[qubes-users] yggdrasil & qubes netvm question

[Oleg Artemiev]

1) Has anyone succeeded in enabling the yggdrasil network in NetVM qube?
I'm thinking about Qubes standalone PC as a server machine with the
ability to use NetVM as a shell box via yggdrasil IP.

2) BTW: it should open an attack surface on the NetVM. Is it right
that this will open the attack surface to the NetVM only or yggdrasils
multicast announces are about to interfere with other qubes?

-- 
Bye.
https://keybase.io/grey_olli
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PX2DrmmaKOs%2BQ29tSTpPCCTdHxpP7e6UZ1PDksUpm6Qg%40mail.gmail.com.

[qubes-users] "Cannot connect to qrexec agent for 60 .." - how to change this timeout?

[Oleg Artemiev]

Re all.

I've slow disk on my qubes PC. Sometimes when I start VMs it tells
that it can't connect to qrexec & fails to start automatically - I've
to start again manually & then on the second time the disk reads
faster due to cache & it succeeds. Where can I change the timeout to
90 seconds or even more?

-- 
Bye.Olli.
gpg --search-keys  B6AF9DDC28D8DF4F, use key w/ fingerprint below:
Key fingerprint = 5847 1D08 5671 702C 147E  9A47 B6AF 9DDC 28D8 DF4F
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M1XGz6SW%3DrjkTfGcRRG7Y1n%2B1_GyiHKimpJimiDysf%3DA%40mail.gmail.com.

[qubes-users] AMD with latest Qubes - is it now "all relatively okay"?

[Oleg Artemiev]

I've bought an old AMD PC for games (AMD FX-8350 8-core 4GHz , 16Gb
RAM). It's not a laptop. Today I visited Qubes requirements page &
found it has been renewed since my last visit. It now contains more
detail on AMD requirements. So briefly speaking (I'dn't like to rewind
entire Qubes web site to get a clue) - does AMD PCs (non-laptop), at
most, work with latest Qubes ? Last time I was reviewing documentation
on AMD specifics, it was something like "we have not enough AMD
laptops to test our OS with - we don't support AMD in full yet". And
what's with AMD laptops now? Living in Russia I've generally no access
to certified hardware due to customs restrictions..

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6N-XKKeWyjuPPApwdg5M%3DBUxTEmt98uNrEHkuM50nE1%2BQ%40mail.gmail.com.

Re: [qubes-users] Squares instead of Characters in (?)nautilus

[Oleg Artemiev]

I don't use qubes currently, but my 5 cents:
1. missing fonts or incorrect locale settings. Having said that I guess you
may fix this in two ways:
 a) set locale (LC_*, LANG variables) according to your language in shell
files in app VM in bashrc (or in template VM in /etc),
 b) install missing fonts in template VM.
2. Alternatively you may download the non-minimal template VM and use it
instead - minimal VMs may miss fonts for your locale, using non-minimal VM
may help.


On Sat, Jul 11, 2020 at 9:17 AM Alex Lu  wrote:

> When I try to do anythings that opens "Open Folder" window, I see only
> squares instead of characters. https://i.imgur.com/YdXpIWW.png
>
> This behavior began after I moved from fedora-31 to fedora-32-minimal
> template. I already deleted the previous vm, so I couldn't even check if
> there is something I need to have installed to make it work correctly.
>
> Nautilus itself works fine, though.
>
> --
> Alex
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/dfed79660ef145aba01873b67ff24cfb%40cock.li
> .
>


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PhN6WVoGPGwKNf-PSR5o%2Bjoh7rFM8ApQYt-JugBTwoRQ%40mail.gmail.com.

Fwd: [qubes-users] unproven APT for Qubes 3.x

[Oleg Artemiev]

-- Forwarded message -
From: Oleg Artemiev 
Date: Sun, Dec 9, 2018 at 12:56 PM
Subject: Re: [qubes-users] unproven APT for Qubes 3.x
To: Alex 
Cc: 


In other words: please someone update Qubes 3.x FAQ .

On Sun, Dec 9, 2018 at 12:54 PM Oleg Artemiev  wrote:

> I'm in progress of key revocation. I cannot be alive w/o terminal.
>
> On Sun, Dec 9, 2018 at 12:46 PM Alex  wrote:
>
>> On 12/9/18 8:38 AM, Oleg Artemiev wrote:
>> > A friend of mine told me a story:
>> >
>> > She had unproven APT like when insecure hardware being in use.
>> >
>> > Sorry, my English is not well enough (proven upper intermediate).
>> > I will continue in Russian:
>> > --- quote -
>> > - Прикинь - словил апт в третьих кубиках
>> > - держи меня в курсе
>> > - ну ты же знаешь, что это было на unsupported hardware без usb filter
>> > --- quote -
>> >
>> > BCC: 0x90h
>> >
>> > может пора понять, что использование третих кубиков стало опасно после
>> > того как была опубликована работа по автоматизации их из ансибла (не
>> > упомянутая в Qubes 3 FAQ? Всегда найдуться любители отстрелить себе
>> > гениталии..
>> From what I can gather from your story, it seems that you claim that
>> Qubes R3.x is to be considered insecure, as far as USB hardware is
>> concerned...
>>
>> I'm not sure about this, but the warning to update is implicit in the
>> fact that R4 is out and the last version is typically the best supported
>> one.
>>
>> --
>> Alex
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/qubes-users/a0c2db52-25ea-3881-ea9e-b41b87eb6d24%40gmx.com
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> Bye.Olli.
> gpg --search-keys grey_olli , use key w/ fingerprint below:
> Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
> Blog keys (the blog is mostly in Russian):
> http://grey-olli.livejournal.com/tag/
>


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

Please take care.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PxbsieXkyn50WP-sz0KTJfguZNkvnf0qstfBw8NzPkFA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] unproven APT for Qubes 3.x

[Oleg Artemiev]

On Sun, Dec 9, 2018 at 12:46 PM Alex  wrote:

> On 12/9/18 8:38 AM, Oleg Artemiev wrote:
> > A friend of mine told me a story:
> >
> > She had unproven APT like when insecure hardware being in use.
> >
> > Sorry, my English is not well enough (proven upper intermediate).
> > I will continue in Russian:
> > --- quote -
> > - Прикинь - словил апт в третьих кубиках
> > - держи меня в курсе
> > - ну ты же знаешь, что это было на unsupported hardware без usb filter
> > --- quote -
> >
> > BCC: 0x90h
> >
> > может пора понять, что использование третих кубиков стало опасно после
> > того как была опубликована работа по автоматизации их из ансибла (не
> > упомянутая в Qubes 3 FAQ? Всегда найдуться любители отстрелить себе
> > гениталии..
> From what I can gather from your story, it seems that you claim that
> Qubes R3.x is to be considered insecure, as far as USB hardware is
> concerned...
>
> I'm not sure about this, but the warning to update is implicit in the
> fact that R4 is out and the last version is typically the best supported
> one.
>
> --
> Alex
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/a0c2db52-25ea-3881-ea9e-b41b87eb6d24%40gmx.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

квота для Шнайера:
---cut---
Oleg Artemiev
11:22 AM (1 hour ago)

my key is potentially stolen ) It is NOT actually. I'll send you email.
Happy new year. Я брал автограф у Вас на Positive Hack Days. Книга к
сожалению утеряна
---cut---


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OVhTXpXCdfNgYQkNa-0bfYpJrtH3icuciwbN%3DBnR5tcA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] unproven APT for Qubes 3.x

[Oleg Artemiev]

In other words: please someone update Qubes 3.x FAQ .

On Sun, Dec 9, 2018 at 12:54 PM Oleg Artemiev  wrote:

> I'm in progress of key revocation. I cannot be alive w/o terminal.
>
> On Sun, Dec 9, 2018 at 12:46 PM Alex  wrote:
>
>> On 12/9/18 8:38 AM, Oleg Artemiev wrote:
>> > A friend of mine told me a story:
>> >
>> > She had unproven APT like when insecure hardware being in use.
>> >
>> > Sorry, my English is not well enough (proven upper intermediate).
>> > I will continue in Russian:
>> > --- quote -
>> > - Прикинь - словил апт в третьих кубиках
>> > - держи меня в курсе
>> > - ну ты же знаешь, что это было на unsupported hardware без usb filter
>> > --- quote -
>> >
>> > BCC: 0x90h
>> >
>> > может пора понять, что использование третих кубиков стало опасно после
>> > того как была опубликована работа по автоматизации их из ансибла (не
>> > упомянутая в Qubes 3 FAQ? Всегда найдуться любители отстрелить себе
>> > гениталии..
>> From what I can gather from your story, it seems that you claim that
>> Qubes R3.x is to be considered insecure, as far as USB hardware is
>> concerned...
>>
>> I'm not sure about this, but the warning to update is implicit in the
>> fact that R4 is out and the last version is typically the best supported
>> one.
>>
>> --
>> Alex
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/qubes-users/a0c2db52-25ea-3881-ea9e-b41b87eb6d24%40gmx.com
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> Bye.Olli.
> gpg --search-keys grey_olli , use key w/ fingerprint below:
> Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
> Blog keys (the blog is mostly in Russian):
> http://grey-olli.livejournal.com/tag/
>


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OWz%3DTeUMYa7eF0pkQBJXA6HotJohk%2BoWis1cRYx2YFxw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] unproven APT for Qubes 3.x

[Oleg Artemiev]

I'm in progress of key revocation. I cannot be alive w/o terminal.

On Sun, Dec 9, 2018 at 12:46 PM Alex  wrote:

> On 12/9/18 8:38 AM, Oleg Artemiev wrote:
> > A friend of mine told me a story:
> >
> > She had unproven APT like when insecure hardware being in use.
> >
> > Sorry, my English is not well enough (proven upper intermediate).
> > I will continue in Russian:
> > --- quote -
> > - Прикинь - словил апт в третьих кубиках
> > - держи меня в курсе
> > - ну ты же знаешь, что это было на unsupported hardware без usb filter
> > --- quote -
> >
> > BCC: 0x90h
> >
> > может пора понять, что использование третих кубиков стало опасно после
> > того как была опубликована работа по автоматизации их из ансибла (не
> > упомянутая в Qubes 3 FAQ? Всегда найдуться любители отстрелить себе
> > гениталии..
> From what I can gather from your story, it seems that you claim that
> Qubes R3.x is to be considered insecure, as far as USB hardware is
> concerned...
>
> I'm not sure about this, but the warning to update is implicit in the
> fact that R4 is out and the last version is typically the best supported
> one.
>
> --
> Alex
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/a0c2db52-25ea-3881-ea9e-b41b87eb6d24%40gmx.com
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O7aH_rQXA-q_qXKZExQx3bDVE_fG1z%2BBJe%3DcTgPnF9Lg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] unproven APT for Qubes 3.x

[Oleg Artemiev]

A friend of mine told me a story:

She had unproven APT like when insecure hardware being in use.

Sorry, my English is not well enough (proven upper intermediate).
I will continue in Russian:
--- quote -
- Прикинь - словил апт в третьих кубиках
- держи меня в курсе
- ну ты же знаешь, что это было на unsupported hardware без usb filter
--- quote -

BCC: 0x90h

может пора понять, что использование третих кубиков стало опасно после того
как была опубликована работа по автоматизации их из ансибла (не упомянутая
в Qubes 3 FAQ? Всегда найдуться любители отстрелить себе гениталии..


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = подлежит замене.
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O4cYr1p7CMc3GeKXu%2BnJ%3DAic%2B61GqSxbUMM7%2BEd2J%3D8g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes r3.2 automation with ansible + gpg->gpg2 questions

[Oleg Artemiev]

Hello, list.

Sorry if this has been already discussed - didn't read the mailing list
long time. I've found myself in need to change templates once again as
templates for too old fedora are not even updating at my side and it
appears I've time to learn Qubes devops.

Since Qubes OS site seem to have no direct link to search dox I used to
yandex 'qubes os automation' and found this link:

https://github.com/Rudd-O/ansible-qubes

As I understood this project  is not from Qubes team and seem to be absent
in official documentation. Has this any security reason?
It could be helpful for those  who already know some ansible (as I do).

Though some of possible  management use cases seem to break Qubes way of
doing things securely (especially Qubes VM -> Qubes dom0):
---quote---

   - Qubes VM -> Qubes VM
   - Qubes VM -> Qubes dom0 (see below for enablement instructions)
   - Qubes dom0 -> Qubes VM
   - Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below)
   - normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host

---quote---

Also this project claimed to be specific for Qubes  3 (that's not a problem
for me since I prefer to use old but quite stable releases), though an
issue related to Qubes 4.0-rc2 .

The other thing I'm not sure is indirect dependency on gpg2 (via
https://github.com/Rudd-O/qubes-pass which relies on 'pass' program, which
functionality is very promising for me) - is gpg2 is a acceptable
replacement for gpg 1.4 version accepted by most of community? I'm still
comfortable w/ old gpg 1.4, but use of 'pass' program seem to be a
motivation to move. As via
https://apple.stackexchange.com/questions/264350/gpg2-warning-using-insecure-memory/264402#264402
and other yandex searches I see that most difference between gpg and gpg2
is use of external library (also developed by same people who made gpg
1.4). Quick search for CVEs related made me think that most important ones
affect both gpg and gpg2 (may be I'm wrong). Does gpg2 has wide attack
surface in comparision w/ gpg 1.4 ?

Has people used qubes automation with ansible w/ above project already? I
mean some reputation.
The project currently has 23 stars on github  - looks promising, isn't it?
-- 
Bye.Olli.
Please CC personally when replying to the list.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PPPK_np3PKNXf8VxssnzfBifa6n_keKnta%3D0qPt%3DFJ%3DQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] my qubes 3.2 doesn't boot after installing latest Dom0 patches yestarday

[Oleg Artemiev]

On Thu, 19 Apr 2018 11:18 awokd  wrote:

> On Wed, April 18, 2018 4:20 pm, Oleg Artemiev wrote:
> > It hangs w/ NMI watchdog: BUG: softlockup - CPU0 stuck for 22 s
> > [swapper/0:0]
> > Usually it happens after loading Dom0 startup setup or netvm startup.
> >
> >
> > screen photo attached. ​
> > 20180418_190412.jpg
> > <
> https://drive.google.com/file/d/0Bwua3s7WG1liSlVZTjktNmh4c21WZDlJZ2xWTGRK
> > Zi16YThv/view?usp=drive_web>
> > ​
> > Can I get into it and roll back updates w/o reinstalling? I guees booting
> > from Qubes usb stick will get me into it. But which packages should be
> > downgraded - I just installed everything w/o recording - is anywhere a
> > log of last packages installed or a howto w/ downgrade examples?
>
> It may have been a Linux kernel update. If you can choose an earlier
> version from your boot menu, try that.

I did that - same hang for all 3 versions.


To confirm, you can see the
> installation history in /var/log/dnf.log* files. To downgrade specific
> packages, see
>
> https://www.qubes-os.org/doc/software-update-dom0/#how-to-downgrade-a-specific-package
> .
>
Thank you!


If booting the earlier version works for you, you might want to use that
> instead of trying to downgrade packages but look for a way to keep more
> than just 2 versions in your default list or could accidentally lose the
>
Qubes provides 3 kernels to boot w/ by default. In my case all fail.

working one on your next upgrade. I think I saw a way to do that somewhere
> on this list.

Looks I've to protect a kernel package from removal on next upgrade & lock
one boot entry for it in grub menu . Is there a way to mark an rpm
permanent? And since on updates grub menu is overwritten I've to reinstall
grub manually on each upgrade, right?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PCS7KOKNETGTcn32qfTD9Ov%3DbCbi8dVyw4K06KbuZq9A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] my qubes 3.2 doesn't boot after installing latest Dom0 patches yestarday

[Oleg Artemiev]

It hangs w/ NMI watchdog: BUG: softlockup - CPU0 stuck for 22 s
[swapper/0:0]
Usually it happens after loading Dom0 startup setup or netvm startup.

screen photo attached.
​
 20180418_190412.jpg

​
Can I get into it and roll back updates w/o reinstalling? I guees booting
from Qubes usb stick will get me into it. But which packages should be
downgraded - I just installed everything w/o recording - is anywhere a log
of last packages installed or a howto w/ downgrade examples?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P%2B6E0REoOckdWMjD4%3DeVc1R-Wt%2BZ1kvAEFskqLBcxd2w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Is it really hard to autogenerate apropos data for all qubes utils ?

[Oleg Artemiev]

On Sat, Mar 18, 2017 at 4:11 PM, Unman  wrote:
> On Sat, Mar 18, 2017 at 03:32:54AM -0400, Jean-Philippe Ouellet wrote:
>> Unman is correct.
>>
>> Additionally, mandb index generation may be of lesser quality because
>> our man pages are not actual man pages, but rather lifted from
>> reStructuredText via pandoc, which generate raw *roff formatting
>> macros rather than semantic mdoc (or even man(7)) ones. This is
>> because reStructuredText inherently lacks such semantics, and pandoc
>> does not attempt to heuristically assign any.
>>
>> Example:
>> NAME
>> 
>> qvm-block - list/set VM PCI devices.
>>
>> Turns into:
>> .TH "qvm\-block" "" "" "" ""
>> .SH NAME
>> .PP
>> qvm\-block \- list/set VM PCI devices.
>>
>> Instead of:
>> .Sh NAME
>> .Nm qvm-block
>> .Nd list/set VM PCI devices
>
> Although, of course, apropos seems to work perfectly with that utility as 
> well.
Then this looks like I've missed some required steps in configuring my
Qubes 3.2 system.
I've got that apropos just after clean install. I've changed laptop a
month ago and have the
same missing apropos db.. Guess I've to upgrade something.
What steps are required to get this working by default?
Yes I can start man-db --no-purge , but why this is omitted by default?
BTW: qmemman - nothing in apropos even after man-db --no-purge .

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P7LkjK5Tz9t4f2mxsxb%3Dw0%3D%2BYxFEZkfciR6VCRD96X3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL report for acer aspire v5-572pg

[Oleg Artemiev]

On Mon, Jul 24, 2017 at 6:57 PM, Oleg Artemiev  wrote:
> Hello.
>
> No sound by dedefault, no vt-d
actually sound works, sorry for mistake.

> Though, this is temporary laptop till I'll have fully compatible purism one.
> I'ven't removed any numbers. This laptop is obviously not for Qubes.
>
> It's okay to put this onto the Qubes Web HCL.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OJOvwQO2XSzQ1O1i7Tg9pV37F4FFHguSBG0j32rsDhxw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL report for acer aspire v5-572pg

[Oleg Artemiev]

Hello.

No sound by dedefault, no vt-d

Though, this is temporary laptop till I'll have fully compatible purism one.
I'ven't removed any numbers. This laptop is obviously not for Qubes.

It's okay to put this onto the Qubes Web HCL.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MfunMa_mxwfv_R1Qxu%3DTfEZfFm_X%2BDFRDsiG-UNz1O3g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Qubes release 3.2 (R3.2)

Brand:  Acer
Model:  Aspire V5-572PG
BIOS:   V2.07

Xen:4.6.1
Kernel: 4.4.14-11

RAM:6025 Mb

CPU:
  Intel(R) Core(TM) i3-3217U CPU @ 1.80GHz
Chipset:
  Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)

## step w/ loading kernel modules fails, though Qubes OS boots okay failing on 
network.
## sound doesn't work at all.

VGA:
  Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 
09) (prog-if 00 [VGA controller])

Net:
  Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit 
Ethernet Controller (rev 14)

## By default this doesn't work - require separated VM for realtec related 
network devices.

SCSI:
  ST320LT020-9YG14 Rev: SDM1
  SanDisk SD6SF1M1 Rev: 200 
  External USB HDD Rev: 1.03

HVM:Active
I/O MMU:Not active
HAP/SLAT:   Yes
TPM:Device not found
Remapping:  no

Qubes HCL Files are copied to: 'dom0'
Qubes-HCL-Acer-Aspire_V5_572PG-20170724-183120.yml  - HCL 
Info

Re: [qubes-users] Seeking moderators for unofficial Qubes IRC channels on Freenode and OFTC

[Oleg Artemiev]

i regulary open this channel since it was small in traffic volume. If
I'm not late already I'd like to help.

On Fri, Jul 21, 2017 at 3:27 AM, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Dear Qubes Community,
>
> We're looking for well-known, trustworthy volunteers from the
> community who would like to be moderators in the unofficial Qubes IRC
> channels on Freenode and OFTC (#qubes on both). We'd like to have at
> least two unrelated moderators who can oversee both channels. If
> you're interested, please let us know.
>
> Best,
> Andrew
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
>
> iQIcBAEBCgAGBQJZcUp0AAoJENtN07w5UDAw5XUP/jVeN7dxhqy8HRl4ciM45as4
> RuSQfVGF98p0L3VURaxZ9UOOKLzecZs4WOSRrfwjnPeL6HuzlB/XEQPMYGNytSCX
> 3QJMhmyuAqePLUv3wHTLKpE2urrLWRpqtbKxY91AeDU4FiSQBlToxw5kzpfsKZ2B
> iphdfuIklB2xxC+E6U27uB6eLm5Z2DMro9O6Pgt08EPrR+MckeU932XAZgjJQzaP
> CCRzBtrewtfpgw8MFGLtd4Nv/mFEsYcL9XEiRHdYwJ1XIkL3uC0Mox+7qkDSOhW4
> AITF5NUFGjZYcmNIpuo6sWan3w4X+Y53KFmCR7xUi1iZbi0vhsBnzq2dB85lR4SY
> 7a972fvGusl4ZAdv1LpW70s2ZQzFRQqGdGdud1psSrB62IEQox1QRrJT50prqHAN
> xXvakzBffx/5kKjU4YG4ngZCk+Y3bt3wNvrsJIdQfz1R0qzBblNzC8ebG/MXp+Yx
> V3v2oex1KprR8IPqAx3BpTd204oTdhOvGhlczNfGj1M4Eh7wcDWlQM+0CT4wfAt8
> 3v8sD5Iwgp5cAii62q1HHjomT7NxUUZf/xmox+NOMOLxfZKl/mYpciFR/K9nzFVw
> aO7G2fkjMSBmgVaH7Kmo+hmNA8N/vbyXt9/lOw9FSkcAtHmtgaIK6pDcjTZVxcz/
> KqB25JSGN4vNlHfjYgUx
> =nokq
> -END PGP SIGNATURE-
>
> --
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/8ca4d6e6-dcc5-5080-651c-e5f78a489dd4%40qubes-os.org.
> For more options, visit https://groups.google.com/d/optout.



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NGJd8PJ%3DpTiJLPuRecTvddtAGuN1%3DcwNnqbHHA0uMUrw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: cognitive issues when default is to use tor

[Oleg Artemiev]

On Thu, Jul 6, 2017 at 5:24 AM, cooloutac  wrote:
> On Wednesday, July 5, 2017 at 10:19:32 PM UTC-4, cooloutac wrote:
>> On Tuesday, July 4, 2017 at 1:34:17 PM UTC-4, Oleg Artemiev wrote:
>> > Hi.
>> >
>> > I'm not very glad w/ defaults provided in Qubes OS.
>> > Are there any chances the situation 'll get fixed?
>> >
>> > Details:
>> > I've no real trust to https - this is reputation scheme.
>> > I've no real trust to tor - exit nodes sniff.
>> >
>> > I've installed new instance w/ tor as default.
>> > I've two network VMs w/ diffrent networking defaults.
>> >
>> > I'm switching my work VM to get run w/o tor.
>> > Ooops - my work VM has now no firewall VM attached.
>> > This is bad default - isn't it?
>> >
>> > Why should I go via tor w/ work VM even when sitting in the office?
>> > Tor exit nodes should not know anything about my work.
>> > Also tor makes things run slower.
>> >
>> > Shouldn't we have have a trigger transparently applying firewall VM
>> > when network VM has changed?
[]
> also I should add,  they have new feature to update with tor.  but I also 
> wonder how better that is because it seems to me tor is attacked with fake 
> keys more then anything.  And all it takes is for the user to hit y one time.
Qubes team keys for Dom0 updates should be preinstalled  - aren't them?

> I can count dozens upon doznes of times i had to make sure i hit n.  and kept 
> trying till I got a verified key. I've mean i posted so much about it on 
> whonix I pissed the guy off.  not just wrong keys but servers going out.   
> But I can only count 1 or 2 times that happened through my regular connection.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O3z60xMZUDO1q0oHUoxU66fEYnWSout8JXYV9OAQTE0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: cognitive issues when default is to use tor

[Oleg Artemiev]

On Wed, Jul 5, 2017 at 2:35 PM,   wrote:
> My understanding is that you shouldn't be accessing Tor through anything but 
> anon-whonix or a copy of that VM (this might be wrong). I'm not sure what 
> metadata your work applications may leak that will compromise the anonymity 
> of your Tor connection. You should do some reading up on whonix.
>
> But if you don't trust Tor more than https, when are you using it?
Just to test how it works. W/o using I've no experience - do I?

>
> If you want to create a secure connection to your office, I think the best 
> tool to use is VPN.
>
> I'm not sure what kind of trigger you're looking for, but I'm sure that you 
> could write a script that will make it happen.
Yep. Though scripting for everything sooner or later becomes annoying.
Low in time - give up and use it as it goes .


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M9Pjp-kjVdH2jrkDsmyEZsCOTo7f%3DNtLxOa4khCZ%2B8Mw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: cognitive issues when default is to use tor

[Oleg Artemiev]

On Thu, Jul 6, 2017 at 5:25 AM, cooloutac  wrote:
> On Wednesday, July 5, 2017 at 10:24:32 PM UTC-4, cooloutac wrote:
>> On Wednesday, July 5, 2017 at 10:19:32 PM UTC-4, cooloutac wrote:
>> > On Tuesday, July 4, 2017 at 1:34:17 PM UTC-4, Oleg Artemiev wrote:
>> > > Hi.
>> > >
>> > > I'm not very glad w/ defaults provided in Qubes OS.
>> > > Are there any chances the situation 'll get fixed?
>> > >
>> > > Details:
>> > > I've no real trust to https - this is reputation scheme.
>> > > I've no real trust to tor - exit nodes sniff.
>> > >
>> > > I've installed new instance w/ tor as default.
>> > > I've two network VMs w/ diffrent networking defaults.
>> > >
>> > > I'm switching my work VM to get run w/o tor.
>> > > Ooops - my work VM has now no firewall VM attached.
>> > > This is bad default - isn't it?
>> > >
>> > > Why should I go via tor w/ work VM even when sitting in the office?
>> > > Tor exit nodes should not know anything about my work.
>> > > Also tor makes things run slower.
>> > >
>> > > Shouldn't we have have a trigger transparently applying firewall VM
>> > > when network VM has changed?
>> > >
>> > > --
>> > > Bye.Olli.
>> > > gpg --search-keys grey_olli , use key w/ fingerprint below:
>> > > Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
>> > > Blog keys (the blog is mostly in Russian): 
>> > > http://grey-olli.livejournal.com/tag/
>> >
>> > I agree I don't use tor for anything I type a password into.  I use tor 
>> > for random untrusted webpages only.  Sometimes I just use tor to compare a 
>> > key or cert,  a trick I learned from Qubes forums.
>>
>> also I should add,  they have new feature to update with tor.  but I also 
>> wonder how better that is because it seems to me tor is attacked with fake 
>> keys more then anything.  And all it takes is for the user to hit y one time.
>>
>> I can count dozens upon doznes of times i had to make sure i hit n.  and 
>> kept trying till I got a verified key. I've mean i posted so much about it 
>> on whonix I pissed the guy off.  not just wrong keys but servers going out.  
>>  But I can only count 1 or 2 times that happened through my regular 
>> connection.
>
> I don't let my family update dom0 anymore.
haha. Nice )

anyway - all defaults bound on idea of one netvm and one firewall vm.
This is not good for a custom scheme. I miss a network map feature.
Finally when I'm busy I giveup and leave defaults. I currently use tor
w/ whonix blindly trusting them made all right. This is damn slow.
This makes my google and yandex search engines (and lots of other
sites) ask me "you're not a robot". Very annoying. No easy GUI fall
back to non-tor defaults. Hrrm. Next time I'll start w/o Tor layer as
default - the setting finally makes me loose my time.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Pj2eKOtsK10HxKV%2BWave56nuN9NsZz1qX8qa2oODtkug%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: certified laptop delivery to Russia

[Oleg Artemiev]

On Sun, Jul 9, 2017 at 6:13 AM, cooloutac  wrote:
> On Saturday, July 8, 2017 at 12:40:31 PM UTC-4, tai...@gmx.com wrote:
>> On 06/26/2017 10:41 AM, cooloutac wrote:
>>
>>
>>
>>   On Saturday, June 24, 2017 at 12:30:48 AM UTC-4, tai...@gmx.com wrote:
>>
>>
>> Ah the smell of disinformation.
I'm sorry. But Qubes is reasonably _SECURE_ for me. I just want all my
QA related stuff be tested and reported on fully compatible certified
hardware. This means no ARM and no AMD. Only Intel. Just because AMD
ignores Qubes OS. Certified laptop is preferable. I've no choice
really. Sorry. I'm glad there's critics around purism. My level of
understanding chip tech is not that deep. :( Finally I'll receive
laptop and ask nearest hardware tech person to review it for covert
things.. Then I'll just install Qubes myself.

>> On 06/23/2017 10:28 AM, cooloutac wrote:
>>
>>
>>
>>   On Thursday, June 22, 2017 at 6:51:27 PM UTC-4, tai...@gmx.com 
>> wrote:
>>
>>
>> On 06/21/2017 10:57 PM, cooloutac wrote:
>>
>>
>>
>>   I agree they are super overpriced  But i'm not sure we can 
>> have 100% libre hardware, at least not for desktops.  I heard the guy Chris 
>> from thinkpenguin talk about on a radio show once,  how there is really only 
>> a couple manufactures that dominate the world.  You would have to make every 
>> single part from scratch.
>>
>> I don't know anything about coreboot or libreboot. Though I know I'd 
>> actually would like to have secure boot,  but I guess I'm crazy.
>>
>>
>>
>> Of course you can, see the TALOS project for libre 
>> hardware/firmware
>> concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware,
>> there are some POWER computers as well.
>>
>> If someone tells you otherwise they don't know what they are talking
>> about, there is nothing stopping a company from making a libre computer
>> even a small company as long as they have the cash, purism could have
>> they just didn't want to.
>>
>> Secure Boot is a marketing term for kernel code signing enforcement and
>> grub already does this, MS "secure" (from you) boot is a way for them to
>> eventually stop people from running linux.
>>
>>
>>   I searched talos project and see stuff about body armor?
>>
>>
>> The TALOS project from raptor engineering was a 100% libre firmware 
>> and
>> hardware PC project that did not meet crowdfunding goals.
>>
>>
>>   The guy from think penguin who sells libre laptops doesn't know 
>> what he is  talking about? I agree he is a little extreme and paranoid,  but 
>> The radio show was focused on wireless devices at the time and the dangers 
>> of the fcc ruling to lock them,  and why purism, nor anybody, truly has a 
>> 100% libre machine.  There is many firmwares integrated and attached to a 
>> mobo, but you are acting as if there is only one.
>>
>>
>> Thinkpenguin and system76 are good honest companies FYI, I would 
>> suggest
>> supporting them if you are interested in a new intel machine for linux.
>> He is not extreme nor paranoid, the fcc thing could mean the end of open
>> source linux drivers and firmware for wifi chips.
>>
>> There is not "many firmwares attached to a mobo" there really is only
>> one most of the time, I know what I am talking about as I am involved in
>> the coreboot project and I own several libre firmware machines.
>> The KGPE-D16 and KCMA-D8 have full functionality with libre firmware and
>> zero blobs, I even play the latest games on mine so that excuse from
>> purism that "oh no one has this" doesn't fly moreso because they haven't
>> even "struck a compromise for the latest hardware" or what not as again
>> their "coreboot" has entirely blobbed hw init making it pointless.
>>
>> The exception to this rule would be a device with for example an
>> integrated storage device, FullMAC (not the SoftMAC AGN atheros types)
>> wireless chip, or a laptop/mobile board with an EC.
>>
>>
>>   I don't know what you mean secure boot is a way to stop linux. It 
>> is supported by all major linux distributions.  Even after that myth is 
>> proven wrong you still perpetuate it?   Even after Richard Stallman himself 
>> says its ok to use secure boot?
>>
>>
>> "supported by all major linux distros"
>> Only by using a red hat supplied signed binary pre-compiled sketchy
>> version of grub.
>> I don't think I should need to ask red hat for permission to run linux
>> do you?
>> A machine that lacks the ability to use even your own bootloader is not
>> really your machine you are simply licensing the use of it.
>>
>> SB 1.0 specs require owner control and method to shut it off and enroll
>> own keys, SB 2.0 doesn't have this requirement so OEM's will eventually
>> not implement it similarly to MS's ARM computers that only allow you to
>> install windows - thus stopping people from using linux so no it isn't a
>> myth.
>>
>>
>>   I don't believe grub2 can take the place of secure boo

[qubes-users] cognitive issues when default is to use tor

[Oleg Artemiev]

Hi.

I'm not very glad w/ defaults provided in Qubes OS.
Are there any chances the situation 'll get fixed?

Details:
I've no real trust to https - this is reputation scheme.
I've no real trust to tor - exit nodes sniff.

I've installed new instance w/ tor as default.
I've two network VMs w/ diffrent networking defaults.

I'm switching my work VM to get run w/o tor.
Ooops - my work VM has now no firewall VM attached.
This is bad default - isn't it?

Why should I go via tor w/ work VM even when sitting in the office?
Tor exit nodes should not know anything about my work.
Also tor makes things run slower.

Shouldn't we have have a trigger transparently applying firewall VM
when network VM has changed?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PF%2BC3yGNS%2BwcUVHitN92rQe5sx2oEKNF6HcrQX%2BhC7Wg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] marketing issue: purism team has no required ISO w/ Qubes currently

[Oleg Artemiev]

Hello.

Could the team please send required image of Qubes to Purism team?
I want my certified laptop asap and currently have to buy it w/ Purism
OS instead of Qubes OS.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MgU7xcEUFGYLVdHt5H_Pwu96FdhZRCZM%2BsMqW3LqZUEA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] certified laptop delivery to Russia

[Oleg Artemiev]

On Thursday, June 15, 2017 at 5:43:42 PM UTC+3, Oleg Artemiev wrote:
> On Wed, Jun 14, 2017 at 9:34 AM, Alex  wrote:
> > On 06/13/2017 10:00 PM, Oleg Artemiev wrote:
> >> Has anyone sent the Qubes certified laptop to Russia?
> >> Are there any delivery or customs issues that Russian citizen should
> >> be aware of?
> >>
> >> How do I check that US vendor hasn't passed implant into device?
> > It's long been a bad idea in general buying computers that are meant to
> > have any appreciable level of security and have them shipped by mail
> > delivery...
> I've spent some time to defend idea that I'll get qubes certified
> laptop paid by my organisation.
> Are there any ideas for anonymouse delivery? I am okay to pay for that.
>
> > And you are planning to buy something from the United States of America
> > (known for the very problem you are asking about),
> No idea how to get that laptop in any other relatively secure way.
> It is shipped worldwide but
>
> > have it delivered to
> > the Russian Federation (not a very believable defender of citizen
> > privacy),
> Yep. This is my second motherland since USSR has been killed by gorby & 
> company.
>
> > and believe it will arrive safe and secure?
> The vendor should provide some security check algorithm I guess..
> I beleave in Qubes. I beleave Qubes team.
> Could anyone from Qubes team buy such a certified laptop for me and
> make delilvery using my money?
> The company I currently work with is okay with any delivery method I choose.
>
> The url with paper for qubes certified laptop delivery:
> https://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/
> How can I check for "hardware implant free" state of delivered laptop?
> I'd reinstall Qubes so software implants are out of this discussion.
>
> > Mmmm... I would not try that :/
> Does anyone know any tor covered anonymous delivery service?
> The question with tor initiated anonymous delivery is reputation.
> Laptop costs about 2k$.
>
> > And I'm sorry, but apart from suspicion I can't really give you any
> > actual advice :( best of luck for your next laptop
> I know that there's no laptop store that sells that laptops in Russia.
> I also know that Qubes QA team should not be bothered by bugreports
> from non-certified hardware .
>
> So better I should buy a laptop from compatible but not certified list?
>
> It looks like buying Qubes certified laptop via any well known to me
> american citizen could be better idea.
>
> But laptop would be delivered cross-customs anyway..
>
> Is there a US law restriction for delivery of librem13 or librem 15 to
> Russia ? I guess not or not yet. At least their buying form has
> Russian Federation in destination country list )
>
> https://www.crowdsupply.com/purism/librem-15
> https://www.crowdsupply.com/purism/librem-13
>
> As I guess librem-15 is the same, but not yet certified? The Qubes
> ceritified list has only librem-13 .
> Also "Aside from compatibility, we do not believe that it should be
> considered any safer than other laptops." is inside the notice on
> qubes web https://www.qubes-os.org/doc/hardware/#qubes-certified-laptops
> .
>
> I'm okay to order delivery of parts and pay someone to build librem-15
> from delivered parts or just do that myself.
>
> Anyway where should I reed vendor instruction on "how to check the
> delivered laptop for hardware implants"?
>
> BTW: I love their claims: https://www.crowdsupply.com/about#user-rights
>
> I don't think that my person is that important to merit goverment
> backdoor from US or Russian Federation.
> Though since that is just possible I should have exact rules how to
> check hardware after delivery.
>
> --
> Bye.Olli.
> gpg --search-keys grey_olli , use key w/ fingerprint below:
> Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
> Blog keys (the blog is mostly in Russian): 
> http://grey-olli.livejournal.com/tag/

I'm sorry for Russian - no unofficial russian speakers mailing list
yet (except telegram group),
 but that is really funny, please google translate this or just ignore:

[ cut from our company #security chat  ]
Олег Артемьев
https://groups.google.com/forum/#!topic/qubes-users/k_WPyUAkW_U
обсуждение параноиков стоит ли покупать в магазине ноутбук с security фичами.
А вдруг там предусмотрено энэсэй в комплекте с ноутом.
А вдруг по дороге деливери сервис с карманами полными имплантов ) (edited)

В студию приглашаются призраки Сноудена и Ассанжа )

[19:07]
ладно.. как самый неуловимый и нафик не нужный Джо я пере

Re: [qubes-users] certified laptop delivery to Russia

[Oleg Artemiev]

On Wed, Jun 14, 2017 at 9:34 AM, Alex  wrote:
> On 06/13/2017 10:00 PM, Oleg Artemiev wrote:
>> Has anyone sent the Qubes certified laptop to Russia?
>> Are there any delivery or customs issues that Russian citizen should
>> be aware of?
>>
>> How do I check that US vendor hasn't passed implant into device?
> It's long been a bad idea in general buying computers that are meant to
> have any appreciable level of security and have them shipped by mail
> delivery...
I've spent some time to defend idea that I'll get qubes certified
laptop paid by my organisation.
Are there any ideas for anonymouse delivery? I am okay to pay for that.

> And you are planning to buy something from the United States of America
> (known for the very problem you are asking about),
No idea how to get that laptop in any other relatively secure way.
It is shipped worldwide but

> have it delivered to
> the Russian Federation (not a very believable defender of citizen
> privacy),
Yep. This is my second motherland since USSR has been killed by gorby & company.

> and believe it will arrive safe and secure?
The vendor should provide some security check algorithm I guess..
I beleave in Qubes. I beleave Qubes team.
Could anyone from Qubes team buy such a certified laptop for me and
make delilvery using my money?
The company I currently work with is okay with any delivery method I choose.

The url with paper for qubes certified laptop delivery:
https://arstechnica.com/gadgets/2015/12/qubes-os-will-ship-pre-installed-on-purisms-security-focused-librem-13-laptop/
How can I check for "hardware implant free" state of delivered laptop?
I'd reinstall Qubes so software implants are out of this discussion.

> Mmmm... I would not try that :/
Does anyone know any tor covered anonymous delivery service?
The question with tor initiated anonymous delivery is reputation.
Laptop costs about 2k$.

> And I'm sorry, but apart from suspicion I can't really give you any
> actual advice :( best of luck for your next laptop
I know that there's no laptop store that sells that laptops in Russia.
I also know that Qubes QA team should not be bothered by bugreports
from non-certified hardware .

So better I should buy a laptop from compatible but not certified list?

It looks like buying Qubes certified laptop via any well known to me
american citizen could be better idea.

But laptop would be delivered cross-customs anyway..

Is there a US law restriction for delivery of librem13 or librem 15 to
Russia ? I guess not or not yet. At least their buying form has
Russian Federation in destination country list )

https://www.crowdsupply.com/purism/librem-15
https://www.crowdsupply.com/purism/librem-13

As I guess librem-15 is the same, but not yet certified? The Qubes
ceritified list has only librem-13 .
Also "Aside from compatibility, we do not believe that it should be
considered any safer than other laptops." is inside the notice on
qubes web https://www.qubes-os.org/doc/hardware/#qubes-certified-laptops
.

I'm okay to order delivery of parts and pay someone to build librem-15
from delivered parts or just do that myself.

Anyway where should I reed vendor instruction on "how to check the
delivered laptop for hardware implants"?

BTW: I love their claims: https://www.crowdsupply.com/about#user-rights

I don't think that my person is that important to merit goverment
backdoor from US or Russian Federation.
Though since that is just possible I should have exact rules how to
check hardware after delivery.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MbUpyEYsDsOpiCmERfFmf85xS-JJNMQ2KupPA%2BQS03kw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] certified laptop delivery to Russia

[Oleg Artemiev]

Hello.

Has anyone sent the Qubes certified laptop to Russia?

Are there any delivery or customs issues that Russian citizen should
be aware of?

How do I check that US vendor hasn't passed implant into device?

My old laptop has gone. My current temporary laptop is not compatible
w/ Qubes (AMD CPU).

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Mk7V8tRpYH4QYfRsikb54b48nbN6%2Bwu6jdP%3D70ZAwj8A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Unofficial qubes os telegram channel

[Oleg Artemiev]

Language: Russian and English.
Channel:   unofficial-qubes-os-telegram

Welcome.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OxXhP4CYdEp%3DWhK0HXe4DpHWeJA1O-A_0k4ANwhcZNtQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] usability request

[Oleg Artemiev]

2017-03-23 13:51 GMT+03:00 Oleg Artemiev :
>> ровно до того момента пока вы считаете корректным использовать
>> несколько способов энкапсуляции смысла. Хочешь узнать о чём - пиши в gpg 
>> формате. Да я считаю гпг способом кодирования смысла. У меня в локации 
>> нельзя использовать шифрование но можно использовать кодирование

Нельзя скрыть смысл оставляя на виду всего лишь один способ
кодирования факта переписки. Вы не хоитет делить личку на уровне не
умею прочитать - не для меня. Но я блин то ещё фидошник. По русски
писать нелья - что за нафиг - типа непонятно никому. Ну и хрен с ним.
Количество совпадений моего желания что-то объяснить и моего желания
чтобы все поняли - сильно не равные множества.

Я готов говоить о характеристиках качества до тех пор пока они разумны
по опыту и не ранее чем они считабельны хотя бы на уровне прикидок в
трёхмерном пространстве.

Понимать физический смысл математики и диффур меня обучили заставив
пересдать диффуры. Спасибо преподавателью за это.

Но блин. Меня утомляет когда я занят формулировать на нативном языке.

Или терпите шум в виде багрепортов в общественном месте

Или сделайте вменяемый вход в вашу пещеру. :))) Чтобы я со стороны
заднего прохода в это множество не пилил как танк. Это именно то,
откуда в России появляется мем веждивые люди.

Стоимость пояснить для себя вне контекста и понять что я уже не совсем
неуловимый джо ну вот по любому - это ж проработать что я

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PR-uN-Z0kWKkH%3DN-1_TRG1pbJ6x-fk9NM3FBAqFR8WaQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] usability request

[Oleg Artemiev]

> ровно до того момента пока вы считаете корректным использовать
> несколько способов энкапсуляции смысла. Хочешь узнать о чём - пиши в gpg 
> формате. Да я считаю гпг способом кодирования смысла. У меня в локации нельзя 
> использовать шифрование но можно использовать кодирование

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OyS%3D%3DVW8FG78yaq2YFaV9RRNWeH1RxbVw6izNgs0Ry3Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] usability request

[Oleg Artemiev]

И я буду анноить Вас отсутствием русского списка рассылки про Qubes
ровно до того момента пока вы считаете корректным использовать
несколько способов энкапсуляции

2017-03-23 13:47 GMT+03:00 Oleg Artemiev :
> В русском каннари намеренно использована машинно непереводимая игра
> смысла с превращением глаголов в существительные не гляда на правила
> грамматики.
> Так надо чтобы вы задумались о том что я мог иметь ввиду в контексте
> Ваших личных надобностей в рамках Qubes проекта.
>
> 2017-03-23 13:40 GMT+03:00 Oleg Artemiev :
>> Please do not try to get a clue why this is sent here. This is
>> thinking flow. I had never ever been doing a meaning full cannary and
>> commitment into a project.
>> I willl test qubes. Since I alreaday do and I enjoy Qubes OS and all
>> the stuff Qubes allow to born in the reality.
>> When you are in fear Qubes is some plcae that can support you. In
>> terns of tunable calm transparency.
>>
>> It is really safe to use Qubes when you do it as designed. It is
>> enough innovative. It is already good enough to be on google summer of
>> code.
>>
>> It's fun. Like linux was when I first met it. Enjoy!
>>
>> Thank you qubes team. I've found that current sort of misfunctioning
>> is enough good to be not a security related problem. I've commited
>> into funs community just becouse  Rutkowska made a cool PoC with her
>> blue pill and red pill. She made me think more in context of my own
>> reasonse.  The real thing is that I've just committed into public that
>> currently I'm enough skilled to solve a pazzle "why this is a bug" and
>> "why this is a usability bug".
>> All okay. We have democracy. We have same models of goverment as a
>> security treat as you do in your geolocation. The laws of math is
>> faster to get an answer and slower to understand is stilll working for
>> me.
>> In this context I think that I made a lot to tell what is already told
>> ))) To finalize the thread from my side I insist:
>>
>> this is the load testing problem. I guess the reason is that Clock VM
>> is allowed to die and no default hook to restart clock VM (thinking it
>> has same clean state) provided
>> As I understand security vs usability - this is all about mistrusts
>> from operating system - to cleanup a block you have to unlock. But
>> where the lock() is subject to search.
>>
>>
>>
>> 2017-03-23 13:25 GMT+03:00 Oleg Artemiev :
>>> On Wed, Mar 22, 2017 at 5:24 PM, Jean-Philippe Ouellet  wrote:
>>>> On Wed, Mar 22, 2017 at 8:31 AM, Oleg Artemiev  wrote:
>>>>> Is this OK to provide a pullrequest for adding VM (qube) functionality
>>>>> for kill / shutdown some VM using window color border as a start
>>>>> point?
>>>>>
>>>>>  I'm spending some time to get into qubes manager just to kill or
>>>>> shutdown some qube. This is a regular task in my workflow.
>>>>
>>>> If you are interested in quickly and easily killing a VM with visible
>>>> windows, then update qubes-core-dom0-linux and add a shortcut in your
>>>> desktop environment for /usr/bin/qvm-xkill. This utility lets you just
>>>> click on a window to kill the corresponding VM.
>>> Yes. I'm interested in exactly that. Some times I've even no time to
>>> wait enough to allow Qubes shutdown normally.
>>>
>>> I'd appreciate if qubes-killall will be implemented as an official
>>> command with these abilities:
>>>
>>> qubes-killall [no option]
>>>
>>> used to report help. No damage by default.
>>>
>>> qubes-killall [--also-system-qubes]
>>>
>>> used to kill all VMs, including even sys-net , sys-whonix, sys-clock .
>>>
>>> Some times I just need to correctly shutdown (not by holding power
>>> button - just via init 0).
>>> This will save alot of my timewaste wating when I'll be sure that only
>>> power eating code are some dumb intel blobs running due to intel
>>> design fencing.
>>> It is not intentionally against me, but even intel has usability bugs.
>>> Well - I've no need in otselot to empty the energy provider.
>>> I've no that super secrets to keep moving only with battery separated
>>> from the computing
>>>
>>> qubes-killall [--only-system-qubes]
>>>
>>> Yes I can script it. But lim(cost of thinking) on hacks(I do) goes
>>> into infinity as till I'm alive.
>>>
>>> That&

[qubes-users] Re: [qubes-devel] usability request

[Oleg Artemiev]

В русском каннари намеренно использована машинно непереводимая игра
смысла с превращением глаголов в существительные не гляда на правила
грамматики.
Так надо чтобы вы задумались о том что я мог иметь ввиду в контексте
Ваших личных надобностей в рамках Qubes проекта.

2017-03-23 13:40 GMT+03:00 Oleg Artemiev :
> Please do not try to get a clue why this is sent here. This is
> thinking flow. I had never ever been doing a meaning full cannary and
> commitment into a project.
> I willl test qubes. Since I alreaday do and I enjoy Qubes OS and all
> the stuff Qubes allow to born in the reality.
> When you are in fear Qubes is some plcae that can support you. In
> terns of tunable calm transparency.
>
> It is really safe to use Qubes when you do it as designed. It is
> enough innovative. It is already good enough to be on google summer of
> code.
>
> It's fun. Like linux was when I first met it. Enjoy!
>
> Thank you qubes team. I've found that current sort of misfunctioning
> is enough good to be not a security related problem. I've commited
> into funs community just becouse  Rutkowska made a cool PoC with her
> blue pill and red pill. She made me think more in context of my own
> reasonse.  The real thing is that I've just committed into public that
> currently I'm enough skilled to solve a pazzle "why this is a bug" and
> "why this is a usability bug".
> All okay. We have democracy. We have same models of goverment as a
> security treat as you do in your geolocation. The laws of math is
> faster to get an answer and slower to understand is stilll working for
> me.
> In this context I think that I made a lot to tell what is already told
> ))) To finalize the thread from my side I insist:
>
> this is the load testing problem. I guess the reason is that Clock VM
> is allowed to die and no default hook to restart clock VM (thinking it
> has same clean state) provided
> As I understand security vs usability - this is all about mistrusts
> from operating system - to cleanup a block you have to unlock. But
> where the lock() is subject to search.
>
>
>
> 2017-03-23 13:25 GMT+03:00 Oleg Artemiev :
>> On Wed, Mar 22, 2017 at 5:24 PM, Jean-Philippe Ouellet  wrote:
>>> On Wed, Mar 22, 2017 at 8:31 AM, Oleg Artemiev  wrote:
>>>> Is this OK to provide a pullrequest for adding VM (qube) functionality
>>>> for kill / shutdown some VM using window color border as a start
>>>> point?
>>>>
>>>>  I'm spending some time to get into qubes manager just to kill or
>>>> shutdown some qube. This is a regular task in my workflow.
>>>
>>> If you are interested in quickly and easily killing a VM with visible
>>> windows, then update qubes-core-dom0-linux and add a shortcut in your
>>> desktop environment for /usr/bin/qvm-xkill. This utility lets you just
>>> click on a window to kill the corresponding VM.
>> Yes. I'm interested in exactly that. Some times I've even no time to
>> wait enough to allow Qubes shutdown normally.
>>
>> I'd appreciate if qubes-killall will be implemented as an official
>> command with these abilities:
>>
>> qubes-killall [no option]
>>
>> used to report help. No damage by default.
>>
>> qubes-killall [--also-system-qubes]
>>
>> used to kill all VMs, including even sys-net , sys-whonix, sys-clock .
>>
>> Some times I just need to correctly shutdown (not by holding power
>> button - just via init 0).
>> This will save alot of my timewaste wating when I'll be sure that only
>> power eating code are some dumb intel blobs running due to intel
>> design fencing.
>> It is not intentionally against me, but even intel has usability bugs.
>> Well - I've no need in otselot to empty the energy provider.
>> I've no that super secrets to keep moving only with battery separated
>> from the computing
>>
>> qubes-killall [--only-system-qubes]
>>
>> Yes I can script it. But lim(cost of thinking) on hacks(I do) goes
>> into infinity as till I'm alive.
>>
>> That's why I memorize only officially supported tool names (and only
>> those that are helpfull to work.
>>
>> BTW: I've just unintentionally reproduced the bug I'm trying to
>> takeover without interrupting my workflow.
>>
>> This is not a single issue. This is a set of business usability issues
>> with different priorities. Below is proof of concept that:
>>
>> 1) I'm enough tired by async workflow model I usually commit my work.
>> 2) I'm enough helpfull to get payd enough even when the

[qubes-users] How do I know - is that a MAJOR usability issue? (subject replaced)

[Oleg Artemiev]

Hello.

Currently I'm not that busy but steel overloaded by technical debt.
I've cleaned the tech debt for some organisation units outside of my
usual daily interest.
всё хорошо. :) Баг не касается ничего существенного. Пошёл в обязательный ребут.
Сходимость очередей на запуск на уровне дребезжания фиксируется
рассчётом сходимости дискретных значений к максимально допустимой
скорости исполнения.
Это не решить костылём. Надо таймауты считать. Это вывод из моего
нагрузочного теста. Этот тест нужен мне потому что я использую Qubes в
продакшене не испытывая существенных проблем. :)

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OKC6KwmFQaHUs6AAjaWTROf%3DxU3Rfc_hY%2BLvXs15Sz7A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] usability request

[Oleg Artemiev]

Please do not try to get a clue why this is sent here. This is
thinking flow. I had never ever been doing a meaning full cannary and
commitment into a project.
I willl test qubes. Since I alreaday do and I enjoy Qubes OS and all
the stuff Qubes allow to born in the reality.
When you are in fear Qubes is some plcae that can support you. In
terns of tunable calm transparency.

It is really safe to use Qubes when you do it as designed. It is
enough innovative. It is already good enough to be on google summer of
code.

It's fun. Like linux was when I first met it. Enjoy!

Thank you qubes team. I've found that current sort of misfunctioning
is enough good to be not a security related problem. I've commited
into funs community just becouse  Rutkowska made a cool PoC with her
blue pill and red pill. She made me think more in context of my own
reasonse.  The real thing is that I've just committed into public that
currently I'm enough skilled to solve a pazzle "why this is a bug" and
"why this is a usability bug".
All okay. We have democracy. We have same models of goverment as a
security treat as you do in your geolocation. The laws of math is
faster to get an answer and slower to understand is stilll working for
me.
In this context I think that I made a lot to tell what is already told
))) To finalize the thread from my side I insist:

this is the load testing problem. I guess the reason is that Clock VM
is allowed to die and no default hook to restart clock VM (thinking it
has same clean state) provided
As I understand security vs usability - this is all about mistrusts
from operating system - to cleanup a block you have to unlock. But
where the lock() is subject to search.



2017-03-23 13:25 GMT+03:00 Oleg Artemiev :
> On Wed, Mar 22, 2017 at 5:24 PM, Jean-Philippe Ouellet  wrote:
>> On Wed, Mar 22, 2017 at 8:31 AM, Oleg Artemiev  wrote:
>>> Is this OK to provide a pullrequest for adding VM (qube) functionality
>>> for kill / shutdown some VM using window color border as a start
>>> point?
>>>
>>>  I'm spending some time to get into qubes manager just to kill or
>>> shutdown some qube. This is a regular task in my workflow.
>>
>> If you are interested in quickly and easily killing a VM with visible
>> windows, then update qubes-core-dom0-linux and add a shortcut in your
>> desktop environment for /usr/bin/qvm-xkill. This utility lets you just
>> click on a window to kill the corresponding VM.
> Yes. I'm interested in exactly that. Some times I've even no time to
> wait enough to allow Qubes shutdown normally.
>
> I'd appreciate if qubes-killall will be implemented as an official
> command with these abilities:
>
> qubes-killall [no option]
>
> used to report help. No damage by default.
>
> qubes-killall [--also-system-qubes]
>
> used to kill all VMs, including even sys-net , sys-whonix, sys-clock .
>
> Some times I just need to correctly shutdown (not by holding power
> button - just via init 0).
> This will save alot of my timewaste wating when I'll be sure that only
> power eating code are some dumb intel blobs running due to intel
> design fencing.
> It is not intentionally against me, but even intel has usability bugs.
> Well - I've no need in otselot to empty the energy provider.
> I've no that super secrets to keep moving only with battery separated
> from the computing
>
> qubes-killall [--only-system-qubes]
>
> Yes I can script it. But lim(cost of thinking) on hacks(I do) goes
> into infinity as till I'm alive.
>
> That's why I memorize only officially supported tool names (and only
> those that are helpfull to work.
>
> BTW: I've just unintentionally reproduced the bug I'm trying to
> takeover without interrupting my workflow.
>
> This is not a single issue. This is a set of business usability issues
> with different priorities. Below is proof of concept that:
>
> 1) I'm enough tired by async workflow model I usually commit my work.
> 2) I'm enough helpfull to get payd enough even when there's a
> permanent crisys around.
> 3) That is proven that I committed to wait my current employment for a
> half of a year period
> 4) I do what I really do in a long term period.
>
> Due to that the text below officially supported by using google in
> terms of transparten electronical signing till I've made a
>
> Labelling highly depend to the product type and busness model needs.
>
> From security perspective it is not an issue at all .
>
> I've made a lot of efforts to defend an attack my opinion to get a
> clue at what level should I mark this bug.
>
> Due to stability of your criteria of marking some qube within a
> worflow

Re: [qubes-users] usability major bug?

[Oleg Artemiev]

On Wed, Mar 22, 2017 at 3:32 PM, Holger Levsen  wrote:
> On Wed, Mar 22, 2017 at 03:08:00PM +0300, Oleg Artemiev wrote:
>> > why do you have to reboot?
>> Cost of reboot in __understanding__ what the hell is the reason is
>> less than cost of restoring correct state after reboot.
>>
>> I feel like queue in some code is failing to grow.
>> Usually I detect such things via load testing.
>>
>> As a QA professional I'm ready to commit to:
>>
>> 1) run (some times within free time) load tests
>> 2) provide nummeric results (not raw logs!) on my dom0 - no VM names.
>> Only symbolic handles I'm ok to publish are qubes OS internals - no VM
>> names and similar personal stuff.
>>
>> Only if I do understand the code . Thus the load testing code and
>> final summary report must be available to me + no pipes to pass
>> numbers via any protocol into internet or tor.
>> Better if applied by python, nodejs,bash, or ruby or erlang language .
>
> let me try again:
>
> - how does the reboots happen?
I do reboot manually.

>  you said "you have to reboot", did you mean the
>   machine just sponteaniously reboots and thus forces you into reboots?
No. This _USABILITY_ issue. I need this functionality. It is broken.
=> reboot manually

> - is there anything special you are doing when this happen or does it happen
>   "randomly"?
I've no time to provide detailed report within nearest week and till
this is not subject to some load testing - I think that my time spent
to report will came into a timewaste.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OATkyVCt3rqurUbA1gjwhAbtwqNkhwuT2%3DoyDEdx2FPg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] usability major bug?

[Oleg Artemiev]

On Wed, Mar 22, 2017 at 1:52 PM, Holger Levsen  wrote:
> Hi Oleg,
>
> you missed on important bit of information:
>
> On Wed, Mar 22, 2017 at 12:12:58PM +0300, Oleg Artemiev wrote:
>> I have to reboot Qubes R3.2 a few times a day. What do I do wrong?
>
> why do you have to reboot?
Cost of reboot in __understanding__ what the hell is the reason is
less than cost of restoring correct state after reboot.

I feel like queue in some code is failing to grow.
Usually I detect such things via load testing.

As a QA professional I'm ready to commit to:

1) run (some times within free time) load tests
2) provide nummeric results (not raw logs!) on my dom0 - no VM names.
Only symbolic handles I'm ok to publish are qubes OS internals - no VM
names and similar personal stuff.

Only if I do understand the code . Thus the load testing code and
final summary report must be available to me + no pipes to pass
numbers via any protocol into internet or tor.
Better if applied by python, nodejs,bash, or ruby or erlang language .


>> reproduceable: daily on my workstation
>>
>> impact: ability to run 10-15 VMs is not guaranteed . My harware is
>> strong enough to be able to run that count of qubes  (it is normal to
>> me).
>
>
> --
> cheers,
> Holger



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M%3DZtXj_nFdjaVOBWRLB3ZuhFdPwYgJz-GUG9i91Jx9%2Bw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] usability major bug?

[Oleg Artemiev]

I have to reboot Qubes R3.2 a few times a day. What do I do wrong?

reproduceable: daily on my workstation

impact: ability to run 10-15 VMs is not guaranteed . My harware is
strong enough to be able to run that count of qubes  (it is normal to
me).

Has this been already reported?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MyRYEO0sN4mKqGn1HgJ-OCfQeN3w6%2BuXrt%2BXo5iWxTKg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Is it really hard to autogenerate apropos data for all qubes utils ?

[Oleg Artemiev]

The most annoying thing is not that I have to do some manual
intervention to start my music
VM for unknown to me reason.

This :

apropos qmemman
qmemman: nothing appropriate.

is most annoying thing in Qubes project.

when something goes wrong I have to get out of my console and look
into qubes documentation available on the web. Why things origanazed
that bad? Damn, I've to - I will. But with this I need to memorize
Qubes documentation index to get a clue where should I look.

Subj. Is it really hard to autogenerate apropos data for all qubes utils ?


$ cat QubesIncoming/dom0/qubes-wtf.utf8.txt
[olli@dom0 ~]$ qvm-ls grey-olli-music
-+++---+--+---+---++
name | on |  state | updbl | type |  template |
netvm |  label |
-+++---+--+---+---++
 grey-olli-music || Halted |   |  | fedora-23 |
*sys-firewall | yellow |
[olli@dom0 ~]$ qvm-start grey-olli-music
--> Creating volatile image:
/var/lib/qubes/appvms/grey-olli-music/volatile.img...
--> Loading the VM (type = AppVM)...
ERROR: ERROR: Failed to connect to qmemman: [Errno 111] Connection refused
[olli@dom0 ~]$ apropos qmemman
qmemman: nothing appropriate.
[olli@dom0 ~]$




-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P79Ho7OExAU6hKGx0uM3izyM4ZD%2BGUxPzO_9eJ6n1t%3Dw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] do I really need these packages in dom0 :?

[Oleg Artemiev]

On Sun, Mar 5, 2017 at 1:29 PM, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> from above only netcf-libs is required indirectly by xen
> related package. So is it safe to drop all other from above
> w/ rpm -e  ?

 Yes. You can start with 'dnf remove initial-setup-gui' - it
 will propose additional packages not needed anymore. But
 carefully review that list before confirming.
>>
>>> Shouldn't those be removed by default as a postinstall step?
>> May I add this (and above sentence as subject) as a feature
>> request in github?
> I waited a couple of days for this but didn't see anything submitted,
> so I've created an issue for it:
>
> https://github.com/QubesOS/qubes-issues/issues/2670
>
> Didn't mean to steal your thunder, but I was afraid it would end up
> falling through the cracks (as so many important issues do).
Thank you. :)  I was quite busy a few days including weekends.
 Also it was unclear for me into which repo I should report this (yes,
this is probably
documented in report bugs). %)

btw: i18n regression should be reported there too?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Ncmc3EM3kvNyCYS8Y99-ffYkSF_sv%2BucSWEdpXDz0diw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] do I really need these packages in dom0 :?

[Oleg Artemiev]

On Fri, Mar 3, 2017 at 12:34 AM, Oleg Artemiev  wrote:
> On Thu, Mar 2, 2017 at 11:01 PM, Marek Marczykowski-Górecki
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> On Mon, Feb 27, 2017 at 06:23:22AM +0300, Oleg Artemiev wrote:
>>> After installing qubes 3.2 looked into dom0 updates.
>>>
>>> Found some that I possibly ok to remove:
>>>
>>> [olli@dom0 ~]$ rpm -q --whatrequires tigervnc-server-minimal
>>> anaconda-gui-23.19.10-4.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-gui
>>> initial-setup-gui-0.3.37-1.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
>>> no package requires initial-setup-gui
>>> [olli@dom0 ~]$
>>
>> It is used during fist system startup. Later can be removed.
>>
>>> Also, do I really need this in Dom0:
>>>
>>> [root@dom0 olli]# rpm -q --whatrequires openssh
>>> openssh-askpass-7.2p2-3.fc23.x86_64
>>> [root@dom0 olli]# rpm -q --whatrequires openssh-askpass
>>> no package requires openssh-askpass
>>> [root@dom0 olli]#
>>>
>>> ?
>>>
>>> Also I've Network Manager in Dom0 - why - it is designed never have
>>> networking. It is left by anaconda - setup program. Why not to delete
>>> it?
>>
>> See above.
>>
>>> lli@dom0 ~]$ rpm -qa |grep -i net
>>> NetworkManager-wifi-1.0.12-2.fc23.x86_64
>>> NetworkManager-libnm-1.0.12-2.fc23.x86_64
>>> NetworkManager-1.0.12-2.fc23.x86_64
>>> NetworkManager-glib-1.0.12-2.fc23.x86_64
>>> glib-networking-2.46.1-1.fc23.x86_64
>>> libnetfilter_conntrack-1.0.4-5.fc23.x86_64
>>> nettle-3.2-1.fc23.x86_64
>>> netcf-libs-0.2.8-3.fc23.x86_64
>>> NetworkManager-team-1.0.12-2.fc23.x86_64
>>> libnfnetlink-1.0.1-7.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-wifi
>>> anaconda-gui-23.19.10-4.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-libnm
>>> no package requires NetworkManager-libnm
>>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-glib
>>> anaconda-core-23.19.10-4.fc23.x86_64
>>> nm-connection-editor-1.0.10-1.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires nm-connection-editor
>>> anaconda-gui-23.19.10-4.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-core
>>> anaconda-tui-23.19.10-4.fc23.x86_64
>>> anaconda-gui-23.19.10-4.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-tui
>>> anaconda-core-23.19.10-4.fc23.x86_64
>>> initial-setup-0.3.37-1.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup
>>> initial-setup-gui-0.3.37-1.fc23.x86_64
>>> initial-setup-gui-0.3.37-1.fc23.x86_64
>>> initial-setup-launcher-1.0-1.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
>>> no package requires initial-setup-gui
>>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-launcher
>>> no package requires initial-setup-launcher
>>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-team
>>> anaconda-core-23.19.10-4.fc23.x86_64
>>> [olli@dom0 ~]$ rpm -q --whatrequires nettle
>>> no package requires nettle
>>> [olli@dom0 ~]$ rpm -q --whatrequires libnfnetlink
>>> no package requires libnfnetlink
>>> [olli@dom0 ~]$
>>>
>>> from above only netcf-libs is required indirectly by xen related
>>> package. So is it safe to drop all other from above w/ rpm -e  ?
>>
>> Yes. You can start with 'dnf remove initial-setup-gui' - it will propose
>> additional packages not needed anymore. But carefully review that list
>> before confirming.

> Shouldn't those be removed by default as a postinstall step?

May I add this (and above sentence as subject) as a feature request in github?

We should not have non-required packages in Dom0 by default, right?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OZiHRa67N7g%3DQTzX3%3DUnRum1fLYz9fdEpjBNwiFQFeGw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] do I really need these packages in dom0 :?

[Oleg Artemiev]

On Thu, Mar 2, 2017 at 11:01 PM, Marek Marczykowski-Górecki
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Mon, Feb 27, 2017 at 06:23:22AM +0300, Oleg Artemiev wrote:
>> After installing qubes 3.2 looked into dom0 updates.
>>
>> Found some that I possibly ok to remove:
>>
>> [olli@dom0 ~]$ rpm -q --whatrequires tigervnc-server-minimal
>> anaconda-gui-23.19.10-4.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-gui
>> initial-setup-gui-0.3.37-1.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
>> no package requires initial-setup-gui
>> [olli@dom0 ~]$
>
> It is used during fist system startup. Later can be removed.
>
>> Also, do I really need this in Dom0:
>>
>> [root@dom0 olli]# rpm -q --whatrequires openssh
>> openssh-askpass-7.2p2-3.fc23.x86_64
>> [root@dom0 olli]# rpm -q --whatrequires openssh-askpass
>> no package requires openssh-askpass
>> [root@dom0 olli]#
>>
>> ?
>>
>> Also I've Network Manager in Dom0 - why - it is designed never have
>> networking. It is left by anaconda - setup program. Why not to delete
>> it?
>
> See above.
>
>> lli@dom0 ~]$ rpm -qa |grep -i net
>> NetworkManager-wifi-1.0.12-2.fc23.x86_64
>> NetworkManager-libnm-1.0.12-2.fc23.x86_64
>> NetworkManager-1.0.12-2.fc23.x86_64
>> NetworkManager-glib-1.0.12-2.fc23.x86_64
>> glib-networking-2.46.1-1.fc23.x86_64
>> libnetfilter_conntrack-1.0.4-5.fc23.x86_64
>> nettle-3.2-1.fc23.x86_64
>> netcf-libs-0.2.8-3.fc23.x86_64
>> NetworkManager-team-1.0.12-2.fc23.x86_64
>> libnfnetlink-1.0.1-7.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-wifi
>> anaconda-gui-23.19.10-4.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-libnm
>> no package requires NetworkManager-libnm
>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-glib
>> anaconda-core-23.19.10-4.fc23.x86_64
>> nm-connection-editor-1.0.10-1.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires nm-connection-editor
>> anaconda-gui-23.19.10-4.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-core
>> anaconda-tui-23.19.10-4.fc23.x86_64
>> anaconda-gui-23.19.10-4.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires anaconda-tui
>> anaconda-core-23.19.10-4.fc23.x86_64
>> initial-setup-0.3.37-1.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup
>> initial-setup-gui-0.3.37-1.fc23.x86_64
>> initial-setup-gui-0.3.37-1.fc23.x86_64
>> initial-setup-launcher-1.0-1.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
>> no package requires initial-setup-gui
>> [olli@dom0 ~]$ rpm -q --whatrequires initial-setup-launcher
>> no package requires initial-setup-launcher
>> [olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-team
>> anaconda-core-23.19.10-4.fc23.x86_64
>> [olli@dom0 ~]$ rpm -q --whatrequires nettle
>> no package requires nettle
>> [olli@dom0 ~]$ rpm -q --whatrequires libnfnetlink
>> no package requires libnfnetlink
>> [olli@dom0 ~]$
>>
>> from above only netcf-libs is required indirectly by xen related
>> package. So is it safe to drop all other from above w/ rpm -e  ?
>
> Yes. You can start with 'dnf remove initial-setup-gui' - it will propose
> additional packages not needed anymore. But carefully review that list
> before confirming.
Shouldn't those be removed by default as a postinstall step?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Pj4h-Gjimd9VeXoJGjpE10pjSpisJgtE%3DipMkV3vvNAg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] strange firefox behavior

[Oleg Artemiev]

Firefox asks for "choose what I share" but usual controls are absent
in settings - I cannot disable automatic reporting. What should be a
reason? Feedora 23 template, Qubes 3.2

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MbF6LjXs4pw_1qCO7JedQuycLQQmjE%3Di%3Dp5WNo%3DLbr0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] i18n regression bug in Qubes 3.2 - what details will be helpful?

[Oleg Artemiev]

switching keyboard layouts seem to hang for a few seconds from time to
time , but indication doesn't hang. This is very annoying.

This seem to happen on high loads when 6 or more VMs are running.

 Any extra details to show to localize the bug?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PxiFD3ye4G9Pwk%2Bpy-psxW0X7t5zJJrjfhD9E7brDcZQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] fedora installer by abilities = ugly wood

[Oleg Artemiev]

On Tue, Feb 28, 2017 at 2:20 AM, Chris Laprise  wrote:
> On 02/21/2017 12:54 AM, Oleg Artemiev wrote:
\>>> I mean apart from what the installer can support, in your case (I've read
>>> some of your other partitioning messages) it seems unnecessary.
>>
>> Yes, but when I installed opensuse last time I've seeb elegant
>> powerful interface - less things to do by hands.
>
>
> Agreed, they have good admin UIs.
>
>>
>>>>> The idea that you have to treat SSDs as fragile has not withstood the
>>>>> test
>>>>> of time. In fact, SSDs are widely regarded as /more/ durable than HDDs
>>>>> now.
>>>>
>>>> I've bought my hdd 3-4 years ago (don't remember exactly). Newer ssd
>>>> may be better.
>>>> My one.. I just want to pay 1 day for installation and then keep this
>>>> for years. So why not to think twice and make setup that will be just
>>>> better in resource utilization?
>>>
>>> IIRC, about any SSD post 2011 should be quite durable... so a Samsung 830
>>> or
>>> similar vintage should have no particular worries about longevity.
>>
>> nice to hear, but anyway - how long those "no particular worries" go?
>> I mean that ssd by design is less stable to writes than hdd.
>> Why not then to partition just that way when ssd will get less writes?
>> It's not something really hard to make custom partitioning (except you
>> can't do it via installer).
>
> Manufacturer SSD durability estimates have increased greatly, along with the
> length of available warranties.
>
> http://techreport.com/review/27436/the-ssd-endurance-experiment-two-freaking-petabytes/2
>
> http://www.networkworld.com/article/2873551/data-center/debunking-ssd-myths.html
>
>"Exhaustive studies have shown that SSDs have an annual failure rate
>of tenths of one percent, while the AFRs for HDDs can run as high as
>4 to 6 percent."
>
>
> For comparison a Samsung 850 SSD is rated at 1.5 million hrs (EVO) and 2
> million hrs (PRO) MBTF that's at least 50 percent more than a premium
> HDD (although HDD mfgs stopped using MTBF several years ago, probably
> because the SSDs were making them look terrible). The last time I recall
> reports of a surge in SSD failures (about 6 years ago) it wasn't even the
> flash that was at fault... the controllers were overheating, which was a
> common problem with many brands that used Sandforce controllers circa 2011.
>
> The components and algorithms that determine the reliability of consumer
> SSDs has changed a lot for the better. I don't think there is currently
> reason to treat them as being in any way more fragile or wear-prone than
> HDDs.
Finally my terabyte evdo 840 didn't survive last installation when I
completely rewritten it.
it has gone after 5 years. And, damn, things get even easier - amount
of partitioning got
at least twice lower ))  Anyway if I used it w/ btrfs or most writes
going to hdd - it should
be dead even later - last two years I was using Qubes w/ it w/o care
on regular rewrites on VM start stop.

>>> BTW, besides not supporting raid 5/6 (no big deal for me), the other
>>> downside for using Btrfs is still free-space reporting. It still isn't
>>> done
>>> in a realistic manner, IMO... you may need to keep 30-60GB free space at
>>> all
>>> times to avoid the fs going into read-only mode.
>>
>> omg... Thank you - now it looks I don't want btrfs anymore. %) I
>> haven't used btrfs yet - just
>> wat I've read sounds promising. But pay 60Gigs for that - doesn't seem
>> to be what I want.
>> Better I'll go w/ custom lvm + some patching to get r/o root. :)
> I certainly understand that. So far I'm being tolerant of this condition of
> using Btrfs.
> They actually did improve the reporting somewhat with the
> "filesystem usage" command, hoping it gets even better.
>
> Just be aware that thin-provisioned LVM (it is /not/ traditional LVM) is
> also relatively new and has issues.
Thank you - I'm not willing to use thin provsioning - it is repored to
slow down disk i/o in comparision to usual LVM.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MzFk9SfuN6PbEzB5vbHsKEvrFsD9-9%2B0ZSGFHPPMwahw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] is intent to automatically remove empty subdirs in QubesIncoming acceptable?

[Oleg Artemiev]

On Tue, Feb 28, 2017 at 2:12 AM, Marek Marczykowski-Górecki
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Tue, Feb 28, 2017 at 01:23:24AM +0300, Oleg Artemiev wrote:
>> Hello.
>>
>> From anti-forensic point of view empty dir in some app-VM in
>> QubesIncoming (except dom0) leaking fact of presence a VM some time
>> ago.
>>
>> All we need is add command like "rm /home/user/QubesIncoming/*/* -p
>> --ignore-fail-on-non-empty" into default VM startup script for all
>> linux based template VMs.
>
> This particular command looks dangerous - you probably meant rmdir
> instead.
yep

> And probably one '*' less. Or actually more ('**', after
> enabling 'starglob' shell option).
> Maybe something like this instead:
> find /home/user/QubesIncoming -type d -empty -delete
also good. linux rmdir always ignore non-emty directories and all files.

 After reading your reply I changed my opinion - no ''**' - only one
'*' or if made by find - add maxdepth 1 to never touch
sub-dirs below source VM name - user may copy some hierarchy. Though
user usualy has no need to create the 1st level subdir in
 QubesIncoming - this is made by file copy utils.

> Anyway, I don't think it should be enabled by default - automatic
> removal (or in any other way altering) user files in home directory is
> not something we'd like to do. If anything, it should be disabled by
> default.
This is not _user_ content, at least from the moment the user has deleted
 all content of a sub-directory under the QubesIncoming and it is empty.

This _directory_ artefact is created by OS file handling tools on user
intent to copy a _file_ and is unneeded anymore =  is not properly
 cleaned. Even more - having these empty dirs is somewhat attention
stealer - a few months later user may probably spend time doing 'ls'
there - to
be sure nothing forgotten there.

> As for anti-forensic - I'd expect that there are much more places like
> this - like file manager cache/history,
oops.. didn't think about this. Isn't  those expire? QubesIncoming
sub-dirs aren't ever.

> shell history,
only if data copied in both direction.

>  various application's caches etc.
any cache should expire. Directories persist till removal.

> If you want non-persistence (of VM existence
> fact in this case), use DispVMs.
When I copy from some hidden_app_vm to some not-that-hidden-appvm and
want those files be in not-that-hidden-appvm finally - dispVM
 as proxy for copying will solve all. Though if that will be cleaned
up w/o my intervention it could be just better.

>> I could provide a simplest pull requiest if this change will be
>> accepted (good if you point me to a repo where it should go). Should
>> I?
intent not accepted. ok

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O_qgUp_rr6XBZgzAzi_VGwZ7XpLLjYDkwGUJM9mzJLrg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] why some times I have to kill VM before it functions properly?

[Oleg Artemiev]

On Tue, Feb 28, 2017 at 1:02 AM, Oleg Artemiev  wrote:
> On Tue, Feb 28, 2017 at 12:06 AM, Chris Laprise  
> wrote:
>> On 02/27/2017 03:08 PM, Oleg Artemiev wrote:
>>>
>>> [olli@dom0 ~]$ qvm-run -p cherehapa /bin/ls   | head
>>> su: warning: cannot change directory to /home/user: No such file or
>>> directory
>>> b
>>>
>>> xterm and other gui programs do not start. Though if I kill VM the
>>> problem disappear.
>>>
>>> I run Qubes 3.2 with Feb 2017 updates .
>>>
>>
>> Lately, I have had a problem with starting an app + VM where the app window
>> appears for half a second the disappears, and the VM status stays yellow.
>> What does your VM status show in Manager?
> qvm-ls shows running state. VM is green, AFAIR.
could be a permission problem - I mounted private image directly,
executed chown -R 1000:1000 /home/user - next time VM stated ok.
Problem w/ GUI programs were due to X server didn't start.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O0BVghzeeVUEEViypGV%3D4-8kRcBHYM%2Bvftsm1NaznSgg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] is intent to automatically remove empty subdirs in QubesIncoming acceptable?

[Oleg Artemiev]

Hello.

>From anti-forensic point of view empty dir in some app-VM in
QubesIncoming (except dom0) leaking fact of presence a VM some time
ago.

All we need is add command like "rm /home/user/QubesIncoming/*/* -p
--ignore-fail-on-non-empty" into default VM startup script for all
linux based template VMs.

I could provide a simplest pull requiest if this change will be
accepted (good if you point me to a repo where it should go). Should
I?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Obbd57-GZHGBY6C_TcM--dhhk7ziAzK3Y9R%3D%3DgzaK9Pw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] why some times I have to kill VM before it functions properly?

[Oleg Artemiev]

On Tue, Feb 28, 2017 at 12:06 AM, Chris Laprise  wrote:
> On 02/27/2017 03:08 PM, Oleg Artemiev wrote:
>>
>> [olli@dom0 ~]$ qvm-run -p cherehapa /bin/ls   | head
>> su: warning: cannot change directory to /home/user: No such file or
>> directory
>> b
>>
>> xterm and other gui programs do not start. Though if I kill VM the
>> problem disappear.
>>
>> I run Qubes 3.2 with Feb 2017 updates .
>>
>
> Lately, I have had a problem with starting an app + VM where the app window
> appears for half a second the disappears, and the VM status stays yellow.
> What does your VM status show in Manager?
qvm-ls shows running state. VM is green, AFAIR.



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NVxWUza_O1oCYHSxszB4w5jVwH%3DK2Wk_yP9Bz32_RKRA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] why some times I have to kill VM before it functions properly?

[Oleg Artemiev]

[olli@dom0 ~]$ qvm-run -p cherehapa /bin/ls   | head
su: warning: cannot change directory to /home/user: No such file or directory
b

xterm and other gui programs do not start. Though if I kill VM the
problem disappear.

I run Qubes 3.2 with Feb 2017 updates .

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OZKHFc-51rGA%2BQkjrCwZunSWjC7ggAXjOhOs0WbbTnUQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] do I really need these packages in dom0 :?

[Oleg Artemiev]

After installing qubes 3.2 looked into dom0 updates.

Found some that I possibly ok to remove:

[olli@dom0 ~]$ rpm -q --whatrequires tigervnc-server-minimal
anaconda-gui-23.19.10-4.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires anaconda-gui
initial-setup-gui-0.3.37-1.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
no package requires initial-setup-gui
[olli@dom0 ~]$

Also, do I really need this in Dom0:

[root@dom0 olli]# rpm -q --whatrequires openssh
openssh-askpass-7.2p2-3.fc23.x86_64
[root@dom0 olli]# rpm -q --whatrequires openssh-askpass
no package requires openssh-askpass
[root@dom0 olli]#

?

Also I've Network Manager in Dom0 - why - it is designed never have
networking. It is left by anaconda - setup program. Why not to delete
it?

lli@dom0 ~]$ rpm -qa |grep -i net
NetworkManager-wifi-1.0.12-2.fc23.x86_64
NetworkManager-libnm-1.0.12-2.fc23.x86_64
NetworkManager-1.0.12-2.fc23.x86_64
NetworkManager-glib-1.0.12-2.fc23.x86_64
glib-networking-2.46.1-1.fc23.x86_64
libnetfilter_conntrack-1.0.4-5.fc23.x86_64
nettle-3.2-1.fc23.x86_64
netcf-libs-0.2.8-3.fc23.x86_64
NetworkManager-team-1.0.12-2.fc23.x86_64
libnfnetlink-1.0.1-7.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-wifi
anaconda-gui-23.19.10-4.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-libnm
no package requires NetworkManager-libnm
[olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-glib
anaconda-core-23.19.10-4.fc23.x86_64
nm-connection-editor-1.0.10-1.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires nm-connection-editor
anaconda-gui-23.19.10-4.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires anaconda-core
anaconda-tui-23.19.10-4.fc23.x86_64
anaconda-gui-23.19.10-4.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires anaconda-tui
anaconda-core-23.19.10-4.fc23.x86_64
initial-setup-0.3.37-1.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires initial-setup
initial-setup-gui-0.3.37-1.fc23.x86_64
initial-setup-gui-0.3.37-1.fc23.x86_64
initial-setup-launcher-1.0-1.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires initial-setup-gui
no package requires initial-setup-gui
[olli@dom0 ~]$ rpm -q --whatrequires initial-setup-launcher
no package requires initial-setup-launcher
[olli@dom0 ~]$ rpm -q --whatrequires NetworkManager-team
anaconda-core-23.19.10-4.fc23.x86_64
[olli@dom0 ~]$ rpm -q --whatrequires nettle
no package requires nettle
[olli@dom0 ~]$ rpm -q --whatrequires libnfnetlink
no package requires libnfnetlink
[olli@dom0 ~]$

from above only netcf-libs is required indirectly by xen related
package. So is it safe to drop all other from above w/ rpm -e  ?


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PvoftmsNpoDJ3sAjtgxd%2Bma55Mnq5aRQUPAqE%2Bp4HpOg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Two qubes multinoot

[Oleg Artemiev]

On Sat, Feb 25, 2017 at 6:50 PM, john.david.r.smith
 wrote:
> On 25/02/17 04:14, Oleg Artemiev wrote:
>>
>> Hi.
>>
>> If I want to run VMs from one Qubes in another
> why would you even dualboot two qubesversions?
Some activities are useless to encrypt, i.e. social networking and
some other . Encription gives useless overhead.
I want 1 Qubes OS unencrypted and 1 Qubes OS encrypted for everything
else + activities from unencrypted Qubes also enabled.

>> would it be possible to
>> have different coloring for the same VM in different Qubes OS instances?
> here the questions is, what files you would share?
For example:

 /var/lib/qubes/appvms/public-activity-vm/

or if it does any sense I may share files indiividually:
/var/lib/qubes/appvms/public-activity-vm/*

> i am not sure, where the label is saved, but if you only share the images,
> it should work (but i am still not sure what you are trying to do).
run same VM in diffrent boots of Qubes OS on the same computer.

>> Is this possible from a VM to attack Dom0 by altering VM image files  or
>> this is just files and adversary able to rewrite image in one Qubes has no
>> option to appear outside VM when it is loaded in another Qubes OS
>> instance?
> a vm can always only write data inside of an image.
> if a vm can write data in dom0, your system is owned and you need something
> as aem to protect the other instance.
> but even with aem, i think one qubes dom0 A could compromise the other dom0
> B, since A can somehow read and write files of B.
A is not encrypted, B is encrypted, A never used to mount something
from B and has no clue about B luks password.

> but if you assume both dom0 are secure, i don't see a problem.
A is not that secure as B. If A is compromised I'm not glad, but it's
not very important - all accounts I would use from A are already
somewhat public.

It looks that before booting into B I should check bootloader and
/boot consistency of B w/ some sort of usb stick.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NbAjS5rdoRva0OpNA8%2B6y7HCdD6wKkpu7ParegnQb6_w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Two qubes multinoot

[Oleg Artemiev]

Hi.

If I want to run VMs from one Qubes in another - would it be possible to
have different coloring for the same VM in different Qubes OS instances?

Is this possible from a VM to attack Dom0 by altering VM image files  or
this is just files and adversary able to rewrite image in one Qubes has no
option to appear outside VM when it is loaded in another Qubes OS instance?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Orj8H2iPsnP3oCByY1WRC8%3Db_AzWCz8mutkvMwGkmrBA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: qubes-rufus-windows7

[Oleg Artemiev]

On Feb 23, 2017 10:07 PM, "руслан шатдинов"  wrote:

четверг, 23 февраля 2017 г., 20:45:43 UTC+3 пользователь руслан шатдинов
написал:
> hello
> i wrote QubesOS on my USB-flash with DD-form option, but Windows7 doesnt
see this USB-flash-disk
> but
> ACRONIS can see this disk
>
> why it doesnt for windows?


Why you need win7 to bother w/ Qubes?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M48P1S3O86bZnP-LbO6TSLeqRQ%2BcjsA-xph%2BhookBiLQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Dual boot and two swaps?

[Oleg Artemiev]

Say I've one enrypted swap and one not from other linux.

Would Qubes ignore unencrupted swap from other distribution or I should
make it to? If so - how do I?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M50sky3pR9kdWFsHy4b1sMKkQiG1RkoHkocjwZvmQBWw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: shrink ntfs from qubes - what do use for this?

[Oleg Artemiev]

On Sat, Feb 4, 2017 at 7:45 PM, Oleg Artemiev  wrote:
> Last time I wanted such a thing I was using a tool like partition
> magic (boot from toolset disk). It was a few years ago. Is there a
> relatively safe way to shrink a win7 partition from linux w/o
> destroyng already installed win7 or current linux tools for this are
> known to be not stable enough?
>
> Installing windows on my laptop is a long timewaste - once did it for
> games and would like to avpoid it.
finally win7 allows shrinking partitions from its disk management.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Pk6vce1mNW%3DWReiY7kWKxTBqUP%2BQ8TZ4GQ-Cg98-0SrA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Disable sys-net autostart?

[Oleg Artemiev]

Just asked the same question and then found this thread. %)Thanks for
answer. Could you be so kind to provide more details:

>> Since I created the net VM I'm unable to boot anymore. It hangs during the 
>> sys-net startup. The error message I get after a few minutes is:
>> BUG: soft lockup - CPU#1 stuck for 22s! [libvirtd:1769]
>> Anyone knows how to debug or fix this? The VM worked fine when started after 
>> the system was fully booted, it just fails if started during booting.
> There are a couple of open issues about this autostart issue.
> The simplest solution is to disable the auto start in
> /etc/systemd/system/qubes-netvm.service - you can edit the file or
> disable the service.
Netvm is autostarted by other qubes it is assigned to.

Is it possible to have something like "ask user" ?

Some times it's not good to have networking, but at the same time I'd
like to start other VMs that have this VM as net VM.

> If you do make sure that you aren't starting any
> other qubes that rely on sys-net. (That would include your clockVM.)
Could you point to a paper in dox that we should review to get a
deeper understanding of VM chains?

 I mean that some times I would like to override default start
procedure - how can I get this?

Is there any alternative to get into single mode and play with VM prefs?

Why the auto-start preference ingored by boot sequence - because OS
needs a clock VM?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P9bMJMmmSjuTxEL8MrA8Z9%2B1T_7%2B3UyC%3DCePcQX-Mr_Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] sys-net, sys-firewall starting independent to start on boot in properties

[Oleg Artemiev]

How do I disable autostart of sys-net, sys-firewall? Qubes manager
setting seem to be ignored.
Qubes r3.2

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NUvw0o%3DSXZF2fq7PPb9eVxmPQHrupMXy9tPv9c11SRkg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] looks like sha-1 is over

[Oleg Artemiev]

a little bit offtopic, everyone is using sha-256, I guess,

http://shattered.it/

but, btw - any comments to this in Qubes contex:

cut-
How is GIT affected?

GIT strongly relies on SHA-1 for the identification and integrity
checking of all file objects and commits. It is essentially possible
to create two GIT repositories with the same head commit hash and
different contents, say a benign source code and a backdoored one. An
attacker could potentially selectively serve either repository to
targeted users. This will require attackers to compute their own
collision.
cut-

?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PdgkbP4AyXWe0%2BWi-_8vsquyTnFP%2BajkAEKzppZ%2BkLQQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] asus n56vz HCL update

[Oleg Artemiev]

On Wed, Feb 22, 2017 at 12:32 PM, Chris Laprise  wrote:

> Since this is an update of his Qubes R2 report already in the HCL, I have
> enough info to include it for R3.2. I have the CPU model (from the body of
> Oleg's first message), the chipset model, graphics, etc.
Okay, please do.

I don't remember exactly what I've already revealed about this peace
of [cansored] that doesn't support VT-d. =)
Next time when I'll decide to spend 1-2k$ for a laptop I'll look
closer to Qubes requirements - last time I just bought and found it's
not what I need half year later when got time to switch to Qubes.
(very nice that usb stick option is available out of the box). Got a
look into 4.0 hardware requirement - found that I have to buy a laptop
when  when 4.0 will appear in downloads.

The only things changed since last report - I probably got either end
of life for my ssd drive after last full rewrite or tools unaware
about SSD made it report so strange things to dumb UEFI, that it
disabled the primary sata channel. (to get a clue I need to check both
alternatives: *) boot into windows and try to check w/ proprietary
software *) check it in some other PC that has no stupid EFI bios
pretending to be clever when I don't want it to)

> But I agree the report file itself should have included a bare minimum with 
> the CPU.
I vote for an option to show HCL info in 2 or 3 variants by user option:

1) as it is now with all details
2) with minumum requirement: model name, cpu info, chipset info, bios
version, built in video info - all w/o exact IDs, no other info
3) just CPU, motherboard, bios information.

And also I think, that ability to send _anonymous_ data  about all
parts w/ user only confirmation required is good thing. When
anonymising report I'd stress on the following:
*)  send via .onion service w/o full unique identificators (optionally
use crypto via temporary created at install time keys (and deleted
right after encryption finished))
*) send one by one each hardware detail w/ random timeout within 24-96
hours(not within one hour!) to a fully automated receiver at vendor
site (continue if rebooted before sending finished)

Zrubi noted  2) and 3) as mostly useless, IIUC .

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MucMOiwHNKezbDzHxwuTRxrbEAZ4eqWZ606yf0UY%2BfvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] asus n56vz HCL update

[Oleg Artemiev]

On Wed, Feb 22, 2017 at 3:29 AM, Zrubi  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>> My idea is that if Qubes team wants to get additional information
>> from users about spare parts - the HCL should get divided by at
>> least two parts:
>> 1) laptop model compatibility list (w/ less information about
>> details (I guess within one model the hardware set is similar)).
> Unfortunately this is not the case in reality.
>
> All the manufacturers are releasing completely different hardware with
> the same model name.
>
> I was working closely with several vendors before, so I have some bad
> real life experience with this.
:(


Okay, but what for should HCL contain info about HDD details?
Ever anyone had problem w/ disk firmware w/ fedora?

>From my understanding, disk stuff is below sata driver - once fedora under Xen
  works w/ sata for some chipset - the HDD shouldn't be a problem - isn't it?

> So I'm still stating that without exact spare part list, the HCL has
> not even worth the effort to collect and publish.
You mean that single device information w/o other parts is not
interested at all and second idea - ability to anonymously report
spare parts
is useless?

> About anonymity:
>
> It is your choice again. But that choice should be done before even
> posting anything on these lists :)
Agree. I'm not hiding that much as I should. )

> The reason behind the current manual and voluntary HCL info gathering
> is to give you the choice. If you send any data or not, if you using
> your real name or not.
Yep, I voluntary agreed to publish this hardware a few years before
using my real name. =)
I don't keep any interesting secrects on a notebook that I use in dual
boot configuration.
At least I think so )

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Nm0BG0rhE1%2BjkxL0ur_nDjhwNZWzdwM2%2BohuYXD5Q45Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes r3.2 i18n (dom0 updates not installed) - delayed switch to alternate language in VM, but not in dom0

[Oleg Artemiev]

Hello.

I've some times to wait a significant amount of time for Russian input
to be available.

Alt Shift and mouse both switch language indicator for Xfce, but
Russian chars are not appearing in VM within a few seconds  when
switching from VM to VM  - all imput is still in English.
asus keyboard, layout applied per window.

Is this already fixed or I should report some details? This is test
installation - I'm about to kill it and reinstall within a day or two.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NBRAwDncM7Uq0RY%3DyHC%2BLz0qzKK_%2B2qpQ2pwSA4si06w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] asus n56vz HCL update

[Oleg Artemiev]

On Tue, Feb 21, 2017 at 3:34 AM, Zrubi  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 02/21/2017 02:59 AM, Oleg Artemiev wrote:
>
>> Attached file has more details. As usually I've replaced some
>> potentially unique numbers w/ XX.
> FYI:
>
>
> The things you are hiding are NOT unique to your device. Instead they
> are the exact device TYPE identifiers. Without those you can't even
> tell what device you are using. Means without those ids the HCL is
> pretty useless.
> Details:
>
> BIOS: what you are masked is the BIOS version.
> Different BIOS versions may affect some very important things like
> vt-d, vt-x, TMP
in my case chipset doesn't support it, not bios, thus no need to publish this.
(this information is available via link on dicscussion that realtes to
my old report, nothing has changed).

> VGA: you masked the PCI ID. It is the only real identification of the
> device:
> http://pci-ids.ucw.cz/
> NET: same as above. Without the proper masked ID you are not even able
> to cheese the right driver.
> SCSI: same again the masked id is the type number of your disk.
Any of these as a single entry are not identifying.

Combination of those could be enough to split target set from
thousands to single hundred .

That is not exact identify for law enforcement, but enough
identification for targeted attack in "spotter" terms  .
At least combining that data razes ease of targeting a single computer
from distribution center.
That is enough reason for me not to post this information even when I
trust Qubes team.

> However this is actually not relevant in Qubes.
Why then this is sent to HCL? Shouldn't we avoid unnecessary
information like HDD details at all (or
just ask for amount of free space (approximate, not exact, as exact
value on system partition may
help identify install) on assigned partitions)?

> Of course you can still decide to not share those - it is up to you.
Yes, I still do - see  'my reasons' below.

> I just wanted to make it clear to avoid confusion.
Thank you.I'll look for details on identification of devices w/ PCI ID.

As about my reasons:

There's difference between identification of a person from:

*) vendor site (any vendor that has made some software ether running
on my laptop)
*) from some government agency like fbi/nsa/fsb/whatever
*) from abilities that give just internet search for any curious hacker.

It's not a big deal to publish that info, since I trust Qubes team and
think I'm not that interesting person to spend time catching my
personal data - that is
probably useless for most of other people .

Though I do not trust Microsoft, but I use their OS for gaming. I do
not trust Google but I use a few android devices. I do not trust lots
of other non-evil-by-intent organizations.
Why? Lets imagine, that once, I become a person to catch by whatever
reason. Then what?

Then any information that I 've sent to the net is ready to use,
stored for the hunter pleasure and I cannot erase anything that once
has been sent to the net . Period.

I see no reason to allow technical reports w/ my personal hardware
details to any vendor (including Qubes) - all vendors usually operate
on more info than them
really need.  HDD information sent via HCL seem to be useless to
decide "is this laptop good enough to be able to Qubes?" Why not to
remove it?

We have a proverbial in Russia - "word is not a bird - once flew - no
chance to catch". Information you reveal into public should be
organized correctly independently to their
current importance level ,

My idea is that if Qubes team wants to get additional information from
users about spare parts - the HCL should get divided by at least two
parts:

1) laptop model compatibility list (w/ less information about details
(I guess within one model the hardware set is similar)).

2) hardware compatibility list w/ spare part list.

 I.e. if we want to know about some laptop model - one case, if we
want to get a list of compatible boards, network adapters, etc. -
another case.

And very important - the second case is subject for anonymization -
it should be hard to make a direct link between an exact spare part
and a user reported it.
Better even have in HCL a FIXME "Yes I'm okay for public link between
my person and data from this report". If this is not what a user want
- publish report anonymously.
BTW, I'm okay for current link from HCL page to a thread - anyone can
get my email and find out what a crappy hardware I use. ;)

Currently reporter is directly pointed via link to google group
discussion (if he/she agreed on that).

 I'm okay to send more details on my hardware once I'm sure:

*) details are not easily traceable to my one laptop from

*) reporter is not  easily traceable from reported entry by vendor

-- 
Bye.Olli.
gpg

Re: [qubes-users] fedora installer by abilities = ugly wood

[Oleg Artemiev]

On Mon, Feb 20, 2017 at 11:09 PM, Chris Laprise  wrote:
>>> On 02/20/2017 09:16 AM, Oleg Artemiev wrote:
> I mean apart from what the installer can support, in your case (I've read
> some of your other partitioning messages) it seems unnecessary.
Yes, but when I installed opensuse last time I've seeb elegant
powerful interface - less things to do by hands.

>>> The idea that you have to treat SSDs as fragile has not withstood the
>>> test
>>> of time. In fact, SSDs are widely regarded as /more/ durable than HDDs
>>> now.
>>
>> I've bought my hdd 3-4 years ago (don't remember exactly). Newer ssd
>> may be better.
>> My one.. I just want to pay 1 day for installation and then keep this
>> for years. So why not to think twice and make setup that will be just
>> better in resource utilization?
> IIRC, about any SSD post 2011 should be quite durable... so a Samsung 830 or
> similar vintage should have no particular worries about longevity.
nice to hear, but anyway - how long those "no particular worries" go?
I mean that ssd by design is less stable to writes than hdd.
Why not then to partition just that way when ssd will get less writes?
It's not something really hard to make custom partitioning (except you
can't do it via installer).


>>> And I don't know of any Qubes Btrfs users (incl. myself) who employ
>>> special
>>> drive geometries or other complicated setups to save SSDs from wear.
>>
>> Okay, now you may memorize me ;) I always attempt to get some extra
>> customization from my PC. =)
>>
>>> With that said, I have found it impossible to get anaconda to do anything
>>> with LUKS+Btrfs beyond the default, one-partition setup.
>>> Even specifying a
>>> single existing Btrfs root partition is probably going to fail.
>>
>> I've got installed Qubes 3.2 for testing purposes on a hdd only w/o
>> encryption just right now w/ root on btrfs. It is possible via fedora
>> installer, but I except:
>> *) had to kill efi partition - not to confuse stupid asus n56vz bios
>> *)  bootloader configuration - I had to install grub2 non efi rpm
>> manually + install grub mnually . Thanks - documentation is pretty
>> accessible from mobile phone - I install grub rarely so was in need on
>> some reference for my dual boot. :)
>>
>>> IMHO, the only way to get Btrfs running with Qubes is to do a plain
>>> install with the
>>> Btrfs option
>>
>> btrfs is just a switch for default partition type for new partitions I
>> guess.
>
> Yes, its just a switch, which anaconda will proceed to handle entirely wrong
> should you have anything 'fancy' specified (existing Btrfs+LUKS, multiple
> volumes, etc).
Last time I wanted something like this I made everything by hands in
console, then made anaconda reread disk,
then just binded mount points to everything that it shows.After that
it's okay to continue w/ setup.

> Usually what happens when I specify Btrfs with anything but
> defaults is anaconda forgets encryption step... Whoops!
hmm.. This time I've installed Qubes 3.2 for testing I didn't check
encryption at all - looks I'm lucky. %)

>>> ---Anything else must be done as adjustments after installation.
>> I prefer to do customisations at install time. After testing I'll
>> records btrfs stats, kill this one Qubes install, repartition and
>> encrypt by hands, then just make installation eat my point of view.
>> That's annoying, but I spent lots of time w/ computers to give up on
>> just ugly installer. ;)
> Just thought I'd offer my experience in case it saves you some time and
> effort.
Nice. Mebbe I'll try once.

> BTW, besides not supporting raid 5/6 (no big deal for me), the other
> downside for using Btrfs is still free-space reporting. It still isn't done
> in a realistic manner, IMO... you may need to keep 30-60GB free space at all
> times to avoid the fs going into read-only mode.
omg... Thank you - now it looks I don't want btrfs anymore. %) I
haven't used btrfs yet - just
wat I've read sounds promising. But pay 60Gigs for that - doesn't seem
to be what I want.
Better I'll go w/ custom lvm + some patching to get r/o root. :)

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MT8%2BAq98tQf0KSrdBh7XTJ0iNFnc_UAUyzZARGzXMA6w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] asus n56vz HCL update

[Oleg Artemiev]

--
Qubes release 3.2 (R3.2)

Brand:ASUSTeK COMPUTER INC.
Model:N56VZ
BIOS: X

Xen:4.6.1
Kernel:4.4.14-11

RAM:   16 Gigabytes

CPU:
  Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
Chipset:
  Intel Corporation 3rd Gen Core processor DRAM Controller [:] (rev XX)
VGA:
  Intel Corporation 3rd Gen Core processor Graphics Controller
[:] (rev XX) (prog-if XX [VGA controller])
  NVIDIA Corporation XX [GeForce GT 650M] [:XXX] (rev XX)
(prog-if XX [VGA controller])

Net:
  Intel Corporation Centrino Wireless-N  (rev XX)
  Qualcomm Atheros AR8161 Gigabit Ethernet (rev XX)

SCSI:
  STX X Rev: X - 1 terabyte

HVM:Active
I/O MMU:   Not active
HAP/SLAT:Yes
TPM: Device not found
--


works - yes, but no VT-d, still worse linux driver for build in NIC;

thanks for a good work to Qubes team  - Qubes 3.2 is much better
from user experience. :)

Attached file has more details. As usually I've replaced some
potentially unique numbers w/ XX.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P9KQUvCg2wb8Da%3DiBPReWS_BC33fgxDTWGjgWXxrVGPg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-ASUSTeK_COMPUTER_INC_-N56VZ-20170220-202310.yml
Description: application/yaml

Re: [qubes-users] fedora installer by abilities = ugly wood

[Oleg Artemiev]

On Mon, Feb 20, 2017 at 4:01 PM, Chris Laprise  wrote:
> On 02/20/2017 09:16 AM, Oleg Artemiev wrote:
>>
>> once uefi detected in BIOS  - no chance to make it install non-uefi
>> version of grub - no chance to continue w/o special efi partition
>>
>> btrfs partitioning has no option to tweak raid level for data and
>> metadata - only both. Custom partitioning made non intuitive and
>> uncomfortable.
>
>
> I agree that anaconda Fedora installer isn't very good (to say the least).
> But I'd also say that what you're asking it to do is rather advanced and I
> think unnecessary.
"necessary" is prerogative of human, not program. Fedora installer
makes me fill like I'm disabled person. )
Comparing to open suse installer - it is worser then ever.

> The idea that you have to treat SSDs as fragile has not withstood the test
> of time. In fact, SSDs are widely regarded as /more/ durable than HDDs now.
I've bought my hdd 3-4 years ago (don't remember exactly). Newer ssd
may be better.
My one.. I just want to pay 1 day for installation and then keep this
for years. So why not to think twice and make setup that will be just
better in resource utilization?

> And I don't know of any Qubes Btrfs users (incl. myself) who employ special
> drive geometries or other complicated setups to save SSDs from wear.
Okay, now you may memorize me ;) I always attempt to get some extra
customization from my PC. =)

> With that said, I have found it impossible to get anaconda to do anything
> with LUKS+Btrfs beyond the default, one-partition setup.

> Even specifying a
> single existing Btrfs root partition is probably going to fail.
I've got installed Qubes 3.2 for testing purposes on a hdd only w/o
encryption just right now w/ root on btrfs. It is possible via fedora
installer, but I except:
*) had to kill efi partition - not to confuse stupid asus n56vz bios
*)  bootloader configuration - I had to install grub2 non efi rpm
manually + install grub mnually . Thanks - documentation is pretty
accessible from mobile phone - I install grub rarely so was in need on
some reference for my dual boot. :)

> IMHO, the only way to get Btrfs running with Qubes is to do a plain install 
> with the
> Btrfs option
btrfs is just a switch for default partition type for new partitions I guess.

> ---Anything else must be done as adjustments after installation.
I prefer to do customisations at install time. After testing I'll
records btrfs stats, kill this one Qubes install, repartition and
encrypt by hands, then just make installation eat my point of view.
That's annoying, but I spent lots of time w/ computers to give up on
just ugly installer. ;)

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PDgtZ74uWMgJdyO2iObHBOW_qk-eFXzO5PVF7KpO%2BVFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qubes partitioning questsion

[Oleg Artemiev]

On Mon, Feb 20, 2017 at 1:10 PM, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>> I'm about to upgrade from Qubes 3.0 to Qubes 3.2 now.
>>
>> I've two terabites (1 ssd and 1 hdd) in my laptop and 16Gigs of
>> memory. Is separation to different mount points as proposed below
>> is a good idea? Please note if you think that something could also be
>> moved to ssd. My criteria for ssd stuff is "oftenly read, very rare
>> write".
>>
>>
>> As everything is encrypted , thus no need in gpt - dos partition table.
>>
>> ssd:
>> /   - 400Мb
>> /usr - 5G0b
>> /boot - 300Mb
>> /var/lib/qubes/vm-templates - 350Gb
>> /var/lib/qubes/vm-kernels   - 3.5Gb
>> /var/lib/rpm- 100Mb
>> /var/lib/yum- 50Mb
>>
>> individual catalogues under /home// - up to 100 mount points ,
>> unsure which ones are rewritten rarely an thus worth moving to ssd,
>> thus will move after upgrade.
>>
>> hdd:
>> /a_copy_of_/boot - 300Mb
>> /tmp - 32Gb - looks like it has to be not less
>> then biggest VM size
>> swap - 32Gb
>> /home - 100Мб
>> /var/log - 300Mb
>> /var/log/
>>
>> BTW: Looks like LVM thin provisioning gives at least two times slower
>> writes, so I'm about to use usual LVM.
>>
>
> Take a look at this, if you haven't already:
>
> https://www.qubes-os.org/doc/custom-install/
Thank you, missed this when reviewing dox. At least this defines at
which level encription should be used.

 BTW: I made in 2014 a step by step example for my environment in a
blog post: http://grey-olli.livejournal.com/867831.html#cutid1  .
You may reference this thread in qubes-users as a link for more sample
information. I've similar sample howto
for fedora (as its ugly install program make me feel like disabled
person): http://grey-olli.livejournal.com/691018.html .

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P6hTSckgvXCMvS5bg3dnQh%3DSUFkqoMVDtOC70u9AZ06w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] fedora installer by abilities = ugly wood

[Oleg Artemiev]

once uefi detected in BIOS  - no chance to make it install non-uefi
version of grub - no chance to continue w/o special efi partition

btrfs partitioning has no option to tweak raid level for data and
metadata - only both. Custom partitioning made non intuitive and
uncomfortable.

and comparing to open suse installer fedora one is woody moron -
nothing has changed in last 3 years to get better w/ fedora installer.


finally I've to install by hands at least in half - prepare all
partitioning, mount points, bootloader configuration and then just
mount (and omit to install bootloader from installation gui) those in
installer.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Ox1w87KMzC-OKfjyQ_XXQ3V8DuT18webqJNx8K-oBOWg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Riseup Services Likely Compromised

[Oleg Artemiev]

On Fri, Feb 17, 2017 at 4:21 PM, Michael Carbone  wrote:
> Me:
>> Michael Carbone:
>>> Me:
 Qubes users beware. Riseup Services (including email)are likely
 compromised by State actors.
 For more info and to verify above statement visit
 https://riseup.net/canary {here you'll see that the canary statement
 hasn't been updated quarterly as promised} and here
 https://www.whonix.org/blog/riseup.
 Google the topic and you'll see lots of other statements that Riseup is
 no longer trusted.
 Stay Safe
>>>
>>> https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/
>>>
>>> which includes statements from the Riseup team.
>>>
>>> It sounds like they were served with something boring, but because of
>>> how they defined their warrant canary they had to not update it.
>>> Removing a warrant canary does not mean compromise, which is one of the
>>> weaknesses of poorly defined (and followed) warrant canaries.
>>>
>> The Intercept may be correct. However they do not publish this tweet
>> from Riseup "listen to the hummingbird, whose wings you cannot see,
>> listen to the hummingbird, don't listen to me." It doesn't take a rocket
>> scientist to intepret this. In any case, I have my doubts about the
>> integrity of The Intercept; which is funded by the owner of PAYPAL; that
>> well known privacy activist! who in the past hast blocked donations to
>> Wikileaks et al
>
> and riseup has been ungaged regarding their court order:
>
> https://riseup.net/en/about-us/press/canary-statement
>
> "After exhausting our legal options, Riseup recently chose to comply
> with two sealed warrants from the FBI, rather than facing contempt of
> court (which would have resulted in jail time for Riseup birds and/or
> termination of the Riseup organization). The first concerned the public
> contact address for an international DDoS extortion ring. The second
> concerned an account using ransomware to extort money from people."
Unrelated to the possible compromize due to your notice I've found technical
details page on the bitmask vpn (I've posted offtopic question relaated bitmask
here why people are asking for invite). Now will look about tech details on
how them pretend to technically prove bitmask is better than other vpn
solutions.
I'm surprised that direct link to
https://leap.se/en/docs/get-involved/project-ideas
is not near of those market claims.

BTW: I'm  1st time realized a canary being a little helpful. :)
BTW2:  've reviewed qubes os dox due to upgrade in progress and amused that
project is moving to distributed state. Perfect!

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NN4JqrThuAPWaqaeDAU93YD5v_Pdyr_2Hk7q%3DPKVDK8g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to launch qubes AppVM without qubes os?

[Oleg Artemiev]

On Sun, Feb 19, 2017 at 1:10 PM, Arqwer  wrote:
> *By all files I mean those that were in /var/lib/qubes/appvms/
you will be able to run that programs seamless only by using same
Linux distro that was used as a template VM for your appVM.
Also you will need all dependent package to be present in your current linux.
mount appvm private image, tar /home/user , untar to some new user
home dir in your Linux, then try to login as that user and run those
programs from console.
If lucky - them start seamless. If not (most probably) you 'll have
some erors in console about missing libraries and so on,
Sure there could be other problems, but if you're lucky you'll be able
to add dependencies.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MadrhpwCB_FjOsU%3DzqFKfQe2Um4Kn7dKdonH%2Bs2JU2aQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] what is better - btrfs or ssd cache w/ qubes? (was qubes partitioning questsion)

[Oleg Artemiev]

. The only difference is that
LUKS is easier to manage, and allows multiple access keys per
partition.

With the old format, no configuration header is embedded in an
encrypted partition. It does not even store a trace of its single key
on the disk ... Unless you're turned off by the
single-unchangeable-key restriction, you should use the old format.
The above is somewhat ubuntu specific, but paper has enough for better
understanding.

And If I understand things right, the most tunable alternative is 3 or
4 as 1 require some patches to be applied (to have fully read only
Dom0 (see https://groups.google.com/forum/#!topic/qubes-devel/wfqKiOYgV8Y)).
Looks like 4) should be faster than 3) and since btrfs has its own
implementation for most (or everything?) lvm has - this should be
preferable. And 5 is probably not supported by Qubes boot scripts (I'm
not sure about this), but
should be faster as luks gives little overhead (never compared myself,
but a friend of mine told that he has better operations when
encryption w/o luks). Also when you don't use luks - it seems better
fitting into plausible deniability - looks like no
trace of encryption is on the disk - no luks standard container is
visible on the raw disk read. More reading here:
https://help.ubuntu.com/community/EncryptedFilesystemHowto

Russian speaking users could look at
http://www.bog.pp.ru/work/LUKS.html for review on luks (+ there're
links to English papers from there).


>> On February 18, 2017 8:21:10 AM PST, Oleg Artemiev 
>> wrote:
>>>
>>> Hello,
>>>
>>> I'm about to upgrade from Qubes 3.0 to Qubes 3.2 now.
>>>
>>> I've two terabytes (1 ssd and 1 hdd) in my laptop and 16Gigs of
>>> memory. Is separation to different mount points as proposed below
>>> is a good idea? Please note if you think that something could also be
>>> moved to ssd. My criteria for ssd stuff is "oftenly read, very rare
>>> write".
>>> As everything is encrypted , thus no need in gpt - dos partition table.
>>>
>>> ssd:
>>> /   - 400Мb
>>> /usr - 5G0b
>>> /boot - 300Mb
>>> /var/lib/qubes/vm-templates - 350Gb
>>> /var/lib/qubes/vm-kernels   - 3.5Gb
>>> /var/lib/rpm- 100Mb
>>> /var/lib/yum- 50Mb
>>>
>>> individual catalogues under /home// - up to 100 mount points ,
>>> unsure which ones are rewritten rarely an thus worth moving to ssd,
>>> thus will move after upgrade.
>>>
>>> hdd:
>>> /a_copy_of_/boot - 300Mb
>>> /tmp - 32Gb - looks like it has to be not less
>>> then biggest VM size
>>> swap - 32Gb
>>> /home - 100Мб
>>> /var/log - 300Mb
>>> /var/log/
>>>
>>> BTW: Looks like LVM thin provisioning gives at least two times slower
>>> writes, so I'm about to use usual LVM.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OwoK0XPTgZP-j1aF3nyUfHMKN8k4nQYkTt%3DS%2Bs%3DhHRZw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qubes partitioning questsion

[Oleg Artemiev]

On Sat, Feb 18, 2017 at 9:59 PM, Oleg Artemiev  wrote:
>
>
> On Feb 18, 2017 21:07, "Manuel Amador (Rudd-O)"  wrote:
>
> Separate /usr is not supported.
>
> I have separated /usr over 2 years and had no problem. Unix like OS allows
> this by design. What do you mean by 'not supported'?
>
>
> There is no point in sub mount points under /var/lib/qubes. /var/lib/Qubes
> is enough as a single mountpoint.
>
> Unless we talk about read and write optimizations in hdd vs ssd.
>
>
> There is no point in /var/lib/* sub mount points. Or /var/log for that
> matter.
>
> /var/log separation is must have.  Once you have some repeating log events
> overflowed  your root you will understand why. I had a problem w/ not
> separated /var/log w/ older qubes - no need to step over same trap.
>
>
> You don't have to have /home under a mountpoint. Dom0 /home should be empty
> if you are using Qubes right.
>
> /home/username is subject to often write operations by window manager and
> all user software - like I'm any other unix-like  when you login all user
> settings and some temp files are stored under /home/username. Having this on
> sad saves time, but smokes out ssd life - as usual - smoking is pretty
> habbit, but kills your health in long term - same w/ regular writes on ssd .
>
>
>
> Use btrfs instead of LVM. That way you can do subvolumes.
>
>
> Is btrfs is stable enough?
I've reviewed some user notes on btrfs and found it has some disadvantages:

1. fsck is not aware of btrfs and occasional run by hands of fsck on
btrfs may lead to partition corruption.
2. It stores some extra info for each file, so volumes w/ a lot of
smal files appear to use more space than on ext3/ext4  .

3. tools for btrfs are still in active development, so I should be
careful to never appear to be using an alfa- or betta- grade versions
if I
want to be sure all is sage enough. I even consider for myself ext4 is
not stable enough compared to ext3. btrfs is one year younger than
ext4 BTW.
If I enable Qubes development repositories - how can I ensure that
btrfs tools never get newer than I want?

BTW - to the moment I don't understand - is it possible to tune btrfs
in such a way, when it will use most oftenly writed meta data stuff
via  hdd only?
I.e /dev/sda is hdd , sdb is ssd - is it possible to create a btrfs
partition that will put its metadata on ssd


> Separation below is due to faster reads from ssd . Also ssd drives degrade
> in terms of stability if writes are made too often . Thus I want separate
> app VM /template VM storage - template VMs are changed rarely. BTW - I'm not
> sure where temporary images are stored when Qubes starts an App VM. The idea
> is get most reads from ssd and most writes to hdd.
This is noted here:
https://groups.google.com/forum/#!topic/qubes-devel/hG93VcwWtRY and
(today/yesterday) in reply to similar quesion around Subj in
qubes-developers:
https://groups.google.com/forum/#!topic/qubes-devel/wfqKiOYgV8Y


> On February 18, 2017 8:21:10 AM PST, Oleg Artemiev 
> wrote:
>>
>> Hello,
>>
>> I'm about to upgrade from Qubes 3.0 to Qubes 3.2 now.
>>
>> I've two terabites (1 ssd and 1 hdd) in my laptop and 16Gigs of
>> memory. Is separation to different mount points as proposed below
>> is a good idea? Please note if you think that something could also be
>> moved to ssd. My criteria for ssd stuff is "oftenly read, very rare
>> write".
>>
>>
>> As everything is encrypted , thus no need in gpt - dos partition table.
>>
>> ssd:
>> /   - 400Мb
>> /usr - 5G0b
>> /boot - 300Mb
>> /var/lib/qubes/vm-templates - 350Gb
>> /var/lib/qubes/vm-kernels   - 3.5Gb
>> /var/lib/rpm- 100Mb
>> /var/lib/yum- 50Mb
>>
>> individual catalogues under /home// - up to 100 mount points ,
>> unsure which ones are rewritten rarely an thus worth moving to ssd,
>> thus will move after upgrade.
>>
>> hdd:
>> /a_copy_of_/boot - 300Mb
>> /tmp - 32Gb - looks like it has to be not less
>> then biggest VM size
>> swap - 32Gb
>> /home - 100Мб
>> /var/log - 300Mb
>> /var/log/
>>
>> BTW: Looks like LVM thin provisioning gives at least two times slower
>> writes, so I'm about to use usual LVM.



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O0nGXO5-UYQAcYoKj0v0Fnhnf%3D5DeHaXoJwV86g8S6ig%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qubes partitioning questsion

[Oleg Artemiev]

On Feb 18, 2017 21:07, "Manuel Amador (Rudd-O)"  wrote:

Separate /usr is not supported.

I have separated /usr over 2 years and had no problem. Unix like OS allows
this by design. What do you mean by 'not supported'?


There is no point in sub mount points under /var/lib/qubes. /var/lib/Qubes
is enough as a single mountpoint.

Unless we talk about read and write optimizations in hdd vs ssd.


There is no point in /var/lib/* sub mount points. Or /var/log for that
matter.

/var/log separation is must have.  Once you have some repeating log events
overflowed  your root you will understand why. I had a problem w/ not
separated /var/log w/ older qubes - no need to step over same trap.


You don't have to have /home under a mountpoint. Dom0 /home should be empty
if you are using Qubes right.

/home/username is subject to often write operations by window manager and
all user software - like I'm any other unix-like  when you login all user
settings and some temp files are stored under /home/username. Having this
on sad saves time, but smokes out ssd life - as usual - smoking is pretty
habbit, but kills your health in long term - same w/ regular writes on ssd .



Use btrfs instead of LVM. That way you can do subvolumes.


Is btrfs is stable enough?

Separation below is due to faster reads from ssd . Also ssd drives degrade
in terms of stability if writes are made too often . Thus I want separate
app VM /template VM storage - template VMs are changed rarely. BTW - I'm
not sure where temporary images are stored when Qubes starts an App VM. The
idea is get most reads from ssd and most writes to hdd.




On February 18, 2017 8:21:10 AM PST, Oleg Artemiev 
wrote:
>
> Hello,
>
> I'm about to upgrade from Qubes 3.0 to Qubes 3.2 now.
>
> I've two terabites (1 ssd and 1 hdd) in my laptop and 16Gigs of
> memory. Is separation to different mount points as proposed below
> is a good idea? Please note if you think that something could also be
> moved to ssd. My criteria for ssd stuff is "oftenly read, very rare
> write".
>
>
> As everything is encrypted , thus no need in gpt - dos partition table.
>
> ssd:
> /   - 400Мb
> /usr - 5G0b
> /boot - 300Mb
> /var/lib/qubes/vm-templates - 350Gb
> /var/lib/qubes/vm-kernels   - 3.5Gb
> /var/lib/rpm- 100Mb
> /var/lib/yum- 50Mb
>
> individual catalogues under /home// - up to 100 mount points ,
> unsure which ones are rewritten rarely an thus worth moving to ssd,
> thus will move after upgrade.
>
> hdd:
> /a_copy_of_/boot - 300Mb
> /tmp - 32Gb - looks like it has to be not less
> then biggest VM size
> swap - 32Gb
> /home - 100Мб
> /var/log - 300Mb
> /var/log/
>
> BTW: Looks like LVM thin provisioning gives at least two times slower
> writes, so I'm about to use usual LVM.
>
>
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OEBXyjGzQPG3dfY61USxwnjzrfB%3DnrPDE2TFCbsLrC3w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes partitioning questsion

[Oleg Artemiev]

Hello,

I'm about to upgrade from Qubes 3.0 to Qubes 3.2 now.

I've two terabites (1 ssd and 1 hdd) in my laptop and 16Gigs of
memory. Is separation to different mount points as proposed below
is a good idea? Please note if you think that something could also be
moved to ssd. My criteria for ssd stuff is "oftenly read, very rare
write".


As everything is encrypted , thus no need in gpt - dos partition table.

ssd:
/   - 400Мb
/usr - 5G0b
/boot - 300Mb
/var/lib/qubes/vm-templates - 350Gb
/var/lib/qubes/vm-kernels   - 3.5Gb
/var/lib/rpm- 100Mb
/var/lib/yum- 50Mb

individual catalogues under /home// - up to 100 mount points ,
unsure which ones are rewritten rarely an thus worth moving to ssd,
thus will move after upgrade.

hdd:
/a_copy_of_/boot - 300Mb
/tmp - 32Gb - looks like it has to be not less
then biggest VM size
swap - 32Gb
/home - 100Мб
/var/log - 300Mb
/var/log/

BTW: Looks like LVM thin provisioning gives at least two times slower
writes, so I'm about to use usual LVM.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MReuC_Q9B2NYjHjKnvRLc%2BJeaWaywxF%3DLV8rYpiT32DQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] offtopic: bitmask vpn

[Oleg Artemiev]

've seen a post asking for invite there.

Got time to read about service. 'ven't found anything much more
interesting than other vpn service.

A lot of market advert claims that show things also available for
other vpn services.

Lack of technical explanation what innovations they made w/ their VPN
compared to other VPN.

Why should one prefer that service to anoher? :?

Since this is offtopic you could prefer to answer directly.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OmdUjghEWKLRRN%2Bub6FWqSTQ-uDmrWW80aATiK8n6wdw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemiev  wrote:
> On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
>> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>>>> I have a bank vm, how do you restrict the browser from being able to go
>>>>> else
>>>>> where? Do you add the iprules in the vm or do you create a proxyvm and
>>>>> add
>>>>> the iprules there?
>>>> I've tried both solution some time ago and definitly the tinyproxy
>>>> solution
>>>> works much better and can handle nicely dns round robin or servers behind
>>>> load balancers. By the way this solution offer an other nice possibility,
>>>> you can use regular expressions and for example allow .*\.mycompany\.com$
>>>> on
>>>> the conter-part, you will have to trust the dns resolution.
>>>
>>> Look also for modules like 'request policy' and 'no script'  or
>>> 'policeman' that implements nice GUI allowing both types in a single
>>> place.
>>> Request policy + 'ask for reload permission' should be enough to
>>> control in a single VM for a few banks in single place.
>>> Not that secure as proxying and denying in some other VM, but easy +
>>> GUI controls + require some configuration work at start.
>> Good recommendations. I'll add one to that list: HttpsEverywhere.
>> It will keep you from accidentally accessing pages in unencrypted form. You
>> can also set it to allow only https (although some banks may use a mix of
>> https and http).
> look also for uMatrix, Privacy Badger, force cache loading,  For
> banking use of policeman and https everywhere should be enough. Though
> other firefox modules are also good.
forgot to mention uBlock Origin .


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Mo6oPKD0i7feBm5qpEW_MNYHAZ%2BesTADLG%2BqthXN%3DXsg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>
>> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
>>  wrote:
>>>>
>>>> I have a bank vm, how do you restrict the browser from being able to go
>>>> else
>>>> where? Do you add the iprules in the vm or do you create a proxyvm and
>>>> add
>>>> the iprules there?
>>>>
>>>> I've tried both, and created an email vm with iprules "deny everything
>>>> except"
>>>>
>>>> But then neither vm(s) will connect.
>>>>
>>>> Is there a proper way to do this?
>>>>
>>>> Or will I have to do the tinyproxy thing I've read elsewhere ?
>>>
>>> I've tried both solution some time ago and definitly the tinyproxy
>>> solution
>>> works much better and can handle nicely dns round robin or servers behind
>>> load balancers. By the way this solution offer an other nice possibility,
>>> you can use regular expressions and for example allow .*\.mycompany\.com$
>>> on
>>> the conter-part, you will have to trust the dns resolution.
>>
>> Look also for modules like 'request policy' and 'no script'  or
>> 'policeman' that implements nice GUI allowing both types in a single
>> place.
>>
>> Request policy + 'ask for reload permission' should be enough to
>> control in a single VM for a few banks in single place.
>> Not that secure as proxying and denying in some other VM, but easy +
>> GUI controls + require some configuration work at start.
>>
>
> Good recommendations. I'll add one to that list: HttpsEverywhere.
>
> It will keep you from accidentally accessing pages in unencrypted form. You
> can also set it to allow only https (although some banks may use a mix of
> https and http).
>
look also for uMatrix, Privacy Badger, force cache loading,  For
banking use of policeman and https everywhere should be enough. Though
other firefox modules are also good.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OeKXvXC%2BJpJopqhMGX4YobP5yJj0-KLzHgXLkis0jhVQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration

[Oleg Artemiev]

On Tue, Feb 7, 2017 at 1:41 PM, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> [Please keep the list CCed.]
 why do we use operating systems at all? Because them provide
 some set of default pretty functionality/environment from the
 box. Why each time I power down my PC and power it up back I
 have to waste time on placing windows between desktops? Why the
 hell I can't power on and smoke then get back and see
 everything same way organised as I had on my last power up?
>>> Well, you can install Devilspie2 (or equivalent) in dom0 and
>>> automate your setup. (Remember, the foregoing discussion is about
>>>  whether it should be installed *by default*.)
>> Yep. KDE by default has this from the box. Xfce has nothing for
>> this. That's why "by default"
> Hm, then perhaps it's really Xfce who should integrate this upstream?
It would be nice.

Who will ask them for an integration? I guess unless enough people will do - no
one will decide to implement.

> It seems like it would be suboptimal for the Qubes Project to try to
> maintain a fork of Xfce that goes beyond Qubes-specific functions.
you haven't to fork and maintain Xfce entirely. All you need - an option for
restriction in qubes configuration for a VM and a script that will autogenerate
configuration of restrictions offered by a tool you choose.

1st step is done: you adding a tool allowing such a restriction (the
tool is already selected for a future Qubes, AFAIK)
now the second step: allow users easily automate restrictions based on
that tool via qubes configuration interface.

 The only thing I would like is having choice on restore as it
 was and run new session. People at firefox made good work and
 algorithm is well known, why not to apply this to Qubes: On
 start show what is going to be started, if user chooses
 "restore last state"  - exactly that set left at session
 abort/power off is shown, if user is in doubt - new tab is
 always available. if user doesn't want to start same or partial
 set - give him/her clean new session. What a problem to do same
 way w/ desktop placement and VM autorun? People spend a lot of
 time starting same things on next power up. Firefox behaviour
 in case when  firefox configured "restore previouse state" and
 was killed/aborted is best behaviour I've seen on restoring
 workspace.
>>> This sounds like it would indeed be a nice feature. Care to
>>> contribute a patch?
>> Not. :( A lot of questions appear to understand where to make
>> changes at 1st. Unsure that I'll be able to make such a patches.
>
 Locking application to some desktop set is a very good feature
  and, afair and adding this functionality via some utility in
 Dom0 default package set is work in progress for current qubes.
 Just choose one app we're okay with, hug it with qubes vm
 manager and users will love ability to use it. :) I don't vote
 for this one utility - I vote for similar functionality
 available to user _by_default_ .
>>> Why _by default_? As I explained above, we need to take a
>>> disciplined approach in deciding which features get included by
>>> default. If we include by default everything that everyone wants,
>>>  Qubes will suffer from the consequent software bloat and feature
>>>  creep.
>> That is not what every one want but this is what _everyone_
>> usually wastes time on - when powered down and powered up to
>> continue .
>>
>>> We must resist the temptation to push for the default inclusion
>>> of features simply because *we* like them. There has to be a
>>> stronger reason than that. We have to ask ourselves the hard
>>> questions: Why do you want it to be the default? To save you from
>>> having to configure it yourself? Because you think other people
>>> should share your personal preferences?
>> Isn't the reason "every one wastes time that way" above is not
>> enough to add in whish list "make life better for every one" by
>> enabling option to restore last state of running VMs this way"?
>>
>
> It sounds like you're conflating a few different ideas here:

> including Devilspie2 by default,
you should include by default at least one of tools allowing such a
restriction - choose within Qubes team.
I've no idea which is better automated from outside w/o requirements
for user interaction.

> locking apps to virtual desktops,
Yep.

> and saving state.
Yep.

> I think the case for the last one is probably stronger than the first
> two (given what has been said so far), but maybe this is a question
> for the UX experts.
Yep, every one is wasting time restoring state, not every one needs
desktop-bound appllications.

>>> Also, why is it so important to restrict certain domains to
>>> certain virtual desktops?
>> All these restrictions are about:
>>
>> 0. Save time - all appears same place (mean desktop set) - no
>> annoying window reorder . 1. Easier to group desktops and
>> activities b

[qubes-users] Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)

[Oleg Artemiev]

On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy  wrote:
> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
>> I've heared that new intel mother boards  will have (or already have)
>> ability to access jtag interface via USB.
> yes, skylake and kabylake processors. heres the ccc talk on it.
> https://www.youtube.com/watch?v=2JCUrG7ERIE
thanks! Started listening - got basics, 'll continue later. Very intersting . :)

>> Does this mean that USB qube is now useless as a security border on
>> such a mother board?
> only if the manufacturer has it enabled. the only vendor who got back to me 
> (and knew what i was talking about) when i asked was system76 to confirm that 
> it is disabled on their lemur series.
> puri.sm was aware, but doesnt have any hardware out using those chips.
So finally it is a question of trusting the vendor (and their public
relations personnel who may think that those capabilities are not
really disabled.

Shouldn't these CPUs and motherboards be specially noted as dangerous
in qubes HCL?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OeakZiD2ogZiH7Y3%2B7A2nqFM7yyKChaghFgHL6ejSQ4A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] what about usb to jtag interface?

[Oleg Artemiev]

I've heared that new intel mother boards  will have (or already have)
ability to access jtag interface via USB.

JTAG is about debugging hardware via special interface.

Does this mean that USB qube is now useless as a security border on
such a mother board?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O264MX6%3DqxQp0PpV8%2B1EKk7GQ4GjCGh%3DppZ5Gi_VR3EQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qubes regularry attaches and detaches usb card reader

[Oleg Artemiev]

> On 2017-02-04 20:22, Oleg Artemiev wrote:
>> Currently I've all usb controllers attached to Dom0.
>> Subj:
>>
>> Is there any process that should do it usually in Dom0?
>>
>
> Sorry, I'm not sure what you mean. Are you asking about how to create
> a USB qube?
>
> https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube
No. I've no need in USB qube in current treat model.

I'm surprised by regular attached/detached messages pointing to card reader.

Question is: what Dom0 regular operation may give such a message (all
other drives not flipping,
card reader has a stub in it w/ no card inside the stub. If I get the
stub in then out I see the same message.

Qubes R3.0

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NuBf02aJG-jNbz3G_Ugx%3DbF7VBwZ2GHKDP7BwSj0x8Kg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] HCL Suggestions?

[Oleg Artemiev]

On Tue, Feb 7, 2017 at 12:51 PM, Zrubi  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 02/07/2017 10:29 AM, Oleg Artemiev wrote:
>
>> Could you, please, point me into what is already automated (repo +
>> path) and related brief dox on how execution is done currently (if
>> any)?
>>
>> My idea how it should look like:
>> a special qubes image:
>> *. preinstalled on some usb stick *. has only a preconfigured VMs:
>> netVM, firefwallVM, user interface is not required.
> Qubes Live USB should do the job - but AFAIK that project is stalled.
(

>> Dom0 has a script in startup scripts that: *. runs HCL *. updates
>> HCL file: old data copied somewhere inside dom0 for user reference
>> *. copies file to net VM,
> These are handled/done by the hcl script itself.
nice

>> VM has a script: *. checks for  HCL file to be present eache
>> minute *. checks that internet is available *. makes a gui request
>> to a user to fill required manual fields (model as the store names
>> it, user name(optional), and so on) *. once confirned - sends HCL
>> file to specially assigned emaili at qubes.org
>
> What we are need from the user is his/her actual experience. All the
> info collected by the hcl script are just pure hardware data. Without
> user experience it is useless.
Some data are 'pure hardware data' but very important (i.e. some sort of
restrictions) are possible only w/ specific CPU features - I'd never buy or
recommend  a laptop that is able to run Qubes but has no  full support for
 all Qubes features.  Having a tool to get this information right at the seller
 store should be nice .

>> Qubes web: *. A sctipt on qubes.org updates some HCL html in
>> predefined format
> Here is the current workflow as i did it before:
> https://groups.google.com/d/msg/qubes-users/RagFsGlhPTY/HXyRCQOUBQAJ
>
> See that old thread for more ideas about a better HCL reporting.
Thank you, 'll look.

Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MWwFuZ7xj2Q%3DnjomKwiHCPiq41jv5M%3DkWMha9aU_yp0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
 wrote:
>> I have a bank vm, how do you restrict the browser from being able to go else
>> where? Do you add the iprules in the vm or do you create a proxyvm and add
>> the iprules there?
>>
>> I've tried both, and created an email vm with iprules "deny everything
>> except"
>>
>> But then neither vm(s) will connect.
>>
>> Is there a proper way to do this?
>>
>> Or will I have to do the tinyproxy thing I've read elsewhere ?
> I've tried both solution some time ago and definitly the tinyproxy solution
> works much better and can handle nicely dns round robin or servers behind
> load balancers. By the way this solution offer an other nice possibility,
> you can use regular expressions and for example allow .*\.mycompany\.com$ on
> the conter-part, you will have to trust the dns resolution.
Look also for modules like 'request policy' and 'no script'  or
'policeman' that implements nice GUI allowing both types in a single
place.

Request policy + 'ask for reload permission' should be enough to
control in a single VM for a few banks in single place.
Not that secure as proxying and denying in some other VM, but easy +
GUI controls + require some configuration work at start.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MEURHmQ38Nc6rY4XpuNEWSknSUdJOCoVUCRV9sQ%2Bq4Tg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] HCL Suggestions?

[Oleg Artemiev]

On Sun, Feb 5, 2017 at 3:39 PM, Andrew David Wong  wrote:
> On 2017-02-04 15:10, Oleg Artemiev wrote:
>>> This is a good time to mention that we're in need of an HCL
>>> maintainer. Our longtime volunteer HCL maintainer, Zrubi, no
>>> longer has the time to do it. We all owe Zrubi a debt of
>>> gratitude for keeping up this thankless task for so long! :)
>>> Any volunteers?
>> Why not to just script-out this once and forget?
>>
>> source information: email from someone, output information -> some
>> file to put on the web?
> Some stuff still had to be edited manually, but it could indeed be
> automated better. Can you help us with that? :D
I'm interested in helping automate this. Though can't claim that it
will be fast.

Could you, please, point me into what is already automated (repo +
path) and related brief dox on how
execution is done currently (if any)?

My idea how it should look like:

a special qubes image:

*. preinstalled on some usb stick
*. has only a preconfigured VMs: netVM, firefwallVM, user interface is
not required.

Dom0 has a script in startup scripts that:
*. runs HCL
*. updates HCL file: old data copied somewhere inside dom0 for user reference
*. copies file to net VM,

VM has a script:
*. checks for  HCL file to be present eache minute
*. checks that internet is available
*. makes a gui request to a user to fill required manual fields (model
as the store names it, user name(optional), and so on)
*. once confirned - sends HCL file to specially assigned emaili at qubes.org

Qubes web:
*. A sctipt on qubes.org updates some HCL html in predefined format

PS: I would prefer just a  single HCL usb stick run, that boots, asks
user for input  'seller named model as' and mail result automatically
(now or later if at runtime we had no internet) -
no user interface except this, GUI is optional, all Dom0/VM made in a
single place in modified Dom0, but that is against architecture and
making such an image may require much more
work than scripting this as a chain of small scripts + preconfigured
VMs. BTW: I'd like such an thing also for old versions of Qubes OS -
sooner or later we will face usual store that some
hardware is okay w/ old Qubes but too slow with new.
Alternatively we could have a special preconfigured VM image that does
all VM part above, but require user filling HCL to activate manually.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OFbEzXnqpUOVXJx%2B%3DhCJwhy27KG6Z6tP%2BQyohfT4S4Lg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] offtopic: need recommendations for relatively secure linux distro for netbook

[Oleg Artemiev]

Hello.

This is definitely an offtopic for this mailing list, but since a lot
of people concerned on security here - I ask for recomendations.

Since this is offtopic - please prefer direct email answers.

I've two old netbooks (those slow laptops that were popular years ago)  and need
to organize relatively secure setup for person to person
communications between these two over internet. What is the most
secure solution for that old slow processing units currently?

Whishlist:

Distribution:

required:
1) linux based
2) plasible deniability
3) luks encription support
4) minimal GUI
5) boot from external usb media shouldn't be a problem
6) good security history and concerned on security

optional:
7) i2p & tor ready out of the box
8) not a Linux from scratch based (not gentoo or similar)

Security tools:

9) usb bootable solution for "check hash and answer: disk and BIOS
readable areas did not change since last boot" even if that is damn
slow.

10) your advise :)

Is there any chances to organize any sort of protection from cold boot
attacks or only real life "keep that computing box out of anyone by
phisically locking access to the unit"?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MwSZ1XFWAcu0dtHdpvx-OL2iC61dhm6FoQDwaZFimZYQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes regularry attaches and detaches usb card reader

[Oleg Artemiev]

Currently I've all usb controllers attached to Dom0.

Subj:

Is there any process that should do it usually in Dom0?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OQtMrKsP7Gh7T3AT8e8YUJ%2B5%3DY8qd0ecoOsRe733rzyQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Two ways of "true" security.

[Oleg Artemiev]

Hi

On Sat, Feb 4, 2017 at 3:38 PM, Rusty Bird  wrote:
>> > I have successfully castrated ME firmware on 2 Haswell laptops so I'd go 
>> > for something more recent but well supported by Linux, reflash and put a 
>> > non-Intel network card for peace of mind.
>> Could you show the instructions and write here your chipset?
> He's probably referring to https://github.com/corna/me_cleaner
Thanks for link!

Is it possible to make unusable USB-JTAG bridge I've heared about in
modern computers w/ this utility?

I 'd be glad to get rid of intel independent chip abitilty to get
periferal  interface access w/o my pemission, especially network and
usb.

Interesting has anyone made such a surgery operation on asus n56vz w/o
bricking it?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Oy9_uPVp0XwEpeREe_2Oz4UiY-os0SwwXwEf%2BQOxjA4g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] shrink ntfs from qubes - what do use for this?

[Oleg Artemiev]

Last time I wanted such a thing I was using a tool like partition
magic (boot from toolset disk). It was a few years ago. Is there a
relatively safe way to shrink a win7 partition from linux w/o
destroyng already installed win7 or current linux tools for this are
known to be not stable enough?

Installing windows on my laptop is a long timewaste - once did it for
games and would like to avpoid it.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6NCaCM9yKPJS%2BLaJWWzVVFPtL8ig308p3ZX%3DjOfkGW07g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] symlinks in /va/lib/qubes for files

[Oleg Artemiev]

Hello.

I'm thinking about upgrading from 3.0 by reinstalling.

Subj?

 I remember I had some troubles w/ qubes utilities when had install
with many mount points under /var/lib/qubes and attempted to symlink
some dirs to another path in dom0. Sorry - more than 1.5 years ago -
don't remember exactly what was a problem - AFAIR I was interested in
moving file to difrent location and place a symlink to new
location..%)

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PZLN21h8DKMxYQ4n2oKthF8XAY-tNcFCg3KRBcaBxVvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] HCL Suggestions?

[Oleg Artemiev]

> This is a good time to mention that we're in need of an HCL
> maintainer. Our longtime volunteer HCL maintainer, Zrubi, no longer
> has the time to do it. We all owe Zrubi a debt of gratitude for
> keeping up this thankless task for so long! :)
>
> Any volunteers?
Why not to just script-out this once and forget?

source information: email from someone, output information -> some
file to put on the web?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6ORm1Evhkmm813vum-CzX320dASBD0LspU8N06tL0GVZA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] "Backup VMs" does not backup salt configuration

[Oleg Artemiev]

Hi.

On Wed, Feb 1, 2017 at 11:56 PM, john.david.r.smith
 wrote:
> On 01/02/17 21:30, qu...@posteo.de wrote:
>> I have now nearly a complete salt configuration for all my templates so I
>> do not need to backup them anymore and save a lot of space by this.
>>
>> So I have ran a backup including dom0 and realized that the salt
>> configuration ("/srv/salt") does not seem to be included because it is much
>> bigger than the MB listed for dom0.
>>
>> Is there a way to back it up right now with this method or do I manually
>> have to copy everything outside of dom0?
>>
>> Thx in advance
>>
>
> i put my files in ~/salt and symlinked them to /srv/salt
> then backups should work

Could you point to source for more information on your work?

Backups work slow (disk/network bottlenecks) & I'm also interested to
backup less.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Of_4KrpHRFSvcpLLd1sWPg6BKqjJiBsBuQvr8F1d2VBQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] user behavioral analytics

[Oleg Artemiev]

The only interface to this I can think of is running analysing
software inside a VM and export it to other VM via dom0 scripting.
Also you may mount VM drives inside Dom0 (security risk enen when
mounting r/o!) and monitor file system access w/ some software
designed for this. You also may mount a /proc and other statistical
virtual file systems from VM to Dom0 to some place and monitor it w/
something specially designed for this.

On Thu, Feb 2, 2017 at 12:40 PM, Zbigniew Łukasiak  wrote:
> Is it possible to control one VM form another one enough to do a User
> Behavioral Analysis (one that would include not just net usage but
> also data internal to the anlyzed vm)? I guess this should be possible
> - so further questions - is anyone working on this? Are there any
> plans for tools doing this?
>
> --
> Zbigniew Lukasiak
> http://brudnopis.blogspot.com/
> http://perlalchemy.blogspot.com/
>
> --
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/CAGL_UUshxg%2BscQh7ONEDpmRc3sF8_aO7ioaBVKUSM92f7NqTpA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6P1iVS2qz%2Ba34%2BOF-q9PpknukS4V%2BKHAOSDPe%2B9RFBBSQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] transparent encripting proxy w/ Qubes?

[Oleg Artemiev]

I've found recently discussion on a forum on trusts for javascript
code that is loaded from network and pretends to realize easy to use
encryption of mail.

Agreed that here you have to trust vendor of the code ultimately.

Question I keep since I'm using Qubes - is it possible anyway to have
no need in trust to vendor?

Intro, required to understand context:

Those old times when irc was the primary channel in our communication
within a team of a few geeks interested also in security one of us
made an encrypting proxy with dynamic key exchange.

>From outside this looks like this:
 1) there is an irc channel - a known place to meet and talk w/o encryption
 2) once two people need to use secure communication they agree on
this (usually opening then a  private 2 person chat separate window).
Each of two clicks a button . The software uses
an encrypting proxy model and takes dynamic key create/exchange +
encryption/decryption phase by encrypting/decrypting talk on the fly.

 The conversation if used on the public channel looks like a dump of
ascii armored encrypted file - just a flow of strings that a 3d party
cannot easily decrypt.

So it was a proxy for encryption and dynamic key exchange.

The basic idea is that only proxy has a clue about encryption and key
exchange.The client uses simple text protocol and all encryption is
seamless - you don't have to change the software itself.

Well, what if we try similar idea when organising secure
communications using 2 computers and diffrent VMS with two Qubes PCs?

The requirement is to have at least one VM in Qubes installed as
usually that never operates w/ unencrypted data after entering
"transparent encryption of data". Is it possible at all?

The main problem is that when we want to make seamless encryption via
proxy the protocol has to be easy separated to data and control
sequences.

I.e. we can connect as keyboard "a  resulting flow of encryption made
in other VM", but the software running inside such a VM will interpret
some of that input as a control sequence and, for example, react to
data like on a special key press. If I get as a proxy into another VM
- I've to read and answer on that VM also.

Any comments?


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6M-SgNJBq%2Byzr7w1cFqVnocC2hXn0qovYTogSq264eQdA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes as base for small team work?

[Oleg Artemiev]

I've a stalled business project that has been reincarnated to planning
state last month.

Previously we planned to use qubes as a base OS for our final product.
Though, after a 1.5 year of a project suspend, old target was
re-planned as a few-years-later as business ideas were
changed/reordered.

We're facing the question - is Qubes is ready enough for base of our
workflow inside our project in two roles 1) as a w/s 2) as a hosred
solution .

Release 3.0 is stable enough for role 1 (at least for me).

 - Has current release lost any entry in hardware compatibility list -
i.e. if Qubes OS has been working OK on my current PC - it shouldn't
make any problem to upgrade?
 - Is current version is stable enough from your user expirience?

Questions for role 2:

 - has anyone useed Qubes as an OS for hosted server for small project?
 - is remote management is ready or in progess or in long/short term
todo currently?
 - Do we need a comercial license for such activities?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O0B9aj5yA7TDHU-cDsiP3vxNd5XmV_Y6NZTB%3DiDthQvg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] cross operating system shortcuts in a VM?

[Oleg Artemiev]

 Is it possible to separate linux/wine/windows names w/ a postfix or prefix?

I've added notepad, executed and found that this is not native linux
app - wine configuratuion started.

Is separation of names in Qubes menu possible when app is executed via
Wine or someth. alike ?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OtG9z81aTYZLnw3gu1pmsNE1dzSeCOixTKMZuvv7F6JA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] secure payments w/ qubes via banking VM best practice?

[Oleg Artemiev]

Actually I've banking VM as recommended. I'm even lazy enough not to
rename it to avoid default configurations. )) I use it for all sort of
legal payments and so on.

I've used paypal account on banking VM to pass a paymant to some
service. The service redirects me to paypal . I copy url from personal
vm to banking vm, authorize paypal to pay. When I'm looking into
payment details I'm accidentally opening the receiver company url.

I'm not hidding currently, but this sort of click by occassion to a
link provided by a paymet detalisation is an addon to attack surface.

I can run one VM per bank or payment system. But that is annoying. Any
better ideas?

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OTpLBpQH33nG1cw_Mpxx3Omdh9evFuUo%2BbDTAVNr9EPQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Just realized one of the major disadvantages of Qubes OS...

[Oleg Artemiev]

what about using linux containers as vagrant provider or attempt to
use Xen same way? See thread 'Slow performance of Docker containers in
AppVMs' .

On Thu, Jan 26, 2017 at 7:05 AM, pixel fairy  wrote:
> On Wednesday, January 25, 2017 at 7:12:56 PM UTC-8, jkitt wrote:
>> On Tuesday, 24 January 2017 11:54:34 UTC, qmast...@gmail.com  wrote:
>>
>> > I was sad when installed VirtualBox, tried launching it and it said that 
>> > something like "not supported on Xen hosts"
>>
>> But why would you want to do that? You already have virtual machines at your 
>> disposal..
>
> for development purposes, you might want other kinds. for example, vagrant is 
> a big sticking point. its how we share and collaborate across platforms, so 
> if you want to work on those projects, you better be able to run its 
> vagrantfile. its also used as codified description of processes, sometimes 
> across machines. so you can have a vagrantfile for your a web project that 
> includes a vm for the back end database. more on that here, 
> https://www.vagrantup.com/
>
> another reason you might want it is nested virtualization for its own sake. 
> for example, developing hypervisor management software.
>
> for both cases, i just made a vagrant server to use remotely. but that has 
> obvious limitations.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/9d9aba2e-0e6e-4e77-b549-3d30c12ea788%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6N0r_O52aveoZt8KgF5k6RXSnY28EfKbKm%3DwWKk_nS6_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] fixed desktop numbers for VMs or at least fixed start desktop for a VM?

[Oleg Artemiev]

I'm lazy enough to still use old Qubes. Is it possible to assign fixed
start desktop (or range) for a VM in new Qubes? Ability to bind last
window position for next session start is also a good motivation to
upgrade. Qubrs VM manager may appear on diffrent desktop and this is
annoying.
It would be grate to be able to configure 20 virtual desktops and
assign their ranges to a specific VM.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6O79PrwsXw8F0UN%2BfW%2BzhMLnhHYdEOzuJjETLkZGB%3DkrA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.