Re: [qubes-users] Re: Is it possible to build any BSD template on QubesOS?

2022-06-07 Thread J Holsapple
Yeah, a more integrated BSD OS would be nice. Something like Windows tools.
The only GUI I'd be interested in though is macOS.

In this case, I'm just running the CLI and using the webapp for management.
Sure, it's an HVM and is more isolated and more resource hungry. Yet it's a
lot like my standalone pfSense box. It just works. And over the months
I've gone back to my integration guide/script and refined it.

Keep in mind that I answered the OP's question for the use case where "any"
means an HVM with a CLI and using a webapp for "GUI" management. The
integration guide/script is optional for people wanting to replicate my
implementation of pfSense/OPNsense.

BTW, could you expound a little on your concern for xnf(4) (netfront) and 
xbf(4) (blkfront) drivers? Or point me to a reference? I wish to better 
understand your concern for threat vectors.

On Tuesday, May 17, 2022 at 1:35:52 PM UTC-4 Demi Marie Obenour wrote:

> On Sun, May 08, 2022 at 08:01:08PM -0700, J Holsapple wrote:
> > I have pfSense (BSD) installed, and working fine for over 6 mos now, as my
> > network IDPS on the external interface. Went OCD and created a complete
> > installation guide and integration script.
> > It's a bit long and detailed but it works like a charm:
> > https://github.com/jcholsap/freemod/issues/1#issue-1016495279
>
> I managed to get an OpenBSD template sort of working a while back. I
> was able to get networking and storage to work, and X11 worked via
> emulated VGA, but I ultimately gave up because of some clashes on the
> OpenBSD mailing lists. A proper integration would require substantial
> additions to the OpenBSD kernel:
>
> - nullfs (BSD version of bind mounts) for /home and /usr/local. The
>   workaround (a loopback NFS mount) is not something I would be okay
>   with for production use.
> - Hardened xnf(4) (netfront) and xbf(4) (blkfront) drivers. The current
>   drivers are not safe in the presence of malicious backends.
> - Userspace access to Xen event channels and grant tables, so that
>   libvchan and gui-agent can work.
>
> Additionally, a Xen-aware bootloader would be needed if booting other
> than in HVM mode is desired.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)
> Invisible Things Lab

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4aab4e5d-c2e1-41dd-9d63-e9c3f04ffce4n%40googlegroups.com.


[qubes-users] Fedora 34 has reached EOL

2022-06-07 Thread Andrew David Wong

Dear Qubes Community,

As a reminder following our previous announcement [1], Fedora 34 has now
reached EOL (end-of-life [2]). If you have not already done so, we
strongly recommend upgrading [3] all remaining Fedora 34 templates and
standalones to Fedora 35 immediately.

We provide fresh Fedora 35 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions [4]. Alternatively, we also provide
step-by-step instructions for performing an in-place upgrade [5] of an
existing Fedora template. After upgrading your templates, please
remember to switch all qubes that were using the old template to use the
new one [6].

For a complete list of template releases that are supported for your
specific Qubes release, see our supported template releases [7].

Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL [8].


[1] https://www.qubes-os.org/news/2022/05/26/fedora-34-approaching-eol-fedora-35-templates-available/
[2] https://fedoraproject.org/wiki/End_of_life
[3] https://www.qubes-os.org/doc/templates/fedora/#upgrading
[4] https://www.qubes-os.org/doc/templates/fedora/#installing
[5] https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/
[6] https://www.qubes-os.org/doc/templates/#switching
[7] https://www.qubes-os.org/doc/supported-releases/#templates
[8] https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/06/07/fedora-34-eol/

--
Andrew David Wong
Community Manager
The Qubes OS Project
https://www.qubes-os.org
