[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-21 Thread 'Tom Zander' via qubes-users
On Wednesday, 21 February 2018 12:12:06 CET Wojtek Porczyk wrote:
>  This is bad UX.

This is frustrating, I spent too many emails making the point clear that 
this is an API level escape token. Not a user-visible one, and then you 
respond to the thread showing you still completely missed that.

So let me be blunt as this is likely the last email from me to qubes anyway;

Fact: Variables given to qrexec are going to be replaced with the actual 
relevant value.
For instance bash takes `ls *` and replaces the star with the actual values 
_before_ calling ls. Ls or any executable does not have to deal with things 
like star or dollar sign etc.

Your and Marek's complaints are that you need to escape the variables when you 
pass them on to the target VM handler.
If you are indeed doing that, you are doing it wrong and you can wait for 
the next security bulletin like the one we are discussing right now.

The point of a variable that is passed from a VM to the dom0 qrexec daemon 
is that your source VM doesn't have to know about who is $adminVM or what is 
the actually started dispVM's name.
QRexec daemon (in dom0) should do the variable replacement before the user 
request leaves qrexec-daemon running in dom0.
Just like bash does the replacement before it forwards the command-line.


Again, if you do not do the variable replacement there, but instead pass it 
through unvalidated and unrelated software, you are going to continue having 
security flaws.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3526761.85MCzvWFfn%40strawberry.
For more options, visit https://groups.google.com/d/optout.
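
The substitution step this message argues for, as an added sketch that is not Qubes code and not part of the original message: the policy layer turns the target field into a concrete qube name and refuses everything else, so the token text itself is never forwarded. `resolve_target`, `describe`, `NAME_RE`, the allowed name characters and the sample qube names are assumptions made for the illustration.

```python
import re

TOKEN_CHAR = "@"   # marker for special tokens ('@' replaced '$', per the thread)

# Assumption for this sketch: concrete qube names use only these characters,
# so a concrete name can never contain TOKEN_CHAR or a shell metacharacter.
NAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_.-]{0,30}\Z")


class PolicyError(Exception):
    """Raised when a request is refused before anything is forwarded."""


def resolve_target(raw, known_qubes, start_dispvm):
    """Turn the target field of a request into a concrete qube name.

    raw          -- bytes exactly as received from the source VM (untrusted)
    known_qubes  -- set of existing qube names (trusted, dom0's own state)
    start_dispvm -- callable that starts a DispVM and returns its real name
    """
    try:
        text = raw.decode("ascii")          # 7-bit only, no encoding guesses
    except UnicodeDecodeError:
        raise PolicyError("non-ASCII byte in target") from None

    if text.startswith(TOKEN_CHAR):
        # Tokens are resolved here, from a closed list, and nowhere else.
        if text == "@adminvm":
            name = "dom0"
        elif text == "@dispvm":
            name = start_dispvm()
        else:
            raise PolicyError(f"unknown token {text!r}")
    else:
        if not NAME_RE.match(text):
            raise PolicyError(f"malformed name {text!r}")
        if text not in known_qubes:
            raise PolicyError(f"no such qube {text!r}")
        name = text

    # Final gate: whatever leaves this function is a plain name, even if the
    # DispVM helper misbehaves. Downstream code never needs to escape it.
    if not NAME_RE.match(name):
        raise PolicyError("resolver produced a value that is not a name")
    return name


def describe(raw, known_qubes, start_dispvm):
    """Resolve one field and report the outcome as text (used by the demo)."""
    try:
        return resolve_target(raw, known_qubes, start_dispvm)
    except PolicyError as exc:
        return f"REFUSED ({exc})"


if __name__ == "__main__":
    qubes = {"dom0", "work", "sys-usb"}      # constructed sample state
    fake_dispvm = lambda: "Dispvm18431"      # stand-in for a real DispVM start
    for field in (b"@adminvm", b"@dispvm", b"work", b"@bogus",
                  b"$adminvm", b"\xffdispvm", b"nosuchvm"):
        print(field, "->", describe(field, qubes, fake_dispvm))
```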


[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 20 February 2018 19:41:19 CET Marek Marczykowski-Górecki wrote:
> > On the 'other' side of qrexec (on dom0) you have perfect control over
> > the situation and you also don't have any need for recoding or encodings
> > or anything like that. It still is just 8 bits data, not encoded.
> 
> And then, after policy evaluation, you pass that data to actual service
> to execute the operation (which may be in dom0 or another VM).

Yes, WITHOUT the escape character.

Remember, you escape the special names of VM names that dom0 will 
substitute. “$adminvm” doesn't end up being the string you offer to qubesd, 
the string “dom0” is.

Likewise; you don't start a service in Dispvm18431 and send it the text 
“$dispvm”.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 20 February 2018 16:54:36 CET Marek Marczykowski-Górecki wrote:
> > The thing you have to remember is that the escape character never needs
> > to be typed by the user.
> > In QRexec you are defining an API, applications like qvm-run are using
> > that API. What the user passes into qvm-run and what is actually sent
> > to dom0 does not have to be identical.
> 
> In theory yes, but this would introduce more complexity to this code
> (taking care where which encoding is used etc).

I read the code, there is no encoding.
You correctly used the POSIX Portable Character Set for text. So no need 
for encoding.
When you use the qrexec API you just send a struct with some arrays of bytes 
for VM names.
In your qrexec code you use an array of unsigned chars. Also, no encoding.

The point is that you use encodings only when you have **text** with 
characters > 127. Which you don't allow.

The problem you fear doesn't exist.

The reason is because when accepting user-input you use encodings.

When your app starts talking to qrexec/qubesd there is no longer any 
encoding. Just an 8-bit bytearray. The text has been standardized.

On the 'other' side of qrexec (on dom0) you have perfect control over the 
situation and you also don't have any need for recoding or encodings or 
anything like that. It still is just 8 bits data, not encoded.

> > I guess you do the translation currently as well; '$' turns into '@' in
> > your new code.
> > 
> > The consequence of this is that you don't have to limit yourself to the
> > posix list.
> > Using the portable characters set for a non-character simply isn't
> > needed.
> > 
> > So, knowing that your API is actually based on 8-bit characters and not
> > 7 bits which you are limiting yourself to, my suggestion is to take
> > something above 127 and below 256 as a special char.
> > Most fun one would be “ÿ” which is a normal character you can pass on a
> > shell script if you must, its actual byte-value is 0xFF
> 
> Until some helpful application (shell or else) will try to interpret it
> as UTF-8.

Ehm, how would “some helpful application” manage to get in your qrexec 
policy-framework? If you fear that you have bigger issues as they could 
replace anything with anything...

Anyway, to answer your fear.

No. UTF-8 doesn't allow 0xFF, it will just tell you the stream is broken. 
(see attached example file) Or, more likely, it will just switch off utf-8.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
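
How the byte 0xFF behaves under UTF-8 handling, as an added example that is not part of the original message: it enumerates the byte values that no valid UTF-8 encoding contains, then shows what strict and lenient decoders do to a field that starts with 0xFF. The function names and the sample field are constructed for the illustration.

```python
def bytes_absent_from_utf8():
    """Return the set of byte values that occur in no valid UTF-8 encoding.

    Exhaustive: encodes every Unicode scalar value (surrogates excluded,
    since they cannot be encoded) and records which bytes were produced.
    """
    seen = set()
    for start in range(0, 0x110000, 0x1000):
        chunk = "".join(chr(cp) for cp in range(start, start + 0x1000)
                        if not 0xD800 <= cp <= 0xDFFF)
        seen.update(chunk.encode("utf-8"))
    return set(range(256)) - seen


SENTINEL = 0xFF                                # marker byte proposed above
SAMPLE_FIELD = bytes([SENTINEL]) + b"dispvm"   # constructed sample field


def decode_outcomes(field):
    """Show what common decoding choices do to a field holding the marker."""
    out = {}
    try:
        out["strict"] = field.decode("utf-8")
    except UnicodeDecodeError as exc:
        out["strict"] = f"rejected at offset {exc.start}"
    # Lenient modes do not fail: they substitute or silently drop the byte.
    out["replace"] = field.decode("utf-8", errors="replace")
    out["ignore"] = field.decode("utf-8", errors="ignore")
    # Code that assumes Latin-1 and re-emits UTF-8 rewrites the marker
    # into two different bytes.
    out["latin-1 then utf-8"] = field.decode("latin-1").encode("utf-8")
    return out


def typed_in_utf8_terminal():
    """Bytes a UTF-8 terminal sends for the character U+00FF."""
    return "\u00ff".encode("utf-8")


if __name__ == "__main__":
    absent = bytes_absent_from_utf8()
    print("never in UTF-8:", " ".join(f"{b:02X}" for b in sorted(absent)))
    for mode, result in decode_outcomes(SAMPLE_FIELD).items():
        print(f"{mode:>20}: {result!r}")
    print("U+00FF typed in a UTF-8 terminal:", typed_in_utf8_terminal())
```

A field that carries such a marker has to be handled as bytes end to end; any lenient text decode on the path changes or drops it.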



[qubes-users] Re: [qubes-devel] Re: [qubes-announce] QSB #38: Qrexec policy bypass and possible information leak

2018-02-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 20 February 2018 14:04:03 CET Wojtek Porczyk wrote:
> On Tue, Feb 20, 2018 at 01:21:30PM +0100, 'Tom Zander' via qubes-devel wrote:
> > On Tuesday, 20 February 2018 01:49:37 CET Marek Marczykowski-Górecki wrote:
> > > We've decided to deprecate the '$' character from qrexec-related
> > > usage.
> > > Instead, to denote special tokens, we will use the '@' character,
> > > which we believe is less likely to be interpreted in a special way
> > > by the relevant software.
> > 
> > I would argue against the @ sign on account that it is a special
> > character in bash as well.
> > 
> > I don't immediately see a way to exploit it, but why risk it?
> 
> We absolutely need a special character that is not allowed in qube name to
> make the special tokens immediately obvious in policy. The process I used
> was to list available characters (POSIX Portable Character Set [1])
[]
> If I missed something, could you please point out? I know shell just good
> enough to know that it's not possible to know every shell quirk. :)

The thing you have to remember is that the escape character never needs to 
be typed by the user.
In QRexec you are defining an API, applications like qvm-run are using that 
API. What the user passes into qvm-run and what is actually sent to dom0 
does not have to be identical.
I guess you do the translation currently as well; '$' turns into '@' in your 
new code.

The consequence of this is that you don't have to limit yourself to the 
posix list.
Using the portable characters set for a non-character simply isn't needed.

So, knowing that your API is actually based on 8-bit characters and not 7 
bits which you are limiting yourself to, my suggestion is to take something 
above 127 and below 256 as a special char.
Most fun one would be “ÿ” which is a normal character you can pass on a 
shell script if you must, its actual byte-value is 0xFF

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes 4.0 backup vm to USB from dom0

2018-02-11 Thread 'Tom Zander' via qubes-users
On Saturday, 10 February 2018 09:05:51 CET Yuraeitha wrote:
> On Saturday, February 10, 2018 at 6:51:47 AM UTC+1, cybe...@national.shitposting.agency wrote:
> > I have a usb drive attached to sys-usb, let's say it's mounted at /mnt on
> > sys-usb and I'm trying to backup a vm named MyVm from dom0 the command:
> > 
> > sudo qvm-backup sys-usb:/mnt MyVm
> > 
> > returns the error:
> > 
> > The backup directory does not exist
> > 
> > How can I make a backup to USB when USB devices are not exposed to dom0?
> 
> and yes, this works for USB too. Just ensure the USB is mounted inside
> your AppVM, and then just throw the path to your USB which it is mounted
> on :-)

I just wanted to point out that the GUI backup app has exactly the same 
problem.
I tried to make a backup a couple of days ago. The GUI tool correctly 
notices I have a sys-usb and I used it to browse to the directory there to 
do the backup. All that worked fine.

Until I pressed the final button to start the backup, it just failed saying 
it could not find the directory...

I ended up giving up on doing a backup.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-02-07 Thread 'Tom Zander' via qubes-users
On Wednesday, 7 February 2018 08:17:11 CET Andrew David Wong wrote:
> Are you using the `-a` option?
> 
>   qvm-run -a  
> 
> This starts the VM if it's powered off, then runs the command in it.
> Working fine for me on 3.2.

As I wrote, qvm-start works fine, the VM is active and working.

You just can't actually “run” anything on it. The reason seems to be that 
there is some magic thing that starts when you log into xfce4, and only 
xfce4.
See the screenshot attached elsewhere in this thread of qubes manager dying 
on startup due to the same issue.

Tested on Rc4.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-06 Thread 'Tom Zander' via qubes-users
On Tuesday, 6 February 2018 11:32:07 CET 'awokd' via qubes-users wrote:
> I'm not getting past the first step of:
> 
> Verify you are cutting through the sys-net VM firewall by looking at its
> counters (column 2)

Yes, that sounds familiar.

The problem isn't limited to sys-net either, using netcat to listen on any 
port on any (fedora based) appvm I could not get anything to connect to 
those ports.
So, for instance, starting netcat on sys-firewall I could not connect to it 
from sys-net.
Similarly, listening on a random VM and connecting to it from sys-firewall 
failed too.
And I tried a lot of ways to convince the iptables to accept it...

I mostly used archlinux templates for appvms, which do not have the qubes 
networking packages and thus the iptables list is empty. [1]
Listening there and connecting from it worked fine.

Hope that helps.



1) Personally I would say that simpler is better, or least surprises is 
better. The current design where any appvm gets those complex firewall rules 
is a bug. Only VMs that expose their network (providing) should run it.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 04:34:35 CET Tim W wrote:
> People complain about doc being outdated..then fix them.

If someone can figure out how to port-forward in 4.0, please do update the 
docs. I never managed to get that working.

The firewall page can also be a bit more detailed as-is, it assumes people 
already know the actual setup of the qubes firewall ruleset. I don't, that's 
why I went to that page.

> Tom has built a Qubes Controller (manager) based on the 4.0 code and went
> so far as to add in library package so other coding can be used to build.
>  He has been super open to adding functions based on comments.   If
> another person or two could help him with coding now that it's not needed
> to just be python it could become the de facto Qubes GUI to manage the
> qubes system.  That would take it off the plate of the core system devs. 
> I plan to use his controller and if the QM does not work well I will stay
> with his controller.

Thanks for the kind words, I too would like to see it become the default.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 08:00:35 CET 'awokd' via qubes-users wrote:
> Why are you complaining about bugs when running a ".0rc" version? They're
> to be expected; if not the point of release candidates.

Actually...

https://en.wikipedia.org/wiki/Software_release_life_cycle#Release_candidate

Release candidates are, like the word describes, not made unless the 
developers are thinking that it's ready to release but needs more real-world 
testing to make sure.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Sunday, 4 February 2018 21:00:55 CET 'awokd' via qubes-users wrote:
> Working on it (where other contributors haven't already)! Am about halfway
> through now.

Sweet!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes 4.0 / Qubes in general

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 12:21:51 CET Tim W wrote:
> I am currently going thru all the setup script qubes build template
> options to find what templates compile correctly and what ones have bugs.
>  After that I am happy to write up a markdown page for how to compile and
> install the Qubes Controller and use it.  That can then be submitted to
> be added to the  Qubes 4.0 Docs.

Awesome!

You should be able to get a lot of details from this;
https://github.com/QubesController/qubes-api-cpp-lib/blob/master/Install.md

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-05 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 02:33:02 CET Unman wrote:
> You are, of
> course, free to rewrite Qubes and its components in a language you're
> comfortable with.

Don't be so dramatic, I'm not suggesting any such thing.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-04 Thread 'Tom Zander' via qubes-users
On Monday, 5 February 2018 00:55:34 CET Unman wrote:
> On Sun, Feb 04, 2018 at 08:14:57PM +0100, 'Tom Zander' via qubes-users wrote:
> > * Having nothing but python APIs for your operating system is something
> > that makes no sense. Python was never meant for servers, or even big
> > applications. Finding a full-stack python developer is more rare than
> > finding a Bitcoin C++ developer.
> 
> I'm not sure how much of this is just trolling.

It is not trolling.

> You obviously don't mean uses like Google, DropBox, YouTube, Reddit etc.
> Perhaps you don't know about Eve Online? Mercurial? Blender?

Absolutely none of these use python for anywhere near the same percentage of 
components as Qubes does.
Google is a good example, for instance they shipped proto-buffers. Which 
have bindings in a long list of languages (20 or so).

Check wikipedia for those examples, reality is much more sobering than you 
think.

> There are exceptional developers working in many companies -Google,
> NASA, Astra Zeneca, to name a few, all using python. The fact that
> you aren't comfortable with it is fine, but not a reason to reject it.

That's moving the goalpost. Naturally there are many experienced python 
developers.

Let me re-state the point for your benefit;

Having nothing but python bindings and having practically all your 
components written in python is without a doubt very realistically limiting 
the amount of people you can get hacking on Qubes. Add on top of that the 
content matter, which is highly complex and in many cases includes 
networking or cross-VM communication or hard-core linux components and you 
limit the amount of people even more, to the extent I mentioned above.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Qubes Manager / Qubes 4.0 R3 ?

2018-02-04 Thread 'Tom Zander' via qubes-users
On Sunday, 4 February 2018 18:10:44 CET Yuraeitha wrote:
> Also it's been explicitly said that no Qubes 4 existing features will be
> added to the new-old Qube Manager. Which might also hint towards no
> changes coming to Qube Manager. If anything, it has to be re-made almost
> entirely to work well with Qubes 4+, and currently no one is doing that.

The Qubes Manager is written to Qt4, which is equally outdated as the 
backends of Qubes it used (3.x).

I started a project using Qubes4-api and Qt5 APIs, though. See Ps at the 
bottom of the mail.

[start rant]

The biggest issue I ran into is that Qubes4 is just too immature to actually 
use for more than browsing and email. It was too painful for my desktop 
full-time work machine.
I tried for 2 months, my significant other stated that I had been 
extraordinary patient with Qubes when I finally stopped using it ;)

My problems are widespread;
* the admin-api is very immature and poorly implemented. Getting a stack-
trace in the server logs and no answer is just unacceptable. Unit tests, 
anyone?
* system-tray is hopelessly broken. Losing apps because they don't show in 
the system-tray up when you close them was fun!
* The design of qubes-daemon is too fragile, it starts/stops VMs and 
patiently waits and hopes everything will work. I expected a much more 
'hands-on' approach (at least for Linux kernels) with much more reporting. I 
also lost data because apps aren't being quit, they are being killed on VM 
shutdown.
* Why do I see 'lock'-icons for most of my windows in the task-bar?
* the documentation is very out-of-date.
* I don't know how, it may be fedora packaging, it may be qubes packaging or 
configs, but the amount of KDE (apps running in dom0) crashes I had in the 2 
months of using Qubes is greater than the amount I had in the previous 5 
years. This boggles the mind...
* The graphics pipeline is hopelessly outdated. It's about a decade behind 
the industry.
* Poor quality of many tools, the icon-copier copying the 22px icon from a 
VM instead of the 256 one that was also there is just... sad.
* The amount of services, bash-scripts, config files, duplicated data in 
qubes and then again in the system is a horrible, under-documented mess.
* rexecd validation being implemented using bash is a joke (mostly felt 
because it's extremely slow)
* total lack of mature end-user-focused tools. Swear to God. There are zero 
today.
* Having nothing but python APIs for your operating system is something that 
makes no sense. Python was never meant for servers, or even big 
applications. Finding a full-stack python developer is more rare than 
finding a Bitcoin C++ developer.

end-rant.

Qubes is an amazing idea, has some fantastic and genius concepts in it.
I hope many of those things will get fixed, although the list has grown so 
long that I'm not sure it can without being forked.

ps. https://github.com/QubesController is the place where I wrote an already 
pretty decent "Qubes Controller" using the new APIs.
I'm open to adding anyone to the approved committers list that wants to work 
on it.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 11:19:18 CET 'Tom Zander' via qubes-users wrote:
> There were a bunch more updates in the repo 4.0 current-testing this
> morning which I applied and I rebooted, but no change.
> Still no icons in my systray, still not able to start any apps on any VMs.

Oh, I focused into the issue.

I logged into xfce for 2 seconds and the Qubes app showed up.
Then logging out and logging back into KDE and stuff still works.

If you don't log into xfce you get the attached error from qubes-manager.

Maybe someone made a mistake and used an xfce specific thing?
I'm a bit worried that the system can become so broken.
That thing that logging into xfce started should likely be auto-triggered 
and happen, not on login, but on need.


Still really looking forward to Qubes getting more stable...
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 01:05:39 CET 'Tom Zander' via qubes-users 
wrote:
> I can start a VM using qvm-start, but when I use qvm-run nothing happens,
> it hangs forever. Even commands that don't need a X server.
> For any qube of the various OSs I run.
> 
> The Qubes icons also no longer show in my system-tray.
> I can still update dom0 via yum, though. That's a relief.
> Is this a known issue? Can I expect a fix soon?

There were a bunch more updates in the repo 4.0 current-testing this morning 
which I applied and I rebooted, but no change.
Still no icons in my systray, still not able to start any apps on any VMs.

Does anyone know if it's possible to tell qubes-dom0-update to go back to the 
stable version (4.0 current instead of testing)?



I tried switching one of my VMs back to the previous kernel.  No change.
guid log states;
```
Icon size: 128x128
libvchan_is_eof
Icon size: 128x128
domain dead
Failed to connect to gui-agent
```

pacat logs look ok, but nothing shows up in my dom0 mixer app

vchan log has repeated series of;
```
vchan closed
reconnecting
vchan closed
```

qrexec (after a while) has this log
```
Unable to connect to X server
Unable to connect to X server
eintr
```

I'll switch to my old ArchLinux OS, until Qubes gets more stable.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] after update no VM 'starts' apps anymore.

2018-01-30 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 02:51:06 CET 'awokd' via qubes-users wrote:
> Enable Debug mode?

I always wondered what this was, anyone know what effect it has to set this 
to true?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] connect to other VMs in qubes by using vm name

2018-01-29 Thread 'Tom Zander' via qubes-users
On Saturday, 27 January 2018 15:45:27 CET Yoganandam Marava wrote:
> by adding forward rules at sysfirewall we can ping each other VM through
> ip address but not using VM name. Is this some thing possible with Qubes
> 4? I am naive in networking.please suggest if there is a way?

Each VM has a static IP address that won't change.
What you could do is add a line to your /etc/hosts for each VM to match its 
name to the IP.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] after update no VM 'starts' apps anymore.

2018-01-29 Thread 'Tom Zander' via qubes-users
Is this a known issue?

I can start a VM using qvm-start, but when I use qvm-run nothing happens, it 
hangs forever. Even commands that don't need a X server.
For any qube of the various OSs I run.

The Qubes icons also no longer show in my system-tray.
I can still update dom0 via yum, though. That's a relief.
Is this a known issue? Can I expect a fix soon?


If not, are there any log files anywhere I can look at?
The only relevant part I found was in qrexec.Work.log some lines saying 
"Unable to connect to X server".
Trial and error shows this is due to some timeout, as it only appears after 
a substantial amount of seconds.


Would be really happy to get my system properly working again as this is my 
work workstation :(


Some related questions;

what is 'anaconda' ? I thought it was the installer, but if it is then why 
is it running on dom0?

Is there any way to connect to the VM and get a tty? Think serial-line 
fallback.

Is it known that grub's advanced menu doesn't get updated when new kernels 
are installed?

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: qubes 3.2: qubes-vm-manager not consistent

2018-01-29 Thread 'Tom Zander' via qubes-users
On Tuesday, 30 January 2018 00:19:58 CET ludwig jaffe wrote:
> Ok I found the file, backed it up and want to edit it.
> Do you know an xml editor with folding to edit this with more comfort,
> as there is no  in the xml, just spaghetti.
> A vim for xml with folding or something like that with curses text gui
> would be best.

$ xmllint --format in.xml > out.xml
$ vim out.xml
:set foldmethod=syntax

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Newbie question on KDE configuration

2018-01-28 Thread 'Tom Zander' via qubes-users
On Saturday, 27 January 2018 18:14:23 CET billol...@gmail.com wrote:
> First, while KDE seems to be working well, I noticed that I can't download
> and install new themes, widgets, etc. through the KDE GUI.  It can't
> connect to the KDE server.  I'm assuming that this is because dom0
> doesn't actually have a network connection (which I think I read
> somewhere).  It's not the end of the world for me to download the stuff
> from kde.org and install it from file, but it's more convenient to use
> the gui interface.  What I need to know is if it is possible or should I
> move on and just do it by hand.

The AdminVM (dom0) indeed has no network, the reason for this is that it is 
the one completely trusted place.
I would advise against installing anything you downloaded from KDE directly, 
as that basically works around all the security you get by running qubes in 
the first place.
 
> Second, I really liked that convention in the default window manager for
> having a different color for the title bar for each domain.  That got
> lost when I moved to KDE, though the domain is still *listed* in the
> title bar.  I know how to set colors in kwin on an application by
> application basis, but I don't know how to do it on a domain basis.  Is
> there a mechanism for that in KDE?

This got readded in a recent update in the 'testing' repo, but only on the 
default window-manager decorations called Breeze.

So make sure you are up-to-date and make sure you are using Breeze.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0 Documentation

2018-01-27 Thread 'Tom Zander' via qubes-users
On Thursday, 25 January 2018 19:28:58 CET 'awokd' via qubes-users wrote:
> Resuming working my way through splitting up the documentation now that
> the 3.2 vs. 3.3 question has been mostly settled. Some general questions:

Awesome!

I was thinking about the qubes docs when I saw a wiki that had a banner for 
articles (or sections) that were known to be "disputed".

I was wondering if it might be useful to have such a concept on the doc 
pages, it may invite people to actually add their knowledge.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] blanking screen with dpms off induces locking - how to disable?

2018-01-24 Thread 'Tom Zander' via qubes-users
On Monday, 22 January 2018 15:56:06 CET 'Guillaume Bertin' via qubes-users 
wrote:
> My ideal configuration for my standalone home computer would be "dpms
> after 10 minutes" and "lock after 120 minutes".

I'm not sure if this is the kind of answer you are looking for;

xscreensaver is a really really old application and there are plenty of 
better ones, some likely do have the kind of features you and awod are 
looking for.

I personally use kde which does this all.
It has a "lock automatically (x min)" separate from
"require password after locking (x seconds)"
and "dim screen", "turn off screen" etc are all separately configurable.

And, yes, on Q4 I run kde in dom0.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.4 custom install

2018-01-23 Thread 'Tom Zander' via qubes-users
On Tuesday, 23 January 2018 03:32:12 CET 'Xaver' via qubes-users wrote:
> I'm going to be switching over to Qubes 4.4 from 3.2 once its released and
> I have 2 questions about custom installation using thin pools.
> 
> 1) First question is about creating a Swap partition. Would I create Swap
> as a thin pool?

I tested thin pools and they are immensely slow.
Like 20 minutes to copy 4GB between two thin-pools slow.

This is fine for more simple usages, this is deadly for swap. (or in my case 
holding the bitcoin cash blockchain sized 150GB).
I ended up using native partitions instead. But then, I only store data 
there that is already public and don't encrypt it.

I'm personally a strong believer of not using swap at all.

> Or a standard logical volume without thin provisioning
> 
> sudo lvcreate -L 4G -n swap qubes_dom0

I didn't try this. I suggest creating a simple filesystem on it and copying 
maybe 10GB of data onto it to see how fast it is.

> 2) Second question is about registering the thin pools. Do I do this
> during installation right after I create the thin pool? Or is registering
> the thin pool done after first boot?
> 
> qvm-pool --add pool_name lvm_thin -o volume_group=vg_name,thin_pool=thin_pool_name

qvm-pool is simply creating some data in a database and it doesn't really 
touch disk much. Don't expect many error messages from it.
So the proper answer is; you need to create the qvm-pool before you do a 
'qvm-create'.

Related;
https://github.com/QubesOS/qubes-issues/issues/3438
and 
https://groups.google.com/d/msgid/qubes-users/2932962.V7N4gufabA%40cherry

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: XFCE Settings menu gone

2018-01-21 Thread 'Tom Zander' via qubes-users
On Saturday, 20 January 2018 23:25:55 CET Unman wrote:
> You are probably missing the desktop files from /usr/share/applications
> You can copy the files from out of a Fedora based qube if you have one.

Ohh, smart, I didn't think about that.

I did this to get the majority of them back;
```
cd
qvm-run -p sys-net 'tar cf - /usr/share/applications' | tar xvf -
qvm-run -p sys-net 'tar cf - /usr/share/app-info/icons/fedora/' | tar xvf -
```

and then you can copy or move the files from $HOME/usr/share/
into the system dir.
I'll add the suggestion to double check they do what they are supposed to be 
doing (check the Exec line).

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
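
The Exec-line check suggested in the message above, as an added example that is not part of the original post: a POSIX shell audit of `.desktop` files staged under a directory before they are moved into the system dir. The function names, the OK/MISSING/REVIEW labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Exec= lines of .desktop files staged under a directory
# (for instance $HOME/usr/share/applications) before moving them into the
# system directory. Labels and sample data are constructed for illustration.

# classify_exec VALUE: print OK, MISSING or REVIEW for one Exec= value.
classify_exec() {
    exec_value=$1
    # Shell metacharacters mean the entry does more than start one program.
    case $exec_value in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*)
            echo REVIEW; return ;;
    esac
    # The program is the first word; it may be double-quoted.
    case $exec_value in
        '"'*) prog=${exec_value#'"'}; prog=${prog%%'"'*} ;;
        *)    prog=${exec_value%% *} ;;
    esac
    # An interpreter as the program hides what really runs: read it by hand.
    case ${prog##*/} in
        sh|bash|dash|zsh|env|python*|perl|ruby)
            echo REVIEW; return ;;
    esac
    # Otherwise the program must exist on this system to be useful at all.
    if command -v "$prog" >/dev/null 2>&1; then echo OK; else echo MISSING; fi
}

# audit_desktop_dir DIR: one "STATUS<TAB>file<TAB>Exec value" line per Exec= key.
audit_desktop_dir() {
    find "$1" -type f -name '*.desktop' | sort | while IFS= read -r file; do
        # A file can carry several Exec= keys (desktop actions); check each.
        grep '^Exec=' "$file" | while IFS= read -r line; do
            value=${line#Exec=}
            printf '%s\t%s\t%s\n' "$(classify_exec "$value")" "$file" "$value"
        done
    done
}

# Constructed sample input, so the script runs offline.
sample=$(mktemp -d)
cat > "$sample/files.desktop" <<'EOF'
[Desktop Entry]
Name=List files
Exec=ls %U
EOF
cat > "$sample/gone.desktop" <<'EOF'
[Desktop Entry]
Name=Not installed here
Exec=no-such-program-xyz --flag
EOF
cat > "$sample/wrapped.desktop" <<'EOF'
[Desktop Entry]
Name=Wrapped in a shell
Exec=sh -c "true; true"
EOF
audit_desktop_dir "$sample"
rm -rf "$sample"
```

Entries marked REVIEW or MISSING are the ones to read by hand before copying them out of `$HOME/usr/share/`.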




Re: [qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager

2018-01-20 Thread 'Tom Zander' via qubes-users
On Saturday, 20 January 2018 20:03:31 CET Davidson wrote:
> Hey, thanks again for your work, much appreciated.
> 
> Another thought just occurred to me, a collapsible tree like option. I
> have like "work" VMs (one for libre office stuff, another for email,
> another for vid confer) and for general communications (one for IRC,
> another for Signal, another for personal email) and anon stuff (crypto
> wallets, email via tor, browser, etc), the list I have is really quite
> long and I find myself sorting/re-sorting naming etc. I use tree-style
> addon in firefox which has the fantastic option to let you stack tabs
> among other things, considering that and how I have my file manager
> setup to show a tree of the folders I have it would really be quite
> handy to organize VMs into a collapsible tree.

As my list of VMs is growing, this speaks to me.
I really like this idea.

Thanks for sharing it!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] GPU?

2018-01-20 Thread 'Tom Zander' via qubes-users
On Saturday, 20 January 2018 10:40:36 CET Foppe de Haan wrote:
> Since I am unable to estimate the security aspects of any given approach,
> and you do, have you seen this approach?
> https://forum.level1techs.com/t/looking-glass-guides-help-and-support/122387

That looks exactly like the approach my (very naive) proposal was thinking 
of; but these guys actually seem to know their GL and went ahead
and did it :)

Their proof-of-concept showing that the result is *faster* (much less 
bandwidth) than the Qubes approach is very exciting.

Thanks for the link!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] No network (HELP)

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 16:38:54 CET Marek Marczykowski-Górecki wrote:
> Specifically qmemman was broken in qubes-core-dom0 in 4.0.16 and 4.0.17.

Can confirm it works much better in 4.0.18 than it ever did before :)

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] No network (HELP)

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 11:48:56 CET aaq via qubes-users wrote:
> What can I do 

Could this have something to do with the broken qmemman?

Try turning off memory-management and give the sys-net an initial amount of 
something like 800MB.

Also check if xentop has anything weird in the first line with memory usage.

Good luck!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Moving dom0 screenshots immediately to VMs

2018-01-19 Thread 'Tom Zander' via qubes-users
On Friday, 19 January 2018 12:48:27 CET wordswithn...@gmail.com wrote:
> Qubes already has built-in the capability to screenshot the entire desktop
> (Printscreen)  or the current window (Ctrl+Printscreen).

Yes, it does.

But this is not something you should use and then send to a VM because that 
VM then suddenly gets knowledge about all the other windows on screen that 
may be from another VM.

Imagine having your Vault VM window open with all your passwords and then 
you auto-upload a screenshot of that into a compromised VM which then causes 
the screenshot to be uploaded to a server.

I'm not aware of any way to avoid this data-leakage using the screenshot 
application in dom0.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] GPU?

2018-01-18 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 08:12:24 CET r...@tuta.io wrote:
> Is qubes able to use the computing power of the gpu or is the type of gpu
> installed a waste in this issue?

Relevant here is an email I wrote recently;
https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

The context is a GSoC proposal to modernize the painting 
pipeline of Qubes.

Today GL using software uses [llvmpipe] to compile and render GL inside of 
a Qube, completely in software and then push the 2d image to dom0.
This indeed wastes the GPU.


[llvmpipe]: 
https://groups.google.com/forum/#!msg/qubes-devel/40ImS390sAw/Z7M0E8RiAQAJ

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Graphic Tablet Compatibility (basic features)

2018-01-16 Thread 'Tom Zander' via qubes-users
I think I know why you get that error.

Any part of the kernel (and drivers are part of the kernel) is off-limits to 
change for any Qube VM.

To avoid loading a module you don't have to remove it, you can just blacklist a 
module.
Your distro may have a specific way of doing it, but a little googling showed 
me this and that looks about right to me;

https://linux-audit.com/kernel-hardening-disable-and-blacklist-linux-modules/


On Tuesday, 16 January 2018 14:28:41 CET Fabrizio Romano Genovese wrote:
> when I tried to remove
> /lib/modules/4.9.56-21.pvops.qubes.x86_64/kernel/drivers/input/tablet/wacom_serial4.ko
> 
> I get the error
> 
> rm: cannot remove
> '/lib/modules/4.9.56-21.pvops.qubes.x86_64/kernel/drivers/input/tablet/wacom_serial4.ko': Read-only file system


-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] template vm private.img file weighs (size) 171.8 MB, not 3 GB, can you save data?

2018-01-14 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 15:02:48 GMT jerr...@disroot.org wrote:
> can you somehow save the data? is it a corrupt file? when i put this file
> in the template folder in /var/lib/qubes, the data is not there.

'private.img' is the contents of /home and /rw

you may be looking for 'root.img' if you are talking about a template.

Not sure if this command is available on 3.2, but qvm-volume is useful too.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] how to reinstall template? (i think it's not enabled by repo)

2018-01-14 Thread 'Tom Zander' via qubes-users
On Sunday, 14 January 2018 03:07:09 GMT jerr...@disroot.org wrote:
> the template is whonix-ws
> when running command
> sudo qubes-dom0-update --action=reinstall qubes-template-package-name

This is quite broken in 4.0 and you have to be a bit clever to work around 
this; here are some tips.

Reinstall doesn't work, you should delete and install instead.
But this is still quite tricky :)

So, first you want to do a 
  sudo yum remove qubes-template-NAME
The tricky part is that the RPM also calls 'qvm-remove' and refuses to 
continue when that fails.
If you hit that case where you already deleted your VM, all you need to do 
is call 'qvm-create' with the name it expects and just make it follow the 
standard template etc.
The goal is to have an empty VM, just to allow the qvm-remove that yum calls 
to pass.

You should be able to do a simple 'qubes-dom0-update' to install the whonix 
template after this which probably includes downloading it.

Good luck!

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-12 Thread 'Tom Zander' via qubes-users
On Friday, 12 January 2018 13:09:35 GMT Holger Levsen wrote:
> I'm not so sure, why not use git branches?

That has my preference still, but I'm ok for any workable solution.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-12 Thread 'Tom Zander' via qubes-users
On Friday, 12 January 2018 11:18:19 GMT 'awokd' via qubes-users wrote:
> Would it be of value if I went through the published Docs and added these
> version headers? Should newer versions be added at the top (so 4.0 before
> 3.2 content)? 4.0 might just be "TBD".

I think that would be wonderful,

my main issue is with the not knowing if the current docs are actually 
applicable still.
If someone could do as much as flag known out of date content as 3.2 only, 
this would be a huge help.

The problem of knowing / identifying what isn't actually applicable anymore 
is the main one that I think is causing pain right now.

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 18:16:04 GMT Unman wrote:
> On the VPN case your own comment confirms that it would be better to
> provide a separate section, rather than trying to put "exceptions" in to
> the existing text.

Thank you for explaining that unman, much clearer indeed.

While I agree on the general statement above, I feel it's not the best 
solution in this case where 4.0 has massive changes in all layers of the 
technology.
In many cases about half of the text will be duplicated between the 3.2 
and the 4.x sections, albeit with major changes.
This will not help the reader much.
More importantly, I fear that the new users (potential contributors) that 
have not used 3.2 will have a hard time deciding what to do with information 
that clearly doesn't represent the current state of technology.

Asking people to put a lot of effort into reformatting documentation that 
may or may not actually be useful to anyone using an older version is a big 
ask in a volunteer project.

I personally prefer the solution where a git repo is cloned for 3.2 as 
"legacy" which is then attached to the website under a subdirectory and 
people can edit that for maintenance and fixes.
  http://qubes-os.org/doc/3/ 
or somesuch.

The majority of changes would then be in the 'master' branch which people 
can edit and they can add references to the github issues concerning known 
bugs. We can mark known issues with the pages like the VPN one I described 
and people reading the docs will actually be aware of pitfalls.

In my opinion there is only one thing worse than no documentation, it is 
official looking documentation that is wrong.

> Also, that once 3.0 is retired, it will be simple to remove the 3.0
> relevant material, rather than filleting out bits from each page.

This would be even better, if qubes ever wants to they can just remove the 
subrepository.


What do others think?
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: memory management in dom0 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 14:07:57 GMT Vít Šesták wrote:
> For your case, I have few questions:
> 
> * What's dom0 swap usage? Qmemman includes this amount in memory
> requirements. 

My dom0 has no swap, I didn't disable it, it just never had any.
I guess that's because in the installer I didn't assign any swap partition.

> * Where does your “1.3 GB is in use” claim come from?

 Top :)
The "in use" is what top claims. Add the "buff/cache" amount (1MB) to it and 
the "free" amount (1.6MB) and I do get to the total reported in both top and 
xentop.

> * How much of memory does the AppVM use? 

I looked at it at the time I got repeated crashes, it had some 800MB 
assigned to it.

> What is the memory limit for the
> AppVM? See VM settings » Advanced » Initial memory.
The settings are 1GB initial and 4GB max.

I "solved" it by closing some VMs and my chromium got more space assigned.

-

The qmemman has some more room for growth.
For instance I have one "Work" VM where I compile C++ code. I assigned it 
16GB of memory and then qmemman came and only gave me 2GB.
I start a compile (8 cores times 0.6GB of mem used) and maybe 10 seconds 
later I get out-of-memory issues.
To my annoyance xentop shows me that there is still >10 GB free, 
unallocated. For some reason it just doesn't seem to allow growth of memory 
fast enough, regardless of my settings.
I "solved" that by turning off memory management for that VM and just 
setting it to 12GB always :(

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] memory management in dom0 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
I understand that there is a memory-manager to balance the memory between VM 
spaces.
Does anyone know if dom0 is being managed this way?

Currently there is 4GB assigned to dom0, of which 1.3 GB is in use.
At the same time I have chromium getting out-of-memory errors in an AppVM.
I'd like to actually use that 2½GB that dom0 now claims but doesn't use, 
anyone got ideas how?

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Upgrading directly from Fedora 23 to 26 ?

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 06:39:02 GMT brutellealexan...@gmail.com wrote:
> I don't seem to be able to download the 26 template either... It says all
> mirrors have been used and it fails.

This is definitely the direction you want to go, download the template from 
dom0 using
sudo qubes-dom0-update qubes-template-fedora-26

After it has installed the new template, you should start a terminal in it and 
run the following inside of that template;
   sudo yum upgrade --best --allowerasing


more info;
https://www.qubes-os.org/news/2018/01/06/fedora-26-upgrade/

If that fails, please specify what you did and how it failed, this avoids 
guessing on our side :)

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0-rc3

2018-01-11 Thread 'Tom Zander' via qubes-users
On Thursday, 11 January 2018 03:42:11 GMT Andrew David Wong wrote:
> On 2018-01-10 12:53, 'Tom Zander' via qubes-users wrote:

> > I poked the Qubes guys about providing a separate dir on the website to
> > make it clear what is 3.x and what is 4.x specific, but they stated we
> > should instead put notices about exceptions in the document pages.
> 
> That's not exactly right. Please see:
..
> 
> In other words, do not just add notices in the text about exceptions.
> Instead, make clearly-labeled sections for 3.x and 4.x so that users
> can easily find the right information no matter which version of Qubes
> they're using.
> 
> > So I guess things like ProxyVMs should be mentioned to be old and AppVM
> > is the new.

Ok, I am having a problem seeing your solution and my explanation of it as any 
different, in practice.
Maybe I'm missing the obvious, I'm just not seeing it.

In this specific case of the VPN page. https://www.qubes-os.org/doc/vpn/
* in v.4 there is no "NetVM".
* There is no "ProxyVM"
* The create qubes screenshot is considerably different.
* adding 'meminfo-writer' and 'network-manager' are not needed (AFAIK).
* does not use iptables anymore.

Ok, going to stop now.  I got to half the page and some 80% of the text and 
screenshots are wrong for v4.

How would you solve that in line with the QubesOS policy?
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Multiple usability issues Qubes 4RC3

2018-01-09 Thread 'Tom Zander' via qubes-users
On Tuesday, 9 January 2018 08:54:02 GMT aaq via qubes-users wrote:
> Okay, so I found the documentation for bind-dirs
> (https://www.qubes-os.org/doc/bind-dirs/), but was still  wondering if
> you meant binding the AppVMs /usr/bin and /usr/local/bin, or was thinking
> of something else?
> 
> I would assume I need to bind all dirs that a given application is going
> to write to (such as potentially /usr/share, /var/lib, etc).

Let me give you an example usage;

I have the binary build "keybase" app in its own AppVM.
It installs the majority of its files in /opt, as such I bind that dir. 
(restart before install!).

There are a dozen files also being copied into the /usr/ dir-structure.
I copied those files into the /rw/keybase/usr/ dir structure
and I edited /rw/config/rc.local to copy those files back onto the /usr
dir-structure at vm-boot.

This was enough for this app, your actual usage may depend on how your app 
installs itself.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Graphic Tablet Compatibility (basic features)

2018-01-09 Thread 'Tom Zander' via qubes-users
On Tuesday, 9 January 2018 01:54:40 GMT Fabrizio Romano Genovese wrote:
> Hello all,
> This looks like an old issue:
> https://github.com/QubesOS/qubes-issues/issues/2715
> 
> I'd be interested in using only the basic tablet features (essentially
> moving the mouse and clicking around using the tablet would be enough).
> In the issue linked above it is said that
> 
> "this in theory should be easy (a matter adding proper metadata - min/max
> - to the protocol handshake, and filtering events based on this info)"
> 
> I'd like to help with this, but I am no coder. I just know a bit of bash
> scripting and trying to check the code in
> 
> https://github.com/QubesOS/qubes-app-linux-input-proxy/blob/master/src/protocol.h#L17-L28
> 
> didn't really help. I understand that developers are quite busy with much
> more hardcore problems to solve, but if someone could at least point me
> to the right research direction I could try to investigate this by
> myself.

From;
http://linuxwacom.sourceforge.net/index_old.php/howto/theory

> Initially at least, the USB Wacom tablet is an HID compliant device, and
> when first connected to the computer, will identify itself as such.
> Unfortunately, this is not what you want because in this mode, you will
> not get any of the fancy features. The hid-core.c, mousedev.c, and
> usbmouse.c kernel drivers contain exceptions for the wacom; when the
> device is detected, they ignore the tablet.

So maybe you can use that website to find out how to configure your wacom to 
just be a HID (human interface device) and make it send those mouse clicks.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Multiple usability issues Qubes 4RC3

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 13:29:02 GMT 'Ahmed Al Aqtash' via qubes-users 
wrote:
>   * One I call 'trusted' which is based on debian sid (unstable) that I
> install everything I use for daily usage (firefox, libreoffice, mpv,
> emacs, other open source tools). Primarily AppVM's will be based out of
> this template.
> 
> * One I call 'untrusted' that is going to be a clone of 'trusted', and
> that I install proprietary software in, that I also use on a daily basis
> (e.g. spotify). Also AppVM's out of this, but probably only 1 to start
> with.

An alternative solution is to make your "untrusted" VM an AppVM and you 
install the software in there using bind-dirs.
Then you *only* use that VM for running that software and you likely store 
no personal data there (other than maybe your spotify credentials).

Additional bonus would be to open any webpages in disposable VMs, should you 
click on a link in any of those apps.

> * I will probably create a standalone VM based off of 'trusted' that I use
> for development. So I will install stuff like docker, golang, and all
> other
> stuff I would otherwise use for developing.

I may be wrong, but all those development tools are open source and likely 
shipped by your distro. In which case I wonder what the benefit is to putting 
them into its own VM?

In short, maybe the simplest way is to create;

* TemplateVM: debian9
* Work AppVM based on debian9
* Untrusted AppVM based on debian9, adds untrusted apps using binds
* any other AppVMs you need... All based on the same debian9 template.

> NOTE: I use zsh with oh my zsh and spacemacs. Both of which are git repos
> that are cloned to the homedir of the user (meaning they are git repos
> cloned to /etc/skel)

Using /etc/skel just causes the data to be copied to the appvm homedir on 
first start.
You end up duplicating the data anyway, maybe you can use a different way to 
copy everything between VM homedirs.
Notice that you can just do a qvm-copy [dir] which copies recursively.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Multiple usability issues Qubes 4RC3

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 13:29:02 GMT 'Ahmed Al Aqtash' via qubes-users 
wrote:
> But issues like moving a templates home directory to /etc/skel (meaning
> that appvm's inherit /etc/skel as home dir from the template) left me
> baffled with my first install..

Homedirs are completely separated from your template homedir.

I personally ended up setting up things like chrome and konsole, bashrc etc.
Making a tar off my setup and uncompressing it on other qubes.
Usage of /etc/skel is not something I suggest, that is *only* for first 
initialisation of an AppVM and never gets updated again.

Bottom line; your homedir is unique and different in each and every VM.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Big if true: AMD reportedly allows disabling of the PSP (its Intel ME equivalent)

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 10:10:17 GMT qubestheb...@tutanota.com wrote:
> Hi.
> 
> https://www.phoronix.com/scan.php?page=news_item=AMD-PSP-Disable-Option
> It's still yet not known whether this disabling is effective and whether
> it disables the PSP in its entirety.
> 
> But if it does, then that would make the most recent AMD processors one of
> the best choices for Qubes 4.x usage.

In context;

https://www.phoronix.com/scan.php?page=news_item=AMD-PSP-2018-Vulnerability

https://www.phoronix.com/scan.php?page=news_item=Linux-Tip-Git-Disable-x86-PTI

So it's an up / down :)
* AMD is faster (no PTI)
* AMD has a remote code execution issue, at least until you can turn off PSA 
using a bios update.
* Bios updates are not much seen in the wild.

Time will tell.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: how to get the update proxy working again

2018-01-08 Thread 'Tom Zander' via qubes-users
On Monday, 8 January 2018 06:53:46 GMT khmartin...@gmail.com wrote:
> Is your new net vm different than "sys-net"? This caused me problems too.
> One solution is to rename the new net vm to "sys-net" or you can edit
> this file in dom0:
> 
> /etc/qubes-rpc/policy/qubes.UpdatesProxy
> 
> In that file there is a line that says target=sys-net.
> I changed it to the same name as my net vm.

That did the trick!
Thanks, I would never have found that...
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
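
The fix quoted above comes down to an allow rule whose target= names a qube that no longer exists. The check below is an added example, not part of the original thread or of Qubes itself: it assumes the three-column policy layout (source, destination, action with comma-separated parameters), and the policy text and qube names in it are constructed.

```python
"""Find qrexec policy rules whose target= points at a qube that no longer exists."""
import re

# Constructed sample in the layout of /etc/qubes-rpc/policy/qubes.UpdatesProxy.
SAMPLE_POLICY = """\
# constructed sample policy
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny

$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""

# Constructed inventory: the qubes left after the originals were removed.
EXISTING_QUBES = {"dom0", "sys-net-pool2", "sys-firewall-pool2",
                  "sys-whonix", "fedora-25-pool2"}

# Policy keywords such as $dispvm are not qube names and are never "missing".
KEYWORD_PREFIXES = ("$", "@")


def parse_policy(text):
    """Return one dict per rule; comments, blank lines and includes are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith(("$include:", "@include:")):
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'source dest action': {raw!r}")
        # Action parameters may be separated by commas or whitespace.
        action, *params = re.split(r"[,\s]+", " ".join(fields[2:]))
        options = dict(p.split("=", 1) for p in params if "=" in p)
        rules.append({"line": lineno, "source": fields[0], "dest": fields[1],
                      "action": action, "options": options})
    return rules


def dangling_targets(rules, existing_qubes):
    """List (line, target) for allow/ask rules redirecting to an unknown qube."""
    findings = []
    for rule in rules:
        target = rule["options"].get("target")
        if rule["action"] == "deny" or target is None:
            continue
        if target.startswith(KEYWORD_PREFIXES):
            continue
        if target not in existing_qubes:
            findings.append((rule["line"], target))
    return findings


def retarget(text, old, new):
    """Rewrite target=old to target=new on rule lines, leaving comments untouched."""
    pattern = re.compile(r"(?<![\w-])target=" + re.escape(old) + r"(?![\w.-])")
    out = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            out.append(raw)
        else:
            out.append(pattern.sub(lambda m: "target=" + new, raw))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line, target in dangling_targets(parse_policy(SAMPLE_POLICY), EXISTING_QUBES):
        print(f"line {line}: target={target} does not exist")
    print(retarget(SAMPLE_POLICY, "sys-net", "sys-net-pool2"), end="")
```
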




[qubes-users] how to get the update proxy working again

2018-01-07 Thread 'Tom Zander' via qubes-users
I needed space on my dom0  (Q4) drive, so I ended up using qvm-clone to copy 
my fedora25 template, my sys-net & sys-firewall to a different pool.
I naturally also copied the setup from the config dialog.

Everything seemed to work for a while, so I removed the sys-net /firewall 
originals.

Now I have a problem, updates in templates no longer work. The magic proxy 
fails me and I can't figure out how that thing actually was designed in order 
to make it work again.

My first thinking was to assign the original IP addresses to the cloned VMs, 
but qvm-prefs refuses to overwrite the qid property. :-(

The docs on the website talk about a service "qubes-yum-proxy" can't find 
that one, though. I guess it's a 3.2 property.

Anyone here able to explain how this proxy works? Would make a nice doc on 
the website too!
I'd love some suggestions on how to fix this...

Thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: qubes 4 qvm-trim not exist

2018-01-07 Thread 'Tom Zander' via qubes-users
On Sunday, 7 January 2018 19:40:27 GMT Yuraeitha wrote:
> But there are still some
> issues, i.e. no visual interface to show your overall disk space usage
> (the other month, you had to pull and combine several commands to make it
> show accurately). I'm not sure if this disk space usage reporting issue
> has been fixed today though.

* https://github.com/QubesOS/qubes-issues/issues/1872
(open) Implement UI Notifications for cases of a Qube disk full 

* https://github.com/QubesOS/qubes-issues/issues/1053
(open) Improve usability of VM disk space / increasing disk size

* https://github.com/QubesOS/qubes-issues/issues/3438
(open) Qubes storage pools of type LVM issues

This one is closed, but as I point out in the collection of issues (3438) 
this is not yet fixed;
https://github.com/QubesOS/qubes-issues/issues/2016
(closed) Create dom0 API to detect global disk space available

And, yeah, it also still needs  a user-interface.


The simplest way to get the space usage if you are using a LVM based pool 
(which requires completely manual setup at the moment) is
  sudo lvs
and you can read under the column "Data%" how much actual usage you reached.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] qubes app menu keeps old templatevm entries.

2018-01-07 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 23:19:54 GMT pixel fairy wrote:
> The app menu, top left, keeps entries for old template VMs. is there a way
> to get rid of them?

You find the data backing this in
$HOME/.local/share/qubes-appmenus/

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] hey, Please confirm we cannot install Qubes 4.0 on DVD, and the minimum on flash drive to install

2018-01-06 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 17:42:00 GMT russlyatos...@gmail.com wrote:
>  hey,  Please confirm we cannot install Qubes 4.0 on DVD, and the minimum
> on flash drive to install Qubes 4.0 we must have 32GB?  thanks

Not sure if this is helpful; the minimum size harddrive I've installed Qubes 
on was 21GiB.
But you have to skip the debian and the whonix templates and I turned off 
swap.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Q4.0 rc3 (current testing) - power off/ suspend issues.

2018-01-06 Thread 'Tom Zander' via qubes-users
On Saturday, 6 January 2018 10:56:13 GMT haaber wrote:
> 2) Reboots hang systematically at "Reached target shutdown" and has to
> be rebooted via a coldboot.

I've been seeing this too, although sometimes it goes on after half a minute 
only to hang at some other point (after loads of messages).

I noticed that if I manually shut down all qubes, INCLUDING, sys-net, before 
logging out then this problem is avoided.

Next time you reboot, can you try that and let us know if this isn't just 
me?
That may help with debugging.

Cheers!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




[qubes-users] Re: [qubes-devel] Qubes Controller as the new Qubes-Manager

2018-01-05 Thread 'Tom Zander' via qubes-users
On Friday, 5 January 2018 23:43:58 GMT Zrubi wrote:
> > I'll attach two screenshots of the tool, to give you a bit of an
> > idea of what it already does and maybe if its worth your time to
> > compile 
> 
> Probably this is very subjective, but:
> For me, the most important parts/feature of the current Qubes Manager
> are (in order of importance):
> 
> - Full overview of the state of the VMs in ONE screen, without clicking.
> The new widget is failing on this badly, just as your proposal.

My aim has so far been to show which VMs are there, which type they are and 
if they are running. This is visible in one go. Including even which VM has 
a high CPU usage.
I'm not happy yet with the way that the netVM is visualized, as you say it 
costs clicks on each VM.

> - Changing the NetVM of a given VM.

Great idea!
 
> - Starting programs from a given VM.

Fully agreed, this is what I added last week. I'm using it all the time. 
Much more convenient than the start menu.

> - start/stop VMs

Present :)
 
> - attaching/detaching devices.

Yes, definitely.

> - reading VM logs.

Good to know.

> Probably these are only my personal preferences. Hence I have no time
> to write a new manager for the Qubes 4.x I just shared my use case.
> Feel free to ignore them if you don't like 'em 

They are excellent ideas, thanks!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] dns in qubes

2018-01-05 Thread 'Tom Zander' via qubes-users
On Friday, 5 January 2018 15:37:37 GMT Unman wrote:
> Look at the nat table in the upstream netvm.
> You'll see that sys-net NATs these requests to the NS used by sys-net.

Ah, that hint was enough, I didn't expect NAT, thanks!

Got it working now.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
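
The NAT hint above can be checked mechanically: every nameserver in a qube's resolv.conf needs a matching port-53 DNAT rule in the upstream netvm, otherwise lookups go nowhere. The script below is an added example, not part of the original thread; the rule dump (in `iptables -t nat -S` format), the PR-QBS chain name and the 192.0.2.x resolver addresses are constructed assumptions.

```python
"""Map the virtual DNS addresses in resolv.conf to the netvm's DNAT rules."""
import ipaddress
import shlex

# Constructed `iptables -t nat -S` output from an upstream netvm.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-N PR-QBS
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.0.2.53
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.54
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Constructed dump from a VPN qube whose DNS redirection was never set up.
SAMPLE_VPN_RULES = """\
-P PREROUTING ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE
"""

# The resolv.conf described in the question.
SAMPLE_RESOLV_CONF = "nameserver 10.139.1.1\nnameserver 10.139.1.2\n"


def parse_rule(line):
    """Return {option: value} for every option in the rule that takes a value."""
    tokens = shlex.split(line)
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
    return opts


def dns_dnat_map(rules_text):
    """Return {(virtual_ip, protocol): real_resolver} for port-53 DNAT rules."""
    mapping = {}
    for line in rules_text.splitlines():
        opts = parse_rule(line)
        if opts.get("-j") != "DNAT" or opts.get("--dport") != "53":
            continue
        if "-d" not in opts or "--to-destination" not in opts:
            continue
        virtual = str(ipaddress.ip_interface(opts["-d"]).ip)
        mapping[(virtual, opts.get("-p", "any"))] = opts["--to-destination"]
    return mapping


def resolv_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf, in order."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def unserved_nameservers(resolv_text, rules_text, protocols=("udp", "tcp")):
    """List (nameserver, protocol) pairs that no DNAT rule redirects."""
    mapping = dns_dnat_map(rules_text)
    return [(ns, proto)
            for ns in resolv_nameservers(resolv_text)
            for proto in protocols
            if (ns, proto) not in mapping]


if __name__ == "__main__":
    for (virtual, proto), real in sorted(dns_dnat_map(SAMPLE_NAT_RULES).items()):
        print(f"{virtual}/{proto} -> {real}")
    print("unserved via netvm:", unserved_nameservers(SAMPLE_RESOLV_CONF, SAMPLE_NAT_RULES))
    print("unserved via vpn:  ", unserved_nameservers(SAMPLE_RESOLV_CONF, SAMPLE_VPN_RULES))
```
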




[qubes-users] dns in qubes

2018-01-05 Thread 'Tom Zander' via qubes-users
I'm trying to figure out how this works, and I am stuck.

In every qube (except sys-net) there is  a resolv.conf that points to two 
name servers.
10.139.1.1 and .2

This raises two questions;

* how does sys-net handle these requests on this odd address. No 'ip ad' 
network seems to listen on this address.

* how can I change this in individual qubes in the correct manner.
I have some qubes routing through sys-vpn and I adjusted the vpn VM to find 
the DNS, but users of the vpn can't find any DNS service now.

Any help appreciated.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Tweak Tool not working as expected after upgrade to Fedora 26

2018-01-04 Thread 'Tom Zander' via qubes-users
On Thursday, 4 January 2018 02:11:16 GMT Mark Malcom wrote:
> I downloaded fedora-26 template and after that my gnome-tweak-tool is
> completely ignored: no themes, no windows scaling anymore. Not just the
> Tweak Tool, but if I try to change the scale factor with gnomesettings,
> that is also ignored.

Let's check if it's an environment issue;

if you start a terminal on a VM.
In that terminal do an;
  export GDK_SCALE=2.3
and then start something like chromium or any gtk app.
does that work?

If yes, then you know it's most likely a problem with environment variables 
in your VM in one way or another.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4.0 rc3 boot and performance is quite slow

2018-01-04 Thread 'Tom Zander' via qubes-users
On Thursday, 4 January 2018 11:49:45 GMT Fabrizio Romano Genovese wrote:
> Looking at the console messages at startup, it looks like the problem is
> that Qubes takes more than one minute to boot sys-net, sys-firewall,
> sys-usb and sys-whonix. That was not the case in 3.2.
> 
> Also, when giving
> qvm-start someVM
> the startup time is again quite slow. Could it be that my VMs are based on
> Fedora26?

Can you try giving your VMs more initial memory?
I saw that the default of 400MB is causing VMs to swap like crazy on 
startup. I change it to 1000MB and stuff starts significantly faster.

I also removed swap in fstab on all templates, the only effect this has had 
so far is show that the memory balancer is in need of work. It fails to give 
hosts memory when they use significantly more than others.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] How do I install and configure a template vm in Qubes 4?

2018-01-04 Thread 'Tom Zander' via qubes-users
On Thursday, 4 January 2018 10:40:56 GMT 'Ahmed Al Aqtash' via qubes-users 
wrote:
> In 3.2 you could allow network access in a template rather easily through
> the GUI, and thus be able to pull software from other destinations than
> just repos.

The same functionality is present in Qubes4, just not via a GUI.

open a terminal in dom0 (adminvm) and type;

qvm-prefs -s YOURVMNAME netvm sys-firewall

When you are done downloading consider unsetting the netvm with;
qvm-prefs -s YOURVMNAME netvm ""


I'll add the warning that you should be careful what you do in a TemplateVM, 
anything you run or download has sudo and can install or change data which 
then will cause all your VMs based on this template to be contaminated.
Be safe.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Donations with Bitcoin (Cash) - BCH

2018-01-04 Thread 'Tom Zander' via qubes-users
On Thursday, 4 January 2018 12:28:27 GMT evas...@openmailbox.org wrote:
> Happy New Year Qubes Community!
> 
> Due to high fees and heavy losses to donator at Bitcoin Core (BTC) network
> I suggest to add Bitcoin Cash (BCH) donation address as alternative.
> Nobody want to donate 50$ and lose 40$ as fees.

As a long time Bitcoin developer, I completely agree with this sentiment.


I want to also add that the current address publicly displayed will work 
just fine on Bitcoin Cash, which may be useful to know.

Big companies like bitpay (biggest bitcoin payment processor) have already 
stated they will no longer accept any Bitcoin internet payments under $100, 
which you can understand means it can no longer be used for the majority of 
Internet payments. They are working on switching to Bitcoin Cash instead.

Curiously, looking at the Qubes donation page I see that the address you 
have shows that the Qubes organization in actual fact already owns some 
funds in Bitcoin Cash (BCH).
https://bch.btc.com/3GakuQQDUGyyUnV1p5Jc3zd6CpQDkDwmDq
Around € 700 worth.

To the Qubes-guys; please consider updating your website and if you post it 
on something like reddits rBtc forum, you likely will get some more 
publicity out of it as well.

If you want any details, feel free to ask me more in private email.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes 4rc3: More space needed on the / filesystem.

2018-01-03 Thread 'Tom Zander' via qubes-users
On Wednesday, 3 January 2018 16:16:13 GMT Fabrizio Romano Genovese wrote:
> I am trying to install texlive on a fedora-26 template vm. The package is
> quite big, nevertheless it is correctly downloaded. After this, when the
> actual installation process would be supposed to start, it fails with the
> message:
> 
> At least *MB more space needed on the / filesystem

Have you considered making the root filesystem of your VM have more space?

In the settings dialog for a VM it's the "System storage max size" item which 
you can change. Be aware that the VM likely needs to restart to access the 
extra space.




Re: [qubes-users] Disable root password on fedora-25-minimal (Qubes 4.0rc3)

2018-01-02 Thread 'Tom Zander' via qubes-users
On Tuesday, 2 January 2018 18:26:27 CET Fabrizio Romano Genovese wrote:
> ...But how?

The naming is confusing as the root password is not really removed at all.
What happens is that a service called 'sudo' is configured to allow you to 
do anything without a password.

Make sure you have this content at /etc/sudoers.d/qubes

https://www.qubes-os.org/doc/vm-sudo/

also I suggest double checking that sudo is actually installed.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Installation security : Usb optical vs sata optical vs usb drive

2018-01-02 Thread 'Tom Zander' via qubes-users
On Tuesday, 2 January 2018 06:20:46 CET mmm...@gmail.com wrote:
> So from the installation security guide I read the following:

> And for USB Drive:
> "Untrustworthy firmware. (Firmware can be malicious even if the drive is
> new. Plugging a drive with rewritable firmware into a compromised machine
> can also compromise the drive. Installing from a compromised drive could
> compromise even a brand new Qubes installation.)"
> 
> Do usb optical drives not also have the same problem firmware wise?

The problem with USB is that it's universal. An attacker can make his device 
look like it's anything USB based. For instance a rarely used web-camera.
The problem with that is that each brand has its own driver in the Linux 
Kernel and most of those drivers are hardly checked for exploits.

As such, an innocent looking thing that connects on USB could root your 
kernel with unknown exploits in any usb driver shipped by the kernel.
Just using a different firmware.
This is why there is the suggestion to have a sys-usb qube to isolate those 
drivers, should you fear your hardware in future falling in the hands of bad 
people.


> What about sata?

I hope someone else can answer this.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] How find out addresses to limit outgoing connections

2018-01-02 Thread 'Tom Zander' via qubes-users
On Saturday, 30 December 2017 04:55:59 CET Stumpy wrote:
> In the end, I want to have say a VM for email, where the firewall blocks
> everything but access to the email service, and do the same for my
> "banking VM" or "bitcoin wallet vm"
> 
> I'm at a bit of a loss so would be grateful for help.

Using gmail in your browser is indeed quite difficult to allow specifically.
Even using another protocol to a provider like google is practically 
speaking not possible.
So I think you started on the hardest problem.

Instead, if you were to use for instance kolabnow.com, you'd be able to 
limit your outgoing to just two hosts (imap.kolabnow.com and 
smtp.kolabnow.com) which is a short list of IP addresses. (I personally use 
'dig' to find out all IP addresses of a DNS).

Same with the Bitcoin wallet VM, you need to find out a series of trusted IP 
addresses and only allow outgoing connections from them, and likely no 
incoming connections at all.
Those IPs would be something from friends, or some you find on;
https://bitnodes.earn.com/
But notice you need to then tell your bitcoin software to actually connect 
to those IPs and likely skip any DNS lookup.

Hope that helps!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
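
The 'dig' step described in this reply, turned into an allow-list, as an added example that is not part of the original post. The qube name "mail", the ports, the 192.0.2.x addresses and the CNAME line are constructed; the printed rule syntax assumes the Qubes 4.0 qvm-firewall keyword form and a qube whose firewall otherwise denies outgoing traffic.

```shell
#!/bin/sh
# Turn `dig +short` answers into per-IP allow rules for one qube.
# Real use (in a networked qube):  dig +short imap.kolabnow.com A | ipv4_only
# The generated commands are only printed, so they can be reviewed before
# being run in dom0.

# Constructed sample of `dig +short <host> A` output. When the name is a
# CNAME, dig prints the alias target first, and the same address can show
# up more than once when several lookups are concatenated.
sample_dig() {
cat <<'EOF'
mail-lb.example.org.
192.0.2.10
192.0.2.11
192.0.2.10
EOF
}

# Keep only syntactically valid IPv4 addresses, de-duplicated, in the
# order first seen. CNAME targets and malformed lines are dropped.
ipv4_only() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if (($i !~ /^[0-9]+$/) || ($i + 0 > 255)) ok = 0
        if (ok && !seen[$0]++) print
    }'
}

# emit_rules QUBE PROTO PORT: read addresses on stdin and print one
# accept rule per address (assumed Qubes 4.0 keyword syntax).
emit_rules() {
    while read -r ip; do
        printf 'qvm-firewall %s add action=accept dsthost=%s/32 proto=%s dstports=%s\n' \
            "$1" "$ip" "$2" "$3"
    done
}

# Demo on the constructed sample: IMAP over TLS for a qube named "mail".
sample_dig | ipv4_only | emit_rules mail tcp 993
```

Providers change their addresses, so the list has to be regenerated and compared against the installed rules from time to time.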



Re: [qubes-users] Detached LUKS header

2018-01-02 Thread 'Tom Zander' via qubes-users
On Monday, 1 January 2018 18:14:27 CET spi...@gmail.com wrote:
> I did look at this link as I already said.
> But the thing is that there are no info on how to install it
> without using the GUI.

If you get to the installer you can use alt-f1 to get to a native TTY. There 
are several of them and at least one is a bling bash which has root.
Not sure how easy it is to use, but that may just be the entry point you 
were looking for.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: Install Rtlwifi new

2018-01-01 Thread 'Tom Zander' via qubes-users
On Sunday, 31 December 2017 20:57:36 GMT davidmizr2...@gmail.com wrote:
> I can see a permission problem here
> "/net/wireless/realtek/rtlwifi/rtl_pci.ko' Read-only  file system,

That is not a permission problem.

Nobody can write to a read-only filesystem.
Try to make sure that you configured your compile correctly. The path 
starting with /net makes little sense to me.





Re: [qubes-users] Re: new Desktop build recommendation

2017-12-29 Thread 'Tom Zander' via qubes-users
On Friday, 29 December 2017 19:23:01 CET taii...@gmx.com wrote:
>  I am sure the massive
> markup over parts cost is worth it for a "tested working properly"
> system right?

Yes. Yes it is.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Weak connection. Cannot reinstall borked template, download will not resume.

2017-12-27 Thread 'Tom Zander' via qubes-users
On Wednesday, 27 December 2017 03:02:57 CET dangmad...@gmail.com wrote:
> Opted to reinstall template, but I cannot download it without my
> connection dropping, and thus timing me out. dnf does not resume the
> download, despite it claiming to be saving the download to cache.
> 
> I have put keepcache=true in dnf.conf, with no results.
> 
> 
> cannot wget from dom0. Should I wget from some other VM?

You should definitely be able to install a template you downloaded and copied 
via whatever means into dom0.

Please be aware that download-resumes are a feature on the server as much as 
on the client. 
Your wget should be able to tell you if a resume is possible serverside by 
just testing it (ctrl-c it after 100KB, and use the --continue flag on second 
try).

I've seen the qubes builder create a script that installs an rpm directly 
from local file, hence I know it is possible. Just don't know how.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: Mozilla (was: Re: [qubes-users] Password security/disposable vm security)

2017-12-27 Thread 'Tom Zander' via qubes-users
On Wednesday, 27 December 2017 00:34:38 CET Leo Gaspard wrote:
> > I'm more concerned that they tried than how they failed.
> > It leaves a bad taste in my mouth.

> tl;dr: please do google for “looking glass” and “mozilla”

It's good we agree on all the technical details, and I agree intent is tricky 
to guess about.

I definitely will not advise people either way, my opinion is irrelevant and 
browsers are not my specialty.

The situation left a bad taste in my mouth, I had to conclude that their 
priorities are not aligned with mine. Your mileage may vary.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] How to install software on templates (Qubes 4.0)

2017-12-26 Thread 'Tom Zander' via qubes-users
On Tuesday, 26 December 2017 23:58:36 CET Eric Scoles wrote:
> Sorry, I guess I'm not understanding your answer. The 'usual way' to
> install in an upstream distro would be to connect to the network.

Your ‘yum’, ‘pacman’, ‘apt-get’ have access to the internet via a proxy 
solution.

Please give it a try.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] How to install software on templates (Qubes 4.0)

2017-12-26 Thread 'Tom Zander' via qubes-users
In short, software is to be installed in your template exactly the same as 
you would do it in the ‘upstream’ way.

So if you are using a debian template, you’d be able to go to the debian 
wiki pages that explain how to do it.

So your question 1 and two are answered with; “like in the upstream distro”.

> 3. What if we need to install a package that's not available via a repo?

This opens a bit more complex situation because software not available for a 
public repo may cause the issue of it not being trusted. I don’t trust 
skype, for instance.

Technically the installation is not too difficult, you just follow the 
instructions from the place you find the software.
But it is important to assess how much you trust this software and its 
installer because changes made in a template will have an effect on ALL 
qubes that are based on it.
Installing untrusted software in a template may end up exposing your data in 
the “work” qube that is based on it.

You may consider creating a new AppVM where you install the software (again, 
using the instructions from the place where you find the software). Check the 
/rw/config dir, there is a binds configuration that allows you to specify 
which files or directories are kept between restarts.

Hope this helps.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Password security/disposable vm security

2017-12-26 Thread 'Tom Zander' via qubes-users
On Tuesday, 26 December 2017 00:56:30 CET mmm...@gmail.com wrote:
> "So make sure your software is from a trusted source."
> Right but even if it is trusted at one point it can become less
> trustworthy later(infection) so I wanted to keep it perfectly "fresh" by
> using disposables.

Aha.

In Qubes you *use* AppVM based virtual machines. Those are unable to change 
software because the actual software is owned by a TemplateVM.
As such this idea of keeping it fresh is already done by normal daily usage 
of Qubes.

The disposable VM concept goes one step up by isolating changes to your 
private data (downloaded files, config, etc).

For your goal the dispVM doesn't add anything, AppVMs already do what you 
want.
 
> "Personally, I'd avoid thunderbird and anything from mozilla, but that's
> just me."
> Do they have a bad track record(I planned on researching my apps later
> =p).

Just last month they added an invisible plugin in their binary builds which 
was programmed to not show up in the 'add-on' screen and had the ability to 
alter page content.
Someone didn't actually program it well enough and the whole thing got 
leaked and after a lot of heat, a lot of bad press they eventually 
apologised.

I'm more concerned that they tried than how they failed.
It leaves a bad taste in my mouth.

Google for "looking glass" and "mozilla" if you want to know more.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Trying to download new Whonix templates and fedora 23 gets updated?

2017-12-25 Thread 'Tom Zander' via qubes-users
On Sunday, 24 December 2017 02:33:26 CET Sven Semmler wrote:
> On 12/09/2017 08:38 PM, vel...@tutamail.com wrote:
> > Dependencies resolved. Nothing to do.
> 
> Did you include the --enablerepo parameter as shown below?
> 
> sudo qubes-dom0-update --enablerepo=qubes-community-templates
> qubes-template-whonix-ws qubes-template-whonix-gw

And be sure to read the output fully, sometimes it says it will remove 
certain packages but then if you read the full text you notice that it 
actually doesn't do so and you have to pass in two more parameters to get it 
to actually resolve conflicts...


-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Password security/disposable vm security

2017-12-25 Thread 'Tom Zander' via qubes-users
On Sunday, 24 December 2017 23:14:21 CET mmm...@gmail.com wrote:
> Okay so I read all of that lol, and I understood it all but what if there
> was an e-mail client that used the browser method? You get logged in to
> all your emails without retrieving anything then switch to cookie
> authentication and forget the password, that way when the zero-day
> happens you only lose your cookie which is probably not as powerful as
> the actual password(ie I dont think you can change your password with
> just the cookie) plus the zero day can't "permanently" compromise
> thunderbird cause you opened it in a disposable , just only after this
> odd login method over and over again =p. Maybe that's overdoing it
> but I don't want to change my passwords ever so laziness commands me
> to want such a thing XD.

I think you may have misunderstood the idea behind the initial post you 
quoted;

> "there is absolutely no point in not allowing e.g. Thunderbird to remember 
> the password – if it got compromised it would just steal it the next time I 
> manually enter it"

The thought behind that quote is that you have to trust your open software 
running on your machine and there is no way around that. As the quote says, 
feel free to let it remember your password. No point in trying to be smart.

So if you run thunderbird in a qube that has (access to) password and/or 
emails, you better trust that open source software with that information.

So make sure your software is from a trusted source.

Personally, I'd avoid thunderbird and anything from mozilla, but that's just 
me.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Password security/disposable vm security

2017-12-25 Thread 'Tom Zander' via qubes-users
On Sunday, 24 December 2017 01:58:36 CET mmm...@gmail.com wrote:
> Can't we just create disposable thunderbirds to protect the password?

The protection you want is against the evil software leaking the password.
A disposable VM would not help in this case as you enter the password, or 
you let it remember your site passwords, then it would just send it out to 
the evil website immediately.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] pools, how to use

2017-12-24 Thread 'Tom Zander' via qubes-users
On Sunday, 24 December 2017 02:09:54 CET Marek Marczykowski-Górecki wrote:
> > sudo lvcreate -L 390.5g -n data Slow
> 
> You need to create those as thin pools, not standard volumes. For
> example this way:
> lvcreate -L 37g --thinpool systems qubes_dom0

Thanks, that fixed it :-)

It took some more puzzling and I now have some VMs on LVM pools instead of 
everything as huge files in my dom0 filesystem.

Great success.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] pools, how to use

2017-12-23 Thread 'Tom Zander' via qubes-users
Hi,

I've set up a new qubes install and created two LVM volume groups. I wanted to 
try and see how this works with qubes and I tried out the pools concept.

The problem is that I think I did everything according to the docs, but the 
qvm-create command gives me an error message.

Can someone find out what I did wrong?


sudo vgs -a
  VG         #PV #LV #SN Attr   VSize   VFree
  Slow         1   1   0 wz--n- 391.51g 391.01g
  qubes_dom0   1   2   0 wz--n-  59.33g  37.33g
sudo lvcreate -L 37g -n systems qubes_dom0
sudo lvcreate -L 390.5g -n data Slow
sudo lvs
  LV      VG         Attr   LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  data    Slow       -wi-a- 390.50g
  adminvm qubes_dom0 -wi-ao  22.00g
  systems qubes_dom0 -wi-a-  37.00g

qvm-pool -a qubes_ssd lvm_thin -o volume_group=qubes_dom0,thin_pool=systems,revisions_to_keep=0
qvm-pool -a data lvm_thin -o volume_group=Slow,thin_pool=data,revisions_to_keep=0

qvm-create -P qubes_ssd --template fedora-25 -l green --class AppVM test
app: Error creating VM: b'  Logical volume qubes_dom0/systems is not a thin pool.\n'


Any help appreciated!
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
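
A pre-flight check for the failure in this thread, as an added example that is not part of the original posts: it reads the first character of the lvs Attr column ('t' marks a thin pool, 'V' a thin volume) for the volume named in the qvm-pool options before the pool is registered. The function names and the "fastpool" row are constructed; the other rows repeat the lvs listing above.

```shell
#!/bin/sh
# Check that the LV named by thin_pool= in a `qvm-pool -o` option string
# really is an LVM thin pool. Real use, in dom0:
#   sudo lvs --noheadings -o lv_name,vg_name,lv_attr | check_pool_opts "<options>"

# Sample input in the format of the lvs command above. The first three
# rows repeat the thread's listing; "fastpool" is a constructed row
# showing what a real thin pool looks like. Only the first Attr
# character is read.
sample_lvs() {
cat <<'EOF'
  data     Slow       -wi-a-
  adminvm  qubes_dom0 -wi-ao
  systems  qubes_dom0 -wi-a-
  fastpool qubes_dom0 twi-aotz--
EOF
}

# lv_kind VG LV: read lvs rows on stdin and print one of
# thin-pool | thin-volume | other | missing.
lv_kind() {
    awk -v vg="$1" -v lv="$2" '
        $1 == lv && $2 == vg {
            t = substr($3, 1, 1)
            if (t == "t") print "thin-pool"
            else if (t == "V") print "thin-volume"
            else print "other"
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    '
}

# opt_value KEY "k1=v1,k2=v2": print the value stored under KEY.
opt_value() {
    printf '%s\n' "$2" | tr ',' '\n' |
        awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# check_pool_opts "volume_group=...,thin_pool=...": read lvs rows on
# stdin; return 0 only when the named LV exists and is a thin pool.
check_pool_opts() {
    vg=$(opt_value volume_group "$1")
    pool=$(opt_value thin_pool "$1")
    kind=$(lv_kind "$vg" "$pool")
    case "$kind" in
        thin-pool) echo "ok: $vg/$pool is a thin pool"; return 0 ;;
        missing)   echo "error: $vg/$pool does not exist" ;;
        *)         echo "error: $vg/$pool is '$kind', not a thin pool (create it with lvcreate --thinpool)" ;;
    esac
    return 1
}

# Demo on the sample: the option string from the thread fails the check.
sample_lvs | check_pool_opts "volume_group=qubes_dom0,thin_pool=systems,revisions_to_keep=0" || true
```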



Re: [qubes-users] Which 3.2 VMs to backup and for eventual 4.0 migration?

2017-12-22 Thread 'Tom Zander' via qubes-users
On Friday, 22 December 2017 02:42:57 CET yreb...@riseup.net wrote:
>  assuming
> 4.0 is going to come out of the box with like Debian 9 and Fed 26?

Fedora 26 is not going to be used in 4.0, maybe in 4.1

source;
https://groups.google.com/forum/#!msg/qubes-devel/13PZgSOaajA/RvBh02ANCAAJ

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-21 Thread 'Tom Zander' via qubes-users
On Thursday, 21 December 2017 19:02:23 CET Unman wrote:
> This helps protect against user error - for example, opening a browser in
> Template by mistake, and using it to browse the web.

A separate thought occurred to me,

if Qubes is worried about users misusing templates, I'd argue that free 
sudo-access should be removed from templates so you benefit from standard 
user protection. In other words, you'd need a privilege escalation to 
compromise your template. While today the bar is much much lower.

Naturally, an AppVM based on a template would have to have full sudo access.

What do people think about this?
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-21 Thread 'Tom Zander' via qubes-users
Thanks for your mail!

I think we are getting to the core of our little discussion :-)


On Thursday, 21 December 2017 19:02:23 CET Unman wrote:
> Since templates can be customized by the user it is not true that they
> cannot contain private data. 

They can contain private data, because they have harddrive space. So 
technically speaking you are not wrong.
Do you have any reason to believe there is any incentive to store your 
private data, your account info (password) etc in a template?

> It's a moot point to what extent Templates do
> contain identifying material, even when not customized.

The entire point of Qubes is compartmentalization, which means actively 
choosing where you have your login data, your keys and your private 
messages.
A security worry that assumes people will copy their darkest secrets in 
inappropriate qubes is a bit... odd.
And that is exactly what you say when you argue placing material you want to 
keep secret in a template is a moot point.

> It isn't true that Templates CANT contain listening services,

This is true only if you pick your words very specifically.
It is true that template can try to listen to someone out there.
But it's pointless because the Qubes system doesn't allow anyone to connect 
to your templates. There is no port forwarding to your templates. Just 
connecting to sys-net will not make that magically happen.

Bottom line is that no hacker can connect to your services on your template.
And thus you can’t get remote hacked by doing nothing.

> or services
> that make outbound connections without user intervention. Debian
> Templates will start some services on installation, for example, and
> there are other "aids" that may initiate outbound connections without
> the user's knowledge. There are circumstances where this could be
> extremely undesirable.

Interesting to hear, you maintain the Debian RPM for Qubes, right?
Can you explain which services are started automatically and do outbound 
connections in that template?
You seem sure, so please share that info.

> If (e.g) you use a web browser in a Template there is every chance that a
> hacker may install bad software without your knowledge.

I highly doubt that. If that were true most Ubuntu boxes would have been 
turned into bots.

But more importantly, the advice to only run software to update your 
template stands.
The template VM is started for updating your operating system, it is not for 
playing a flash game or running Skype. This was always the advice.

> If the Template is compromised then all the AppVMs that use it 
> will be compromised.

This thought is not false, but your thoughts of how a template can get 
compromised are clearly unfounded.
As you have admitted multiple times; all these technical things that make 
basic tasks more difficult are there only to protect the user from 
user-mistakes.

To be clear, I can get on board with the idea that users should be 
discouraged from *using* templates. User training you called it.


I think the two different schools of thought here are that you work with 
rules a lot. Decide that users can't do X or Y or Z, and you solve the 
problem.
This works in a company, this works for a certain set of users.

I come from a different background, after 17 years of doing open source I 
learned that telling people what NOT to do will always lead to 
disappointment. :-)

Finding more user friendly ways of telling people what is a better way to 
solve a problem is the direction I'm leaning towards. Lead, not punish.

As a quick example; make templates have a config file that indicates which 
software is the ‘updater-GUI’ and make the icon-updater use this info to 
only show a limited set of start-menu-items for template VMs.
A second icon associated from a template would be
“create VM based on this...”.


My thinking is that we have to work *with* people, not against them. Provide 
more useful options, don't take away ones you think are dangerous.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] template /home/user is not copied when creating appvm

2017-12-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 19 December 2017 20:22:02 CET Dave C wrote:
> Whenever a TemplateBasedVM is created, the contents of the /home
> directory of its parent TemplateVM are copied to the child
> TemplateBasedVM’s /home...
> 
> Is this true in Qubes 4.0 rc3?
> 
> In my experience, changes made to /home/user in the template are not
> copied to the appvm when it is created.

This mirrors my experience, AppVMs don’t inherit the homedir.

I believe that the design has changed (i.e. the docs are outdated). Template 
VMs are meant to be used purely for its operating system and the software 
going with it, the homedir should have no personal data or app-configs 
because you should not use the template for anything other than updating 
packages.

Notice that disposable VMs no longer use templateVMs, they are based on an 
AppVM instead. You will likely end up creating an AppVM which will be a 
template for disposable VMs launched by the system.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Re: Attempting to securely wipe drives, running into issue.

2017-12-20 Thread 'Tom Zander' via qubes-users
On Wednesday, 20 December 2017 11:59:26 CET Holger Levsen wrote:
> oh, and if you want to securly erase data, use /dev/random, not
> /dev/urandom.

This is not good advice, your /dev/random device creates true randomness, 
but it only generates a very small amount of data.
Bytes per minute.

Creating enough to write many gigabytes of data would take centuries.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel




Re: [qubes-users] Attempting to securely wipe drives, running into issue.

2017-12-20 Thread 'Tom Zander' via qubes-users
On Tuesday, 19 December 2017 22:09:31 CET David wrote:
> I'm attempting to wield a command from the archlinux wiki and getting
> access denied, even with sudo in front, and even when on dom0 (against
> my better judgment). Any thoughts?

A complex series like this is best just to run as root in a shell.

First run something like;
# sudo su 
which should give you a shell that is owned by root. Type whoami to 
confirm.
Then you can copy/paste the line from the archlinux wiki to do the work.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes GUI for v4

2017-12-20 Thread 'Tom Zander' via qubes-users
On Wednesday, 20 December 2017 08:25:44 CET Matteo wrote:
> but before you code it you should talk to joanna to be sure it will be
> accepted and used.

I sent an email to the dev mailinglist at the same time I sent one here (no 
reply so far) so at minimum she knows about it.

But I have to say that I’m programming this for myself and for people that 
have indicated they want a similar solution.
It would be nice if it were packaged in Qubes, but I’m not depending on it.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-19 Thread 'Tom Zander' via qubes-users
On Tuesday, 19 December 2017 16:33:49 CET Unman wrote:
> Tom
> 
> I've suggested before that if you give this advice you should
> clearly state the consequences.

Ok, no worries. Here you go:

The consequence is that the template, which has no personal or identifying 
information, can be used to run apps that make outbound connections. Don’t 
worry! No inbound connections are possible.

In short;
* There is no possibility of loss of private data (since there is none).
* There is no possibility of a remote hacking attack (b/c no 
listening services).
* There is no possibility of a hacker installing bad software in 
your template (only you can do that).

Bottom line is that there is no additional risk when a user uses a corporate 
firewall and a http proxy to allow him to download updates.

Unman, being paranoid is fine, but making users unable to update their system 
unless they do it the very complicated way you approve of will not help 
security.
We are dealing with people, let’s keep that in mind.
Specifically, the result of being too strict on this is that they will end up 
either not updating (and missing security updates) or maybe just giving up 
and using the simple route of throwing security out the window and just 
getting the job done.

Perfection is the enemy of good enough.


And since I’m being nasty today, let’s focus on another illusion in this 
email. You wrote;
> sys-net will not enforce a firewall 

Basically true, sys-net indeed bypasses sys-firewall.
But you are mistaken if you think that sys-firewall adds security.
Sys-firewall adds the _option_ of allowing you to _manually_ add security.
IF you have the know-how on how to do so. Which most people don’t. 
sys-firewall allows you to block remote hosts by IP-address, manually. And 
optionally.

Making people believe that having sys-firewall makes them more secure is 
selling an illusion of security, which is really bad for actual security 
because it follows that people will believe they are magically secured.
In reality the configuration of the firewall is a highly specialized and low-
level task that most people without sys-admin-training will simply not do.

Security is not about following a rulebook, it is about people first and 
foremost. Let’s not lose focus of that, please.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-12-19 Thread 'Tom Zander' via qubes-users
On Monday, 18 December 2017 10:13:48 CET pr0xy wrote:
> I am still a bit stuck concerning the Qubes Update Proxy. Where would I
> set the environment variables for my corporate proxy so that I could
> update dom0, templates and VMs?

You should add sys-net to your template VM if you want that since the proxy 
that is in place today is to avoid your template VM from accessing the 
intranet or internet outside of your own machine.

Then google on where the template operating system (Fedora or Debian etc) 
sets proxies for doing the command-line update, the configuration is the same 
as Fedora or Debian etc.
I don’t know fedora at all,
in archlinux you’ll have a file in /etc/pacman/ which sets the current proxy, 
in debian you’ll likely have one in /etc/apt/

grep -R -i  PROXY /etc/*

may be useful too.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub



Re: [qubes-users] Fedora 26 VLC/mplayer fullscreen problem

2017-12-19 Thread 'Tom Zander' via qubes-users
On Sunday, 17 December 2017 19:59:36 CET donoban wrote:
> Any idea?

If you hit the ‘f’ key to go full screen, or use the application menu, then 
you end up doing this using the application in the Qube.
Try to do it using the menu on the titlebar, which makes the trusted-window-
manager be the one to instruct the full-screen option.

That tends to work better.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub



[qubes-users] Qubes GUI for v4

2017-12-19 Thread 'Tom Zander' via qubes-users
In the last weeks there was a lot of talk about a lot of us missing the
qubes-manager, or frankly any sort of useful graphical user interface.

As I’m a long time programmer I decided to just give this a go and try to 
get something useful going.
My approach is one where I talk directly to the Admin-API (at least when 
running in dom0) from this code which happens to have been written using Qt 
in C++, the code will be GPL licensed.

The GUI is showing some usefulness already, the ‘start’, ‘pause’ and ‘stop’ 
buttons are functional.

I just wanted to show some progress, hope you like it.



Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)

2017-12-17 Thread 'Tom Zander' via qubes-users
On Saturday, 16 December 2017 03:25:46 CET Yuraeitha wrote:
> Initially, this is all the reasons I can think of for wanting V-GPU.
...
> - Extending a single Qubes machine around the house or company, using
> multiple of screens, keyboards/mouses or other thinkable means.

This sounds inherently unsafe.
Not sure what your usecase is, but there has to be a better way than 
allowing a multitude of foreign, not-directly-connected hardware from 
accessing various very security sensitive channels.

...
> - Cryptocoin miners who wish to utilize a single machine
> for all round purposes. 

To build a proper crypto-mining rig based on GPUs, you would not run an OS 
on the machine. It literally drains money out of your system to use it on 
the same hardware as your main desktop.
If you install 8 GPUs on a mainboard, you have to realize that the mainboard 
ends up costing a fraction of the total.
Reusing it for non-mining purposes (while mining) just doesn't make any 
sense. Both from an economics as well as a security point of view.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] GPU Passthrough Status - (Purely a meta-discussion, no specifics)

2017-12-17 Thread 'Tom Zander' via qubes-users
On Sunday, 17 December 2017 11:59:26 CET Yuraeitha wrote:
> f, but from what I understand, complex software is hard to make secure,
> compared to well-made hardware minimizing use of software. If Qubes
> hypothetically were to adopt these, would the hardware approach be more
> secure here?

The question isn't really about software vs hardware.
The overall design and concept is what is more important.
The actual approach of how to do this makes or breaks the security mode. 
From that approach follows what parts are required to be in hardware (to 
still be fast and secure).

I claim no expertise in the domain you address in this thread, so apologies 
for the generic answer.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-13 Thread 'Tom Zander' via qubes-users
On Wednesday, 13 December 2017 00:49:14 CET Connor Page wrote:
> I’ll disagree with comparison of btrfs to lvm. there is a very significant
> difference between btrfs and lvm. btrfs is like a namespace and lvm
> volumes are block devices. one can put a namespace on a block device. but
> yes, layers and layers of metadata processing required.
> 
> BTW, has anyone started a btrfs driver for storage pools? I think it could
> very tricky if at all possible.

related;
https://github.com/QubesOS/qubes-issues/issues/3334

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] Re: USB Keyboard thoughts...

2017-12-12 Thread 'Tom Zander' via qubes-users
On Tuesday, 12 December 2017 16:24:16 CET cooloutac wrote:
> well I'm no expert but with ps/2 keyboard it will be the only thing
> attached,  unlike usb which can have multiple devices on same controller,
> spoofed as other devices.  Is there a better option?

The attack modes are two very different ones.

 Taiidan is thinking about someone coming in, installing a snooping device 
and waiting for you to type something critical.

In contrast, your ps2 solution is one which protects against people at any 
time entering your OS through compromised (usb) hardware.

Either by giving you a pen, or entering the pen themselves.
It seems that if you drop usb pens in the parking lot of a mall or company, 
you have a very very high chance some unsuspecting person will insert it in 
their machine.

With the amount of bad USB drivers in the linux tree (not to mention in 
Windows) this is a worrying attack allowing the machine to be rooted without 
the attacker even being physically present.

sys-usb limits this attack.

> USB to ps/2 adapter works,  i apologize if it is a too simple and
> practical cheap solution.   If you are oldschool you probably have some
> laying around the house.

I think that's a great solution for the more common attack.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-12 Thread 'Tom Zander' via qubes-users
On Tuesday, 12 December 2017 16:18:25 CET Connor Page wrote:
> so in short, first create a qubes storage pool
> qvm-pool --add

In the spirit of a “howto”, can you fill in the actual values to allow one to 
add a second drive as the ‘private’ (home) partition *only* of a Qube?
 
> if you go for a thin pool, create it first and use volume group and thin
> pool names as options for qvm-pool.

As the storage pools doc is missing readability, I have to say I have no 
clue what a “thin pool” is.
What a “volume group” is.

Last, how does one create a btrfs filesystem on their “home” drive when using 
this pool concept?
 
> P.S. I’m not sure lvm backend operates properly. File-based backend can
> also be used instead. Just mount the secondary drive in dom0 and use the
> old trusty file driver if worried.

Using a file is going to cause lots of fragmentation and adds an unneeded 
layer that will just be able to introduce issues.
What is the benefit of using pools?

Doing a backup of a 1TB homedir can be done without the backup tool too ;)
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 15:10:17 GMT Connor Page wrote:
> I hope you do understand that there is no encryption in what you propose.

That's why I wrote;
> I assume you already partitioned and did everything you need with the
> drive, it should be available to dom0.

I cowardly leave the full-disk encryption details to be done by people before 
they start the howto :-)



Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> This is a case where "making stuff work a lot nicer" isn't necessarily a
> good idea.

The "lot nicer" is that it is quite a bit faster and error handling is much 
better.

>  I don't think you should advise against this without explaining the risks.

Can you perhaps explain what you think those risks are?

To me it boils down to; don't run any software except for "software upgrades" 
in your template.

I'm wondering if this is a "protect the user from himself" or something real.



Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 11:31:22 GMT Connor Page wrote:
> templates establish a connection to a proxy running in some netvm defined
> in dom0 over a vchan.

Would you be able to repeat that in English ? :-)




[qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.

2017-12-11 Thread 'Tom Zander' via qubes-users
Lots of things changed in Qubes4, and I think I am finding out things lots of 
others will need to find out at one point too.
So for them, as well as for my own memory, I'll write some howto emails.


The task;

as I run Qubes on a machine with a relatively small SSD and large spinning 
disk, I want to make my homedir (/home/user) be completely stored on the 
spinning disk.
I have two main Qubes which require storage. A Private and a Work qube.
Each gets one partition on my 2TB drive.
I assume you already partitioned and did everything you need with the drive, 
it should be available to dom0.

1) Create and start a Qube "Work".
2) open a terminal in the Work qube.
3) do an ls /dev/xv*

4) Start a terminal for dom0;
5) run in dom0 in a terminal;
  a) qvm-block
     this shows a listing of drives with their names. Mine is; "dom0:sdb1"
  b) qvm-block a --persistent -- Work dom0:sdb1

The 'persistent' part here is a new 4.0 feature, seems undocumented but it 
means you only ever have to do the add once. Further reboots and restarts of 
the Qube will automatically re-attach the drive.

6) in the terminal for Work, rerun the ls from step 3 and check which device 
was added. Possibly "xvdi"
7) edit (as root) the file /rw/config/rc.local and add this line;
  mount /dev/xvdi /rw/home/user/
Using the device you found in 6 instead of xvdi should it be different.

8) make the /rw/config/rc.local file executable.
You can do this by running;
   sudo chmod 755 /rw/config/rc.local

9) Now shutdown and restart the Work qube and start a new terminal
10) (optionally) in the terminal type;
chown user.user /home/user

All done!

known issue; it looks like the rc.local isn't always finished executing when 
the first app is started. This looks like a bug to me.
So if your first app is firefox, for instance, you won't get your personal 
settings (plugins/bookmarks) until you start it the second time :-(
My suggestion; make this qube autostart on login.

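The device check from steps 3 and 6 and the mount line from step 7, written defensively for /rw/config/rc.local. This is an added example, not part of the original post. The function names, the wait loop, the `$0` guard and the `nosuid,nodev` mount options are assumptions made here; /dev/xvdi and /rw/home/user are the values from the howto.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the howto above.
# All function names are hypothetical.

# Steps 3 and 6: print every device present in the second listing but not
# in the first, e.g. the output of "ls /dev/xv*" before and after attaching.
new_devices() {
    before=" $(printf '%s' "$1" | tr '\n\t' '  ') "
    for dev in $2; do
        case "$before" in
            *" $dev "*) ;;                  # already there before the attach
            *) printf '%s\n' "$dev" ;;      # newly attached device
        esac
    done
}

# True if TARGET is listed as a mount point. The second argument is only
# for testing against a constructed file; the default is /proc/mounts.
is_mounted() {
    target=$1
    mounts=${2:-/proc/mounts}
    awk -v t="$target" '$2 == t { found = 1 } END { exit !found }' "$mounts"
}

# Step 7: mount DEV on TARGET, but only once the persistent attachment has
# actually produced a block device, and never twice.
mount_home() {
    dev=$1
    target=$2
    tries=${3:-10}                          # seconds to wait for the device
    while [ ! -b "$dev" ] && [ "$tries" -gt 0 ]; do
        sleep 1
        tries=$((tries - 1))
    done
    if [ ! -b "$dev" ]; then
        echo "rc.local: $dev is not a block device, not mounting" >&2
        return 1
    fi
    if is_mounted "$target"; then
        return 0                            # nothing to do on a re-run
    fi
    # nosuid,nodev is an added choice: a home directory on a separately
    # attached partition needs neither setuid binaries nor device nodes.
    mount -o nosuid,nodev "$dev" "$target"
}

# Assumption: the script is installed as /rw/config/rc.local, so $0 ends in
# "rc.local". Run from anywhere else, it only defines the functions.
case "$0" in
    */rc.local) mount_home /dev/xvdi /rw/home/user ;;
esac
```

If the device name found in step 6 differs from xvdi, change it in the last `mount_home` call only.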


Re: [qubes-users] How to create DVM Templates in Qubes OS 4?

2017-12-10 Thread 'Tom Zander' via qubes-users
On Sunday, 10 December 2017 07:09:35 CET qbertq...@gmail.com wrote:
> What I don't understand

Just want to point out that the 4.0 support for dispVMs is extremely basic 
and honestly quite broken.
The concept works, most of the tools don't or are just shitty.

Happy to hear you made it work :)
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] How to create DVM Templates in Qubes OS 4?

2017-12-09 Thread 'Tom Zander' via qubes-users
On Saturday, 9 December 2017 23:03:38 CET qbertq...@gmail.com wrote:
> In Qubes OS 3, the documented way of creating DVM Templates is to use
> qvm-create-default-dvm (see
> https://www.qubes-os.org/doc/dispvm-customization/)
> 
> qvm-create-default-dvm was removed in Qubes OS 4, so what's the new way to
> create DVM Templates (https://www.qubes-os.org/doc/glossary/)?
> 
> I would like to install something in a TemplateVM, configure it in a DVM
> Template, and run it in a disposable VM.


The documentation is outdated, there is an article that explains the 4.0 
way;
https://blog.invisiblethings.org/2017/10/03/core3.html
See heading; "Disposable VMs redesigned"

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] What happened to domain manager in 4?

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 14:56:00 CET Chris Laprise wrote:
> > I also know that the “state of the art” in creating user interfaces has
> > moved on and the technology used in the old app is end-of-lifed for some
> > years now.
> 
> Which end-of-life technology would that be?

In Qt5 (released 19 December 2012) the qwidget module was split off onto its 
own and the APIs  in that module have been frozen ever since.
This details the module; https://doc.qt.io/qt-5/qtwidgets-index.html

Newer applications using Qt are suggested to use the declarative APIs which 
have the added benefit of using the massive speedups Qt GUIs get from using 
modern hardware and new architecture.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] VM's fail to start after fixing chock-full LVM thinpool

2017-12-08 Thread 'Tom Zander' via qubes-users
On Friday, 8 December 2017 01:05:32 CET Patrick wrote:
> I found the problem!  My /var/lib/qubes/qubes.xml file was corrupted, so
> it could not be parsed correctly by qubesd. I restored a previous version
> from /var/lib/qubes/backup and now I am back in business! Thanks anyway
> for checking out my problem.  :-)

Thanks for reporting this!

This looks like a show-stopper bug to me.
The system should never be able to corrupt a critical file like that due to 
disk-full.

I reported it to the qubes devs;
https://github.com/QubesOS/qubes-issues/issues/3376

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel


