[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak
On Wednesday, 21 February 2018 12:12:06 CET Wojtek Porczyk wrote:
> This is bad UX.

This is frustrating, I spent too many emails making the point clear that this is an API level escape token. Not a user-visible one, and then you respond to the thread showing you still completely missed that.

So let me be blunt as this is likely the last email from me to qubes anyway;

Fact: Variables given to qrexec are going to be replaced with the actual relevant value. For instance bash takes `ls *` and replaces the star with the actual values _before_ calling ls. Ls or any executable does not have to deal with things like star or dollar sign etc.

Your and Marek's complaints are that you need to escape the variables when you pass them on to the target VM handler. If you are indeed doing that, you are doing it wrong and you can wait for the next security bulletin like the one we are discussing right now.

The point of a variable that is passed from a VM to the dom0 qrexec daemon is that your source VM doesn't have to know about who is $adminVM or what is the actually started dispVM's name.

QRexec daemon (in dom0) should do the variable replacement before the user request leaves qrexec-daemon running in dom0. Just like bash does the replacement before it forwards the command-line.

Again, if you do not do the variable replacement there, but instead pass it through unvalidated and unrelated software, you are going to continue having security flaws.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3526761.85MCzvWFfn%40strawberry.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak
On Tuesday, 20 February 2018 19:41:19 CET Marek Marczykowski-Górecki wrote:
> > On the 'other' side of qrexec (on dom0) you have perfect control over the
> > situation and you also don't have any need for recoding or encodings or
> > anything like that. It still is just 8 bits data, not encoded.
>
> And then, after policy evaluation, you pass that data to actual service
> to execute the operation (which may be in dom0 or another VM).

Yes, WITHOUT the escape character.

Remember, you escape the special names of VM names that dom0 will substitute. “$adminvm” doesn't end up being the string you offer to qubesd, the string “dom0” is.

Likewise; you don't start a service in Dispvm18431 and send it the text “$dispvm”.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
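The substitution step argued for in the two messages above (resolve special tokens inside dom0 so the target handler only ever receives a concrete name), as an added sketch that is not Qubes code and not from this thread. `resolve_target`, `forward_call`, the name pattern, the service names and the sample policy are hypothetical; `$adminvm`, `$dispvm`, `dom0` and `Dispvm18431` are taken from the messages.

```python
import re

TOKEN_PREFIX = "$"
# Assumption for this sketch: concrete qube names use only this ASCII set,
# so the token prefix can never be part of a real name.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,30}")


class PolicyError(Exception):
    """The request is refused and nothing is forwarded."""


def resolve_target(requested, start_dispvm):
    """Map the untrusted target string from the source VM to a concrete name.

    start_dispvm is a callable that starts a disposable VM and returns its
    name (a stand-in for the real mechanism).
    """
    if requested == "$adminvm":
        return "dom0"
    if requested == "$dispvm":
        return start_dispvm()
    if requested.startswith(TOKEN_PREFIX):
        raise PolicyError("unknown token %r" % requested)
    if not NAME_RE.fullmatch(requested):
        raise PolicyError("invalid qube name %r" % requested)
    return requested


def forward_call(source, requested, service, policy, start_dispvm):
    """Evaluate policy on the request as written, then forward resolved names only."""
    if (source, requested, service) not in policy:
        raise PolicyError("denied by policy")
    target = resolve_target(requested, start_dispvm)
    # Invariant: whatever leaves this function contains no token character,
    # even if the resolver or the dispvm starter misbehaved.
    if not NAME_RE.fullmatch(target):
        raise PolicyError("resolution produced %r" % target)
    return {"source": source, "target": target, "service": service}


def handler_sees(source, requested, service, policy, start_dispvm):
    """Target name the service handler would receive, or None if refused."""
    try:
        return forward_call(source, requested, service, policy, start_dispvm)["target"]
    except PolicyError:
        return None


# Constructed sample data for the demonstration.
SAMPLE_POLICY = {
    ("work", "$adminvm", "example.Status"),
    ("work", "$dispvm", "example.OpenFile"),
    ("work", "$unknown", "example.OpenFile"),       # allowed by policy, still refused
    ("work", "vault$adminvm", "example.OpenFile"),  # token smuggled inside a name
    ("work", "vault", "example.OpenFile"),
}


def fake_start_dispvm():
    return "Dispvm18431"


def broken_start_dispvm():
    return "$dispvm"  # a faulty starter that echoes the token back


if __name__ == "__main__":
    for requested in ("$adminvm", "$dispvm", "vault", "$unknown", "vault$adminvm"):
        service = "example.Status" if requested == "$adminvm" else "example.OpenFile"
        print(requested, "->",
              handler_sees("work", requested, service, SAMPLE_POLICY, fake_start_dispvm))
```
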
[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak
On Tuesday, 20 February 2018 16:54:36 CET Marek Marczykowski-Górecki wrote:
> > The thing you have to remember is that the escape character never needs
> > to be typed by the user.
> > In QRexec you are defining an API, applications like qvm-run are using
> > that API. What the user passes into qvm-run and what is actually sent
> > to dom0 does not have to be identical.
>
> In theory yes, but this would introduce more complexity to this code
> (taking care where which encoding is used etc).

I read the code, there is no encoding. You correctly used the POSIX Portable Character Set for text. So no need for encoding.

When you use the qrexec API you just send a struct with some arrays of bytes for VM names. In your qrexec code you use an array of unsigned chars. Also, no encoding.

The point is that you use encodings only when you have **text** with characters > 127. Which you don't allow.

The problem you fear doesn't exist. The reason is because when accepting user-input you use encodings. When your app starts talking to qrexec/qubesd there is no longer any encoding. Just an 8-bit bytearray. The text has been standardized.

On the 'other' side of qrexec (on dom0) you have perfect control over the situation and you also don't have any need for recoding or encodings or anything like that. It still is just 8 bits data, not encoded.

> > I guess you do the translation currently as well; '$' turns into '@' in
> > your new code.
> >
> > The consequence of this is that you don't have to limit yourself to the
> > posix list.
> > Using the portable characters set for a non-character simply isn't
> > needed.
> >
> > So, knowing that your API is actually based on 8-bit characters and not
> > 7 bits which you are limiting yourself to, my suggestion is to take
> > something above 127 and below 256 as a special char.
> > Most fun one would be “ÿ” which is a normal character you can pass on a
> > shell script if you must, its actual byte-value is 0xFF
>
> Until some helpful application (shell or else) will try to interpret it
> as UTF-8.

Ehm, how would “some helpful application” manage to get in your qrexec policy-framework? If you fear that you have bigger issues as they could replace anything with anything...

Anyway, to answer your fear. No. UTF-8 doesn't allow 0xFF, it will just tell you the stream is broken. (see attached example file) Or, more likely, it will just switch off utf-8.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
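How byte 0xFF fares under the decoders a tool in the path might apply, as an added example that is not part of the original message and is not Qubes code. `MARKER`, `SAMPLE` and `reemit` are constructed here; the block also goes one step further and derives the full set of byte values that never occur in well-formed UTF-8.

```python
MARKER = b"\xff"             # byte proposed above as the token marker
SAMPLE = MARKER + b"dispvm"  # constructed wire value, not a real qrexec message


def bytes_never_in_utf8():
    """Encode every Unicode scalar value and return the byte values that
    never appear anywhere in the resulting well-formed UTF-8."""
    used = set()
    for lo, hi in ((0x0000, 0xD800), (0xE000, 0x110000)):  # surrogates excluded
        used.update("".join(map(chr, range(lo, hi))).encode("utf-8"))
    return sorted(set(range(256)) - used)


def reemit(raw, codec, errors="strict"):
    """Decode raw the way some tool might, then write it back out as UTF-8.

    Returns the re-emitted bytes, or None when the decoder rejects the input.
    The encode step uses surrogateescape so that text decoded with that
    handler is restored byte for byte; for all other text it behaves like
    a plain UTF-8 encode.
    """
    try:
        text = raw.decode(codec, errors)
    except UnicodeDecodeError:
        return None
    return text.encode("utf-8", "surrogateescape")


def marker_outcomes():
    """What happens to SAMPLE under four decoding choices."""
    return {
        "utf-8 strict": reemit(SAMPLE, "utf-8"),
        "utf-8 replace": reemit(SAMPLE, "utf-8", "replace"),
        "utf-8 surrogateescape": reemit(SAMPLE, "utf-8", "surrogateescape"),
        "latin-1": reemit(SAMPLE, "latin-1"),
    }


def typed_in_utf8_locale():
    """Bytes produced when the character U+00FF is encoded as UTF-8."""
    return "\u00ff".encode("utf-8")


if __name__ == "__main__":
    print("never valid in UTF-8:", [hex(b) for b in bytes_never_in_utf8()])
    for name, out in marker_outcomes().items():
        print("%-22s %r" % (name, out))
    print("U+00FF as UTF-8:       %r" % typed_in_utf8_locale())
```

A strict UTF-8 decoder rejects the marker outright, while a lenient or Latin-1 decoder accepts it and emits different bytes afterwards, so a receiver that compares raw bytes should do so before any text decoding takes place.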
[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak
On Tuesday, 20 February 2018 14:04:03 CET Wojtek Porczyk wrote:
> On Tue, Feb 20, 2018 at 01:21:30PM +0100, 'Tom Zander' via qubes-devel wrote:
> > On Tuesday, 20 February 2018 01:49:37 CET Marek Marczykowski-Górecki wrote:
> > > We've decided to deprecate the '$' character from qrexec-related
> > > usage.
> > > Instead, to denote special tokens, we will use the '@' character,
> > > which we believe is less likely to be interpreted in a special way
> > > by the relevant software.
> >
> > I would argue against the @ sign on account that it is a special
> > character in bash as well.
> >
> > I don't immediately see a way to exploit it, but why risk it?
>
> We absolutely need a special character that is not allowed in qube name to
> make the special tokens immediately obvious in policy. The process I used
> was to list available characters (POSIX Portable Character Set [1]) []
> If I missed something, could you please point out? I know shell just good
> enough to know that it's not possible to know every shell quirk. :)

The thing you have to remember is that the escape character never needs to be typed by the user.

In QRexec you are defining an API, applications like qvm-run are using that API. What the user passes into qvm-run and what is actually sent to dom0 does not have to be identical.

I guess you do the translation currently as well; '$' turns into '@' in your new code.

The consequence of this is that you don't have to limit yourself to the posix list. Using the portable characters set for a non-character simply isn't needed.

So, knowing that your API is actually based on 8-bit characters and not 7 bits which you are limiting yourself to, my suggestion is to take something above 127 and below 256 as a special char.

Most fun one would be “ÿ” which is a normal character you can pass on a shell script if you must, its actual byte-value is 0xFF

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak
On Tuesday, 20 February 2018 01:49:37 CET Marek Marczykowski-Górecki wrote:
> We've decided to deprecate the '$' character from qrexec-related usage.
> Instead, to denote special tokens, we will use the '@' character,
> which we believe is less likely to be interpreted in a special way
> by the relevant software.

I would argue against the @ sign on account that it is a special character in bash as well. Search for it here; https://linux.die.net/man/1/bash

I don't immediately see a way to exploit it, but why risk it?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes 4.0 backup vm to USB from dom0
On Saturday, 10 February 2018 09:05:51 CET Yuraeitha wrote:
> On Saturday, February 10, 2018 at 6:51:47 AM UTC+1, cybe...@national.shitposting.agency wrote:
> > I have a usb drive attached to sys-usb, let's say it's mounted at /mnt on
> > sys-usb and I'm trying to backup a vm named MyVm from dom0 the command:
> >
> > sudo qvm-backup sys-usb:/mnt MyVm
> >
> > returns the error:
> >
> > The backup directory does not exist
> >
> > how can I make a backup to USB when USB devices are not exposed to dom0?
>
> and yes, this works for USB too. Just ensure the USB is mounted inside
> your AppVM, and then just throw the path to your USB which it is mounted
> on :-)

I just wanted to point out that the GUI backup app has exactly the same problem.

I tried to make a backup a couple of days ago. The GUI tool correctly notices I have a sys-usb and I used it to browse to the directory there to do the backup. All that worked fine. Until I pressed the final button to start the backup, it just failed saying it could not find the directory...

I ended up giving up on doing a backup.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] after update no VM 'starts' apps anymore.
On Wednesday, 7 February 2018 08:17:11 CET Andrew David Wong wrote:
> Are you using the `-a` option?
>
> qvm-run -a
>
> This starts the VM if it's powered off, then runs the command in it.
> Working fine for me on 3.2.

As I wrote, qvm-start works fine, the VM is active and working. You just can't actually “run” anything on it.

The reason seems to be that there is some magic thing that starts when you log into xfce4, and only xfce4. See the screenshot attached elsewhere in this thread of qubes manager dying on startup due to the same issue.

Tested on Rc4.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Tuesday, 6 February 2018 11:32:07 CET 'awokd' via qubes-users wrote:
> I'm not getting past the first step of:
>
> Verify you are cutting through the sys-net VM firewall by looking at its
> counters (column 2)

Yes, that sounds familiar.

The problem isn't limited to sys-net either, using netcat to listen on any port on any (fedora based) appvm I could not get anything to connect to those ports. So, for instance, starting netcat on sys-firewall I could not connect to it from sys-net. Similarly, listening on a random VM and connecting to it from sys-firewall failed too.

And I tried a lot of ways to convince the iptables to accept it...

I mostly used archlinux templates for appvms, which do not have the qubes networking packages and thus the iptables list is empty. [1] Listening there and connecting from it worked fine.

Hope that helps.

1) Personally I would say that simpler is better, or least surprises is better. The current design where any appvm gets those complex firewall rules is a bug. Only VMs that expose their network (providing) should run it.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Monday, 5 February 2018 04:34:35 CET Tim W wrote:
> People complain about doc being outdated..then fix them.

If someone can figure out how to port-forward in 4.0, please do update the docs. I never managed to get that working.

The firewall page can also be a bit more detailed as-is, it assumes people already know the actual setup of the qubes firewall ruleset. I don't, that's why I went to that page.

> Tom has built a Qubes Controller (manager) based on the 4.0 code and went
> so far as to add in library package so other coding can be used to build.
> He has been super open to adding functions based on comments. If
> another person or two could help him with coding now that it's not needed
> to just be python it could become the de facto Qubes GUI to manage the
> qubes system. That would take it off the plate of the core system devs.
> I plan to use his controller and if the QM does not work well I will stay
> with his controller.

Thanks for the kind words, I too would like to see it become the default.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Monday, 5 February 2018 08:00:35 CET 'awokd' via qubes-users wrote:
> Why are you complaining about bugs when running a ".0rc" version? They're
> to be expected; if not the point of release candidates.

Actually... https://en.wikipedia.org/wiki/Software_release_life_cycle#Release_candidate

Release candidates are, like the word describes, not made unless the developers are thinking that it's ready to release but needs more real-world testing to make sure.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Sunday, 4 February 2018 21:00:55 CET 'awokd' via qubes-users wrote:
> Working on it (where other contributors haven't already)! Am about halfway
> through now.

Sweet!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes 4.0 / Qubes in general
On Monday, 5 February 2018 12:21:51 CET Tim W wrote:
> I am currently going thru all the setup script qubes build template
> options to find what templates compile correctly and what ones have bugs.
> After that I am happy to write up a markdown page for how to compile and
> install the Qubes Controller and use it. That can then be submitted to
> be added to the Qubes 4.0 Docs.

Awesome!

You should be able to get a lot of details from this; https://github.com/QubesController/qubes-api-cpp-lib/blob/master/Install.md

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Monday, 5 February 2018 02:33:02 CET Unman wrote:
> You are, of
> course, free to rewrite Qubes and its components in a language you're
> comfortable with.

Don't be so dramatic, I'm not suggesting any such thing.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Monday, 5 February 2018 00:55:34 CET Unman wrote:
> On Sun, Feb 04, 2018 at 08:14:57PM +0100, 'Tom Zander' via qubes-users wrote:
> > * Having nothing but python APIs for your operating system is something
> > that makes no sense. Python was never meant for servers, or even big
> > applications. Finding a full-stack python developer is more rare than
> > finding a Bitcoin C++ developer.
>
> I'm not sure how much of this is just trolling.

It is not trolling.

> You obviously don't mean uses like Google, DropBox, YouTube, Reddit etc.
> Perhaps you don't know about Eve Online? Mercurial? Blender?

Absolutely none of these use python for anywhere near the same percentage of components as Qubes does. Google is a good example, for instance they shipped proto-buffers. Which have bindings in a long list of languages (20 or so).

Check wikipedia for those examples, reality is much more sobering than you think.

> There are exceptional developers working in many companies -Google,
> NASA, Astra Zeneca, to name a few, all using python. The fact that
> you aren't comfortable with it is fine, but not a reason to reject it.

That's moving the goalpost. Naturally there are many experienced python developers.

Let me re-state the point for your benefit;

Having nothing but python bindings and having practically all your components written in python is without a doubt very realistically limiting the amount of people you can get hacking on Qubes.

Add on top of that the content matter, which is highly complex and in many cases includes networking or cross-VM communication or hard-core linux components and you limit the amount of people even more, to the extent I mentioned above.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?
On Sunday, 4 February 2018 18:10:44 CET Yuraeitha wrote:
> Also it's been explicitly said that no Qubes 4 existing features will be
> added to the new-old Qube Manager. Which might also hint towards no
> changes coming to Qube Manager. If anything, it has to be re-made almost
> entirely to work well with Qubes 4+, and currently no one is doing that.

The Qubes Manager is written to Qt4, which is equally outdated as the backends of Qubes it used (3.x).

I started a project using Qubes4-api and Qt5 APIs, though. See Ps at the bottom of the mail.

[start rant]

The biggest issue I ran into is that Qubes4 is just too immature to actually use for more than browsing and email. It was too painful for my desktop full-time work machine. I tried for 2 months, my significant other stated that I had been extraordinarily patient with Qubes when I finally stopped using it ;)

My problems are widespread;

* the admin-api is very immature and poorly implemented. Getting a stack-trace in the server logs and no answer is just unacceptable. Unit tests, anyone?
* system-tray is hopelessly broken. Losing apps because they don't show up in the system-tray when you close them was fun!
* The design of qubes-daemon is too fragile, it starts/stops VMs and patiently waits and hopes everything will work. I expected a much more 'hands-on' approach (at least for Linux kernels) with much more reporting. I also lost data because apps aren't being quit, they are being killed on VM shutdown.
* Why do I see 'lock'-icons for most of my windows in the task-bar?
* the documentation is very out-of-date.
* I don't know how, it may be fedora packaging, it may be qubes packaging or configs, but the amount of KDE (apps running in dom0) crashes I had in the 2 months of using Qubes is greater than the amount I had in the previous 5 years. This boggles the mind...
* The graphics pipeline is hopelessly outdated. It's about a decade behind the industry.
* Poor quality of many tools, the icon-copier copying the 22px icon from a VM instead of the 256 one that was also there is just... sad.
* The amount of services, bash-scripts, config files, duplicated data in qubes and then again in the system is a horrible, under-documented mess.
* rexecd validation being implemented using bash is a joke (mostly felt because it's extremely slow)
* total lack of mature end-user-focused tools. Swear to God. There are zero today.
* Having nothing but python APIs for your operating system is something that makes no sense. Python was never meant for servers, or even big applications. Finding a full-stack python developer is more rare than finding a Bitcoin C++ developer.

end-rant.

Qubes is an amazing idea, has some fantastic and genius concepts in it. I hope many of those things will get fixed, although the list has grown so long that I'm not sure it can without being forked.

ps. https://github.com/QubesController is the place where I wrote an already pretty decent "Qubes Controller" using the new APIs. I'm open to adding anyone to the approved committers list that wants to work on it.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] after update no VM 'starts' apps anymore.
On Tuesday, 30 January 2018 11:19:18 CET 'Tom Zander' via qubes-users wrote:
> There were a bunch more updates in the repo 4.0 current-testing this
> morning which I applied and I rebooted, but no change.
> Still no icons in my systray, still not able to start any apps on any VMs.

Oh, I focused into the issue.

I logged into xfce for 2 seconds and the Qubes app showed up. Then logging out and logging back into KDE and stuff still works.

If you don't log into xfce you get the attached error from qubes-manager.

Maybe someone made a mistake and used an xfce specific thing?

I'm a bit worried that the system can become so broken. That thing that logging into xfce started should likely be auto-triggered and happen, not on login, but on need.

Still really looking forward to Qubes getting more stable...

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] after update no VM 'starts' apps anymore.
On Tuesday, 30 January 2018 01:05:39 CET 'Tom Zander' via qubes-users wrote:
> I can start a VM using qvm-start, but when I use qvm-run nothing happens,
> it hangs forever. Even commands that don't need a X server.
> For any qube of the various OSs I run.
>
> The Qubes icons also no longer show in my system-tray.
> I can still update dom0 via yum, though. That's a relief.
> Is this a known issue? Can I expect a fix soon?

There were a bunch more updates in the repo 4.0 current-testing this morning which I applied and I rebooted, but no change. Still no icons in my systray, still not able to start any apps on any VMs.

Does anyone know if it's possible to tell qubes-dom0-update to go back to the stable version (4.0 current instead of testing)?

I tried switching one of my VMs back to the previous kernel. No change.

guid log states;

```
Icon size: 128x128
libvchan_is_eof
Icon size: 128x128
domain dead
Failed to connect to gui-agent
```

pacat logs look ok, but nothing shows up in my dom0 mixer app

vchan log has repeated series of;

```
vchan closed
reconnecting
vchan closed
```

qrexec (after a while) has this log

```
Unable to connect to X server
Unable to connect to X server
eintr
```

I'll switch to my old ArchLinux OS, until Qubes gets more stable.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] after update no VM 'starts' apps anymore.
On Tuesday, 30 January 2018 02:51:06 CET 'awokd' via qubes-users wrote:
> Enable Debug mode?

I always wondered what this was, anyone know what effect it has to set this to true?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] connect to other VMs in qubes by using vm name
On Saturday, 27 January 2018 15:45:27 CET Yoganandam Marava wrote:
> by adding forward rules at sysfirewall we can ping each other VM through
> ip address but not using VM name. Is this something possible with Qubes
> 4? I am naive in networking. Please suggest if there is a way?

Each VM has a static IP address that won't change. What you could do is add a line to your /etc/hosts for each VM to match its name to the IP.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] after update no VM 'starts' apps anymore.
Is this a known issue?

I can start a VM using qvm-start, but when I use qvm-run nothing happens, it hangs forever. Even commands that don't need a X server. For any qube of the various OSs I run.

The Qubes icons also no longer show in my system-tray. I can still update dom0 via yum, though. That's a relief.

Is this a known issue? Can I expect a fix soon?

If not, are there any log files anywhere I can look at? The only relevant part I found was in qrexec.Work.log some lines saying "Unable to connect to X server". Trial and error shows this is due to some timeout, as it only appears after a substantial amount of seconds.

Would be really happy to get my system properly working again as this is my work workstation :(

Some related questions;

What is 'anaconda'? I thought it was the installer, but if it is then why is it running on dom0?

Is there any way to connect to the VM and get a tty? Think serial-line fallback.

Is it known that grub's advanced menu doesn't get updated when new kernels are installed?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: qubes 3.2: qubes-vm-manager not consistent
On Tuesday, 30 January 2018 00:19:58 CET ludwig jaffe wrote:
> Ok I found the file, backed it up and want to edit it.
> Do you know an xml editor with folding to edit this with more comfort,
> as there is no in the xml, just spaghetti.
> A vim for xml with folding or something like that with curses text gui
> would be best.

$ xmllint -format < in.xml > out.xml
$ vim out.xml
:set foldmethod=syntax

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Newbie question on KDE configuration
On Saturday, 27 January 2018 18:14:23 CET billol...@gmail.com wrote:
> First, while KDE seems to be working well, I noticed that I can't download
> and install new themes, widgets, etc. through the KDE GUI. It can't
> connect to the KDE server. I'm assuming that this is because dom0
> doesn't actually have a network connection (which I think I read
> somewhere). It's not the end of the world for me to download the stuff
> from kde.org and install it from file, but it's more convenient to use
> the gui interface. What I need to know is if it is possible or should I
> move on and just do it by hand.

The AdminVM (dom0) indeed has no network, the reason for this is that it is the one completely trusted place.
I would advise against installing anything you downloaded from KDE directly, as that basically works around all the security you get by running qubes in the first place.

> Second, I really liked that convention in the default window manager for
> having a different color for the title bar for each domain. That got
> lost when I moved to KDE, though the domain is still *listed* in the
> title bar. I know how to set colors in kwin on an application by
> application basis, but I don't know how to do it on a domain basis. Is
> there a mechanism for that in KDE?

This got re-added in a recent update in the 'testing' repo, but only on the default window-manager decorations called Breeze.
So make sure you are up-to-date and make sure you are using Breeze.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0 Documentation
On Thursday, 25 January 2018 19:28:58 CET 'awokd' via qubes-users wrote:
> Resuming working my way through splitting up the documentation now that
> the 3.2 vs. 3.3 question has been mostly settled. Some general questions:

Awesome!

I was thinking about the qubes docs when I saw a wiki that had a banner for articles (or sections) that were known to be "disputed".
I was wondering if it might be useful to have such a concept on the doc pages, it may invite people to actually add their knowledge.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] blanking screen with dpms off induces locking - how to disable?
On Monday, 22 January 2018 15:56:06 CET 'Guillaume Bertin' via qubes-users wrote:
> My ideal configuration for my standalone home computer would be "dpms
> after 10 minutes" and "lock after 120 minutes".

I'm not sure if this is the kind of answer you are looking for;

xscreensaver is a really really old application and there are plenty of better ones, some likely do have the kind of features you and awod are looking for.

I personally use kde which does this all. It has a "lock automatically (x min)" separate from "require password after locking (x seconds)" and "dim screen", "turn off screen" etc are all separately configurable.

And, yes, on Q4 I run kde in dom0.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.4 custom install
On Tuesday, 23 January 2018 03:32:12 CET 'Xaver' via qubes-users wrote:
> I'm going to be switching over to Qubes 4.4 from 3.2 once it's released and
> I have 2 questions about custom installation using thin pools.
>
> 1) First question is about creating a Swap partition. Would I create Swap
> as a thin pool?

I tested thin pools and they are immensely slow. Like 20 minutes to copy 4GB between two thin-pools slow.
This is fine for more simple usages, this is deadly for swap (or in my case holding the bitcoin cash blockchain sized 150GB).
I ended up using native partitions instead. But then, I only store data there that is already public and don't encrypt it.

I'm personally a strong believer of not using swap at all.

> Or a standard logical volume without thin provisioning
>
> sudo lvcreate -L 4G -n swap qubes_dom0

I didn't try this. I suggest creating a simple filesystem on it and copying maybe 10GB of data onto it to see how fast it is.

> 2) Second question is about registering the thin pools. Do I do this
> during installation right after I create the thin pool? Or is registering
> the thin pool done after first boot?
>
> qvm-pool --add pool_name lvm_thin -o
> volume_group=vg_name,thin_pool=thin_pool_name

qvm-pool is simply creating some data in a database and it doesn't really touch disk much. Don't expect many error messages from it.
So the proper answer is; you need to create the qvm-pool before you do a 'qvm-create'.

Related;
https://github.com/QubesOS/qubes-issues/issues/3438
and
https://groups.google.com/d/msgid/qubes-users/2932962.V7N4gufabA%40cherry

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: XFCE Settings menu gone
On Saturday, 20 January 2018 23:25:55 CET Unman wrote:
> You are probably missing the desktop files from /usr/share/applications
> You can copy the files from out of a Fedora based qube if you have one.

Ohh, smart, I didn't think about that.

I did this to get the majority of them back;

```
cd
qvm-run -p sys-net 'tar cf - /usr/share/applications' | tar xvf -
qvm-run -p sys-net 'tar cf - /usr/share/app-info/icons/fedora/' | tar xvf -
```

and then you can copy or move the files from $HOME/usr/share/ into the system dir.

I'll add the suggestion to double check they do what they are supposed to be doing (check the Exec line).

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
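One way to do the "check the Exec line" step from the message above before the files leave $HOME/usr/share/applications, as an added example that is not part of the original post. The function names, the OK/MISSING/REVIEW labels and the sample .desktop files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit Exec= lines of .desktop files staged in a directory
# (e.g. $HOME/usr/share/applications) before moving them into the system dir.

# in_path NAME: succeed if NAME is an executable regular file in $PATH.
in_path() {
    ip_old=$IFS; IFS=:
    for ip_dir in $PATH; do
        if [ -f "$ip_dir/$1" ] && [ -x "$ip_dir/$1" ]; then
            IFS=$ip_old; return 0
        fi
    done
    IFS=$ip_old; return 1
}

# classify_exec CMDLINE: print OK, MISSING or REVIEW for one Exec= value.
classify_exec() {
    ce_line=$1
    # Shell metacharacters do not belong in a launcher command line.
    case $ce_line in
        *';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'>'*|*'<'*) echo REVIEW; return 0 ;;
    esac
    # The first word is the program; drop optional surrounding quotes.
    ce_first=${ce_line%% *}
    ce_first=${ce_first#\"}; ce_first=${ce_first%\"}
    # Interpreters and wrappers run whatever follows them: read by hand.
    case ${ce_first##*/} in
        sh|bash|dash|zsh|env|python*|perl|ruby) echo REVIEW; return 0 ;;
    esac
    case $ce_first in
        */../*) echo REVIEW ;;
        /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*|/usr/libexec/*)
            if [ -x "$ce_first" ]; then echo OK; else echo MISSING; fi ;;
        */*) echo REVIEW ;;   # relative path or non-system location
        *) if in_path "$ce_first"; then echo OK; else echo MISSING; fi ;;
    esac
}

# audit_desktop_dir DIR: one "STATUS<TAB>file<TAB>command" line per Exec= line.
audit_desktop_dir() {
    for ad_file in "$1"/*.desktop; do
        if [ -L "$ad_file" ]; then
            # tar recreates symlinks; never install one as a launcher unseen.
            printf 'REVIEW\t%s\t(symlink)\n' "${ad_file##*/}"
            continue
        fi
        [ -f "$ad_file" ] || continue
        # A file can hold several Exec= lines (one per Desktop Action group).
        grep '^Exec=' "$ad_file" | while IFS= read -r ad_line; do
            ad_cmd=${ad_line#Exec=}
            printf '%s\t%s\t%s\n' "$(classify_exec "$ad_cmd")" \
                "${ad_file##*/}" "$ad_cmd"
        done
    done
}

# Constructed sample launchers, used when no directory is given.
make_constructed_samples() {
    printf '[Desktop Entry]\nType=Application\nName=Viewer\nExec=ls %%F\n' \
        > "$1/viewer.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Gone\nExec=constructed-missing-tool --new-window\n' \
        > "$1/missing.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Wrapper\nExec=sh -c "echo constructed"\n' \
        > "$1/wrapper.desktop"
    ln -s viewer.desktop "$1/link.desktop"
}

if [ "$#" -gt 0 ]; then
    audit_desktop_dir "$1"
else
    demo_dir=$(mktemp -d) && make_constructed_samples "$demo_dir" &&
        audit_desktop_dir "$demo_dir"
    rm -rf "$demo_dir"
fi
```

MISSING entries point at programs that exist in the source qube but not where the launcher is being installed; REVIEW entries need to be read by hand before they are copied.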
Re: [qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager
On Saturday, 20 January 2018 20:03:31 CET Davidson wrote:
> Hey, thanks again for your work, much appreciated.
>
> Another thought just occurred to me, a collapsible tree like option. I
> have like "work" VMs (one for libre office stuff, another for email,
> another for vid confer) and for general communications (one for IRC,
> another for Signal, another for personal email) and anon stuff (crypto
> wallets, email via tor, browser, etc), the list I have is really quite
> long and I find myself sorting/re-sorting naming etc. I use tree-style
> addon in firefox which has the fantastic option to let you stack tabs
> among other things, considering that and how I have my file manager
> setup to show a tree of the folders I have it would really be quite
> handy to organize VMs into a collapsible tree.

As my list of VMs is growing, this speaks to me. I really like this idea.

Thanks for sharing it!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] GPU?
On Saturday, 20 January 2018 10:40:36 CET Foppe de Haan wrote:
> Since I am unable to estimate the security aspects of any given approach,
> and you do, have you seen this approach?
> https://forum.level1techs.com/t/looking-glass-guides-help-and-support/122387

That looks exactly like the approach my (very naive) proposal was thinking of; but these guys actually seem to know their GL and went ahead and did it :)

Their proof-of-concept showing that the result is *faster* (much less bandwidth) than the Qubes approach is very exciting.

Thanks for the link!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] No network (HELP)
On Friday, 19 January 2018 16:38:54 CET Marek Marczykowski-Górecki wrote:
> Specifically qmemman was broken in qubes-core-dom0 in 4.0.16 and 4.0.17.

Can confirm it works much better in 4.0.18 than it ever did before :)

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] No network (HELP)
On Friday, 19 January 2018 11:48:56 CET aaq via qubes-users wrote:
> What can I do

Could this have something to do with the broken qmemman?

Try turning off memory-management and give the sys-net an initial amount of something like 800MB.
Also check if xentop has anything weird in the first line with memory usage.

Good luck!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Moving dom0 screenshots immediately to VMs
On Friday, 19 January 2018 12:48:27 CET wordswithn...@gmail.com wrote:
> Qubes already has built-in the capability to screenshot the entire desktop
> (Printscreen) or the current window (Ctrl+Printscreen).

Yes, it does.

But this is not something you should use and then send to a VM because that VM then suddenly gets knowledge about all the other windows on screen that may be from another VM.

Imagine having your Vault VM window open with all your passwords and then you auto-upload a screenshot of that into a compromised VM which then causes the screenshot to be uploaded to a server.

I'm not aware of any way to avoid this data-leakage using the screenshot application in dom0.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] GPU?
On Sunday, 14 January 2018 08:12:24 CET r...@tuta.io wrote:
> Is qubes able to use the computing power of the gpu or is the type of gpu
> installed a waste in this issue?

Relevant here is an email I wrote recently;
https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

The context is a GSoC proposal to modernize the painting pipeline of Qubes.

Today GL using software uses [llvmpipe] to compile and render GL inside of a Qube, completely in software and then push the 2d image to dom0.
This indeed wastes the GPU.

[llvmpipe]: https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Graphic Tablet Compatibility (basic features)
I think I know why you get that error. Any part of the kernel (and drivers are part of the kernel) is off-limits to change for any Qube VM.

To avoid loading a module you don't have to remove it, you can just blacklist a module.
Your distro may have a specific way of doing it, but a little googling showed me this and that looks about right to me;
https://linux-audit.com/kernel-hardening-disable-and-blacklist-linux-modules/

On Tuesday, 16 January 2018 14:28:41 CET Fabrizio Romano Genovese wrote:
> when I tried to remove
> /lib/modules/4.9.56-21.pvops.qubes.x86_64/kernel/drivers/input/tablet/wacom_serial4.ko
>
> I get the error
>
> rm: cannot remove
> '/lib/modules/4.9.56-21.pvops.qubes.x86_64/kernel/drivers/input/tablet/wacom_serial4.ko':
> Read-only file system

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] template vm private.img file weighs (size) 171.8 MB, not 3 GB, can you save data?
On Sunday, 14 January 2018 15:02:48 GMT jerr...@disroot.org wrote:
> can you somehow save the data? is it a corrupt file? when i put this file
> in the template folder in /var/lib/qubes, the data is not there.

'private.img' is the contents of /home and /rw; you may be looking for 'root.img' if you are talking about a template.

Not sure if this command is available on 3.2, but qvm-volume is useful too.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] how to reinstall template? (i think it's not enabled by repo)
On Sunday, 14 January 2018 03:07:09 GMT jerr...@disroot.org wrote:
> the template is whonix-ws
> when running command
> sudo qubes-dom0-update --action=reinstall qubes-template-package-name

This is quite broken in 4.0 and you have to be a bit clever to work around this; here are some tips.

Reinstall doesn't work, you should delete and install instead. But this is still quite tricky :)

So, first you want to do a

sudo yum remove qubes-template-NAME

The tricky part is that the RPM also calls 'qvm-remove' and refuses to continue when that fails.
If you hit that case where you already deleted your VM, all you need to do is calling 'qvm-create' with the name it expects and just make it follow the standard template etc. The goal is to have an empty VM, just to allow the qvm-remove that yum calls to pass.

You should be able to do a simple 'qubes-dom0-update' to install the whonix template after this which probably includes downloading it.

Good luck!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0-rc3
On Friday, 12 January 2018 13:09:35 GMT Holger Levsen wrote:
> I'm not so sure, why not use git branches?

That has my preference still, but I'm ok for any workable solution.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0-rc3
On Friday, 12 January 2018 11:18:19 GMT 'awokd' via qubes-users wrote:
> Would it be of value if I went through the published Docs and added these
> version headers? Should newer versions be added at the top (so 4.0 before
> 3.2 content)? 4.0 might just be "TBD".

I think that would be wonderful, my main issue is with the not knowing if the current docs are actually applicable still.

If someone could do as much as flag known out of date content as 3.2 only, this would be a huge help.
The problem of knowing / identifying what isn't actually applicable anymore is the main one that I think is causing pain right now.

Thanks!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0-rc3
On Thursday, 11 January 2018 18:16:04 GMT Unman wrote:
> On the VPN case your own comment confirms that it would be better to
> provide a separate section, rather than trying to put "exceptions" in to
> the existing text.

Thank you for explaining that unman, much clearer indeed.

While I agree on the general statement above, I feel it's not the best solution in this case where 4.0 has massive changes in all layers of the technology.
In many cases about half of the text will be duplicated between the 3.2 and the 4.x sections, albeit with major changes. This will not help the reader much.

More importantly, I fear that the new users (potential contributors) that have not used 3.2 will have a hard time deciding what to do with information that clearly doesn't represent the current state of technology.
Asking people to put a lot of effort into reformatting documentation that may or may not actually be useful to anyone using an older version is a big ask in a volunteer project.

I personally prefer the solution where a git repo is cloned for 3.2 as "legacy" which is then attached to the website under a subdirectory and people can edit that for maintenance and fixes. http://qubes-os.org/doc/3/ or somesuch.

The majority of changes would then be in the 'master' branch which people can edit and they can add references to the github issues concerning known bugs.
We can mark known issues with the pages like the VPN one I described and people reading the docs will actually be aware of pitfalls.

In my opinion there is only one thing worse than no documentation, it is official looking documentation that is wrong.

> Also, that once 3.0 is retired, it will be simple to remove the 3.0
> relevant material, rather than filleting our bits from each page.

This would be even better, if qubes ever wants to they can just remove the subrepository.

What do others think?

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: memory management in dom0 ?
On Thursday, 11 January 2018 14:07:57 GMT Vít Šesták wrote:
> For your case, I have few questions:
>
> * What's dom0 swap usage? Qmemman includes this amount in memory
> requirements.

My dom0 has no swap, I didn't disable it, it just never had any. I guess that's because in the installer I didn't assign any swap partition.

> * Where does your “1.3 GB is in use” claim come from?

Top :)
The "in use" is what top claims. Add the "buff/cache" amount (1MB) to it and the "free" amount (1.6MB) and I do get to the total reported in both top and xentop.

> * How much of memory does the AppVM use?

I looked at it at the time I got repeated crashes, it had some 800MB assigned to it.

> What is the memory limit for the
> AppVM? See VM settings » Advanced » Initial memory.

The settings are 1GB initial and 4GB max.
I "solved" it by closing some VMs and my chromium got more space assigned.

- The qmemman has some more room for growth.

For instance I have one "Work" VM where I compile C++ code. I assigned it 16GB of memory and then qmemman came and only gave me 2GB. I start a compile (8 cores times 0.6GB of mem used) and maybe 10 seconds later I get out-of-memory issues.
To my annoyance xentop shows me that there is still >10 GB free, unallocated.
For some reason it just doesn't seem to allow growth of memory fast enough, regardless of my settings.

I "solved" that by turning off memory management for that VM and just setting it to 12GB always :(

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] memory management in dom0 ?
I understand that there is a memory-manager to balance the memory between VM spaces.

Does anyone know if dom0 is being managed this way?

Currently there is 4GB assigned to dom0, of which 1.3 GB is in use. At the same time I have chromium getting out-of-memory errors in an AppVM.

I'd like to actually use that 2½GB that dom0 now claims but doesn't use, anyone got ideas how?

Thanks!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Upgrading directly from Fedora 23 to 26 ?
On Thursday, 11 January 2018 06:39:02 GMT brutellealexan...@gmail.com wrote:
> I don't seem to be able to download the 26 template either... It says all
> mirrors have been used and it fails.

This is definitely the direction you want to go, download the template from dom0 using

sudo qubes-dom0-update qubes-template-fedora-26

After it installed the new template, you should start a terminal in it and run the following inside of that template;

sudo yum upgrade --best --allowerasing

more info;
https://www.qubes-os.org/news/2018/01/06/fedora-26-upgrade/

If that fails, please specify what you did and how it failed, this avoids guessing on our side :)

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0-rc3
On Thursday, 11 January 2018 03:42:11 GMT Andrew David Wong wrote:
> On 2018-01-10 12:53, 'Tom Zander' via qubes-users wrote:
> > I poked the Qubes guys about providing a separate dir on the website to
> > make it clear what is 3.x and what is 4.x specific, but they stated we
> > should instead put notices about exceptions in the document pages.
>
> That's not exactly right. Please see: ..
>
> In other words, do not just add notices in the text about exceptions.
> Instead, make clearly-labeled sections for 3.x and 4.x so that users
> can easily find the right information no matter which version of Qubes
> they're using.
>
> > So I guess things like ProxyVMs should be mentioned to be old and AppVM
> > is the new.

Ok, I am having a problem seeing your solution and my explanation of it as any different, in practice.
Maybe I'm missing the obvious, I'm just not seeing it.

In this specific case of the VPN page.
https://www.qubes-os.org/doc/vpn/

* in v.4 there is no "NetVM".
* There is no "ProxyVM"
* The create qubes screenshot is considerably different.
* adding 'meminfo-writer' and 'network-manager' are not needed (AFAIK).
* does not use iptables anymore.

Ok, going to stop now. I got to half the page and some 80% of the text and screenshots are wrong for v4.

How would you solve that in line with the QubesOS policy?

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0-rc3
On Wednesday, 10 January 2018 18:32:39 GMT Chris Laprise wrote:
> I also have a download-able project that makes the scripted/antileak
> setup fairly simple in Qubes R4.0:

Please consider updating the docs repo with this :-)

I poked the Qubes guys about providing a separate dir on the website to make it clear what is 3.x and what is 4.x specific, but they stated we should instead put notices about exceptions in the document pages.

So I guess things like ProxyVMs should be mentioned to be old and AppVM is the new.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Multiple usability issues Qubes 4RC3
On Tuesday, 9 January 2018 08:54:02 GMT aaq via qubes-users wrote:
> Okay, so I found the documentation for bind-dirs
> (https://www.qubes-os.org/doc/bind-dirs/), but was still wondering if
> you meant binding the AppVMs /usr/bin and /usr/local/bin, or was thinking
> of something else?
>
> I would assume I need to bind all dirs that a given application is going
> to write to (such as potentially /usr/share, /var/lib, etc).

Let me give you an example usage;

I have the binary build "keybase" app in its own AppVM. It installs the majority of its files in /opt, as such I bind that dir (restart before install!).

There are a dozen files also being copied into the /usr/ dir-structure. I copied those files into the /rw/keybase/usr/ dir structure and I edited /rw/config/rc.local to copy those files back onto the /usr dir-structure at vm-boot.

This was enough for this app, your actual usage may depend on how your app installs itself.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
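The setup described in the message above, as an added example rather than the poster's own script. The bind-dirs line in the comment follows the format in the bind-dirs documentation linked in the quoted question; `restore_tree` and its SAME/COPY/SKIP output are names made up for this illustration.

```shell
#!/bin/sh
# Added example. In the AppVM, the bind for /opt goes into
# /rw/config/qubes-bind-dirs.d/50_user.conf (format from the bind-dirs doc):
#     binds+=( '/opt' )
# The function below is what /rw/config/rc.local would call at VM boot to put
# the files kept under /rw/keybase/usr back onto /usr.

# restore_tree SRC DST: copy every regular file under SRC to the same relative
# path under DST. Prints one line per entry:
#   COPY  file was missing or different in DST and has been copied
#   SAME  file in DST already has identical content
#   SKIP  source or destination is a symlink or a special file; left alone
restore_tree() {
    rt_src=$1
    rt_dst=$2
    if [ ! -d "$rt_src" ]; then
        echo "restore_tree: no such directory: $rt_src" >&2
        return 1
    fi
    # find does not follow symlinks by default, so links show up as entries.
    ( cd "$rt_src" && find . ! -type d ) | while IFS= read -r rt_rel; do
        rt_rel=${rt_rel#./}
        # rc.local runs as root: never let a link under /rw redirect a write.
        if [ -L "$rt_src/$rt_rel" ] || [ ! -f "$rt_src/$rt_rel" ] ||
           [ -L "$rt_dst/$rt_rel" ]; then
            echo "SKIP $rt_rel"
            continue
        fi
        if [ -f "$rt_dst/$rt_rel" ] &&
           cmp -s "$rt_src/$rt_rel" "$rt_dst/$rt_rel"; then
            echo "SAME $rt_rel"
            continue
        fi
        mkdir -p "$rt_dst/$(dirname "$rt_rel")"
        cp -p "$rt_src/$rt_rel" "$rt_dst/$rt_rel" && echo "COPY $rt_rel"
    done
}

# Called with two arguments, e.g. from rc.local:
#     sh /rw/config/restore-tree.sh /rw/keybase/usr /usr
# (the script location is an assumption; the two paths are from the message)
if [ "$#" -eq 2 ]; then
    restore_tree "$1" "$2"
fi
```

Everything under /rw survives reboots and is copied into /usr as root on each boot, so the COPY lines are worth logging: an unexpected one means the persistent copy changed since the last start.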
Re: [qubes-users] Graphic Tablet Compatibility (basic features)
On Tuesday, 9 January 2018 01:54:40 GMT Fabrizio Romano Genovese wrote:
> Hello all,
> This looks like an old issue:
> https://github.com/QubesOS/qubes-issues/issues/2715
>
> I'd be interested in using only the basic tablet features (essentially
> moving the mouse and clicking around using the tablet would be enough).
> In the issue linked above it is said that
>
> "this in theory should be easy (a matter adding proper metadata - min/max
> - to the protocol handshake, and filtering events based on this info)"
>
> I'd like to help with this, but I am no coder. I just know a bit of bash
> scripting and trying to check the code in
>
> https://github.com/QubesOS/qubes-app-linux-input-proxy/blob/master/src/protocol.h#L17-L28
>
> didn't really help. I understand that developers are quite busy with much
> more hardcore problems to solve, but if someone could at least point me
> to the right research direction I could try to investigate this by
> myself.

From; http://linuxwacom.sourceforge.net/index_old.php/howto/theory
> Initially at least, the USB Wacom tablet is an HID compliant device, and
> when first connected to the computer, will identify itself as such.
> Unfortunately, this is not what you want because in this mode, you will
> not get any of the fancy features. The hid-core.c, mousedev.c, and
> usbmouse.c kernel drivers contain exceptions for the wacom; when the
> device is detected, they ignore the tablet.

So maybe you can use that website to find out how to configure your wacom to just be a HID (human interface device) and make it send those mouse clicks.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Multiple usability issues Qubes 4RC3
On Monday, 8 January 2018 13:29:02 GMT 'Ahmed Al Aqtash' via qubes-users wrote:
> * One I call 'trusted' which is based on debian sid (unstable) that I
> install everything I use for daily usage (firefox, libreoffice, mpv,
> emacs, other open source tools). Primarily AppVM's will be based out of
> this template.
>
> * One I call 'untrusted' that is going to be a clone of 'trusted', and
> that I install proprietary software in, that I also use on a daily basis
> (e.g. spotify). Also AppVM's out of this, but probably only 1 to start
> with.

An alternative solution is to make your "untrusted" VM an AppVM and you install the software in there using bind-dirs. Then you *only* use that VM for running that software and you likely store no personal data there (other than maybe your spotify credentials).

Additional bonus would be to open any webpages in disposable VMs, should you click on a link in any of those apps.

> * I will probably create a standalone VM based off of 'trusted' that I use
> for development. So I will install stuff like docker, golang, and all other
> stuff I would otherwise use for developing.

I may be wrong, but all those development tools are open source and likely shipped by your distro. In which case I wonder what the benefit is to putting them into its own VM?

In short, maybe the simplest way is to create;

* TemplateVM: debian9
* Work AppVM based on debian9
* Untrusted AppVM based on debian9, adds untrusted apps using binds
* any other AppVMs you need... All based on the same debian9 template.

> NOTE: I use zsh with oh my zsh and spacemacs. Both of which are git repos
> that are cloned to the homedir of the user (meaning they are git repos
> cloned to /etc/skel)

Using /etc/skel just causes the data to be copied to the appvm homedir on first start. You end up duplicating the data anyway, maybe you can use a different way to copy everything between VM homedirs.

Notice that you can just do a qvm-copy [dir] which copies recursively.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Multiple usability issues Qubes 4RC3
On Monday, 8 January 2018 13:29:02 GMT 'Ahmed Al Aqtash' via qubes-users wrote:
> But issues like moving a templates home directory to /etc/skel (meaning
> that appvm's inherit /etc/skel as home dir from the template) left me
> baffled with my first install..

Homedirs are completely separated from your template homedir.

I personally ended up setting up things like chrome and konsole, bashrc etc. Making a tar off my setup and uncompressing it on other qubes.

Usage of /etc/skel is not something I suggest, that is *only* for first initialisation of an AppVM and never gets updated again.

Bottom line; your homedir is unique and different in each and every VM.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Big if true: AMD reportedly allows disabling of the PSP (its Intel ME equivalent)
On Monday, 8 January 2018 10:10:17 GMT qubestheb...@tutanota.com wrote:
> Hi.
>
> https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option
> It's still yet not known whether this disabling is effective and whether
> it disables the PSP in its entirety.
>
> But if it does, then that would make the most recent AMD processors one of
> the best choices for Qubes 4.x usage.

In context;
https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-2018-Vulnerability
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Tip-Git-Disable-x86-PTI

So it's an up / down :)

* AMD is faster (no PTI)
* AMD has a remote code execution issue, at least until you can turn off PSA using a bios update.
* Bios updates are not much seen in the wild.

Time will tell.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: how to get the update proxy working again
On Monday, 8 January 2018 06:53:46 GMT khmartin...@gmail.com wrote:
> Is your new net vm different than "sys-net"? This caused me problems too.
> One solution is to rename the new net vm to "sys-net" or you can edit
> this file in dom0:
>
> /etc/qubes-rpc/policy/qubes.UpdatesProxy
>
> In that file there is a line that says target=sys-net.
> I changed it to the same name as my net vm.

That did the trick! Thanks, I would never have found that...

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] how to get the update proxy working again
I needed space on my dom0 (Q4) drive, so I ended up using qvm-clone to copy my fedora25 template, my sys-net & sys-firewall to a different pool. I naturally also copied the setup from the config dialog.

Everything seemed to work for a while, so I removed the sys-net /firewall originals.

Now I have a problem, updates in templates no longer work. The magic proxy fails me and I can't figure out how that thing actually was designed in order to make it work again.

My first thinking was to assign the original IP addresses to the cloned VMs, but qvm-prefs refuses to overwrite the qid property. :-(

The docs on the website talk about a service "qubes-yum-proxy" can't find that one, though. I guess it's a 3.2 property.

Anyone here able to explain how this proxy works? Would make a nice doc on the website too!

I'd love some suggestions on how to fix this... Thanks!

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: qubes 4 qvm-trim not exist
On Sunday, 7 January 2018 19:40:27 GMT Yuraeitha wrote:
> But there are still some
> issues, i.e. no visual interface to show your overall disk space usage
> (the other month, you had to pull and combine several commands to make it
> show accurately). I'm not sure if this disk space usage reporting issue
> has been fixed today though.

* https://github.com/QubesOS/qubes-issues/issues/1872 (open)
  Implement UI Notifications for cases of a Qube disk full
* https://github.com/QubesOS/qubes-issues/issues/1053 (open)
  Improve usability of VM disk space / increasing disk size
* https://github.com/QubesOS/qubes-issues/issues/3438 (open)
  Qubes storage pools of type LVM issues

This one is closed, but as I point out in the collection of issues (3438) this is not yet fixed;
https://github.com/QubesOS/qubes-issues/issues/2016 (closed)
Create dom0 API to detect global disk space available

And, yeah, it also still needs a user-interface.

The simplest way to get the space usage if you are using an LVM based pool (which requires completely manual setup at the moment) is

    sudo lvs

and you can read under the column "Data%" how much actual usage you reached.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] qubes app menu keeps old templatevm entries.
On Saturday, 6 January 2018 23:19:54 GMT pixel fairy wrote:
> The app menu, top left, keeps entries for old template VMs. is there a way
> to get rid of them?

You find the data backing this in $HOME/.local/share/qubes-appmenus/

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] hey, Please confirm we cannot install Qubes 4.0 on DVD, and the minimum on flash drive to install
On Saturday, 6 January 2018 17:42:00 GMT russlyatos...@gmail.com wrote:
> hey, Please confirm we cannot install Qubes 4.0 on DVD, and the minimum
> on flash drive to install Qubes 4.0 we must have 32GB? thanks

Not sure if this is helpful; the minimum size harddrive I've installed Qubes on was 21GiB. But you have to skip the debian and the whonix templates and I turned off swap.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Q4.0 rc3 (current testing) - power off/ suspend issues.
On Saturday, 6 January 2018 10:56:13 GMT haaber wrote:
> 2) Reboots hang systematically at "Reached target shutdown" and has to
> be rebooted via a coldboot.

I've been seeing this too, although sometimes it goes on after half a minute only to hang at some other point (after loads of messages).

I noticed that if I manually shut down all qubes, INCLUDING, sys-net, before logging out then this problem is avoided.

Next time you reboot, can you try that and let us know if this isn't just me? That may help with debugging.

Cheers!

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager
On Friday, 5 January 2018 23:43:58 GMT Zrubi wrote:
> > I'll attach two screenshots of the tool, to give you a bit of an
> > idea of what it already does and maybe if its worth your time to
> > compile
>
> Probably this is very subjective, but:
> For me, the most important parts/feature of the current Qubes Manager
> are (in order of importance):
>
> - Full overview of the state of the VMs in ONE screen, without clicking.
> The new widget is failing on this badly, just as your proposal.

My aim has so far been to show which VMs are there, which type they are and if they are running. This is visible in one go. Including even which VM has a high CPU usage.

I'm not happy yet with the way that the netVM is visualized, as you say it costs clicks on each VM.

> - Changing the NetVM of a given VM.

Great idea!

> - Starting programs from a given VM.

Fully agreed, this is what I added last week. I'm using it all the time. Much more convenient than the start menu.

> - start/stop VMs

Present :)

> - attaching/detaching devices.

Yes, definitely.

> - reading VM logs.

Good to know.

> Probably these are only my personal preferences. Hence I have no time
> to write a new manager for the Qubes 4.x I just shared my use case.
> Feel free to ignore them if you don't like 'em

They are excellent ideas, thanks!

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] dns in qubes
On Friday, 5 January 2018 15:37:37 GMT Unman wrote:
> Look at the nat table in the upstream netvm.
> You'll see that sys-net NATs these requests to the NS used by sys-net.

Ah, that hint was enough, I didn't expect NAT, thanks! Got it working now.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
[qubes-users] dns in qubes
I'm trying to figure out how this works, and I am stuck.

In every qube (except sys-net) there is a resolv.conf that points to two name servers. 10.139.1.1 and .2

This raises two questions;

* how does sys-net handle these requests on this odd address. No 'ip ad' network seems to listen on this address.
* how can I change this in individual qubes in the correct manner. I have some qubes routing through sys-vpn and I adjusted the vpn VM to find the DNS, but users of the vpn can't find any DNS service now.

Any help appreciated.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Tweak Tool not working as expected after upgrade to Fedora 26
On Thursday, 4 January 2018 02:11:16 GMT Mark Malcom wrote:
> I downloaded fedora-26 template and after that my gnome-tweak-tool is
> completely ignored: no themes, no windows scaling anymore. Not just the
> Tweak Tool, but if I try to change the scale factor with gnomesettings,
> that is also ignored.

Let's check if it's an environment issue; if you start a terminal on a VM. In that terminal do an;

    export GDK_SCALE=2.3

and then start something like chromium or any gtk app. Does that work?

If yes, then you know it's most likely a problem with environment variables in your VM in one way or another.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4.0 rc3 boot and performance is quite slow
On Thursday, 4 January 2018 11:49:45 GMT Fabrizio Romano Genovese wrote:
> Looking at the console messages at startup, it looks like the problem is
> that Qubes takes more than one minute to boot sys-net, sys-firewall,
> sys-usb and sys-whonix. That was not the case in 3.2.
>
> Also, when giving
> qvm-start someVM
> the startup time is again quite slow. Could it be that my VMs are based on
> Fedora26?

Can you try giving your VMs more initial memory? I saw that the default of 400MB is causing VMs to swap like crazy on startup. I change it to 1000MB and stuff starts significantly faster.

I also removed swap in fstab on all templates, the only effect this has had so far is show that the memory balancer is in need of work. It fails to give hosts memory when they use significantly more than others.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] How do I install and configure a template vm in Qubes 4?
On Thursday, 4 January 2018 10:40:56 GMT 'Ahmed Al Aqtash' via qubes-users wrote:
> In 3.2 you could allow network access in a template rather easily through
> the GUI, and thus be able to pull software from other destinations than
> just repos.

The same functionality is present in Qubes4, just not via a GUI.

open a terminal in dom0 (adminvm) and type;

    qvm-prefs -s YOURVMNAME netvm sys-firewall

When you are done downloading consider unsetting the netvm with;

    qvm-prefs -s YOURVMNAME netvm ""

I'll add the warning that you should be careful what you do in a TemplateVM, anything you run or download has sudo and can install or change data which then will cause all your VMs based on this template to be contaminated.

Be safe.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Donations with Bitcoin (Cash) - BCH
On Thursday, 4 January 2018 12:28:27 GMT evas...@openmailbox.org wrote:
> Happy New Year Qubes Community!
>
> Due to high fees and heavy losses to donator at Bitcoin Core (BTC) network
> I suggest to add Bitcoin Cash (BCH) donation address as alternative.
> Nobody want to donate 50$ and lose 40$ as fees.

As a long time Bitcoin developer, I completely agree with this sentiment.

I want to also add that the current address publicly displayed will work just fine on Bitcoin Cash, which may be useful to know.

Big companies like bitpay (biggest bitcoin payment processor) have already stated they will no longer accept any Bitcoin internet payments under $100, which you can understand means it can no longer be used for the majority of Internet payments. They are working on switching to Bitcoin Cash instead.

Curiously, looking at the Qubes donation page I see that the address you have shows that the Qubes organization in actual fact already owns some funds in Bitcoin Cash (BCH).
https://bch.btc.com/3GakuQQDUGyyUnV1p5Jc3zd6CpQDkDwmDq
Around € 700 worth.

To the Qubes-guys; please consider updating your website and if you post it on something like reddits rBtc forum, you likely will get some more publicity out of it as well.

If you want any details, feel free to ask me more in private email.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes 4rc3: More space needed on the / filesystem.
On Wednesday, 3 January 2018 16:16:13 GMT Fabrizio Romano Genovese wrote:
> I am trying to install texlive on a fedora-26 template vm. The package is
> quite big, nevertheless it is correctly downloaded. After this, when the
> actual installation process would be supposed to start, it fails with the
> message:
>
> At least *MB more space needed on the / filesystem

Have you considered making the root filesystem of your VM have more space?

In the settings dialog for a VM it's the "System storage max size" item which you can change. Be aware that the VM likely needs to restart to access the extra space.
Re: [qubes-users] Disable root password on fedora-25-minimal (Qubes 4.0rc3)
On Tuesday, 2 January 2018 18:26:27 CET Fabrizio Romano Genovese wrote:
> ...But how?

The naming is confusing as the root password is not really removed at all.

What happens is that a service called 'sudo' is configured to allow you to do anything without a password.

Make sure you have this content at /etc/sudoers.d/qubes
https://www.qubes-os.org/doc/vm-sudo/

Also I suggest double checking that sudo is actually installed.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Installation security : Usb optical vs sata optical vs usb drive
On Tuesday, 2 January 2018 06:20:46 CET mmm...@gmail.com wrote:
> So from the installation security guide I read the following:
> And for USB Drive:
> "Untrustworthy firmware. (Firmware can be malicious even if the drive is
> new. Plugging a drive with rewritable firmware into a compromised machine
> can also compromise the drive. Installing from a compromised drive could
> compromise even a brand new Qubes installation.)"
>
> Do usb optical drives not also have the same problem firmware wise?

The problem with USB is that it's universal. An attacker can make his device look like it's anything USB based. For instance a rarely used web-camera.

The problem with that is that each brand has its own driver in the Linux Kernel and most of those drivers are hardly checked for exploits.

As such, an innocent looking thing that connects on USB could root your kernel with unknown exploits in any usb driver shipped by the kernel. Just using a different firmware.

This is why there is the suggestion to have a sys-usb qube to isolate those drivers, should you fear your hardware in future falling in the hands of bad people.

> What about sata?

I hope someone else can answer this.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] How find out addresses to limit outgoing connections
On Saturday, 30 December 2017 04:55:59 CET Stumpy wrote:
> In the end, I want to have say a VM for email, where the firewall blocks
> everything but access to the email service, and do the same for my
> "banking VM" or "bitcoin wallet vm"
>
> I'm at a bit of a loss so would be grateful for help.

Using gmail in your browser is indeed quite difficult to allow specifically. Even using another protocol to a provider like google is practically speaking not possible. So I think you started on the hardest problem.

Instead, if you were to use for instance kolabnow.com, you'd be able to limit your outgoing to just two hosts (imap.kolabnow.com and smtp.kolabnow.com) which is a short list of IP addresses. (I personally use 'dig' to find out all IP addresses of a DNS).

Same with the Bitcoin wallet VM, you need to find out a series of trusted IP addresses and only allow outgoing connections from them, and likely no incoming connections at all. Those IPs would be something from friends, or some you find on; https://bitnodes.earn.com/

But notice you need to then tell your bitcoin software to actually connect to those IPs and likely skip any DNS lookup.

Hope that helps!

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
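One way to turn the `dig` lookups described in the message above into an egress allow-list for a mail-only qube, as an added example (not from the original post or the Qubes project). The `dig +short` samples are constructed with documentation-range addresses, ports 993 and 587 are assumed, and the emitted `qvm-firewall` rule syntax is assumed to match the Qubes R4.0 tool, so check it against `qvm-firewall --help` before running the output in dom0.

```shell
#!/bin/sh
# Added example: build an allow-list from `dig +short` answers.

# Constructed sample of `dig +short <imap host>` output. The first line is
# what dig prints when the name is a CNAME; one address is repeated.
SAMPLE_IMAP='mail-lb.example.org.
192.0.2.10
192.0.2.11
192.0.2.10'

# Constructed sample for the SMTP host, with two malformed lines.
SAMPLE_SMTP='198.51.100.25
not-an-address
198.51.100.999'

# Keep only well-formed IPv4 addresses from stdin, sorted and de-duplicated,
# so CNAME lines and garbage never end up in a firewall rule.
extract_ipv4() {
    awk -F. '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) ok = 0
            }
            if (ok) print
        }' | sort -u
}

# emit_rules VMNAME PORT   (dig output on stdin)
# Prints one accept rule per address, limited to a single TCP port.
emit_rules() {
    vm=$1 port=$2
    extract_ipv4 | while IFS= read -r ip; do
        printf 'qvm-firewall %s add accept dsthost=%s/32 proto=tcp dstports=%s-%s\n' \
            "$vm" "$ip" "$port" "$port"
    done
}

# build_mail_policy VMNAME
# Prints the full command list: DNS, IMAPS hosts, submission hosts, final drop.
build_mail_policy() {
    vm=$1
    echo "# remove the catch-all accept rule first; inspect with: qvm-firewall $vm list"
    # The mail client still resolves host names, so DNS stays allowed (assumed).
    echo "qvm-firewall $vm add accept specialtarget=dns"
    printf '%s\n' "$SAMPLE_IMAP" | emit_rules "$vm" 993
    printf '%s\n' "$SAMPLE_SMTP" | emit_rules "$vm" 587
    echo "qvm-firewall $vm add drop"
}

# mail-vm is a hypothetical qube name.
build_mail_policy mail-vm
```

Provider addresses change over time, so the rule set has to be regenerated from a fresh lookup when connections start failing.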
Re: [qubes-users] Detached LUKS header
On Monday, 1 January 2018 18:14:27 CET spi...@gmail.com wrote:
> I did look at this link as I already said.
> But the thing is that there are no info on how to install it
> without using the GUI.

If you get to the installer you can use alt-f1 to get to a native TTY. There are several of them and at least one is a bling bash which has root.

Not sure how easy it is to use, but that may just be the entry point you were looking for.

-- Tom Zander Blog: https://zander.github.io Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Install Rtlwifi new
On Sunday, 31 December 2017 20:57:36 GMT davidmizr2...@gmail.com wrote:
> I can see e permission problem here
> "/net/wireless/realtek/rtlwifi/rtl_pci.ko' Read-only file system,

That is not a permission problem. Nobody can write to a read-only filesystem.

Try to make sure that you configured your compile correctly. The path starting with /net makes little sense to me.
Re: [qubes-users] Re: new Desktop build recommendation
On Friday, 29 December 2017 19:23:01 CET taii...@gmx.com wrote:
> I am sure the massive
> markup over parts cost is worth it for a "tested working properly"
> system right?

Yes. Yes it is.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: Mozilla (was: Re: [qubes-users] Password security/disposable vm security)
On Thursday, 28 December 2017 03:49:07 CET cooloutac wrote:
> chrome doesn't have a good track record either.

Not to be confused with the project “Chromium” which is based on the open source version of google-Chrome.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Weak connection. Cannot reinstall borked template, download will not resume.
On Wednesday, 27 December 2017 03:02:57 CET dangmad...@gmail.com wrote:
> Opted to reinstall template, but I cannot download it without my
> connection dropping, and thus timing me out. dnf does not resume the
> download, despite it claiming to be saving the download to cache.
>
> I have put keepcache=true in dnf.conf, with no results.
>
>
> cannot wget from dom0. Should I wget from some other VM?

You should definitely be able to install a template you downloaded and copied via whatever means into dom0.

Please be aware that download-resumes are a feature on the server as much as on the client. Your wget should be able to tell you if a resume is possible serverside by just testing it (ctrl-c it after 100KB, and use the --continue flag on second try).

I've seen the qubes builder create a script that installs an rpm directly from local file, hence I know it is possible. Just don't know how.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: Mozilla (was: Re: [qubes-users] Password security/disposable vm security)
On Wednesday, 27 December 2017 00:34:38 CET Leo Gaspard wrote:
> > I'm more concerned that they tried than how they failed.
> > It leaves a bad taste in my mouth.
> tl;dr: please do google for “looking glass” and “mozilla”

It's good we agree on all the technical details, and I agree intent is tricky to guess about.

I definitely will not advise people either way, my opinion is irrelevant and browsers are not my specialty.

The situation left a bad taste in my mouth, I had to conclude that their priorities are not aligned with mine. Your mileage may vary.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] How to install software on templates (Qubes 4.0)
On Tuesday, 26 December 2017 23:58:36 CET Eric Scoles wrote:
> Sorry, I guess I'm not understanding your answer. The 'usual way' to
> install in an upstream distro would be to connect to the network.

Your ‘yum’, ‘pacman’, ‘apt-get’ have access to the internet via a proxy solution.

Please give it a try.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] How to install software on templates (Qubes 4.0)
In short, software is to be installed in your template exactly the same as you would do it in the ‘upstream’ way. So if you are using a debian template, you’d be able to go to the debian wiki pages that explain how to do it.

So your questions 1 and two are answered with; “like in the upstream distro”.

> 3. What if we need to install a package that's not available via a repo?

This opens a bit more complex situation because software not available for a public repo may cause the issue of it not being trusted. I don’t trust skype, for instance.

Technically the installation is not too difficult, you just follow the instructions from the place you find the software.

But it is important to assess how much you trust this software and its installer because changes made in a template will have an effect on ALL qubes that are based on it. Installing untrusted software in a template may end up exposing your data in the “work” qube that is based on it.

You may consider creating a new AppVM where you install the software (again, using the instructions from the place where you find the software). Check the /rw/config dir, there is a binds configuration that allows you to specify which files or directories are kept between restarts.

Hope this helps.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Password security/disposable vm security
On Tuesday, 26 December 2017 00:56:30 CET mmm...@gmail.com wrote:
> "So make sure your software is from a trusted source."
> Right but even if it is trusted at one point it can become less
> trustworthy later(infection) so I wanted to keep it perfectly "fresh" by
> using disposables.

Aha.

In Qubes you *use* AppVM based virtual machines. Those are unable to change software because the actual software is owned by a TemplateVM. As such this idea of keeping it fresh is already done by normal daily usage of Qubes.

The disposable VM concept goes one step up by isolating changes to your private data (downloaded files, config, etc). For your goal the dispVM doesn't add anything, AppVMs already do what you want.

> "Personally, I'd avoid thunderbird and anything from mozilla, but that's
> just me."
> Do they have a bad track record(I planned on researching my apps later
> =p).

Just last month they added an invisible plugin in their binary builds which was programmed to not show up in the 'add-on' screen and had the ability to alter page content.

Someone didn't actually program it well enough and the whole thing got leaked and after a lot of heat, a lot of bad press they eventually apologised.

I'm more concerned that they tried than how they failed. It leaves a bad taste in my mouth.

Google for "looking glass" and "mozilla" if you want to know more.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Trying to download new Whonix templates and fedora 23 gets updated?
On Sunday, 24 December 2017 02:33:26 CET Sven Semmler wrote:
> On 12/09/2017 08:38 PM, vel...@tutamail.com wrote:
> > Dependencies resolved. Nothing to do.
>
> Did you include the --enablerepo parameter as shown below?
>
> sudo qubes-dom0-update --enablerepo=qubes-community-templates
> qubes-template-whonix-ws qubes-template-whonix-gw

And be sure to read the output fully, sometimes it says it will remove certain packages but then if you read the full text you notice that it actually doesn't do so and you have to pass in two more parameters to get it to actually resolve conflicts...

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Password security/disposable vm security
On Sunday, 24 December 2017 23:14:21 CET mmm...@gmail.com wrote:
> Okay so I read all of that lol, and I understood it all but what if there
> was an e-mail client that used the browser method? You get logged in to
> all your emails without retrieving anything then switch to cookie
> authentication and forget the password, that way when the zero-day
> happens you only lose your cookie which is probably not as powerful as
> the actual password(ie I dont think you can change your password with
> just the cookie) plus the zero day can't "permanently" compromise
> thunderbird cause you opened it in a disposable , just only after this
> odd login method over and over again =p. Maybe that's overdoing it
> but I don't want to change my passwords ever so laziness commands me
> to want such a thing XD.

I think you may have misunderstood the idea behind the initial post you quoted;

> "there is absolutely no point in not allowing e.g. Thunderbird to remember the password – if it got compromised it would just steal it the next time I manually enter it"

The thought behind that quote is that you have to trust your open software running on your machine and there is no way around that. As the quote says, feel free to let it remember your password. No point in trying to be smart.

So if you run thunderbird in a qube that has (access to) password and/or emails, you better trust that open source software with that information.

So make sure your software is from a trusted source. Personally, I'd avoid thunderbird and anything from mozilla, but that's just me.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Password security/disposable vm security
On Sunday, 24 December 2017 01:58:36 CET mmm...@gmail.com wrote:
> Can't we just create disposable thunderbirds to protect the password?

The protection you want is against the evil software leaking the password. A disposable VM would not help in this case as you enter the password, or you let it remember your site passwords, then it would just send it out to the evil website immediately.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] pools, how to use
On Sunday, 24 December 2017 02:09:54 CET Marek Marczykowski-Górecki wrote:
> > sudo lvcreate -L 390.5g -n data Slow
>
> You need to create those as thin pools, not standard volumes. For
> example this way:
> lvcreate -L 37g --thinpool systems qubes_dom0

Thanks, that fixed it :-)

It took some more puzzling and I now have some VMs on LVM pools instead of everything as huge files in my dom0 filesystem. Great success.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
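A check for the error discussed in this thread, as an added example that is not part of the original posts: it reads `lvs` output and reports whether a volume is a thin pool, using the first character of the `lv_attr` column (`t` for a thin pool, `V` for a thin volume). The function names are hypothetical; the "before" sample uses the attributes reported in the thread and the "after" sample is constructed.

```shell
#!/bin/sh
# Check whether an LVM volume can back a Qubes lvm_thin pool before
# registering it with qvm-pool.

# lv_type VG LV: read `lvs --noheadings -o vg_name,lv_name,lv_attr` output
# on stdin and classify the named volume by the first lv_attr character.
lv_type() {
    awk -v vg="$1" -v lv="$2" '
        $1 == vg && $2 == lv {
            t = substr($3, 1, 1)
            if (t == "t")      print "thin-pool"
            else if (t == "V") print "thin-volume"
            else               print "not-thin"
            found = 1
        }
        END { if (!found) print "missing" }'
}

# usable_as_thin_pool VG LV: exit status 0 only when the volume is a thin
# pool, which is what thin_pool= in the qvm-pool options has to point at.
usable_as_thin_pool() {
    [ "$(lv_type "$1" "$2")" = "thin-pool" ]
}

# State after `lvcreate -L ... -n NAME VG`, with the attributes from the thread.
before_fix() {
    cat <<'EOF'
  Slow       data    -wi-a-
  qubes_dom0 adminvm -wi-ao
  qubes_dom0 systems -wi-a-
EOF
}

# Constructed state after recreating both volumes with --thinpool.
after_fix() {
    cat <<'EOF'
  Slow       data    twi-a-tz--
  qubes_dom0 adminvm -wi-ao----
  qubes_dom0 systems twi-a-tz--
EOF
}

# Live use in dom0:
#   sudo lvs --noheadings -o vg_name,lv_name,lv_attr \
#       | usable_as_thin_pool qubes_dom0 systems && echo "ok for qvm-pool"
for state in before_fix after_fix; do
    printf '%s: qubes_dom0/systems is %s\n' \
        "$state" "$($state | lv_type qubes_dom0 systems)"
done
```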
[qubes-users] pools, how to use
Hi,

I've set up a new qubes install and created two LVM volume groups. I wanted to try and see how this works with qubes and I tried out the pools concept.

The problem is that I think I did everything according to the docs, but the qvm-create command gives me an error message.

Can someone find out what I did wrong?

  sudo vgs -a
    VG         #PV #LV #SN Attr   VSize   VFree
    Slow         1   1   0 wz--n- 391.51g 391.01g
    qubes_dom0   1   2   0 wz--n-  59.33g  37.33g

  sudo lvcreate -L 37g -n systems qubes_dom0
  sudo lvcreate -L 390.5g -n data Slow

  sudo lvs
    LV      VG         Attr   LSize   Pool Origin Data% Meta% Move Log Cpy%Sync Convert
    data    Slow       -wi-a- 390.50g
    adminvm qubes_dom0 -wi-ao  22.00g
    systems qubes_dom0 -wi-a-  37.00g

  qvm-pool -a qubes_ssd lvm_thin -o volume_group=qubes_dom0,thin_pool=systems,revisions_to_keep=0
  qvm-pool -a data lvm_thin -o volume_group=Slow,thin_pool=data,revisions_to_keep=0

  qvm-create -P qubes_ssd --template fedora-25 -l green --class AppVM test
    app: Error creating VM: b' Logical volume qubes_dom0/systems is not a thin pool.\n'

Any help appreciated!

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Which 3.2 VMs to backup and for eventual 4.0 migration?
On Friday, 22 December 2017 02:42:57 CET yreb...@riseup.net wrote:
> assuming
> 4.0 is going to come out of the box with like Debian 9 and Fed 26?

Fedora 26 is not going to be used in 4.0, maybe in 4.1

source; https://groups.google.com/forum/#!msg/qubes-devel/13PZgSOaajA/RvBh02ANCAAJ

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes in a corporate network behind HTTP proxy
On Thursday, 21 December 2017 19:02:23 CET Unman wrote:
> This helps protect against user error - for example, opening a browser in
> Template by mistake, and using it to browse the web.

A separate thought occurred to me, if Qubes is worried about users misusing templates, I'd argue that free sudo-access should be removed from templates so you benefit from standard user protection.

In other words, you'd need a privilege escalation to compromise your template. While today the bar is much much lower.

Naturally, an AppVM based on a template would have to have full sudo access.

What do people think about this?

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes in a corporate network behind HTTP proxy
Thanks for your mail! I think we are getting to the core of our little discussion :-)

On Thursday, 21 December 2017 19:02:23 CET Unman wrote:
> Since templates can be customized by the user it is not true that they
> cannot contain private data.

They can contain private data, because they have harddrive space. So technically speaking you are not wrong. Do you have any reason to believe there is any incentive to store your private data, your account info (password) etc in a template?

> It's a moot point to what extent Templates do
> contain identifying material, even when not customized.

The entire point of Qubes is compartmentalization, which means actively choosing where you have your login data, your keys and your private messages. A security worry that assumes people will copy their darkest secrets in inappropriate qubes is a bit... odd. And that is exactly what you say when you argue placing material you want to keep secret in a template is a moot point.

> It isn't true that Templates CANT contain listening services,

This is true only if you pick your words very specifically. It is true that template can try to listen to someone out there. But it's pointless because the Qubes system doesn't allow anyone to connect to your templates. There is no port forwarding to your templates. Just connecting to sys-net will not make that magically happen.

Bottom line is that no hacker can connect to your services on your template. And thus you can’t get remote hacked by doing nothing.

> or services
> that make outbound connections without user intervention. Debian
> Templates will start some services on installation, for example, and
> there are other "aids" that may initiate outbound connections without
> the user's knowledge. There are circumstances where this could be
> extremely undesirable.

Interesting to hear, you maintain the Debian RPM for Qubes, right? Can you explain which services are started automatically and do outbound connections in that template? You seem sure, so please share that info.

> If (e.g) you use a web browser in a Template there is every chance that a
> hacker may install bad software without your knowledge.

I highly doubt that. If that were true most Ubuntu boxes would have been turned into bots. But more importantly, the advice to only run software to update your template stands. The template VM is started for updating your operating system, it is not for playing a flash game or running Skype. This was always the advice.

> If the Template is compromised then all the AppVMs that use it
> will be compromised.

This thought is not false, but your thoughts of how a template can get compromised are clearly unfounded. As you have admitted multiple times; all these technical things that make basic tasks more difficult are there only to protect the user from user-mistakes.

To be clear, I can get on board with the idea that users should be discouraged from *using* templates. User training you called it.

I think the two different schools of thought here are that you work with rules a lot. Decide that users can't do X or Y or Z, and you solve the problem. This works in a company, this works for a certain set of users.

I come from a different background, after 17 years of doing open source I learned that telling people what NOT to do will always lead to disappointment. :-) Finding more user friendly ways of telling people what is a better way to solve a problem is the direction I'm leaning towards. Lead, not punish.

As a quick example; make templates have a config file that indicates which software is the ‘updater-GUI’ and make the icon-updater use this info to only show a limited set of start-menu-items for template VMs. A second icon associated from a template would be “create VM based on this...”.

My thinking is that we have to work *with* people, not against them. Provide more useful options, don't take away ones you think are dangerous.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] template /home/user is not copied when creating appvm
On Tuesday, 19 December 2017 20:22:02 CET Dave C wrote:
> Whenever a TemplateBasedVM is created, the contents of the /home
> directory of its parent TemplateVM are copied to the child
> TemplateBasedVM’s /home...
>
> Is this true in Qubes 4.0 rc3?
>
> In my experience, changes made to /home/user in the template are not
> copied to the appvm when it is created.

This mirrors my experience, AppVMs don’t inherit the homedir.

I believe that the design has changed (i.e. the docs are outdated). Template VMs are meant to be used purely for its operating system and the software going with it, the homedir should have no personal data or app-configs because you should not use the template for anything other than updating packages.

Notice that disposable VMs no longer use templateVMs, they are based on an AppVM instead. You will likely end up creating an AppVM which will be a template for disposable VMs launched by the system.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: Attempting to securely wipe drives, running into issue.
On Wednesday, 20 December 2017 11:59:26 CET Holger Levsen wrote:
> oh, and if you want to securly erase data, use /dev/random, not
> /dev/urandom.

This is not good advice, your /dev/random device creates true randomness, but it only generates a very small amount of data. Bytes per minute. Creating enough to write to a many gigabytes data would take centuries.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Attempting to securely wipe drives, running into issue.
On Tuesday, 19 December 2017 22:09:31 CET David wrote:
> I'm attempting to wield a command from the archlinux wiki and getting
> access denied, even with sudo in front, and even when on dom0 (against
> my better judgment). Any thoughts?

A complex series like this is best just to run as root in a shell. First run something like;

  # sudo su

which should give you a shell that is owned by root. Type whoami to confirm.

Then you can copy/paste the line from the archlinux wiki to do the work.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes GUI for v4
On Wednesday, 20 December 2017 08:25:44 CET Matteo wrote:
> but before you code it you should talk to joanna to be sure it will be
> accepted and used.

I sent an email to the dev mailinglist at the same time I sent one here (no reply so far) so at minimum she knows about it.

But I have to say that I’m programming this for myself and for people that have indicated they want a similar solution. It would be nice if it were packaged in Qubes, but I’m not depending on it.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes in a corporate network behind HTTP proxy
On Tuesday, 19 December 2017 16:33:49 CET Unman wrote:
> Tom
>
> Ive suggested before that if you give this advice you should
> clearly state the consequences.

Ok, no worries. Here you go:

The consequence is that the template, which has no personal or identifying information, can be used to run apps that make outbound connections. Don’t worry! No inbound connections are possible.

In short;

* There is no possibility of loss of private data (since there is none).
* There is no possibility of a remote hacking attack (b/c no listening services).
* There is no possibility of a hacker installing bad software in your template (only you can do that).

Bottom line is that there is no additional risk when a user uses a corporate firewall and a http proxy to allow him to download updates.

Unman, being paranoid is fine, but making users unable to update their system unless they do it the very complicated way you approve of will not help security. We are dealing with people, let's keep that in mind.

Specifically, the result of being too strict on this is that they will end up either not updating (and missing security updates) or maybe just giving up and using the simple route of throwing security out the window and just getting the job done.

Perfection is the enemy of good enough.

And since I’m being nasty today, let's focus on another illusion in this email. You wrote;

> sys-net will not enforce a firewall

Basically true, sys-net indeed bypasses sys-firewall. But you are mistaken if you think that sys-firewall adds security.

Sys-firewall adds the _option_ of allowing you to _manually_ add security. IF you have the know-how on how to do so. Which most people don’t.

sys-firewall allows you to block remote hosts by IP-address, manually. And optionally.

Making people believe that having sys-firewall makes them more secure is selling an illusion of security, which is really bad for actual security because it follows that people will believe they are magically secured. In reality the configuration of the firewall is a highly specialized and low-level task that most people without sys-admin-training will simply not do.

Security is not about following a rulebook, it is about people first and foremost. Let's not lose focus of that, please.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Qubes in a corporate network behind HTTP proxy
On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
> I am still a bit stuck concerning the Qubes Update Proxy. Where would I
> set the environment variables for my corporate proxy so that I could
> update dom0, templates and VMs?

You should add sys-net to your template VM if you want that since the proxy that is in place today is to avoid your template VM from accessing the intranet or internet outside of your own machine.

Then google on where the template operating system (Fedora or Debian etc) sets proxies for doing the command-line update, the configuration is the same as Fedora or Debian etc.

I don’t know fedora at all, in archlinux you’ll have a file in /etc/pacman/ which sets the current proxy, in debian you’ll likely have one in /etc/apt/

  grep -R -i PROXY /etc/*

may be useful too.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub
Re: [qubes-users] Fedora 26 VLC/mplayer fullscreen problem
On Sunday, 17 December 2017 19:59:36 CET donoban wrote:
> Any idea?

If you hit the ‘f’ key to go full screen, or use the application menu, then you end up doing this using the application in the Qube.

Try to do it using the menu on the titlebar, which makes the trusted-window-manager be the one to instruct the full-screen option. That tends to work better.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub
[qubes-users] Qubes GUI for v4
In the last weeks there was a lot of talk about a lot of us missing the qubes-manager, or frankly any sort of useful graphical user interface.

As I’m a long-time programmer I decided to just give this a go and try to get something useful going. My approach is one where I talk directly to the Admin-API (at least when running in dom0) from this code, which happens to have been written using Qt in C++. The code will be GPL licensed.

The GUI is showing some usefulness already, the ‘start’, ‘pause’ and ‘stop’ buttons are functional. I just wanted to show some progress, hope you like it.
Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)
On Saturday, 16 December 2017 03:25:46 CET Yuraeitha wrote:
> Initially, this is all the reasons I can think of for wanting V-GPU.
...
> - Extending a single Qubes machine around the house or company, using
> multiple of screens, keyboards/mouses or other thinkable means.

This sounds inherently unsafe. Not sure what your usecase is, but there has to be a better way than allowing a multitude of foreign, not-directly-connected hardware from accessing various very security sensitive channels.

...
> - Cryptocoin miners who wish to utilize a single machine
> for all round purposes.

To build a proper crypto-mining rig based on GPUs, you would not run an OS on the machine. It literally drains money out of your system to use it on the same hardware as your main desktop.

If you install 8 GPUs on a mainboard, you have to realize that the mainboard ends up costing a fraction of the total. Reusing it for non-mining purposes (while mining) just doesn't make any sense. Both from an economics as well as a security point of view.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)
On Sunday, 17 December 2017 11:59:26 CET Yuraeitha wrote:
> f, but from what I understand, complex software is hard to make secure,
> compared to well-made hardware minimizing use of software. If Qubes
> hypothetically were to adopt these, would the hardware approach be more
> secure here?

The question isn't really about software vs hardware. The overall design and concept is what is more important. The actual approach of how to do this makes or breaks the security mode.

From that approach follows what parts are required to be in hardware (to still be fast and secure).

I claim no expertise in the domain you address in this thread, so apologies for the generic answer.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Release date for qube os 4
On Thursday, 14 December 2017 01:14:55 CET Jon Solworth wrote:
> On Tuesday, December 12, 2017 at 9:05:30 PM UTC-5, Andrew David Wong wrote:
> > We'll announce this as soon as we can. We usually can't say
> > for certain whether an in-place upgrade will be possible until very
> > close to the stable release.
>
> Andrew, now that the schedule for 4.0rc4 is out, it would be good to know
> what work remains to be done before 4.0 can be replaced. I would (and
> I'm sure the community would) appreciate a few words on this.

There is a wealth of information on the github pages. For instance the ‘milestone’ for the 4.0 release still has a large number of open bugs.
https://github.com/QubesOS/qubes-issues/milestone/17

Speaking from experience, the devs may bump the less important ones to the next release, so don’t see that as “written in stone”.

Also have to make clear that I see very little communication from the core devs, so I have no idea about their thinking here. My thinking is that since the milestone is there, it likely is important to someone :)

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
On Wednesday, 13 December 2017 00:49:14 CET Connor Page wrote:
> I’ll disagree with comparison of btrfs to lvm. there is a very significant
> difference between btrfs and lvm. btrfs is like a namespace and lvm
> volumes are block devices. one can put a namespace on a block device. but
> yes, layers and layers of metadata processing required.
>
> BTW, has anyone started a btrfs driver for storage pools? I think it could
> very tricky if at all possible.

related; https://github.com/QubesOS/qubes-issues/issues/3334

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] Re: USB Keyboard thoughts...
On Tuesday, 12 December 2017 16:24:16 CET cooloutac wrote:
> well I'm no expert but with ps/2 keyboard it will be the only thing
> attached, unlike usb which can have multiple devices on same controller,
> spoofed as other devices. Is there a better option?

The attack modes are two very different ones.

Taiidan is thinking about someone coming in, installing a snooping device and waiting for you to type something critical.

In contrast, your ps2 solution is one which protects against people at any time entering your OS through compromised (usb) hardware. Either by giving you a pen, or entering the pen themselves.

It seems that if you drop usb pens in the parking lot of a mall or company, you have a very very high chance some unsuspecting person will insert it in their machine. With the amount of bad USB drivers in the linux tree (not to mention in Windows) this is a worrying attack allowing the machine to be rooted without the attacker even being physically present.

sys-usb limits this attack.

> USB to ps/2 adapter works, i apologize if it is a too simple and
> practical cheap solution. If you are oldschool you probably have some
> laying around the house.

I think that's a great solution for the more common attack.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
On Tuesday, 12 December 2017 16:18:25 CET Connor Page wrote:
> so in short, first create a qubes storage pool
> qvm-pool --add

In the spirit of a “howto”, can you fill in the actual values to allow one to add a second drive as the ‘private’ (home) partition *only* of a Qube?

> if you go for a thin pool, create it first and use volume group and thin
> pool names as options for qvm-pool.

As the storage pools doc is missing readability, I have to say I have no clue what a “thin pool” is. What a “volume group” is.

Last, how does one create a btrfs filesystem on their “home” drive when using this pool concept?

> P.S. I’m not sure lvm backend operates properly. File-based backend can
> also be used instead. Just mount the secondary drive in dom0 and use the
> old trusty file driver if worried.

Using a file is going to cause lots of fragmentation and adds an unneeded layer that will just be able to introduce issues.

What is the benefit of using pools? Doing a backup of a 1TB homedir can be done without the backup tool too ;)

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
On Monday, 11 December 2017 15:10:17 GMT Connor Page wrote:
> I hope you do understand that there is no encryption in what you propose.

That's why I wrote;

> I assume you already partitioned and did everything you need with the
> drive, it should be available to dom0.

I cowardly leave the full-disk encryption details to be done by people before they start the howto :-)
Re: [qubes-users] Q4: vm-templates and updates
On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> This is a case where "making stuff work a lot nicer" isn't necessarily a
> good idea.

The "lot nicer" is that it is quite a bit faster and error handling is much better.

> I don't think you should advise against this without explaining the risks.

Can you perhaps explain what you think those risks are?

To me it boils down to; don't run any software except for "software upgrades" in your template. I'm wondering if this is a "protect the user from himself" or something real.
Re: [qubes-users] Q4: vm-templates and updates
On Monday, 11 December 2017 11:31:22 GMT Connor Page wrote:
> templates establish a connection to a proxy running in some netvm defined
> in dom0 over a vchan.

Would you be able to repeat that in English? :-)
Re: [qubes-users] Q4: vm-templates and updates
On Monday, 11 December 2017 12:43:37 GMT haaber wrote:
> On 12/11/2017 06:31 AM, Connor Page wrote:
> > did you update it in R4 before cloning and upgrading?
> >
> > templates establish a connection to a proxy running in some netvm defined
> > in dom0 over a vchan.
> yes, I did. I had to run apt-get dist-upgrade -d a dozen times (and
> spread over half a day) to fetch all ~800 packages. Now that they are
> there, I can install normally. I got the impression that changing
> identify in anon-browser (and hence resetting tor connections) improved
> the #{of error messages} per apt-get run. But this is no science, just
> a feeling. Bernhard

I still have not figured this out myself, but I can help you with one step of the puzzle.

In the archlinux template I noticed a config file is re-created every time I boot by someone. The config file for the package manager sets a (http) proxy to localhost, port 8082.

Removing that config (so it stops using the proxy) and enabling the networking on the qube makes stuff work a lot nicer.

Also, do check if you updated your /etc/apt/sources to use a local mirror.
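A check for the situation described in the message above, as an added example that is not part of the original thread or of Qubes' own tooling: it lists every proxy setting found under a configuration directory and marks whether it points at the local updates proxy on port 8082. The sample file names and contents are constructed, and treating `127.0.0.1` as equivalent to the message's "localhost" is an assumption.

```shell
#!/bin/sh
# Added example: list proxy settings in package-manager configuration and flag
# any that do not point at the local updates proxy (localhost port 8082, the
# value named in the message above; 127.0.0.1 is assumed to be equivalent).

# classify_proxy URL -> "updates-proxy" or "other"
classify_proxy() {
    if printf '%s\n' "$1" | grep -Eq '^https?://(127\.0\.0\.1|localhost):8082/?$'; then
        echo updates-proxy
    else
        echo other
    fi
}

# extract_proxies FILE -> one proxy URL per line (comment lines are skipped)
extract_proxies() {
    grep -Ev '^[[:space:]]*(#|//)' "$1" 2>/dev/null |
        grep -i 'proxy' |
        grep -Eo 'https?://[^"[:space:];]+' || true
}

# audit_proxy_config DIR -> "FILE<TAB>URL<TAB>CLASS" for every setting found
audit_proxy_config() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        extract_proxies "$f" | while IFS= read -r url; do
            printf '%s\t%s\t%s\n' "$f" "$url" "$(classify_proxy "$url")"
        done
    done
}

# make_sample_tree -> path of a temp dir holding constructed config files
# (file names and contents are illustrative, not copied from a real template)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/apt/apt.conf.d" "$d/dnf"
    printf 'Acquire::http::Proxy "http://127.0.0.1:8082/";\n' \
        > "$d/apt/apt.conf.d/01sample-proxy"
    printf '[main]\n# proxy=http://old.example:3128\nproxy=http://proxy.corp.example:3128\n' \
        > "$d/dnf/dnf.conf"
    printf 'deb http://deb.example/debian stable main\n' > "$d/apt/sources.list"
    echo "$d"
}

# With a directory argument audit it (e.g. /etc); otherwise audit the sample.
if [ "$#" -gt 0 ]; then
    audit_proxy_config "$1"
else
    sample=$(make_sample_tree)
    audit_proxy_config "$sample"
    rm -rf "$sample"
fi
```

A line classed as `other`, or no line at all, means the package manager in that tree is not configured to fetch through the port 8082 proxy.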