "Qube Settings > Basic > Include in backups by 
> default" does?
> 


Yes it is.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/47rXHk5tmqz9rxK%40submission02.posteo.de.

Re: [qubes-users] Pass control to secure VM to enter+hash passwords?

[haaber]

On 1/5/20 8:34 PM, Emma Borhanian wrote:

Hi, I was thinking about writing an application to do spaced repetition
of passwords for my rarely-accessed backup drives etc.

I've read qubes-wiki/data-leaks
 and while I could just store
hashed passwords, the VM that runs my password spaced repetition
software could still exfiltrate data when I enter the passwords.

What if I could have a secure modal pop up in a separate VM, ask me for
the password, hash it, and then pass it back to the VM running my spaced
repetition software, is something like that possible?


Nice question. The passthrough is certainly not a problem, although I
have no ready script for you. But the software you use must then accept
hashed passwords, right? Is this the case? Also, if the hashed pwd is
enough to decode whatever, what is the pwd good for? I mean, the hash
has then the same "leaking value" as the pwd itself! This means that you
need a more sophisticated protocol of "proving that you know something"
without revealing it.

Often, loopback is you friend. Here is an example, I guess qubes-backup
works essentially that way internally:

1) attach and mount a physical device to appVM1
   (so sys-usb / net won't see anymore what you do with the data)
2) in AppVM1, do losetup /dev/loopX  your-encrypted-container-file
   then attach that loopback device to a special decrypt-APPVM
   (that has no network, of course). in decrypt-VM use
   cryptsetup luksOpen to "open" it there.
   This gives a /dev/mapper/SOMENAME file
3) attach that last one to a user-VM.

The user can read/write data, but never sees/enters a pwd. sys-usb only
sees encrypted data-flow, appVM1 as well (this one may be a temporary
one, as well as decrypt-VM).  Bernhard

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a1d8f3a-0f15-f501-af54-346b060a750b%40web.de.

Re: [qubes-users] Feature request

[Claudia]

January 5, 2020 7:50 PM, "Franz" <169...@gmail.com> wrote:

> May be it already somehow exists and I am not aware of it, but it would be 
> very interesting to be
> able to save backup settings, that is a list of VMs that contain your current 
> ordinary activity and
> you want to backup more often and fast.
> 
> I mean not everything which in my case is over 250gb, not only vaultVM, which 
> is easy to set, but
> lacking other important VMs.
> 
> Rather being able to save a list of perhaps 5-7 more important VMs so that 
> they are ready for a
> fast backup.
> 
> I know there is a CLI that does just that and once even wrote a script for 
> that, but I am never
> sure it still works as intended over so many Qubes upgrades and after every 
> new Qubes installation
> all my scripts are moved from home to elsewhere for some reasons that do not 
> understand yet.
> 
> So backup is important and any incentive to win backup lazyness is worth 
> every effort, particularly
> because automating Qubes backups is impossible or extremely difficult.
> 
> Is it complicated to add this "save backup setting" to the GUI?
> Best

Isn't that sort of what "Qube Settings > Basic > Include in backups by default" 
does?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/08ab9bda08ab38dc0a70263986dcafaf%40disroot.org.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[Claudia]

January 5, 2020 4:58 PM, fiftyfourthparal...@gmail.com wrote:

> Seems like you're taking the super-comprehensive route (including flashing 
> Coreboot) on a
> low-compatibility machine. Maybe one day I'll have enough proficiency to 
> really make a machine

I personally haven't gotten anywhere near that far with this machine, I was 
just giving you some general examples. I don't think it's even supported by 
Coreboot or AEM. You're right though, is definitely a low-compatibility 
machine. It's also a somewhat new model, so some of the hardware support hasn't 
necessarily made it to Qubes yet.

> mine.Out of curiousity, what model are you working on?

Inspiron 5575, AMD 2500U

> I'll give the Youtube Suspension Test a try once I connect my machine to the 
> net. I'm one step away
> from that, but I'm stuck--I'm trying to follow the instructions on the Qubes 
> site to randomize my
> MAC address, but the fedora-30 template seems to be locked with a password 
> that isn't mine. From
> all that I've read (including Joanna's explanation in the sudoers folder), 
> I'm not supposed to be
> prompted for a password, yet here I am.
> 
> Don't want to make a thread for what could be a trivial Linux mistake that 
> isn't specific to Qubes.
> Would you happen to know anything about this?

Hmm, that's odd. I would recommend starting a new thread. Include the terminal 
output you're seeing, or a screenshot, and what steps got you there.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/952bff156901b49eef8fc3618d829277%40disroot.org.

[qubes-users] Feature request

[Franz]

May be it already somehow exists and I am not aware of it, but it would be
very interesting to be able to save backup settings, that is a list of VMs
that contain your current ordinary activity and you want to backup more
often and fast.

I mean not everything which in my case is over 250gb, not only vaultVM,
which is easy to set, but lacking other important VMs.

Rather being able to save a list of perhaps 5-7 more important VMs so that
they are ready for a fast backup.

I know there is a CLI that does just that and once even wrote a script for
that, but I am never sure it still works as intended over so many Qubes
upgrades and after every new Qubes installation all my scripts are moved
from home to elsewhere for some reasons that do not understand yet.

So backup is important and any incentive to win backup lazyness is worth
every effort, particularly because automating Qubes backups is impossible
or extremely difficult.

Is it complicated to add this "save backup setting" to the GUI?
Best

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qDNAW9rDge7SsAjBXdPbBfS0mGz03tdmbZ3RJY7XM5btw%40mail.gmail.com.

[qubes-users] Pass control to secure VM to enter+hash passwords?

[Emma Borhanian]

Hi, I was thinking about writing an application to do spaced repetition of
passwords for my rarely-accessed backup drives etc.

I've read qubes-wiki/data-leaks  and
while I could just store hashed passwords, the VM that runs my password
spaced repetition software could still exfiltrate data when I enter the
passwords.

What if I could have a secure modal pop up in a separate VM, ask me for the
password, hash it, and then pass it back to the VM running my spaced
repetition software, is something like that possible?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAHeAiQ_YKONRx1MmKVCWq3cZ9TofcyWJPdT8nRAKktHz2hTwoQ%40mail.gmail.com.

[qubes-users] Perplexed, why do so many here seem to prefer Fedora instead of ?

[gorked]

I thought Fedora was the free publicly available version of the test bed 
for Red Hat Linux?  That is Fedora being the version that will become Red 
Hat?  

I though CentOS and Oracle Linux were free publicly available versions of 
the current stable versions of Red Hat?  

And that basically Red Hat is from only free software sources?  Excepting 
some folks might add non-free Firmware drivers if they chose?  

Seems like the stable version of Red Hat, renamed something else to make 
the Linux OS available for free, would be more secure.   

One of the big differences being that if one buys Red Hat, versus the free 
version, that one is paying for support, also some of the development 
costs.   

What gives?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e050ed1e-181a-45b4-89be-b8250c1924fc%40googlegroups.com.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[fiftyfourthparallel]

Seems like you're taking the super-comprehensive route (including flashing 
Coreboot) on a low-compatibility machine. Maybe one day I'll have enough 
proficiency to really make a machine *mine*.Out of curiousity, what model 
are you working on?

I'll give the Youtube Suspension Test a try once I connect my machine to 
the net. I'm one step away from that, but I'm stuck--I'm trying to follow 
the instructions on the Qubes site to randomize my MAC address, but the 
fedora-30 template seems to be locked with a password that isn't mine. From 
all that I've read (including Joanna's explanation in the sudoers folder), 
I'm not supposed to be prompted for a password, yet here I am.

Don't want to make a thread for what could be a trivial Linux mistake that 
isn't specific to Qubes. Would you happen to know anything about this?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/94975636-4947-40b3-9043-b796b1e7c973%40googlegroups.com.

Re: [qubes-users] fedora template rpm refuses to go away?

['awokd' via qubes-users]

River~~:

> Attempts to remove it with
> 
> dnf remove qubes-template-fedora-30
> 
> initially claim that one package will be removed (so no dependencies,
> right?) saving 5G space. However it goes on to fail as the pre-uninstall
> triggers fail. The error message appears twice.

Nothing in qubes-prefs referencing it? If not, could be a bug.

> I'm also wondering if it's actually a bug in the pre un triggers, and they
> are being over protective; in which case that's a different issue.
> 
> But before raising either as an issue I'd like to understand which (if any)
> of these apply. So my questions are:
> 
> 1. does Dom0 actually depend internally the fedora template somehow, even
> though it is not using it as a template in the normal Qubes way?

Shouldn't!

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4e9717cf-06e9-47ff-342e-29efe26b7483%40danwin1210.me.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[Claudia]

January 5, 2020 12:30 PM, fiftyfourthparal...@gmail.com wrote:

>> My HCL report for this machine is now almost six months in the making, all 
>> told.
> 
> If an HCL report is taking someone with your level of knowledge six months to 
> compile, then it's
> probably incredibly discouraging for many, if not most, would-be 
> contributors. I know I'm
> discouraged, despite the fact that my new Inspiron 5593 (Ice Lake) is almost 
> unbelievably
> compatible with Qubes once some minor obstacles during installation have been 
> overcome based on
> what I've experienced so far.
> 
> Is there a simplified HCL report process for someone that's not as 
> technically inclined as someone
> like you are?

It's not the HCL report that takes that long. When I first installed Qubes I 
had my initial HCL report done in a couple of minutes. It's all the 
troubleshooting, much of which is optional depending on your needs. I've been 
continuing to update my report as I fix things, which is why it's taking so 
long. Like you said, there's a lot of luck to it. I had pretty bad luck 
initially, although I've been able to fix a lot of the problems with time. In 
your case, for example, you may find that pretty much everything just works, 
and you can have a fairly complete report done in no time. And if something 
doesn't work, you can just put down "doesn't work," you don't have to fix it 
unless you need to or want to.

Of course, the more thoroughly you test the machine, the more time it will 
take. For example things like setting up AEM, flashing Coreboot, setting up 
LUKS to work with a USB keyboard, can be non-trivial even if you're successful 
on the first try. Even little things can add up: UEFI mode, secure boot, 
firmware updates, wifi, audio, bluetooth, touchscreen, keyboard backlight, HDMI 
video and audio, DisplayPort, USB passthru, USB 3.0 support, wired networking, 
SD card slot, screen power management, webcam and microphone, headphone jack, 
lid switch, multimedia keys, accelerated graphics, WWAN etc.

Like I said, if you suspend/resume with a youtube video playing, you've already 
tested all the most commonly used features. Also you don't have to test 
everything at once. You can always update your report later. On top of that, 
keep in mind everything is subject to change with every update you install.

My advice is don't worry too much, and don't let yourself get discouraged. Do 
what you can, and when you've had enough, just submit what you have so far and 
come back to it later.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ebaff9812b90860bf0454f2d3d921b40%40disroot.org.

Re: [qubes-users] Does the latest Linux kernel improve security for qubes?

[fiftyfourthparallel]

>
> My HCL report for this machine is now almost six months in the making, all 
> told.


If an HCL report is taking someone with your level of knowledge six months 
to compile, then it's probably incredibly discouraging for many, if not 
most, would-be contributors. I know I'm discouraged, despite the fact that 
my new Inspiron 5593 (Ice Lake) is almost unbelievably compatible with 
Qubes once some minor obstacles during installation have been overcome 
based on what I've experienced so far.

Is there a simplified HCL report process for someone that's not as 
technically inclined as someone like you are?

>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b3a21f7d-7eb8-4845-988d-9fcd9eea326c%40googlegroups.com.

[qubes-users] fedora template rpm refuses to go away?

[River~~]

Hi all,

Just did a new install of the shiny new R 4.0.2 (not the rc!).

((Judging by the date on some of the rpm packages some of the Qubes team
spent Christmas day building packages - a nice present to the community,
thank you and seasons greetings))

I saved all the VMs from rc3 to restore to the new system and so installed
with no extra software, no Debian no Whonix from anaconda. Later on the
first boot I selected the bottom checkbox to not configure anything.

During the install I noticed that anaconda spends quite a long time
installing the fedora template package (the progress bar stools for a
while). This is mildly irritating as I base everything on Debian, apart
from Dom0 of course, bit that does not use a template (or at least not
visibly so)

So, as expected, no fedora template shown in Qube manager. It's still
listed by

dnf list installed

Attempts to remove it with

dnf remove qubes-template-fedora-30

initially claim that one package will be removed (so no dependencies,
right?) saving 5G space. However it goes on to fail as the pre-uninstall
triggers fail. The error message appears twice.

If most of that package is not being used in my use case, it would be nice
to be able to save most of that 5G of space -- so my question is whether
all, most, a little, or none of the package is used by a Qubes system
that's not using fedora templates?

I'm wondering whether to raise an issue to request refactoring of the
template rpm into the parts needed only by the template as a template and
the parts needed by Dom0 or other parts of Qubes.

I'm also wondering if it's actually a bug in the pre un triggers, and they
are being over protective; in which case that's a different issue.

But before raising either as an issue I'd like to understand which (if any)
of these apply. So my questions are:

1. does Dom0 actually depend internally the fedora template somehow, even
though it is not using it as a template in the normal Qubes way?

2. And what approximate proportion of the software in that package is
unused when there is no fedora template?

Happy New Year to all the Qubes devs, and all the unofficial experts who
share their time on this list

R~~

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAK3jUKpOQfPjtgMo3X5HyTVVabtbF7Z-KU2iimpOrxYXNbD-QA%40mail.gmail.com.