[qubes-users] Re: requesting i3-gaps package

[Yethal]

W dniu środa, 15 kwietnia 2020 09:30:31 UTC+2 użytkownik Frédéric Pierret 
napisał:
>
>
>
> On 2020-04-15 08:59, Mr CapsLock wrote: 
> > Hi, I'm a Qubes-OS user. It's the best OS that I had. 
> > 
> > Thanks for this project. 
>
> Welcome! 
>
> First of all, if you were not aware, please CC at least Qubes users 
> mailing list for such request. 
>
> > I like tiling window manager like i3, but it's not very impressive 
> without gaps. How can I request to add i3-gaps package officially for 
> Qubes-OS? 
>
> I would suggest you to create an issue here: 
> https://github.com/QubesOS/qubes-issues/issues/ 
>
>
> > I'm not pro user but maybe i can help to add this, but can you help me 
> on that? 
> > 
> > In new release, i mean new release that have gui manager, is it possible 
> to use i3-gaps on Qubes-OS? 
>
> I'm not sure about what you are talking about for 'gui manager', maybe you 
> refer to the Gui domain called GuiVM in upcoming 4.1 release? In all the 
> cases, it's already possible to use i3 as primary desktop (I'm using it) 
> and packages are available in official Qubes repositories. We don't provide 
> i3-gaps yet but that could be possible. We don't aim to provide every 
> desktop but that could possible into QubesOS-contrib repository. 
>
> So first of all, please create an issue as we can exchange about 
> possibilities on it. 
>
> Best, 
> Frédéric 
>
> i3-gaps is not really a best choice for Qubes as it by default hides 
titlebars from all the windows. On regular Linux distros it's not really an 
issue however on Qubes where the titlebar is used to identify parent AppVM 
of a given window this is a potential security issue. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df570c4e-f0ff-4af2-be74-64ca469572db%40googlegroups.com.

Re: [qubes-users] Creating ones own Insurgo

[David Hobach]

On 4/15/20 6:05 PM, Catacombs wrote:

I purchased a refurbished Lenovo X 230 Core I5, 4 GB RAM, and a spinning hard 
drive, Windows 7 Pro for $228.00.

I ordered 16 GB RAM for about a hundred dollars. I thought the RAM would be 
less expensive.

My first mistake was to raise the BIOS/EFI to 2.77.  Turns out Intel encrypts 
something to prevent one from rolling back the BIOS/EFI.

The option I had before was to run a jailbreak on the Lenovo that should allow 
me to neutralize the Intel Management Engines ability to get updates from 
Intel.  Intel also had a whitelist that limits which WiFi chip it will allow to 
be used.  I guess to make sure the Intel Management Engine can talk to the 
mothership.That jailbreak does not one to take apart the laptop. The 
jailbreak is on github 1vyrain.  The site says do not attempt to use the 
jailbreak unless one has the allowed, correct, lower version of BIOS/EFI or it 
will brick it.  As I write this I see some folks who say (Lenovo Forum) they 
have -done something - to roll back BIOS/EFI to 2.6.  So they could use 
1vyrain.  Jailbreak 1vyrain actually accomplishes two of the big items I 
require. Prevent Intel from changing my X230 to something I do not want.  And 
allow me to use another WiFi chip.


The jailbreak doesn't even require hardware access. So no pi, Pomona etc.

However it cannot disable Intel ME if I recall correctly. Just check 
their site.



Flashing the Lenovo X230 BIOS/EFI w
ith an EEPROM is git hub Skulls.  Which requires I spend money. And the 
documentation for doing that is not obvious, and old.

I decided I should buy a PI to program the X230.  I started to buy one from 
Amazon  and cancelled that when I saw the voltage on the power supply was 2.5 
volts and someone said not use 3.3 Or less as the flash might not work 
correctly.  Someone suggested ADA Fruit for the Pi. But the more complete ones 
are not
In stock. I am waiting on Corona money to buy one so I wil keep looking.  I had 
a link once suggested by Insurgo. But it came from China, and took many weeks 
before the Corona started.

My first questions. I had thought while looking at the Skulls there would be an 
option for Core I5 versus Core I7. I haven’t seen it so far.  Does that matter?


For coreboot it doesn't matter which CPU you have.

For Qubes OS i7 quad core is usually a lot better than i5 dual core on 
these old platforms. The latter might make Qubes OS almost unusable.


However you'll have to make sure the CPU supports VT-d. There are some 
which don't - usually the gamer models. Check ark.intel for that.



Clearly states to remove the battery, but did not say the coin CMOS battery.  
In fact I have not found that little turkey.


I'd recommend to also remove that. Check the tons of youtube videos on 
X230 disassembly on where to find it. There's also a Lenovo hardware 
maintenance manual describing all steps.



I want to have enough in my bank account to afford a replacement MOBO if I 
brick this one and can’t unbrick it.


There's probably even youtube videos flashing the X230 out there.

And usually unbricking always works with hardware access to the 
firmware/BIOS chip.



Mostly the available documentation might have some flaw I am not experienced 
enough to catch.


One thing is obvious, while I my income may be to low to buy one, Insurgo 
products are not overpriced.  This project is a lot of trouble.  Parts. Tools. 
are not free.


True.


Anyone have recent experience with flashing Skulls onto Lenovo X230?


I didn't try skulls (it's just coreboot pre-compiled for the X230 if I 
recall correctly) as I don't like flashing some untrusted binaries from 
the Internet.


But I have some coreboot flashing experience (!= X230 though).

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/97fb4b49-a9c5-6c7a-d1d5-92c9a73bef8a%40hackingthe.net.


smime.p7s
Description: S/MIME Cryptographic Signature

[qubes-users] Creating ones own Insurgo

[Catacombs]

I purchased a refurbished Lenovo X 230 Core I5, 4 GB RAM, and a spinning hard 
drive, Windows 7 Pro for $228.00.

I ordered 16 GB RAM for about a hundred dollars. I thought the RAM would be 
less expensive. 

My first mistake was to raise the BIOS/EFI to 2.77.  Turns out Intel encrypts 
something to prevent one from rolling back the BIOS/EFI.  

The option I had before was to run a jailbreak on the Lenovo that should allow 
me to neutralize the Intel Management Engines ability to get updates from 
Intel.  Intel also had a whitelist that limits which WiFi chip it will allow to 
be used.  I guess to make sure the Intel Management Engine can talk to the 
mothership.That jailbreak does not one to take apart the laptop. The 
jailbreak is on github 1vyrain.  The site says do not attempt to use the 
jailbreak unless one has the allowed, correct, lower version of BIOS/EFI or it 
will brick it.  As I write this I see some folks who say (Lenovo Forum) they 
have -done something - to roll back BIOS/EFI to 2.6.  So they could use 
1vyrain.  Jailbreak 1vyrain actually accomplishes two of the big items I 
require. Prevent Intel from changing my X230 to something I do not want.  And 
allow me to use another WiFi chip.   

Flashing the Lenovo X230 BIOS/EFI w
ith an EEPROM is git hub Skulls.  Which requires I spend money. And the 
documentation for doing that is not obvious, and old.  

I decided I should buy a PI to program the X230.  I started to buy one from 
Amazon  and cancelled that when I saw the voltage on the power supply was 2.5 
volts and someone said not use 3.3 Or less as the flash might not work 
correctly.  Someone suggested ADA Fruit for the Pi. But the more complete ones 
are not
In stock. I am waiting on Corona money to buy one so I wil keep looking.  I had 
a link once suggested by Insurgo. But it came from China, and took many weeks 
before the Corona started.  

My first questions. I had thought while looking at the Skulls there would be an 
option for Core I5 versus Core I7. I haven’t seen it so far.  Does that matter? 
  

Clearly states to remove the battery, but did not say the coin CMOS battery.  
In fact I have not found that little turkey. 

I want to have enough in my bank account to afford a replacement MOBO if I 
brick this one and can’t unbrick it.  

Mostly the available documentation might have some flaw I am not experienced 
enough to catch.  


One thing is obvious, while I my income may be to low to buy one, Insurgo 
products are not overpriced.  This project is a lot of trouble.  Parts. Tools. 
are not free.

Anyone have recent experience with flashing Skulls onto Lenovo X230?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/97ee1152-79a0-496a-be06-71f2650269a0%40googlegroups.com.

Re: [EXT] [qubes-users] Re: Neuer Artikel über Qubes OS

[GWeck]

Hi,

since the original post concerrned a paper written in German, it seemed 
somewhat natural to reply in German. But you're right: The hint to this 
paper might be of interest to non-German speaking forum members. So, sorry 
for violating the netiquette, although the whole subject was not private at 
ll.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/569190b7-fb89-431e-840b-16235be3e5b5%40googlegroups.com.

Re: [EXT] [qubes-users] Re: Neuer Artikel über Qubes OS

[GWeck]

Hi,

since the oroginal post concerrned a paper written in German, it seemed 
somewhat natural to reply in German. But you're right: The hint to this 
paper might be of interest to non-German speaking forum members. So, sorry 
for violating the netiquette, although the whole subject was not private at 
ll.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c23b2374-51b9-4ace-bc77-d71a46090521%40googlegroups.com.

Re: [qubes-users] Privacy Beast vs Nitropad comparison?

[Andrew Sullivan]

No apology necessary!  I would also be interested in this information - 
given that I currently have time on my hands (!) and that second-hand X230s 
are quite inexpensice, maybe I'll try the DIY route.

BTW, I am only interested in the Nitropad and the Insurgo machines, I'd 
previously ruled out the Purism/Librem...

On Wednesday, 15 April 2020 14:49:35 UTC+1, Catacombs wrote:
>
> Librem pricing shows two prices for including a Nitrokey  sending key 
> separately or with laptop.  I assumed that would be to verify shipment had 
> not been tampered with.  I guess I misunderstood how that really worked. 
>  If it is not encrypted properly. Then that would not be close enough to 
> Insurgo options.  
>
> Apologies for changing the subject.  But this would be a good time to ask 
> the last poster, or anyone else, do you have any experience with the 
> project, I now face, flashing Core Boot onto a Lenovo X 230?  Last Poster 
> seems to have more knowledge than I in hardware.   
>
> Thanks for correction. Details are more important than impressions.   
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0fb3c647-86fa-4717-9b56-68941a1bea31%40googlegroups.com.

Re: [qubes-users] Privacy Beast vs Nitropad comparison?

[Catacombs]

Librem pricing shows two prices for including a Nitrokey  sending key 
separately or with laptop.  I assumed that would be to verify shipment had not 
been tampered with.  I guess I misunderstood how that really worked.  If it is 
not encrypted properly. Then that would not be close enough to Insurgo options. 
 

Apologies for changing the subject.  But this would be a good time to ask the 
last poster, or anyone else, do you have any experience with the project, I now 
face, flashing Core Boot onto a Lenovo X 230?  Last Poster seems to have more 
knowledge than I in hardware.   

Thanks for correction. Details are more important than impressions.   

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3dad6377-d0cf-48f8-b6ce-2e5d304ec932%40googlegroups.com.

Re: [qubes-users] Privacy Beast vs Nitropad comparison?

[Maillist]

Hello,

unfortunately no, they do not end up the same.

just a very quick summary from what i have to assume according to what
is stated on the Nitropad website:

In general,  i see the following issues:

Assuming they use Heads' Pursim code for generic key generation/export
of the public key/insertion into the ROM and flashing it back:

1: That would mean they use default Pins, therefor its possible to
intercept the whole process at any point (compromising the firmware and
resealing the key)

2: No reproducible builds.

3: Were can the code be found, which version?

No public CI, no public builds artifacts.

Also, about the shipping: I cant see any security benefit  the way they
do it (Qr code not send by secure communication)?

Keep in Mind, i might be wrong with this assumptions, as i dont have a
Nitropad/ cant install their Image  because of the issues i mentioned (2/3)


About installing a different OS: Thats possible.

About the Wifimodule: Apart from other reasons,the default Intel 6205
sucks anyway, I suggest Atheros 9380.

Pursim products cant compare security wise with the PrivacyBeast/
Nitropad/ any x30 series Lenovo with coreboot because of the hardware
architecture they use.

cheers


On 4/14/20 1:36 PM, Andrew Sullivan wrote:
> Hello
>
> I'm thinking of trying my hand at Qubes (currently a long-time Linux
> Mint user), and I need a new laptop anyway so I'm thinking of the
> Nitropad or Insurgo machines. 
>
> You say that the Insurgo is "more secure" and "exceeds" the
> requirements of Qubes certification; in what ways is this?  Is it just
> the reownership process (which I admit does look more stringent in the
> as of the Insurgo, but they end up re-owned just the same?).
>
> If I got one of these machines and for some reason decided that Qubes
> wasn't for me, would it be easy to "nuke" the Qubes and just install
> Linux Mint or whatever?  Would a Linux installer have any problems
> with Coreboot etc?
>
> Thanks in advance
>
> Andrew
>
> On Wednesday, 8 April 2020 11:40:23 UTC+1, Maillist wrote:
>
> Hello,
>
> the Privacy Beast is more secure. As they write, it meets and exceeds
> the Qubes os certification, the Nitropad only meets them.They
> differ in
> the OEM reownership process.
>
>
> cheers.
>
> On 4/8/20 1:03 AM, 'dcon' via qubes-users wrote:
> > Are there any significant differences between the two? It seems
> that Nitropad has more hardware configuration options. With ME
> inactivation, is there any reason to swap out the WiFi module?
> >
> > I’d like to thank both vendors for bringing these to the market!  
> >
> > Noobs need Qubes! 
> >
>
> -- 
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users+unsubscr...@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/93fd27f8-2838-43c3-9f84-0c3865382d0d%40googlegroups.com
> .

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a17b43e8-ee81-73ea-d25c-853d0c494493%40cryptogs.de.

Re: [qubes-users] Audio Intel PCH card 0 disappeared in DOM0

[FredGarr]

On 4/14/20 1:25 AM, 'awokd' via qubes-users wrote:

Possibly try an older kernel in dom0? See
https://www.qubes-os.org/doc/software-update-dom0/#changing-default-kernel
if needed.


Hi awokd,

Thank you for your suggestion.
In fact I already tried with latest kernel 4.19.107 for Qubes 4.0 rather 
than an older kernel, but this had no effect on the issue...


kind regards

Fred.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25f9e81f-dc92-68ed-8d10-ab4e65187f5e%40gmail.com.

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

[taran1s]

Chris Laprise:
> On 4/9/20 3:34 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> On 4/8/20 6:25 AM, taran1s wrote:
 I try to set the VPN in my laest qubes with your guide on
 https://github.com/tasket/Qubes-vpn-support. I use the version
 1.4.3. and followed the guide.

 My setting from mullvad is UDP (default) for Linux. No IPs.

 When asked, I entered correct login. The link but doesn't go up,
 no popup notification LINK IS UP when restarting the proxy VM.

 I also added vpn-handler-openvpn to the proxy VM services as required.

 Executing systemctl status returns this:

 [user@ovpn ~]$ systemctl status qubes-vpn-handler
 ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
  Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service;
 enabled; vendor preset: disabled)
     Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
  └─00_example.conf
  Active: activating (auto-restart) (Result: exit-code) since Tue
 2020-04-07 15:30:15 CEST; 4s ago
     Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
 --check-firewall (code=exited, status=0/SUCCESS)
     Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
 --pre-start (code=exited, status=0/SUCCESS)
     Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec
 (code=exited, status=1/FAILURE)
     Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup
 --post-start (code=exited, status=0/SUCCESS)
     Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup
 --post-stop (code=exited, status=0/SUCCESS)
    Main PID: 3110 (code=exited, status=1/FAILURE)

 Any idea how to set this up properly?

>>>
>>> The one exception I can think of for setting up with a Mullvad account
>>> is that they use a single-character "m" password for everyone. So if you
>>> typed something into the password prompt other than "m" or left it
>>> blank, then it won't connect.
>>>
>>> To see a more detailed log you should use 'journalctl -u
>>> qubes-vpn-handler'.
>>>
>>
>> Yes Chris, mullvad uses the "m" for password and I put this in when
>> asked. I checked this in the pass file from mullvad.
>>
>> I did the following. I downloaded the default UDP settings for "All
>> countries" from mullvad as adviced, without ticking the IPs. Than I took
>> one of the countries from the downloaded list and copied this particular
>> country to the vpn-client.conf with sudo cp whatver-country.ovpn
>> vpn-client.conf. But it doesn't connect.
> 
> Did you do the link testing suggested in Step 2?
> 
>>
>> Is this setup ok for me-tor-vpn situation?
> 
> These network representations can easily get reversed in people's heads.
> Best thing to do is look at your 'Networking' setting for your VPN VM.
> If its set to 'sys-whonix' then UDP won't work.
> 
>>
>> I executed the command in the proxyVM (fedora-30 based) with following
>> results:
>>
>> [user@ovpn ~]$ journalctl -u qubes-vpn-handler
>> Hint: You are currently not seeing messages from other users and the
>> system.
>>    Users in groups 'adm', 'systemd-journal', 'wheel' can see all
>> messages.
>>    Pass -q to turn off this notice.
>> -- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
>> 09:21:21 CE>
>> -- No entries --
>> lines 1-2/2 (END)
>>
>> I tried also the micahflee guide and it connects so the settings should
>> be ok.
>>
> 
> Sorry, you need to put 'sudo' in front of the 'journalctl' command.
> 

In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
there is the cd Qubes-vpn-support command as the first one. This assumes
that the file is unzipped already, right? So I unzip it in the
/home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and
execute sudo bash ./install. Than proceed to the restart. Is this how it
was meant?

This is the output from the sudo journalctl -u qubes-vpn-handler in teh
openvpn VM.

[user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15
12:22:55 CE>
Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 15 12:22:12 ovpn qubes-vpn-setup[789]: STARTED network forwarding!
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: EXEC /usr/sbin/openvpn --cd
/rw/conf>
Apr 15 12:22:12 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Wed Apr 15 12:22:12 2020
Note: optio>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: --ca fails
with 'mull>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: Please correct
these >
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Use --help for more information.
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Main process
exited>
Apr 15 12:22:12 ovpn qubes-vpn-setup[801]: STOPPED network forwarding!
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Failed with
result >
Apr 15 

[qubes-users] XSAs 313, 314, 316, and 318 do not affect the security of Qubes OS

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

The Xen Project has published Xen Security Advisories 313, 314, 316,
and 318 (XSA-313, XSA-314, XSA-316, and XSA-318, respectively). These
XSAs do *not* affect the security of Qubes OS, and no user action is
necessary.

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#313
https://www.qubes-os.org/security/xsa/#314
https://www.qubes-os.org/security/xsa/#316
https://www.qubes-os.org/security/xsa/#318

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/04/15/xsa-313-314-316-318-qubes-not-affected/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl6W10wACgkQ203TvDlQ
MDAukRAAlLMv7+tEiSO9ue4ahy84jzu6vNojWLBr+uFCVU0/Fri4bBngzg2ZJ4lG
j0tfbqkVIhSlIZ/SowdITnRYoNDId2zImhNTWq/KgTF+11Xjyp3XJN8LI1ozCqMi
eRNlvq70lWg+kUkIKA4rcdL2x5CUZtHmmvlKDsDJX9nBTjXAGTGUy3/g2h471tF4
x3qWJHFAsPnCjnKXvKt63+x72v98Fq6yNuuajkvTBRz8/VQNCOwLnQcvPHqWai2O
Bd6O4rlYFilzGkb6npXgupOcHucewJb5DC1Svstg9r96uIlt7ZLF/tNVbMaVp6WC
V6XGp3vduGtL+UiKZwsKxk1rC71Z0zW6YNwgF8I69+dHiugIKK5b5+Ht2vojI1zV
B4jXdpyYMs8QZmIGx104qlhCauvnyNnwwa3P7dedSuf2MjnOzf3fgsWObBWI6rZY
E8Qrh8N0BIRlPBkOdQSI50oRdSAxCtF6ZC+KawLDG2R+RcjOyl0WFhlGqHRl3jDe
QoYbNF1rZBlvgTM6mM+0x158DontJCOcGRXBzCgU4Wiv75Zifc2Rxz5kuoQVqUoG
/iCccRlS8c8/S1m5B+a0qMh7uRBHGmtgYl6OuX5x4lFPliSGJZxDQ6YylbFDoBUa
Bb9NRuggvF4bLzVipCBac+0aiLFfFjsn0T4gzIq9DR2iwS4bVZc=
=TKRJ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f935386f-9f89-0f13-d022-bef96bee85fb%40qubes-os.org.

[qubes-users] Qubes Canary #23

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We have published Qubes Canary #23. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #23 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-023-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canaries/

```


---===[ Qubes Canary #23 ]===---


Statements
- ---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is April 9, 2020.

2. There have been 56 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of September 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
- --

None.

Disclaimers and notes
- --

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
- ---

Thu, 09 Apr 2020 01:16:49 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Politicians Call for Fewer Climate Protections During Coronavirus Crisis
Coronavirus: En refusant les eurobonds, l’Allemagne fait preuve d’égoïsme, 
d’obstination et de lâcheté
Coronavirus: El rechazo alemán de los eurobonos es insolidario, mezquino y 
cobarde
New York City: Eight Days in the New Capital of Corona
Coronavirus: Il rifiuto tedesco degli Eurobond è non solidale, gretto e 
vigliacco

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Saudi Arabia, Hit by Coronavirus, Declares Cease-Fire in Yemen: Live Updates
Saudi Arabia Declares Cease-Fire in Yemen, Citing Fears of Coronavirus
Eight U.K. Doctors Died From Coronavirus. All Were Immigrants.
Some of Europe, ‘Walking a Tightrope,’ Will Loosen Coronavirus Restrictions
China’s Coronavirus Battle Is Waning. Its Propaganda Fight Is Not.

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Coronavirus: WHO chief urges end to 'politicisation' of virus
Bernie Sanders suspends presidential campaign
Yemen: Saudi-led coalition announces ceasefire
Woman who revealed Clinton-Lewinsky scandal dies
Coronavirus: How Russia's ballet wasn't shut down despite lockdown

Source: Reuters: World News (http://feeds.reuters.com/reuters/worldnews)
WHO head defends handling of coronavirus pandemic against Trump criticism
Brazil turns to local industry to build ventilators as China orders fall through
Ecuador's Moreno calls for probe into handling of corpses in coronavirus 
outbreak
Australian police take 'black box' off cruise ship in coronavirus homicide probe
Mexico registers 3,181 cases of coronavirus and 174 deaths

Source: Blockchain.info
000d88e12aee57e8aa90ceea6b74b962a39427c5f2fdb6d0


Footnotes
- --

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/04/15/canary-23/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS

Re: [qubes-users] Build USB install with kernel 5+

[Frédéric Pierret]

On 2020-04-15 08:09, Max Andersen wrote:
> 
> 
>> Den 14. apr. 2020 kl. 08.02 skrev Frédéric Pierret 
>> :
>>
>> Hi,
>> I used to build newer ISO in the past for such troubles with kernel-latest 
>> embedded. If you are interested, I can build you an 4.0.3 with 
>> kernel-latest-5.6 for try?
> 
> When I try, the builder script fails horribly. Can you write a stepguide? 
> Maybe just commands and selections on how you build it(if it is not too much 
> of a hassle)?

Sure, here are the procedure for building latest Qubes 4.0.3 ISO with already 
built packages (templates included) using Qubes OS official repositories:

1) In a working directory, e.g. `/home/user/`, clone `qubes-builder`:

git clone https://github.com/QubesOS/qubes-builder

2) Download specific builder conf file for such process:

wget 
https://raw.githubusercontent.com/QubesOS/qubes-release-configs/master/R4.0/qubes-os-iso-full-online.conf
 -O /home/user/qubes-builder/builder.conf

3) Enable QubesOS testing packages for the build and specify release branch for 
the installer:

echo 'USE_QUBES_REPO_TESTING=1' >> /home/user/qubes-builder/builder.conf
echo 'BRANCH_installer_qubes_os=release4.0' >> 
/home/user/qubes-builder/builder.conf

4) Get sources:

cd /home/user/qubes-builder/
make get-sources

5) Enable `kernel-latest` in the ISO build process:

sed -i 's#\(kernel-latest.*$\)#\1mandatory\2#' 
qubes-src/installer-qubes-os/conf/comps-qubes.xml

6) Build ISO:

make iso

7) Get your freshly built ISO in `/home/user/qubes-builder/iso`

The current kernel-5.6 is still at PR stage. If you want to try it you need to 
build it:

3.1) Add `linux-kernel` in `COMPONENTS`:

echo 'COMPONENTS+=linux-kernel'

3.2) Change URL and BRANCH of the git repository:

echo 'URL_linux_kernel=https://github.com/fepitre/qubes-linux-kernel' >> 
/home/user/qubes-builder/builder.conf
echo 'BRANCH_linux_kernel=kernel-5.6' >> 
/home/user/qubes-builder/builder.conf

4.1) Get sources of it:

make get-sources

4.2) Build it:

make linux-kernel

Those extra steps X.Y) can be added into the whole ISO build process. Else, it 
can be done after you have installed the ISO previously built (or downloaded 
ISO from official website) with official Qubes packages and install the built 
kernel manually by copying the RPMs create into 
`/home/user/qubes-builder/qubes-src/linux-kernel/pkgs/dom0-fc25/x86_64/`.

I've probably written typo. Don't hesitate to ask in any case.

Best,
Frédéric

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df39babb-03c3-ab0b-2157-d7d915292a02%40qubes-os.org.


signature.asc
Description: OpenPGP digital signature

[qubes-users] Re: requesting i3-gaps package

[Frédéric Pierret]

On 2020-04-15 08:59, Mr CapsLock wrote:
> Hi, I'm a Qubes-OS user. It's the best OS that I had.
> 
> Thanks for this project.

Welcome!

First of all, if you were not aware, please CC at least Qubes users mailing 
list for such request.

> I like tiling window manager like i3, but it's not very impressive without 
> gaps. How can I request to add i3-gaps package officially for Qubes-OS?

I would suggest you to create an issue here: 
https://github.com/QubesOS/qubes-issues/issues/


> I'm not pro user but maybe i can help to add this, but can you help me on 
> that?
> 
> In new release, i mean new release that have gui manager, is it possible to 
> use i3-gaps on Qubes-OS?

I'm not sure about what you are talking about for 'gui manager', maybe you 
refer to the Gui domain called GuiVM in upcoming 4.1 release? In all the cases, 
it's already possible to use i3 as primary desktop (I'm using it) and packages 
are available in official Qubes repositories. We don't provide i3-gaps yet but 
that could be possible. We don't aim to provide every desktop but that could 
possible into QubesOS-contrib repository.

So first of all, please create an issue as we can exchange about possibilities 
on it.

Best,
Frédéric

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a879828-0fa1-c387-b873-f5d32596c423%40qubes-os.org.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Build USB install with kernel 5+

['Max Andersen' via qubes-users]

> Den 14. apr. 2020 kl. 08.02 skrev Frédéric Pierret 
> :
> 
> Hi,
> I used to build newer ISO in the past for such troubles with kernel-latest 
> embedded. If you are interested, I can build you an 4.0.3 with 
> kernel-latest-5.6 for try?

When I try, the builder script fails horribly. Can you write a stepguide? Maybe 
just commands and selections on how you build it(if it is not too much of a 
hassle)?

I would love to build it on my own, so I can do it in the future, since my 
hardware is so new

Thank you very much
Max

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1C62A5AB-20E7-4C68-BA0B-80F4E6B3C64B%40militant.dk.