[qubes-users] Qubes OS 4.0.4 has been released!

2021-03-05 Thread Andrew David Wong

Dear Qubes Community,

We're pleased to announce the release of Qubes OS 4.0.4! This is the
fourth stable release of Qubes 4.0. It includes many updates over the
initial 4.0 release, including:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 5.4 by default

Qubes 4.0.4 is available on the downloads page:

https://www.qubes-os.org/downloads/


What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating [1] it results in the same system as
installing Qubes 4.0.4.


What should I do?
-----------------

If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully
updated [1], then your system is already equivalent to a Qubes
4.0.4 installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date. Please see
the installation guide [2] for detailed instructions.

Thank you to all the release candidate users for testing this release
and reporting issues [3]!


[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/04/qubes-4-0-4/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/235b6cc8-6904-d20f-132d-dd5bb8b651b1%40qubes-os.org.


OpenPGP_signature
Description: OpenPGP digital signature


[qubes-users] XSAs released on 2021-03-04

2021-03-04 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) 
on 2021-03-04.

The security of Qubes OS *is not affected* by these XSAs.
Therefore, *no user action is required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

 - (None)


XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


 - XSA-367 (not affected; Qubes uses PVH/HVM)
 - XSA-369 (DoS only)


Related links
-------------


 - Qubes Security Pack (qubes-secpack): 
https://www.qubes-os.org/security/pack/
 - Qubes Security Bulletins (QSBs): 
https://www.qubes-os.org/security/bulletins/

 - XSA Tracker: https://www.qubes-os.org/security/xsa/


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/04/xsas-released-on-2021-03-04/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB-066: XML injection through libvirt domain configuration

2021-03-03 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 066:
XML injection through libvirt domain configuration.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack 
(qubes-secpack).


View QSB-066 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-066-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

```


 ---===[ Qubes Security Bulletin 066 ]===---

 2021-03-03


 XML injection through libvirt domain configuration


User action required
=====================

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0:
  - qubes-core-dom0 package, version 4.0.58-1

  For Qubes 4.1:
  - qubes-core-dom0 package, version 4.1.20-1

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.  Alternatively, it is
possible to restart qubesd with the following command in dom0:

  $ systemctl restart qubesd.service

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.


Summary
========

The libvirt domain configuration is an XML file built by filling a
template with values specific to a particular domain -- mostly its
properties but, in a few cases, "features" (extra properties that can be
freely defined). While most of the properties have strictly-defined
formats, some allow for a very broad range of values -- broad enough to
allow characters that are otherwise special in XML. Using such
characters in XML values requires escaping them, which was not enabled
in the template engine we use (jinja2). The specific VM metadata
properties that allow free text and are used in libvirt XML are as
follows:

 - `kernelopts` property
 - `timezone` feature (although it is validated in the template itself)
 - `video-model` feature
 - `audio-model` feature (Qubes R4.1 only)

Normally, this wouldn't be an issue, since all VM settings come from a
trusted entity (dom0). However, with the introduction of the Admin API
[1] in Qubes 4.0, it is possible to allow less trusted domains (known as
"ManagementVMs") to manage a subset of VMs or their settings, including
the affected properties and features. This, in turn, can be used to
modify unintended parts of the libvirt XML. In the worst case, this
could lead to code execution in dom0.

To fix the issue, we're enabling the autoescape feature of the jinja2
template engine. This will cover the current problematic properties as
well as any others that might be introduced in the future. Additionally,
we're adding an extra validation step for "features" that are otherwise
used in a free text form context (specifically, `net.fake-*` features
are expected to be IP addresses, but they lacked such validation).

Note that a ManagementVM can still break a VM it has control over, for
example, by setting some property to an improper value in a given
context (e.g., too little memory or too short of a startup timeout).
However, after these changes, it should no longer be able to escalate
its permissions beyond what it has been assigned.


Impact
=======

Default Qubes 4.0 and 4.1 configurations are not affected.

If a less trusted domain (known as a "ManagementVM") is given Admin API
access to set any of the affected properties or features on any domain
(via the `admin.vm.property.Set` or `admin.vm.feature.Set` qrexec
services), it may use this access to elevate its privileges and
potentially take full control of the system.

Note that `qubes.FeaturesRequest` is enabled by default but *is not*
vulnerable for three reasons.  First, feature names are read from
qubesd, which enforces a whitelist of permitted characters in paths.
None of the permitted characters are metacharacters in XML.  Second,
none of the features for which dom0 will honor a request have their
values incorporated into libvirt XML.  Third, `qubes.FeaturesRequest`
can only unset a feature or set its value to `1`.

Credits
========

This issue was discovered by Demi Marie Obenour.


References
===========

[1] https://www.qubes-os.org/doc/admin-api/

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/03/qsb-066/


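The escaping fix described in QSB-066 above, as an added example that is not part of the bulletin or of the Qubes code base: a constructed, simplified domain template is filled with and without escaping, and the parsed element tree is compared against a baseline rendered from placeholder values. `str.format` and `html.escape` stand in for the jinja2 template engine and its autoescape feature so that the block runs on the standard library alone; the template, the sample values and all function names are assumptions.

```python
import html
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, heavily simplified stand-in for a libvirt domain template
# (not the Qubes template). One value lands in element text, one in an attribute.
TEMPLATE = """<domain type="xen">
  <name>{name}</name>
  <os>
    <type>hvm</type>
    <cmdline>{kernelopts}</cmdline>
  </os>
  <devices>
    <video><model type="{video_model}"/></video>
  </devices>
</domain>"""

# Constructed sample values. The crafted ones carry XML metacharacters and a
# harmless <marker/> element or extra attribute to make the effect visible.
BENIGN = {"name": "work", "kernelopts": "nopat quiet", "video_model": "vga"}
CRAFTED_TEXT = dict(BENIGN, kernelopts="quiet</cmdline><marker/><cmdline>")
CRAFTED_ATTR = dict(BENIGN, video_model='vga" extra="1')


def render(props, autoescape):
    """Fill the template. With autoescape, & < > " ' are turned into entities,
    which is the effect jinja2 autoescape has on substituted values."""
    if autoescape:
        props = {k: html.escape(str(v), quote=True) for k, v in props.items()}
    return TEMPLATE.format(**props)


def shape(xml_text):
    """Describe document structure only: element paths and attribute names."""
    found = []

    def walk(elem, prefix):
        path = prefix + "/" + elem.tag
        found.append((path, tuple(sorted(elem.attrib))))
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return found


def structure_changed(props, autoescape):
    """True if these values alter the XML structure relative to placeholder
    values, i.e. a value escaped its slot. Unparseable output counts too."""
    baseline = {k: "x" for k in props}
    try:
        return shape(render(props, autoescape)) != shape(render(baseline, autoescape))
    except ET.ParseError:
        return True


def cmdline_after_parse(props, autoescape):
    """What a consumer of the XML reads back as the kernel command line."""
    return ET.fromstring(render(props, autoescape)).find("os/cmdline").text


def valid_fake_ip_feature(name, value):
    """Extra validation for net.fake-* features: the value must be an IP address."""
    if not name.startswith("net.fake-"):
        return True
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, props in [("benign", BENIGN), ("text", CRAFTED_TEXT), ("attr", CRAFTED_ATTR)]:
        print(label, structure_changed(props, False), structure_changed(props, True))
```

With escaping on, the crafted `kernelopts` value survives the round trip as plain text, so the fix changes how the value is encoded, not which values can be stored.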

[qubes-users] "Improvements in testing and building: GitLab CI and reproducible builds" by Marek Marczykowski-Górecki

2021-02-28 Thread Andrew David Wong

Dear Qubes Community,

We have just published a new article:

"Improvements in testing and building: GitLab CI and reproducible builds"
by Marek Marczykowski-Górecki

https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/

For those using plain text email, the original Markdown source is 
reproduced below:


---
layout: post
title: "Improvements in testing and building: GitLab CI and reproducible builds"

categories: articles
author: Marek Marczykowski-Górecki
---

Over the last couple of months, we have made some significant changes to 
two important parts of the Qubes development process: testing and building.



What are continuous integration (CI) and reproducible builds?
-------------------------------------------------------------

Automated testing is a major part of the software development process. 
It spares developers many, many hours of manual testing that would still 
miss some bugs and other problems. In Qubes development, we're using an 
approach called "continuous integration" (CI), in which local changes 
made by the developers are frequently merged and tested remotely, using 
dedicated automated testing solutions. This is very important both for 
maintaining consistent code quality (all changes are tested) and for 
making development easier for the developers. Testing Qubes is not easy. 
Since Qubes is an entire operating system, doing the testing on the same 
system in which you're developing is a bit like building a rocket 
landing system en route to Mars --- not impossible, but very stressful.


The second area of improvement is the build process. The term 
"[reproducible builds]" refers to a process in which the same source 
code always compiles into exactly the same binary (for example, a 
package used to install a program via a package manager like `dnf` or 
`apt`). Why is this difficult to achieve? After all, computers are not 
random. Shouldn't builds be reproducible by default, without requiring 
special effort to make them deterministic? Unfortunately, it's not that 
simple. There are thousands of variables influencing the way binaries 
are built, ranging from the time of day to the availability of remote 
servers and locale settings.


Ensuring that binaries are built the same way every time is surprisingly 
difficult. However, the effort is worth the security benefits. To 
understand these benefits, imagine that an attacker wishes to feed 
unsuspecting users a compromised package. The attacker knows that the 
source code is public, so any malicious code he inserts into it would be 
highly exposed and at risk of detection. On the other hand, he reasons, 
compromising the build infrastructure would allow him to surreptitiously 
insert malicious changes that would make it into the resultant package. 
Since the source code remains untouched, his malicious changes are less 
likely to be detected. This is where the value of reproducible builds 
comes in. If the build process is reproducible, then we will immediately 
notice that building a package from the untouched source code results in 
a package that is *different* from the compromised one. This would be a 
major red flag that would prompt an immediate security investigation.



GitLab-CI migration
-------------------

As many of you are aware, we migrated from Travis-CI to GitLab-CI late 
last year. While the [direct reason][ci-thread] was a change in the 
Travis-CI terms of service, GitLab-CI gives us many additional benefits. 
Just to name a few:


 - A modern execution environment with native Docker support: We can 
use whatever base environment we like. We are no longer constrained to 
specific (not so fresh) Ubuntu versions.
 - Much more flexible job definitions, including dependencies among 
them: We use this to split jobs into smaller pieces that can run in 
parallel and reduce duplication among them.
 - Out-of-the-box support for caching and artifacts: Another feature 
allowing for a great speed-up of our tests. A specific build environment 
can be stored with a pre-populated cache, for example avoiding the need 
to create a chroot environment each time.
 - Higher time limits and the ability to connect our own workers: This 
allows us to automatically test bigger components like the Linux kernel 
(which previously didn't fit into Travis-CI's hard time limit).


The actual migration was a massive undertaking, with the [GitLab-CI 
configuration] spread across 50 files with over 1,000 lines in total. We 
have opened and merged over 90 pull requests in the process. This was 
mainly done by [Frédéric Pierret].


We still host the actual code on GitHub. We use GitLab only for CI. This 
mode of operation is supported natively by GitLab, but this support is 
quite limited. Most importantly, it [does not support] testing pull 
requests made from repository forks, which is the vast majority of our 
pull requests (if not all of them). For this reason, Frédéric ended up 
creating [our own integration], 

[qubes-users] Re: Announcement: Fedora 33 TemplateVMs available

2021-02-27 Thread Andrew David Wong

On 2/26/21 1:22 PM, Andrew David Wong wrote:

Dear Qubes Community,

New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a 
Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` 
qube to a Fedora 33 template. (Alternatively, you can create a separate 
management DisposableVM Template based on a Fedora 33 template for the 
purpose of updating Fedora 33 templates.) This does not affect updating 
internally using `dnf`.


Instructions are available for upgrading Fedora TemplateVMs [2]. We also 
provide fresh Fedora 33 TemplateVM packages through the official Qubes 
repositories, which you can get with the following commands (in dom0).


Standard [3] Fedora 33 TemplateVM:

     $ sudo qubes-dom0-update qubes-template-fedora-33

Minimal [4] Fedora 33 TemplateVM:

     $ sudo qubes-dom0-update qubes-template-fedora-33-minimal

After installing or upgrading a TemplateVM, please remember to update 
[5] (see important note above) and switch all qubes that were using the 
old template to use the new one [1].



[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/



*Addendum:* Fedora 33 has switched the default DNS resolver to 
systemd-resolved [1]. If resolving local domains on your LAN does not 
work as expected even when specifying the full name, you may wish to 
disable systemd-resolved and enable NetworkManager in the TemplateVM 
instead. For more on this, please see issue #6431 [2].


For a complete list of changes in Fedora 33, please see the official 
Fedora 33 release notes [3], and for a more general overview, the 
official Fedora 33 announcement [4].



[1] https://fedoraproject.org/wiki/Changes/systemd-resolved
[2] https://github.com/QubesOS/qubes-issues/issues/6431
[3] https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/
[4] https://fedoramagazine.org/announcing-fedora-33/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Announcement: Fedora 33 TemplateVMs available

2021-02-26 Thread Andrew David Wong

Dear Qubes Community,

New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a 
Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` 
qube to a Fedora 33 template. (Alternatively, you can create a separate 
management DisposableVM Template based on a Fedora 33 template for the 
purpose of updating Fedora 33 templates.) This does not affect updating 
internally using `dnf`.


Instructions are available for upgrading Fedora TemplateVMs [2]. We also 
provide fresh Fedora 33 TemplateVM packages through the official Qubes 
repositories, which you can get with the following commands (in dom0).


Standard [3] Fedora 33 TemplateVM:

$ sudo qubes-dom0-update qubes-template-fedora-33

Minimal [4] Fedora 33 TemplateVM:

$ sudo qubes-dom0-update qubes-template-fedora-33-minimal

After installing or upgrading a TemplateVM, please remember to update 
[5] (see important note above) and switch all qubes that were using the 
old template to use the new one [1].



[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] XSAs released on 2021-02-18

2021-02-19 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) 
on 2021-02-18.

The security of Qubes OS *is affected* by one or more of these XSAs.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

 - XSA-366

Please see QSB-065 for the actions users must take in order to protect 
themselves, as well as further details about these XSAs:


https://www.qubes-os.org/news/2021/02/19/qsb-065/


XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


 - (None)


Related links
-------------

 - Qubes Security Pack (qubes-secpack): 
https://www.qubes-os.org/security/pack/
 - Qubes Security Bulletins (QSBs): 
https://www.qubes-os.org/security/bulletins/

 - XSA Tracker: https://www.qubes-os.org/security/xsa/


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/19/xsas-released-on-2021-02-18/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB-065: Missed flush in XSA-321 backport (XSA-366)

2021-02-19 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 065:
Missed flush in XSA-321 backport (XSA-366).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack 
(qubes-secpack).


View QSB-065 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-065-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-366 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#366

```


 ---===[ Qubes Security Bulletin 065 ]===---

 2021-02-18


  Missed flush in XSA-321 backport (XSA-366)


User action required
=====================

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0:
  - Xen packages, versions 4.8.5-30

  For Qubes 4.1: not affected

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
========

On 2021-02-18, the Xen Security Team published the following Xen
Security Advisory (XSA):

XSA-366 [1] "missed flush in XSA-321 backport"
| An oversight was made when backporting XSA-320, leading entries in the
| IOMMU not being properly updated under certain circumstances.



Impact
=======

XSA-366, as described by the Xen Security Team:
| A malicious guest may be able to retain read/write DMA access to
| frames returned to Xen's free pool, and later reused for another
| purpose.  Host crashes (leading to a Denial of Service) and privilege
| escalation cannot be ruled out.


Credits
========

See the original Xen Security Advisory.


References
===========

[1] https://xenbits.xen.org/xsa/advisory-366.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/19/qsb-065/



[qubes-users] XSAs released on 2021-02-16

2021-02-17 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) 
on 2021-02-16.

The security of Qubes OS *is affected* by these XSAs.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

 - XSA-365

Please see QSB-064 for the actions users must take in order to protect 
themselves, as well as further details about these XSAs:


https://www.qubes-os.org/news/2021/02/17/qsb-064/


XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


 - XSA-361 (DoS-only)
 - XSA-362 (DoS-only)
 - XSA-363 (DoS-only)
 - XSA-364 (ARM-only)


Related links
-------------

 - Qubes Security Pack (qubes-secpack): 
https://www.qubes-os.org/security/pack/
 - Qubes Security Bulletins (QSBs): 
https://www.qubes-os.org/security/bulletins/

 - XSA Tracker: https://www.qubes-os.org/security/xsa/


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/17/xsas-released-on-2021-02-16/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB-064: Linux: error handling issues in blkback's grant mapping (XSA-365)

2021-02-17 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 064:
Linux: error handling issues in blkback's grant mapping (XSA-365).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack 
(qubes-secpack).


View QSB-064 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-064-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-365 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#365

```


 ---===[ Qubes Security Bulletin 064 ]===---

 2021-02-16


   Linux: error handling issues in blkback's grant mapping (XSA-365)


User action required
=====================

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0:
  - Linux kernel packages, versions 5.10.16-1, 5.4.98-1, 4.19.176-1

  For Qubes 4.1:
  - Linux kernel packages, versions 5.10.16-1, 5.4.98-1

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Linux kernel binaries.


Summary
========

On 2021-02-16, the Xen Security Team published the following Xen
Security Advisory (XSA):

XSA-365 [1] "Linux: error handling issues in blkback's grant mapping"
| To service requests, the driver maps grant references provided by the
| frontend.  In this process, errors may be encountered.  In one case an
| error encountered earlier might be discarded by later processing,
| resulting in the caller assuming successful mapping, and hence
| subsequent operations trying to access space that wasn't mapped.  In
| another case internal state would be insufficiently updated, preventing
| safe recovery from the error.


Impact
=======

XSA-365, as described by Xen Security Team:
| A malicious or buggy frontend driver may be able to crash the
| corresponding backend driver, potentially affecting the entire domain
| running the backend driver.  In configurations without driver domains
| or similar disaggregation, that is a host-wide denial of service.
|
| Privilege escalation and information leaks cannot be ruled out.


Credits
========

See the original Xen Security Advisories.


References
===========

[1] https://xenbits.xen.org/xsa/advisory-365.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```




[qubes-users] Qubes OS 4.0.4-rc2 has been released!

2021-01-23 Thread Andrew David Wong

Dear Qubes Community,

We're pleased to announce the second release candidate for Qubes OS
4.0.4.

Qubes OS 4.0.4-rc2 includes many updates over the initial 4.0 release,
in particular:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 5.4 by default
- Bug fixes from 4.0.4-rc1

Qubes 4.0.4-rc2 is available on the downloads page:

https://www.qubes-os.org/downloads/


What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.4.


What should I do?
-----------------

If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully
updated [1], then your system is already equivalent to a Qubes 4.0.4
installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date. Please see
the installation guide [2] for detailed instructions.

If you're willing to test [3] this release candidate, you can help to
improve the stable release by reporting any bugs you encounter [4].


Release candidate planning
--------------------------

If no major issues are discovered in 4.0.4-rc2, we expect to announce
the stable release of 4.0.4 in a couple weeks.


[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/testing/
[4] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/01/22/qubes-4-0-4-rc2/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] XSAs released on 2021-01-21

2021-01-22 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) 
on 2021-01-21.

The security of Qubes OS *is not affected* by these XSAs.
Therefore, *user action is not required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

None.


XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


 - XSA-360 (DoS only)


Related links
-------------

 - Qubes Security Pack (qubes-secpack): 
https://www.qubes-os.org/security/pack/
 - Qubes Security Bulletins (QSBs): 
https://www.qubes-os.org/security/bulletins/

 - XSA Tracker: https://www.qubes-os.org/security/xsa/


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/01/22/xsas-released-on-2021-01-21/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [EXT] Re: [qubes-users] Disable lock screen / screenshot question

2021-01-02 Thread Andrew David Wong

On 1/2/21 9:05 AM, Ulrich Windl wrote:

On 12/30/20 8:20 AM, Andrew David Wong wrote:

On 12/29/20 10:02 AM, Ulrich Windl wrote:

[...]
When trying, it seems my Dom0 does not have a file manager in the 
menu. I had to run "thunar" manually from the terminal.


This is by design. Using a file manager in dom0 is a security risk and 
is therefore discouraged:


https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md#dom0-precautions 



So is there an alternative that gets the user script registered for 
saving a screenshot?




I'm not sure exactly what you mean, but there's:

https://github.com/QubesOS/qubes-issues/issues/953

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [EXT] Re: [qubes-users] Disable lock screen / screenshot question

2020-12-29 Thread Andrew David Wong

On 12/29/20 10:02 AM, Ulrich Windl wrote:

[...]
When trying, it seems my Dom0 does not have a file manager in the menu. 
I had to run "thunar" manually from the terminal.


This is by design. Using a file manager in dom0 is a security risk and 
is therefore discouraged:


https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md#dom0-precautions

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: HCL - Dell Latitude 7280

2020-12-29 Thread Andrew David Wong

On 12/29/20 5:15 PM, Sven Semmler wrote:

On 12/29/20 3:52 AM, Max Parker wrote:

dell link no longer works:(


@ADW: what do we want to do in such a case? Already checked the internet 
archive and couldn't find any cached versions.


/Sven



If a link is dead and there's no archive.org version, we just have to 
remove the link. It's unfortunate, but I don't see what else we can do.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: Qubes Canary 025

2020-12-16 Thread Andrew David Wong

On 12/14/20 5:58 AM, Andrew David Wong wrote:

Dear Qubes Community,

Several users have pointed out a mistake in the canary below. "March 
2020" should instead be "March 2021". This was just a typographical 
error. We will be fixing this and updating the signatures on the canary. 
Thank you.




"March 2020" has now been corrected to "March 2021" in statement 5.
The original canary, the website announcement, and the signatures on the 
canary have all been updated. Thank you.



On 12/12/20 6:22 AM, Andrew David Wong wrote:

Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is
reproduced below.

Note: We have decided to make some minor formatting changes to the way
Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed,
such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in
the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt 



Learn about the qubes-secpack, including how to obtain, verify, and
read it:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canaries/

```


 ---===[ Qubes Canary 025 ]===---


Statements
---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of March 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces 
Career Turning Point

Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an 
Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic 
Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for 
the Worse


Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)

Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases  and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't j

[qubes-users] XSAs released on 2020-12-15

2020-12-16 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project released new Xen Security Advisories (XSAs) on 2020-12-15.
The security of Qubes OS *is affected* by at least one of these XSAs.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)


The following XSAs *do affect* the security of Qubes OS:

 - XSA-115
 - XSA-325
 - XSA-350

Please see QSB-063 for the actions users must take in order to protect 
themselves, as well as further details about these XSAs:


https://www.qubes-os.org/news/2020/12/16/qsb-063/


XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


 - XSA-322 (domid reuse impractical in Qubes case)
 - XSA-323 (no oxenstored)
 - XSA-324 (DoS only)
 - XSA-330 (DoS only)
 - XSA-348 (DoS only)
 - XSA-349 (DoS only)
 - XSA-352 (no oxenstored)
 - XSA-353 (no oxenstored)
 - XSA-354 (DoS only)
 - XSA-356 (DoS only)
 - XSA-358 (DoS only)
 - XSA-359 (DoS only)


Related links
-------------

 - Qubes Security Pack (qubes-secpack): 
https://www.qubes-os.org/security/pack/
 - Qubes Security Bulletins (QSBs): 
https://www.qubes-os.org/security/bulletins/

 - XSA Tracker: https://www.qubes-os.org/security/xsa/


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/16/xsas-released-on-2020-12-15/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB-063: Multiple Xen issues (XSA-115, XSA-325, XSA-350)

2020-12-16 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 063: Stack 
corruption from XSA-346 change (XSA-355). The text of this QSB is 
reproduced below. This QSB and its accompanying signatures will always 
be available in the Qubes Security Pack (qubes-secpack).


View QSB-063 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-063-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View the XSA Tracker:

https://www.qubes-os.org/security/xsa/

```


 ---===[ Qubes Security Bulletin 063 ]===---

 2020-12-15


   Multiple Xen issues (XSA-115, XSA-325, XSA-350)


User action required
=

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-28
  - Linux kernel packages, versions 5.9.14-1, 5.4.83-1, 4.19.163-1

  For Qubes 4.1:
  - Xen packages, version 4.14.0-9
  - Linux kernel packages, versions 5.9.14-1, 5.4.83-1, 4.19.163-1

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary


On 2020-12-15, the Xen Security Team published the following Xen
Security Advisories (XSAs):

XSA-115 [1] "xenstore watch notifications lacking permission checks"
| Neither xenstore implementation does any permissions checks when
| reporting a xenstore watch event.
|
| A guest administrator can watch the root xenstored node, which will
| cause notifications for every created, modified and deleted key.
|
| A guest administrator can also use the special watches, which will
| cause a notification every time a domain is created and destroyed.
|
| Data may include:
|  - number, type and domids of other VMs
|  - existence and domids of driver domains
|  - numbers of virtual interfaces, block devices, vcpus
|  - existence of virtual framebuffers and their backend style (eg,
|existence of VNC service)
|  - Xen VM UUIDs for other domains
|  - timing information about domain creation and device setup
|  - some hints at the backend provisioning of VMs and their devices
|
| The watch events do not contain values stored in xenstore, only key
| names.

XSA-325 [2] "Xenstore: guests can disturb domain cleanup"
| Xenstored and guests communicate via a shared memory page using a
| specific protocol. When a guest violates this protocol, xenstored will
| drop the connection to that guest.
|
| Unfortunately this is done by just removing the guest from xenstored's
| internal management, resulting in the same actions as if the guest had
| been destroyed, including sending an @releaseDomain event.
|
| @releaseDomain events do not say guest has been removed.  All watchers
| of this event must look at the states of all guests to find the guest
| which has been removed.  When an @releaseDomain is generated due to
| domain xenstored protocol violation, As the guest is still running, so
| the watchers will not react.
|
| Later, when the guest is actually destroyed, xenstored will no longer
| have it stored in its internal data base, so no further @releaseDomain
| event will be sent. This can lead to a zombie domain; memory mappings
| of that guest's memory will not be removed, due to the missing
| event. This zombie domain will be cleaned up only after another domain
| is destroyed, as that will trigger another @releaseDomain event.
|
| If the device model of the guest which violated the Xenstore protocol
| is running in a stub-domain, a use-after-free case could happen in
| xenstored, after having removed the guest from its internal data base,
| possibly resulting in a crash of xenstored.

XSA-350 [3] "Use after free triggered by block frontend in Linux blkback"
| The Linux kernel PV block backend expects the kernel thread handler
| to reset ring->xenblkd to NULL when stopped. However, the handler may
| not have time to run if the frontend quickly toggle between the states
| connect and disconnect.
|
| As a consequence, the block backend may re-use a pointer after it was
| freed.


Impact
===

XSA-115, as described by Xen Security Team:
| A guest administrator can observe non-sensitive domain and device
| lifecycle events relating to other 

[qubes-users] Re: Qubes Canary 025

2020-12-14 Thread Andrew David Wong

Dear Qubes Community,

Several users have pointed out a mistake in the canary below. "March 
2020" should instead be "March 2021". This was just a typographical 
error. We will be fixing this and updating the signatures on the canary. 
Thank you.


On 12/12/20 6:22 AM, Andrew David Wong wrote:

Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is
reproduced below.

Note: We have decided to make some minor formatting changes to the way
Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed,
such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in
the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt 



Learn about the qubes-secpack, including how to obtain, verify, and
read it:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canaries/

```


     ---===[ Qubes Canary 025 ]===---


Statements
---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

     427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of March 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces Career 
Turning Point

Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an 
Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic 
Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for the 
Worse


Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)

Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases  and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/12/canary-25/



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
h

[qubes-users] Qubes Canary 025

2020-12-12 Thread Andrew David Wong

Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is
reproduced below.

Note: We have decided to make some minor formatting changes to the way
Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed,
such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in
the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and
read it:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canaries/

```


---===[ Qubes Canary 025 ]===---


Statements
---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of March 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces Career 
Turning Point

Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an 
Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic 
Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for the 
Worse


Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)

Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases  and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/12/canary-25/
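
The replies in this thread correct statement 5 from "March 2020" to "March 2021". The sketch below is an added example, not part of the original messages or of any Qubes tooling: it parses a canary's statements and flags that kind of inconsistency, as a sanity check to run alongside verification of the detached PGP signatures. The function names, finding codes, the `previous_qsb_count` parameter and the reading of "first two weeks" as "by the 14th" are assumptions made for this example.

```python
import re
from datetime import date, datetime

# Qubes Master Signing Key fingerprint as printed in statement 3 on this page.
PINNED_FPR = "427F11FD0FAA4B080123F01CDDFA1A3E36879494"

# Abridged from the Canary 025 text quoted on this page, as first posted
# (statement 5 still reads "March 2020").
CANARY_025_AS_POSTED = """\
---===[ Qubes Canary 025 ]===---

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

    427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

5. We plan to publish the next of these canary statements in the first
two weeks of March 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +
"""


def _field(pattern, text, what):
    """Return the regex match for one statement, or fail loudly if absent."""
    match = re.search(pattern, text)
    if match is None:
        raise ValueError(f"canary text has no {what}")
    return match


def parse_canary(text):
    """Extract the machine-checkable statements from a canary's text."""
    issue = _field(r"date of issue of this canary is\s+(\w+ \d{1,2}, \d{4})",
                   text, "issue date")
    qsbs = _field(r"There have been\s+(\d+)\s+Qubes Security Bulletins",
                  text, "QSB count")
    fpr = _field(r"fingerprint is:\s*((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})",
                 text, "fingerprint")
    nxt = _field(r"first\s+two\s+weeks\s+of\s+(\w+)\s+(\d{4})",
                 text, "next-canary promise")
    fresh = _field(r"Proof of freshness\s*-*\s*\w{3},\s+(\d{1,2} \w{3} \d{4})",
                   text, "proof-of-freshness timestamp")
    promised = datetime.strptime(f"{nxt.group(1)} {nxt.group(2)}", "%B %Y")
    return {
        "issue_date": datetime.strptime(issue.group(1), "%B %d, %Y").date(),
        "qsb_count": int(qsbs.group(1)),
        "fingerprint": re.sub(r"\s+", "", fpr.group(1)).upper(),
        # Assumption: "first two weeks of <month>" means no later than the 14th.
        "next_deadline": date(promised.year, promised.month, 14),
        "freshness_date": datetime.strptime(fresh.group(1), "%d %b %Y").date(),
    }


def check_canary(text, today, previous_qsb_count=None):
    """Return a list of finding codes; an empty list means nothing stood out."""
    c = parse_canary(text)
    findings = []
    if c["fingerprint"] != PINNED_FPR:
        findings.append("fingerprint-mismatch")
    if c["freshness_date"] < c["issue_date"]:
        # Headlines older than the issue date do not rule out earlier creation.
        findings.append("freshness-predates-issue")
    if previous_qsb_count is not None and c["qsb_count"] < previous_qsb_count:
        findings.append("qsb-count-decreased")
    if c["next_deadline"] <= c["issue_date"]:
        # The promised window is already in the past: the "March 2020" case.
        findings.append("next-canary-not-after-issue")
    elif today > c["next_deadline"]:
        findings.append("next-canary-overdue")
    return findings


if __name__ == "__main__":
    corrected = CANARY_025_AS_POSTED.replace("March 2020", "March 2021")
    print("as posted:", check_canary(CANARY_025_AS_POSTED, date(2020, 12, 12)))
    print("corrected:", check_canary(corrected, date(2020, 12, 16)))
```

Run it only on canary text whose signatures have already been verified; the checks catch drafting errors and missed deadlines, not forgery.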


Re: [qubes-users] Can no longer copy text from xterm by default

2020-12-12 Thread Andrew David Wong

On 12/10/20 8:14 PM, unman wrote:

On Fri, Dec 11, 2020 at 03:56:16AM +, unman wrote:

On Thu, Dec 10, 2020 at 06:47:16PM -0800, Andrew David Wong wrote:

On 12/10/20 6:25 AM, unman wrote:

On Wed, Dec 09, 2020 at 06:49:35PM -0800, Andrew David Wong wrote:

I used to be able to do the following to copy text from xterm in
Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY
buffer.

2. Press  in order to bring up a menu (I think
it was the "VT Options" menu).

3. In this menu, select the option to copy text from the PRIMARY buffer to
that VM's local clipboard.

4. Press  to copy text to the Qubes inter-VM clipboard and
proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea
why. Pressing  in xterm now does nothing, as far
as I can tell. I've checked my trackpad/mouse settings, and everything seems
fine and unchanged. I've tried pressing the left and right mouse buttons
simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me
to copy text, but I'd still like to know whether there's a way to do it by
default for cases in which the VM is uncustomized. Does anyone know if there
is such a way?



On Debian you can hold down the Ctrl key before pressing the button, to get the
VT options menu. See if that works for you. Does for me.



No, that's exactly the behavior I described as no longer working for me.
 means the same thing as holding down Ctrl
before pressing the middle mouse button.



In my experience, holding a key down *before* another action does not
always work the same as performing both actions simultaneously, so I
did not think that these "meant the same thing".


Ah, interesting. In my experience, they've always meant the same thing 
in the context of computing, but I suppose it's possible that some 
systems treat them differently.



Can you call up the Main options, and Font menus using buttons 1 and 2?



Yes, those are still working as expected.



Add "XTerm*selectToClipboard:true" to ~/.Xdefaults and you need not
invoke the menu



Right. As mentioned above, I'm aware that I can customize the xterm 
settings in order to be able to copy text, but I'd still like to know
whether there's a way to do it with the default settings for cases in 
which the VM is uncustomized.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: Can no longer copy text from xterm by default

2020-12-10 Thread Andrew David Wong

On 12/10/20 12:23 PM, Ulrich Windl wrote:

On 12/10/20 3:49 AM, Andrew David Wong wrote:
I used to be able to do the following to copy text from
xterm in Fedora and Debian VMs:


1. Select/highlight the desired text, thereby inserting it into the 
PRIMARY buffer.


2. Press  in order to bring up a menu (I 
think it was the "VT Options" menu).


3. In this menu, select the option to copy text from the PRIMARY 
buffer to that VM's local clipboard.


4. Press  to copy text to the Qubes inter-VM 
clipboard and proceed as usual.


However, some time ago, step 2 suddenly stopped working, and I have no 
idea why. Pressing  in xterm now does 
nothing, as far as I can tell. I've checked my trackpad/mouse 
settings, and everything seems fine and unchanged. I've tried pressing 
the left and right mouse buttons simultaneously instead, but nothing.


I know that I can probably create custom xterm settings that will 
allow me to copy text, but I'd still like to know whether there's a 
way to do it by default for cases in which the VM is uncustomized. 
Does anyone know if there is such a way?


I never used that, but here for the fedora-32 template it works.
I think you can override bindings inside the app via X resources, but my 
suspicion is that the window manager "captures" the mouse or key event, so
it does not arrive at the terminal any more.




I'm confused. You say it's working in the Fedora 32 template for you, 
yet you also say the key event is captured, so it's not arriving at the 
terminal anymore. How can it be working for you if the key event is 
being captured by the window manager?


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Can no longer copy text from xterm by default

2020-12-10 Thread Andrew David Wong

On 12/10/20 6:25 AM, unman wrote:

On Wed, Dec 09, 2020 at 06:49:35PM -0800, Andrew David Wong wrote:

I used to be able to do the following to copy text from xterm in
Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY
buffer.

2. Press  in order to bring up a menu (I think
it was the "VT Options" menu).

3. In this menu, select the option to copy text from the PRIMARY buffer to
that VM's local clipboard.

4. Press  to copy text to the Qubes inter-VM clipboard and
proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea
why. Pressing  in xterm now does nothing, as far
as I can tell. I've checked my trackpad/mouse settings, and everything seems
fine and unchanged. I've tried pressing the left and right mouse buttons
simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me
to copy text, but I'd still like to know whether there's a way to do it by
default for cases in which the VM is uncustomized. Does anyone know if there
is such a way?



On Debian you can hold down the Ctrl key before pressing the button, to get the
VT options menu. See if that works for you. Does for me.



No, that's exactly the behavior I described as no longer working for me. 
 means the same thing as holding down Ctrl 
before pressing the middle mouse button.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Can no longer copy text from xterm by default

2020-12-09 Thread Andrew David Wong
I used to be able to do the following to copy text from xterm 
in Fedora and Debian VMs:


1. Select/highlight the desired text, thereby inserting it into the 
PRIMARY buffer.


2. Press  in order to bring up a menu (I 
think it was the "VT Options" menu).


3. In this menu, select the option to copy text from the PRIMARY buffer 
to that VM's local clipboard.


4. Press  to copy text to the Qubes inter-VM clipboard 
and proceed as usual.


However, some time ago, step 2 suddenly stopped working, and I have no 
idea why. Pressing  in xterm now does 
nothing, as far as I can tell. I've checked my trackpad/mouse settings, 
and everything seems fine and unchanged. I've tried pressing the left 
and right mouse buttons simultaneously instead, but nothing.


I know that I can probably create custom xterm settings that will allow 
me to copy text, but I'd still like to know whether there's a way to do 
it by default for cases in which the VM is uncustomized. Does anyone 
know if there is such a way?


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Are known cpu bugs a risk as long as I work with Qubes OS?

2020-12-07 Thread Andrew David Wong

On 12/7/20 3:21 AM, Rainer Neumann wrote:

Thank you, Sven, for your answer to the topic of qubes-hcl-report. I have one 
additional question.

If I type in a console "cat /proc/cpuinfo", I get an output, where one line is called 
"bugs". It looks like my cpu has a lot of bugs: null_seg, cpu_meltdown, spectre_v1, 
spectre_v2, spec_store_bypass, l1tf, mds, swapgs, itlb_multihit, srbds.

The producer of my computer offers a bios and microprocessor update for the purpose to 
fix these bugs. It is an exe-file for Windows: 
https://www.dell.com/support/home/de-ch/drivers/driversdetails?driverid=5m70h=wt32a=optiplex-7010

Okay, let's say, we can trust Intel and the computer manufacturer. But is it 
really necessary to install the update as long as I work with Qubes OS?

Kindly regards,
Rainer



Have a look at this:

https://unix.stackexchange.com/questions/456425/what-does-the-bugs-section-of-proc-cpuinfo-actually-show

Specifically:

"Dump the flags which denote we have detected and/or have applied bug 
workarounds to the CPU we're executing on, in a similar manner to the 
feature flags."


In other words, according to the commit that added it, the "bugs" 
section doesn't tell you whether your CPU is vulnerable to the things in 
the list. Maybe a mitigation has already been applied. Maybe it has 
merely been detected and nothing has been done about it. We have no way 
to tell just from this section. You would have to do further 
investigation into each of these in order to try to determine whether 
your CPU is currently vulnerable.


Here's a discussion about doing that:

https://www.reddit.com/r/linux/comments/8k3x3b/til_proccpuinfo_shows_architecture_bugs_such_as/

It specifically mentions checking in:

/sys/devices/system/cpu/vulnerabilities/

However, Qubes is different from a standard Linux OS, and we often take 
our own special steps to address security problems, so there may be 
additional mitigations on top of whatever is mentioned here. In 
addition, the unique architecture of Qubes makes certain classes of 
security vulnerabilities inapplicable, so it will probably depend on the 
specific nature of that particular bug.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
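
The check discussed in the reply above, as an added example that is not part of the original message: it takes the flags on the `bugs` line of `/proc/cpuinfo` and looks up what the running kernel reports for each one under `/sys/devices/system/cpu/vulnerabilities/`. The function names, the flag-to-file mapping and the sample status strings are assumptions constructed for illustration.

```python
"""Compare the 'bugs' line of /proc/cpuinfo with the kernel's per-issue status."""
import os
import tempfile

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Assumption: bug flags whose sysfs file name differs from the flag name.
FLAG_TO_FILE = {
    "cpu_meltdown": "meltdown",
    "swapgs": "spectre_v1",  # the swapgs mitigation is reported in the spectre_v1 entry
}


def parse_bug_flags(cpuinfo_text):
    """Return the flags listed on the first 'bugs' line, or [] if there is none."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "bugs":
            return value.split()
    return []


def classify(status):
    """Reduce one sysfs status string to a coarse verdict."""
    s = status.strip()
    # Some entries prefix the status with a subsystem name, e.g. "KVM: ".
    if s.startswith("KVM: "):
        s = s[len("KVM: "):]
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation"):
        # A mitigation can be active while sibling hyperthreads stay exposed.
        return "mitigated-smt-vulnerable" if "SMT vulnerable" in s else "mitigated"
    return "unclear"


def report(cpuinfo_text, vuln_dir=VULN_DIR):
    """Map every bug flag to (verdict, raw status) as stated by the kernel."""
    results = {}
    for flag in parse_bug_flags(cpuinfo_text):
        path = os.path.join(vuln_dir, FLAG_TO_FILE.get(flag, flag))
        try:
            with open(path) as fh:
                status = fh.read().strip()
        except OSError:
            # The flag is listed in cpuinfo but has no status file to consult.
            results[flag] = ("no-sysfs-entry", "")
            continue
        results[flag] = (classify(status), status)
    return results


# Constructed sample input: the flag list quoted in the question above, with
# made-up status strings in the format the kernel uses.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de\n"
    "bugs\t\t: null_seg cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass "
    "l1tf mds swapgs itlb_multihit srbds\n"
)
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "l1tf": "Mitigation: PTE Inversion",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
    "srbds": "Vulnerable: No microcode",
}


def demo():
    """Run the report against the constructed sample instead of the live system."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_STATUS.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text + "\n")
        return report(SAMPLE_CPUINFO, tmp)


if __name__ == "__main__":
    if os.path.isdir(VULN_DIR):
        with open("/proc/cpuinfo") as fh:
            results = report(fh.read())
    else:
        results = demo()
    for flag, (verdict, status) in results.items():
        print(f"{flag:20} {verdict:26} {status}")
```

The output is only the running kernel's own statement for the system it is executed on; as the reply notes, Qubes may apply additional mitigations that are not visible here.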



Re: [EXT] Re: [qubes-users] Qubes OS: .onion and links

2020-12-07 Thread Andrew David Wong

On 12/7/20 3:58 PM, Andrew David Wong wrote:

On 12/6/20 5:13 PM, unman wrote:

On Mon, Dec 07, 2020 at 02:07:03AM +0100, Ulrich Windl wrote:

On 12/1/20 7:35 PM, 'disrupt_the_flow' via qubes-users wrote:

On November 30, 2020 8:15:14 PM UTC, Ulrich Windl
 wrote:

 Hi!

 I noticed when I click the link "upgrading Fedora TemplateVMs" found on
 the onion version of the page (using the tor browser of whonix), you are
 directed to a non-onion page
 (https://www.qubes-os.org/doc/template/fedora/upgrade/), and you'll have
 to switch to onion again.

 In contrast when I click news items on
 http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/
 I remain on onion sites.

 Regards,
 Ulrich


Hello Ulrich. What page exactly? I can't find such a page on the QubesOS
website.


http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/2020/06/30/fedora-32-templates-available/ 





Yes, the links on that page are hard coded to the clearnet site rather
than local links.
That's a mistake - but it is not peculiar to this page. A quick check
suggests that (almost?) all the news pages contain such links.
Thanks for pointing this out.



Ah, that's because people asked a long time ago for the News post plain 
text content to be copied into the body of messages to the mailing lists 
(not just a hyperlink to the website). At the time, it seemed easier 
just to include full URLs in the original Markdown source so that the 
plain text could more easily be copy/pasted into messages to the mailing 
lists, since the difference between absolute and relative links on the 
was transparent to users after Jekyll rendering. Of course, we did not 
foresee that something else would come to rely on the links to be 
relative rather than absolute. Now that this is the case, we can simply 
use relative links everywhere (including in these News posts) and write 
out the complete URLs when preparing the plain text content for the 
mailing lists.




I'm also converting existing links from absolute to relative and 
updating the doc guidelines on this point:


https://github.com/QubesOS/qubes-posts/pull/73
https://github.com/QubesOS/qubes-doc/pull/1100

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [EXT] Re: [qubes-users] Qubes OS: .onion and links

2020-12-07 Thread Andrew David Wong

On 12/6/20 5:13 PM, unman wrote:

On Mon, Dec 07, 2020 at 02:07:03AM +0100, Ulrich Windl wrote:

On 12/1/20 7:35 PM, 'disrupt_the_flow' via qubes-users wrote:

On November 30, 2020 8:15:14 PM UTC, Ulrich Windl
 wrote:

 Hi!

 I noticed when I click the link "upgrading Fedora TemplateVMs" found on
 the onion version of the page (using the tor browser of whonix), you are
 directed to a non-onion page
 (https://www.qubes-os.org/doc/template/fedora/upgrade/), and you'll have
 to switch to onion again.

 In contrast when I click news items on
 http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/
 I remain on onion sites.

 Regards,
 Ulrich


Hello Ulrich. What page exactly? I can't find such a page on the QubesOS
website.


http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/2020/06/30/fedora-32-templates-available/



Yes, the links on that page are hard coded to the clearnet site rather
than local links.
That's a mistake - but it is not peculiar to this page. A quick check
suggests that (almost?) all the news pages contain such links.
Thanks for pointing this out.



Ah, that's because people asked a long time ago for the News post plain 
text content to be copied into the body of messages to the mailing lists 
(not just a hyperlink to the website). At the time, it seemed easier 
just to include full URLs in the original Markdown source so that the 
plain text could more easily be copy/pasted into messages to the mailing 
lists, since the difference between absolute and relative links on the 
was transparent to users after Jekyll rendering. Of course, we did not 
foresee that something else would come to rely on the links to be 
relative rather than absolute. Now that this is the case, we can simply 
use relative links everywhere (including in these News posts) and write 
out the complete URLs when preparing the plain text content for the 
mailing lists.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
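
The workflow described in the two replies above (relative links in the Markdown source, full URLs written out only for the mailing-list copy), as an added example that is not the project's own tooling. A relative link resolves against whichever origin served the page, so an onion visitor stays on the onion site. The function names and the sample Markdown are constructed for illustration, and only inline and reference-style links are handled.

```python
import re

SITE = "https://www.qubes-os.org"  # clearnet origin named in the thread
ONION = "http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion"

# A link target follows either "](" (inline link or image) or "[label]: " at
# the start of a line (reference-style definition).
_PREFIX = r"(\]\(|^[ ]{0,3}\[[^\]]+\]:[ \t]*)"
# The lookahead stops look-alike hosts such as www.qubes-os.org.example.net
# from being treated as the site itself.
_ABSOLUTE = re.compile(_PREFIX + re.escape(SITE) + r"(?=[/)\s]|$)(/[^)\s]*)?", re.M)
# "/(?!/)" skips protocol-relative targets such as //cdn.example/a.
_RELATIVE = re.compile(_PREFIX + r"(/(?!/)[^)\s]*)", re.M)


def find_hard_coded(markdown):
    """Return (line_number, target) for every link still pointing at SITE."""
    hits = []
    for number, line in enumerate(markdown.splitlines(), 1):
        for match in _ABSOLUTE.finditer(line):
            hits.append((number, SITE + (match.group(2) or "")))
    return hits


def to_relative(markdown):
    """Rewrite links hard-coded to SITE as site-relative paths.

    Returns (new_text, number_of_links_rewritten).
    """
    return _ABSOLUTE.subn(lambda m: m.group(1) + (m.group(2) or "/"), markdown)


def to_absolute(markdown, origin=SITE):
    """Write out complete URLs, e.g. for the plain-text mailing-list copy."""
    return _RELATIVE.sub(lambda m: m.group(1) + origin + m.group(2), markdown)


# Constructed sample in the style of a News post source file.
SAMPLE = (
    "See [upgrading Fedora TemplateVMs]"
    "(https://www.qubes-os.org/doc/template/fedora/upgrade/).\n"
    "[![chart](/attachment/wiki/posts/survey_chart_1.png)]"
    "(/attachment/wiki/posts/survey_chart_1.png)\n"
    "Look-alike host: [x](https://www.qubes-os.org.example.net/doc/)\n"
    "\n"
    "[testing]: https://www.qubes-os.org/doc/testing/\n"
)

if __name__ == "__main__":
    for number, target in find_hard_coded(SAMPLE):
        print(f"line {number}: hard-coded link {target}")
    relative, count = to_relative(SAMPLE)
    print(f"rewrote {count} links")
    print(to_absolute(relative))
```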



Re: [qubes-users] Qubes updater icon never gets cleared

2020-12-05 Thread Andrew David Wong

On 12/5/20 1:36 AM, Viktor Ransmayr wrote:

Hello Qubes community,

I noticed since yesterday, that the icon, which indicates that updates are
available, never gets cleared on my system, although I obviously try to
launch the updater in a timely fashion - and - the operation succeeds ...

Here's the log from the latest attempt:

###

Updating fedora-32

fedora-32:
   --
 ID: dnf list updates --refresh >/dev/null
   Function: cmd.run
 Result: True
Comment: Command "dnf list updates --refresh >/dev/null" run
Started: 09:00:59.753451
   Duration: 8745.114 ms
Changes:
 --
 pid:
 1077
 retcode:
 0
 stderr:
 stdout:
   --
 ID: update
   Function: pkg.uptodate
 Result: True
Comment: Upgrade ran successfully
Started: 09:01:10.612928
   Duration: 24382.315 ms
Changes:
   --
 ID: notify-updates
   Function: cmd.run
   Name: /usr/lib/qubes/upgrades-status-notify
 Result: True
Comment: Command "/usr/lib/qubes/upgrades-status-notify" run
Started: 09:01:34.995429
   Duration: 3878.256 ms
Changes:
 --
 pid:
 1148
 retcode:
 0
 stderr:
 stdout:
   
   Summary for fedora-32

   
   Succeeded: 3 (changed=2)
   Failed:0
   
   Total states run: 3
   Total run time:  37.006 s

###

Does anyone have an explanation - or - a suggestion what else to try? - TIA!

Viktor



This is probably:

https://github.com/QubesOS/qubes-issues/issues/6234

In which case, it's a known bug, and the fix is in current-testing.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] "Qubes Survey: The Results" by Marta Marczykowska-Górecka

2020-12-01 Thread Andrew David Wong

Dear Qubes Community,

Marta Marczykowska-Górecka has just published an article covering the 
results of our recent survey:


https://www.qubes-os.org/news/2020/11/26/qubes-survey-results/

For your convenience, the original plain text Markdown source of the 
article is reproduced below. However, since this article includes many 
images, we recommend the web version for most readers.


---

"Qubes Survey: The Results"
by Marta Marczykowska-Górecka


Hello, lovely Qubes Community!

A couple of weeks ago, we asked you to participate in a survey; to our 
delight and surprise, over 2100 of you decided to help us and filled it 
out!
We are grateful for our wonderful community and wanted to share some 
interesting findings from the survey with you.
A small statistical note: a survey such as this, on a non-random and 
very much self-selected sample, is not necessarily completely 
representative of the whole community.
It's quite possible that the people whom we did not reach and the people 
who decided not to participate in the survey differ in statistical ways 
from those we did survey, so please understand all of the "community 
members say X" statements below as having a little asterisk with "as far 
as we know based on this survey".


Some introductory stats: 54% percent of our respondents have Qubes 
installed, and 22% are planning to.


[![Qubes users 
chart](/attachment/wiki/posts/survey_chart_1.png)](/attachment/wiki/posts/survey_chart_1.png)


Most of them are expert computer users to varying degrees, but 1% said 
that they prefer not to use computers when they don't have to.
Seeing the state of security in the wide computer world, sometimes we're 
tempted to agree.


It also turned out that our community has a fairly unsurprising age 
spread, with almost half (43%) of the respondents between 18 and 34 and 
a third (31%) between 35 and 49.

There are people over 70 and under 18 among us, too.

[![Responder 
age](/attachment/wiki/posts/survey_chart_2.png)](/attachment/wiki/posts/survey_chart_2.png)


About one-third of the respondents are developers (which is in line with 
what we anticipated --- after all, Qubes is a pretty technical piece of 
software), and IT professionals of all sorts are about sixty percent of 
the respondents.

We also have a strong contingent of academics (19%) and activists (16%).

[![How many responders say they 
are...](/attachment/wiki/posts/survey_chart_3.png)](/attachment/wiki/posts/survey_chart_3.png)


For privacy reasons, we won't be sharing a detailed breakdown of where 
our users are located, but we made a map with countries colored based on 
how many Qubes users are there, for your and our enjoyment.
Note: the map is based on Wikipedia's map of the world. Please forgive 
any inaccuracies in it.


[![Qubes User 
Map](/attachment/wiki/posts/survey-map.png)](/attachment/wiki/posts/survey-map.png)


While doing the data crunching, I was a bit fascinated by three large 
groups of people: those from capital cities just putting down the name 
of the capital (omitting the country name), people in the US replying 
with just the name of their town (I've learned a lot about small 
American towns!) and people in the UK clarifying they are not English, 
thank you very much.
I had to smile at "United Kingdom of England and Some Actually Good 
Countries".


We're very interested in the hardware people are using and want to use 
with Qubes. Hardware is always a difficult subject for us, as there's a 
lot of possible combinations and not nearly enough manpower to test and 
fix bugs for all of them, and we want to know where to focus our resources.
This intuition was well confirmed by the survey: hardware compatibility 
was something a lot of people mentioned in the "reasons for not using 
Qubes/reasons for stopping using Qubes" questions.


Following the common trend in modern hardware, most people use laptops 
or laptops and desktops equally (only 22% of our respondents use mostly 
a desktop computer), and most Qubes users tend to use it on a laptop 
(63% of them in the survey).
A lot of people use external monitors with their laptops (over 55% of 
laptop users), and we know an external monitor can be tricky to use with 
Qubes, leading to all sorts of annoying problems with layout or input 
detection. (If you haven't yet tried it, take a look here: [Qubes GUI 
Troubleshooting](https://www.qubes-os.org/doc/gui-troubleshooting/)).
A significant number of respondents also say they use cameras (36%) and 
microphones (60%). It makes me wonder what the responses to this 
question would be a year ago, before so many of us started working 
remotely.


As far as desired Qubes localization goes, there were few surprises, 
with the overwhelming majority preferring English (for a survey in 
English, it's hard to be shocked by this result), and the next places 
being taken by German (over 200 votes), French (over 120 votes), Spanish 

Re: [qubes-users] HCL - Dell Precision M6800 Workstation

2020-11-28 Thread Andrew David Wong

On 11/28/20 12:41 PM, Jason ZenRiot wrote:

I'm a bit of a Qubes novice, this is my first setup and I've been up and
running for about 4 months now, so I've poked into most of the corners, tho
not too deep.
Easy install, stable AF and pretty fast. I'm not terribly impressed with
playback performance with multiple video streams. But I'm running three 27"
displays off a laptop so I have no business complaining about the refresh
rate. Near as I can tell ALL of the hardware is supported from first boot.
Audio, video, USB, all elements fully functional, I'm pretty sure the TPM
is not being utilized, but that's probably due to me not knowing a lot
still. I am struggling to get my solokey setup, but that's def an id10T
issue...

I highly recommend this platform, it's a little heavy for a laptop, but it's
got a BIG sexy screen, 3 yes three drive bays (1 msata, two 2.5 SATA3)
DVDBurner, modular video card upgrades available NVidia K4000 or ATI
Firebolt and VGA, HDMI, and DisplayPort supporting 2 external displays
without the docking station which provides support for a fourth ($15 on
ebay)  5 USB3 ports, and it all f'in works with Qubes...

I see refurbs on sale now in the $500-$800 area... Festivus is upon us...
shouldn't SOMETHING be easy in 2020? :-D
Hello, I am JayDogg, and with this submission, I am joining the
community... It's really good to be here... because apparently there's no
time to lose.


Welcome to the community, and thanks for your report! Glad to hear it's 
working well.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Is there a discord, IRC, or jabber channel where I can find someone experienced in Qubes to mentor me? I'm dying right now guys

2020-11-28 Thread Andrew David Wong

On 11/28/20 12:39 PM, setemera...@posteo.net wrote:
If you chart my posts in the usergroup, it pretty much follows the 
pattern of "ask for help", go dark for a while, "ask for help again." go 
dark again.


The part in between that goes unseen is the part where I'm intimidated 
by my OS and have to ask someone more knowledgeable about every little 
thing that comes up just so I can do basic things.


Many questions can be answered by reading the documentation, especially 
basic ones. I strongly recommend starting there if you're finding it 
difficult to do even basic things.


https://www.qubes-os.org/doc/

Whether it is the 
kaliVM setup (still haven't done that), VPN setup,


These are not really basic and not required to get the major benefits of 
using Qubes. I'd caution you against trying to sprint before learning to 
walk, as it were.


or even just getting 
my terminals to actually reach github,


This sounds like a non-Qubes-specific Linux thing, so it's also worth 
noting that many questions about Qubes are actually questions about Linux.


I feel quite powerless and stupid 
every time I try to do something on this laptop. So I put things off. I 
put things off I need to learn to secure my own system or to do the 
things I want to do with it. As a novice CS student, starting with Qubes 
was probably a mistake but I believe now, as then, that learning this OS 
would give me an edge when I get to my career field. That said it's rough 
at times, and it's been a lonely experience thus far.




Sorry to hear that. :(

Here's my ask: I would really appreciate one person, any person really, 
who I can at least talk to about Qubes in general. I don't expect you to 
hold my hand or to be my one stop shop for tech-support or something. 
It's just tiresome being the only one I know who runs this OS and there 
is no sense of community for me when my only interaction is asking for 
help on a random google group.

If it helps, we also have a forum:

https://www.qubes-os.org/support/#forum

Unofficial chat channels:

https://www.qubes-os.org/support/#unofficial-chat-channels

And a subreddit:

https://www.reddit.com/r/Qubes/

If you are up for guiding a noob through 
this hard ass learning curve or at least being someone I can chat up, 
email me at setemera...@posteo.net.




I hope you find the person you're looking for, but it's also worth 
pointing out that there are many other new users here like yourself, and 
everyone benefits when questions are asked in the open so that others 
can participate, provide answers and experience, and learn from the 
results. Don't be afraid to ask questions.


Our discussion list guidelines have some advice about how to do that in 
a productive way:


https://www.qubes-os.org/support/#discussion-guidelines

All I can offer to the community in exchange is my help rewriting 
documentation based on my experiences. Since I'm having such a hard 
beginning as a novice user, I'll definitely remember what tripped me up 
getting started and can share that with the community.


As far as taking action to handle the hard things first, expect to see 
me posting on here a lot more. No sense in being intimidated by a piece 
of tech I can learn if I stay on it. Thank you and be well.




Good, and welcome to the community. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Are "smart" monitors/TVs a security issue?

2020-11-28 Thread Andrew David Wong

On 11/27/20 7:08 PM, Steve Coleman wrote:

[...]
1. TVs are often encoded to deliberately export use intelligence data to
be utilized by the advertisers and ratings organizations. The camera and
microphone, if installed, are actually designed and used to watch and
listen to the family watching the programs. Zero privacy, and you may even
have no way to disconnect it, so denying it any network access is your only
hope to stop exfiltration.


Physically disabling the camera and microphone may be an option in some 
cases. Cameras can be covered, but covering a microphone doesn't do 
much. I recently got a new smart TV that has a microphone in the remote. 
Since I never planned to use the voice features, I simply found a sewing 
needle, inserted it into the mic hole, and used a flat piece of hard 
plastic on the other end to apply moderate force. There was a single 
"click" sound. After that, voice commands were no longer recognized by 
the TV, but the remote and everything else still worked perfectly. 
Hopefully that's good enough.


By the way, this reminds me of when Joanna removed all the microphones 
and front camera from her iPhone:


https://twitter.com/rootkovska/status/547496843291410432

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2

2020-11-27 Thread Andrew David Wong

Hi all,

Based on the feedback we've received for Qubes 4.0.4-rc1, we've decided 
to make one additional change for 4.0.4, namely updating the kernel to 
at least 5.4. This means that we'll need a second release candidate 
before the stable release of 4.0.4. [1]


The official announcement for 4.0.4-rc2 will come soon. This is just an 
informal request for anyone willing to help test kernel 5.4 on Qubes 4.0 
to do so and report any problems. [2] The package is already available 
in current-testing. [3] Thank you!


[1] https://github.com/QubesOS/qubes-issues/issues/6170
[2] https://www.qubes-os.org/doc/reporting-bugs/
[3] https://www.qubes-os.org/doc/testing/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Are "smart" monitors/TVs a security issue?

2020-11-26 Thread Andrew David Wong

On 11/25/20 6:31 AM, River~~ wrote:

Hi all

In the days of CRT monitors one way the security of a computer system
could be compromised non-intrusively (ie without amending the
installed code) was by picking up the radio-frequency leakage from the
tube in the monitor. This could only be done from near by, but where
possible it enabled the spy to see what was on the screen -- almost
everything that you typed (apart from passwords that were blanked or
starred out). This was a remote form of shoulder surfing, where
someone looks over your shoulder in an environment like an internet
cafe.

Nowadays we do not have to worry about CRT monitors.


This is known as a TEMPEST attack:

https://en.wikipedia.org/wiki/Tempest_(codename)

Although we may not use CRT monitors any more, there are still many 
other forms of this attack, many of which are still relevant today. It's 
still important to be mindful of any kind of leaking emanation.



But TVs are
increasingly delivered with their own internet connection, making it
easy to watch You-Tube (etc) without needing a separate computer or
phone. Clearly there is a computer inside which can be hacked, and if
so a remote shoulder surfing attack would be very possible.



Yes, definitely. Smart TV spying is already a widely-reported phenomenon:

https://duckduckgo.com/?q=smart+tv+spying


Is the same true of monitors and of TVs that do not have an apparent
internet link? The digital tech to draw a picture from the input is
unlikely to be done by traditional electronics, but being all digital
is likely done by a miniprocessor of some kind in all digital
displays.



It's impossible to say without knowing exactly what kind of hardware is 
inside.



To put my question in the most provocative way on this forum: is there
much point securing the OS when the monitor might be an easier target
for those out to (umm) monitor our reading and our keystrokes?

This thought has only just come to me, and I wonder if there is already
some available mitigation? Any ideas?

Or am I being overly cautious?

R~~

Any ideas?



Well, there's no such thing as perfect security, but you can decrease 
your risk here in multiple ways, such as selecting a monitor with as few 
"smart" features as possible or, if you use a laptop, sticking with the 
built-in monitor. There might also be some advantage to preferring 
"dumb" ports on your monitor. For example, DisplayPort and Thunderbolt 
are probably bigger risks than VGA and DVI, since DisplayPort can 
transmit USB and other data, and Thunderbolt combines PCIe and DisplayPort.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] HCA reports - some advice please

2020-11-25 Thread Andrew David Wong

On 11/23/20 1:42 PM, Steve Coleman wrote:

On Mon, Nov 23, 2020 at 2:31 PM Andrew David Wong  wrote:


On 11/23/20 10:06 AM, Steve Coleman wrote:

On Mon, Nov 23, 2020 at 9:33 AM Andrew David Wong wrote:


I have a question about the HCL process and page display that I have been
wondering about.

I was for the longest time copying and pasting the HCL web page into a
spreadsheet just so I could sort and delete out all the old information, as
I was looking to replace my desktop system with something more up to date.
I can't tell you how many times in the last three years I copied the HCL to
this spreadsheet, and when my old desktop finally died I had to give up
hope and just bought a new system sight unseen that was not on the list and
I just hoped for the best. Fortunately, it worked out Ok.

As it is right now it is difficult and getting increasingly harder to find
just the latest hardware on the list as it seems that by the time something
appears on the list it is no longer even available for purchase.


Remember that these are almost all reports voluntarily submitted by
users. If it's mostly old hardware, that's because few people with new
hardware are submitting reports for that hardware.


Agreed. But it is certainly possible to make this more of a discussion on
how to give back to the community. The Qubes patriotic thing to do is to
submit your successes so others can follow without so much fear and
hesitation.

We can't force anyone to submit reports, and we usually can't get new
hardware to generate reports on ourselves.


No, but a well-placed note/request at the end of the Qubes install process
could go a long way to actually encourage them to submit the report to help
others. The "how you can help" could also suggest this as a way to give
back which is easy even for novices who were just introduced to Qubes. Make
it a badge of honor. In fact, one could encourage people with questions to
include a report link/ID where the fundamentals of their basic machine
configuration would be available online for the experts to better
understand the problem. Not everyone would necessarily want to give their
anonymity away, but for some questions, this link could provide some
valuable information about the hardware that would be easy to share.



Good ideas!

I've opened an issue for this:

https://github.com/QubesOS/qubes-issues/issues/6231

I've already implemented the documentation suggestions (as well as some 
similar ones inspired by your suggestions). For details, see the issue.



Though, to be fair, the reports from the mailing
list haven't been added in a while, so that might also be part of it.



Very true, unfortunately. I submitted my "Dell XPS 8930" but it has not
shown up yet. With 8 cores and 64GB of memory, it is already out of
production but it is still available through other retailers. Somebody who
is looking for a new beefy desktop may not see this on the HCL until it is
no longer available anywhere. That is the same boat I was in when my
desktop up and died and I had no choice but to draw straws and pick one
almost at random. Yes, there were other *very old* XPS's on the HCL and
some did *not* work properly, but based on the hardware in this one I
figured it might just work. Unfortunately, this only has a "firmware TPM"
that is disabled in BIOS when using the legacy boot settings and there is
no header on the motherboard to even add a physical TPM. I may just dabble
with the idea of a qubes auditable software-based vTPM (qTPM) and see if I
can find a way to make something work for the contributor's packages. Not
sure about that yet, but it's an idea that might even allow for locking
down the boot partition by making it read-only until after a successful
boot/login. Evil maids can't change what they can't edit.



We've decided to recruit an additional HCL maintainer to get reports 
from the mailing list onto the website more quickly. I've sent a message 
to these lists about it.



However, there are LOTS of machines that you could only find on eBay and
many/most lack sufficient memory, BIOS, or current chipset support for the
current Qubes R4.x system being developed. Old systems on the HCL are
seemingly never updated, so you can't tell which ones are still working and
which ones have retired years ago. There are many items on that list even in
the wrong categories (e.g. DIY System boards in the Desktop section when
there is a separate section just for those) and I see no defined process by
which to help change that.

My question is this: What would it take to get a set of simple filter
options on that HCL webpage?


This open issue is very similar to what you're asking:

https://github.com/QubesOS/qubes-issues/issues/3795

I've just opened two PRs (linked to this issue) that make the HCL tables
sortable. However, some rows break on sorting. Please see the issue
comments for more details and an image showing exactly how it breaks. If

[qubes-users] Seeking an additional HCL maintainer

2020-11-25 Thread Andrew David Wong

Dear Qubes Community,

As many of you know, the Hardware Compatibility List (HCL) [1] is an 
important resource for users when deciding on which hardware to get for 
Qubes. Currently, our system for adding new entries to this list is 
basically as follows: Users voluntarily generate HCL reports [2], then 
send them to the qubes-users mailing list. Our HCL maintainer then 
periodically collects these reports from qubes-users, performs any 
necessary cleanup and processing, then submits them in a PR to the HCL 
repo [3].


Users are also free to submit their reports in PRs directly to the HCL 
repo, and we're always looking for ways to improve this system and all 
aspects of the HCL.


Our current HCL maintainer is Chris (tasket), but the project could 
benefit from an additional HCL maintainer to help out and share the 
load. This would allow us to get reports from the mailing list onto the 
website more quickly and perhaps help make other improvements to the 
HCL. Chris can provide further details about what's involved in this 
role. If you'd like to volunteer for this role, please let us know by 
replying to this thread or directly to me. Thank you!



[1] https://www.qubes-os.org/hcl/
[2] https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
[3] https://github.com/QubesOS/qubes-hcl

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Fedora 31 has reached EOL

2020-11-24 Thread Andrew David Wong

Dear Qubes Community,

Fedora 31 has reached EOL (end-of-life [1]). If you have not already 
done so, we strongly recommend upgrading your Fedora 31 TemplateVMs and 
StandaloneVMs to Fedora 32 immediately. We provide step-by-step upgrade 
instructions for upgrading Fedora TemplateVMs [2]. For a complete list 
of TemplateVM versions supported for your specific version of Qubes, see 
the list of supported TemplateVM versions [3].


We also provide a fresh Fedora 32 TemplateVM package through the 
official Qubes repositories, which you can install in dom0 by following 
the standard installation instructions [4].


After upgrading your TemplateVMs, please remember to switch all qubes 
that were using the old template to use the new one [5].


Please note that no user action is required regarding the OS version in 
dom0. For details, please see our note on dom0 and EOL [6].



[1] https://fedoraproject.org/wiki/End_of_life
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/supported-versions/#templatevms
[4] https://www.qubes-os.org/doc/templates/fedora/#installing
[5] https://www.qubes-os.org/doc/templates/#switching
[6] https://www.qubes-os.org/doc/supported-versions/#note-on-dom0-and-eol

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/11/24/fedora-31-eol/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB #062: Stack corruption from XSA-346 change (XSA-355)

2020-11-24 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #062: Stack 
corruption from XSA-346 change (XSA-355). The text of this QSB is 
reproduced below. This QSB and its accompanying signatures will always 
be available in the Qubes Security Pack (qubes-secpack).


View QSB #062 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-062-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-355 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#355

```


 ---===[ Qubes Security Bulletin #62 ]===---

 2020-11-24


   Stack corruption from XSA-346 change (XSA-355)


Summary


On 2020-11-24, the Xen Security Team published Xen Security Advisory
355 (XSA-355) [1] with the following description:

| One of the two changes for XSA-346 introduced an on-stack array.  The
| check for guarding against overrunning this array was off by one,
| allowing for corruption of the first stack slot immediately following
| this array.
|
| A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting
| in a Denial of Service (DoS) to the entire host.  Privilege escalation
| as well as information leaks cannot be excluded.


Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-27
  For Qubes 4.1:
  - Xen packages, version 4.14.0-8

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Credits


See the original Xen Security Advisory.


References
===========

[1] https://xenbits.xen.org/xsa/advisory-355.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/11/24/qsb-062/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
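
A check for the patching step in QSB #062 above, added here as an example (it is not part of the bulletin or of Qubes tooling): it compares an installed Xen package version against the fixed versions the bulletin lists for Qubes 4.0 and 4.1. The function names, the `xen-hypervisor` package name, the `/etc/qubes-release` format and the `--dom0` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the bulletin): decide whether an installed Xen
# package is at or above the fixed version QSB #062 lists for a Qubes release.

# Fixed versions exactly as stated in the bulletin.
fixed_version_for() {
    case $1 in
        4.0|4.0.*) echo "4.8.5-27" ;;
        4.1|4.1.*) echo "4.14.0-8" ;;
        *) return 1 ;;
    esac
}

# "4.8.5-27.fc25" -> "4 8 5 27": split the version on dots and keep only the
# leading numeric part of the release (a dist tag such as ".fc25" is dropped).
normalize() {
    case $1 in
        *-*) nv=${1%%-*}; nr=${1#*-} ;;
        *)   nv=$1; nr=0 ;;
    esac
    nr=${nr%%[!0-9]*}
    printf '%s %s\n' "$(printf '%s' "$nv" | tr '.' ' ')" "${nr:-0}"
}

# ver_ge A B: succeed when A >= B, comparing field by field as numbers
# (so release 10 sorts after release 8, unlike a plain string comparison).
ver_ge() {
    awk -v a="$(normalize "$1")" -v b="$(normalize "$2")" 'BEGIN {
        n = split(a, x, " "); m = split(b, y, " ")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# qsb062_status QUBES_RELEASE INSTALLED_XEN_VERSION
# Prints patched / needs-update / unknown-release and returns 0 / 1 / 2.
qsb062_status() {
    fixed=$(fixed_version_for "$1") || { echo "unknown-release"; return 2; }
    if ver_ge "$2" "$fixed"; then
        echo "patched"
    else
        echo "needs-update"
        return 1
    fi
}

# Live check, only when called with --dom0 (hypothetical switch).
# Assumptions: the hypervisor package is named xen-hypervisor and
# /etc/qubes-release reads like "Qubes release 4.0 (R4.0)".
# "patched" describes the installed package only; the bulletin states that a
# system restart is required before the new Xen binaries are in use.
if [ "${1:-}" = "--dom0" ]; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen-hypervisor | head -n 1)
    release=$(sed -n 's/.*release \([0-9.]*\).*/\1/p' /etc/qubes-release)
    qsb062_status "$release" "$installed"
fi
```
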



Re: [qubes-users] HCA reports - some advice please

2020-11-23 Thread Andrew David Wong

On 11/23/20 10:06 AM, Steve Coleman wrote:

On Mon, Nov 23, 2020 at 9:33 AM Andrew David Wong  wrote:



If you can fix them first, that would be a great help! I think it would
make things easier for our HCL maintainer. :)

Usually, it's just the model number for that product, e.g., "FX-8320" is
short for "AMD FX(tm)-8320 Eight-Core Processor". Take a look at the
existing entries for examples:

https://github.com/QubesOS/qubes-hcl/tree/master


I am thinking of including the cpio files, but do not want to share a
serial number that they contain. Would those files be useful to others
if I edited them so that the serial number reads "Redacted"?



Sure, feel free to redact whatever you like. :)

If you prefer, you can send the cpio files directly to Marek
PGP-encrypted (instead of to the mailing list). See here for more info:

https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports



I have a question about the HCL process and page display that I have been
wondering about.

I was for the longest time copying and pasting the HCL web page into a
spreadsheet just so I could sort and delete out all the old information, as
I was looking to replace my desktop system with something more up to date.
I can't tell you how many times in the last three years I copied the HCL to
this spreadsheet, and when my old desktop finally died I had to give up
hope and just bought a new system sight unseen that was not on the list and
I just hoped for the best. Fortunately, it worked out Ok.

As it is right now it is difficult and getting increasingly harder to find
just the latest hardware on the list as it seems that by the time something
appears on the list it is no longer even available for purchase.


Remember that these are almost all reports voluntarily submitted by 
users. If it's mostly old hardware, that's because few people with new 
hardware are submitting reports for that hardware. We can't force anyone 
to submit reports, and we usually can't get new hardware to generate 
reports on ourselves. Though, to be fair, the reports from the mailing 
list haven't been added in a while, so that might also be part of it.



However,
there are LOTS of machines that you could only find on eBay and many/most
lack sufficient memory, BIOS, or current chipset support for the current
Qubes R4.x system being developed. Old systems on the HCL are seemingly
never updated, so you can't tell which ones are still working and which
ones have retired years ago. There are many items on that list even in the
wrong categories (e.g. DIY System boards in the Desktop section when there
is a separate section just for those) and I see no defined process by which
to help change that.

My question is this: What would it take to get a set of simple filter
options on that HCL webpage?


This open issue is very similar to what you're asking:

https://github.com/QubesOS/qubes-issues/issues/3795

I've just opened two PRs (linked to this issue) that make the HCL tables 
sortable. However, some rows break on sorting. Please see the issue 
comments for more details and an image showing exactly how it breaks. If 
you can help with this, please let me know on that issue.



Or, is there a way for someone to help clean
up and better organize this list?



There are two main ways you can help:

1. Help un-break the aforementioned sorting, or provide a better way to 
sort or filter the tables.


2. Submit a PR that modifies or removes old or bad HCL entries:

   https://github.com/QubesOS/qubes-hcl/tree/master


Going forward it is not all that helpful to see what was historically
running, years ago, if they are no longer adequate for the current Qubes
R4.x baseline. My inclination is this list's primary function should be to
support those who are looking for some adequate hardware that could run the
current baseline, and failing that test, it should be filtered out by
default. Or maybe just filter by date added/updated?



I can understand the motivation behind removing old entries for EOL 
Qubes releases. If those entries are truly of no use to anyone, then 
there is not much reason to keep them around. But perhaps there's some 
value in keeping the old entries that we're overlooking. I'm curious 
whether Chris and Marek have any opinions on this.


Another idea is to have separate HCL tables for each Qubes release, or 
even entirely separate HCL *pages* for each Qubes release. This might 
make sense as part of our plan for release-specific documentation:


https://github.com/QubesOS/qubes-issues/issues/5308


Another thought is we should actively request those who successfully
upgrade their systems to the latest baseline to resubmit their HCL thus
showing that the same system is still capable of running the latest
baseline number. I know matching old and new HCL reports would require some
work, but I think if you want Qubes to be more popular this is a must.



We can request it, but I'm not sure how much 

Re: [qubes-users] Re: HCL - Hewlett Packard HP Pavillion Notebook

2020-11-23 Thread Andrew David Wong

On 11/23/20 2:55 AM, Raja Saham wrote:

May I know the procedure to add this report into hardware compatibility
list ?


Thank you for your report!

Our HCL maintainer periodically collects all reports sent to this 
mailing list and submits them in a pull request to:


https://github.com/QubesOS/qubes-hcl/tree/master

However, if you prefer, you can simply submit a PR there yourself.

> And whether it is qualified for the list ?

That'll be up to our HCL maintainer to determine, but usually reports 
are accepted without any problems.




On Monday, November 23, 2020 at 5:44:13 PM UTC+7 Raja Saham wrote:


Dear Qubes Users,

I have tried Qubes on my System.
Attached is the report for Hardware Compatibility List.

Regards,
Qubes Users





--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] HCA reports - some advice please

2020-11-23 Thread Andrew David Wong

On 11/22/20 10:50 AM, River~~ wrote:

hi I have got a new computer working, and it is a model new to Qubes
not just. (Guess who got it cheap on an early bird reduction on
kickstarter then :)

So, I am going to send in the HCA report.


Thank you!


I have produced the .yml
file. It contains some FIXME items. I am unclear: is it up to me to fix
them, or are they a note to whoever processes the report before
posting to the HCA page?



If you can fix them first, that would be a great help! I think it would 
make things easier for our HCL maintainer. :)



If I have to edit them, what do I use for the "short" items? Am I
reasonably free to abbreviate?



Usually, it's just the model number for that product, e.g., "FX-8320" is 
short for "AMD FX(tm)-8320 Eight-Core Processor". Take a look at the 
existing entries for examples:


https://github.com/QubesOS/qubes-hcl/tree/master


I am thinking of including the cpio files, but do not want to share a
serial number that they contain. Would those files be useful to others
if I edited them so that the serial number reads "Redacted"?



Sure, feel free to redact whatever you like. :)

If you prefer, you can send the cpio files directly to Marek 
PGP-encrypted (instead of to the mailing list). See here for more info:


https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports


Finally, the manufacturer's name shown in the .yml is different from
the name they used on kickstarter. Would it help, or would it cause
confusion, if I added at the end of their name "t/a MinisForum"?



It would be ok, but perhaps including this in the comment field instead 
would make it more likely that your manufacturer field matches any other 
reports submitted for products from the same manufacturer.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [EXT] Re: [qubes-users] browser plugin?

2020-11-22 Thread Andrew David Wong

On 11/21/20 4:00 PM, Ulrich Windl wrote:

On 11/13/20 4:42 AM, Sven Semmler wrote:

On 11/12/20 11:41 AM, Alex Smirnoff wrote:

Is there a browser plugin that adds "open URL in disposable VM"
function? like private tab on steroids :)


I think this is important when following an URL in Thunderbird from a 
non-disposable / not-anonymous VM. Copying the link and pasting it to 
another VM is not really very user-efficient.

Well I would not need a new VM for each link, but a _different_ VM...



You can already do this with built-in Qubes tools without any extra 
plug-ins or third-party programs:


https://www.qubes-os.org/doc/tips-and-tricks/#opening-links-in-your-preferred-appvm

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?

2020-11-20 Thread Andrew David Wong

On 11/19/20 4:50 AM, Matt McCutchen wrote:

On Wed, 2020-11-18 at 22:49 -0800, Andrew David Wong wrote:

On 11/18/20 5:54 AM, Matt McCutchen wrote:

I assumed the update process was the same for a TemplateVM or a
StandaloneVM (though I've never tried the latter),


It mostly is, but I personally find it easier to be able to update and
install packages in the TemplateVM separately from the TemplateBasedVM.


Why?


Just a lot of little things. For example, if I screw up the 
TemplateBasedVM, and I don't have any data in it, I can just destroy it 
and recreate it without having to reinstall any programs. Conversely, if 
I screw up the TemplateVM, I can keep the TemplateBasedVM and just 
recreate the TemplateVM.



One advantage I see to the StandaloneVM is that package changes
are immediately persistent and usable in combination with the private
volume.  When using a TemplateVM and TemplateBasedVM, I generally make
package changes first in the TemplateBasedVM for rapid iteration (where
they will be lost on shutdown) and later make them to the TemplateVM
once I am sure what changes I want.
  


I suppose I'm now at the point where I already know which packages I 
need, so that problem seldom arises for me now.



There's also the minor fact that I can update all of my templates with a
single qubesctl command, whereas StandaloneVMs would be left out.


That's strange.  If qubesctl has an option to target all TemplateVMs,
I'd think the case for an option to target all updatable VMs
(TemplateVMs and StandaloneVMs) would be equally strong.


Oh, and there's also a bit of a security benefit, which I forgot to
mention:

https://www.qubes-os.org/doc/templates/#note-on-treating-templatebasedvms-root-filesystem-non-persistence-as-a-security-feature


I'm of the firm opinion that auditing a home directory for user-level
rootkits is impractical, as suggested by that page.  IIRC, I came to
this conclusion long before I migrated to Qubes OS in 2014.


Yes, but even if you don't skip backing up templates, just being able to
include them in different backup sets and being able to back them up at
different frequencies is handy.


Another interesting point.  Currently, I just back up all my VMs
weekly.  If I were to try to improve that, rather than set different
frequencies for different VMs, I'd be more likely to try to find a
solution to back up each VM incrementally so I can afford to back up
all of them more frequently.  In the past, I've seen some discussions
of how to do this without significantly increasing the attack surface,
but I don't have the links on hand.



There's an open issue for this:

https://github.com/QubesOS/qubes-issues/issues/858


Though I suppose the more general
observation underlying my original proposal was that if the process to
generate the system volume from that of the main TemplateVM is
automated and reasonably fast, then there's the option to run it on
every boot of the TemplateBasedVM rather than persisting a separate
system volume at all.



I can't speak to that. My experience has led me to keep things simple
and in line with intended functionality, since I've found that erecting
elaborate custom processes that aren't necessarily supported by the
underlying system results in too high of a maintenance burden for me in
the future.


I personally am not worried about this.  While I was waiting for
https://github.com/QubesOS/qubes-gui-agent-linux/pull/107 to be merged,
rather than build a custom RPM and install it in my template, I elected
to set up a script that ran on every boot of the TemplateBasedVM in
which I wanted the functionality and overwrote module-vchan-sink.so
with my custom-built one.  Maybe modifying the template would have been
better, but modifying the TemplateBasedVM on every boot did work.
Installing RPMs on boot differs only in degree.

Matt



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?

2020-11-18 Thread Andrew David Wong

On 11/18/20 5:54 AM, Matt McCutchen wrote:

I have the honor of a response from Andrew! :)



:D


On Tue, 2020-11-17 at 20:57 -0800, Andrew David Wong wrote:

For me, the advantage of TemplateVMs over StandaloneVMs (even if there's
only one TemplateBasedVM based on the TemplateVM) is that it's easier to
update the TemplateVM and back up the TemplateBasedVM.


I assumed the update process was the same for a TemplateVM or a
StandaloneVM (though I've never tried the latter),


It mostly is, but I personally find it easier to be able to update and 
install packages in the TemplateVM separately from the TemplateBasedVM. 
There's also the minor fact that I can update all of my templates with a 
single qubesctl command, whereas StandaloneVMs would be left out.


Oh, and there's also a bit of a security benefit, which I forgot to mention:

https://www.qubes-os.org/doc/templates/#note-on-treating-templatebasedvms-root-filesystem-non-persistence-as-a-security-feature


and for backups, I
can select any set of VMs in the Qube Manager.  Perhaps you're pointing
out that if the system volume of the desired AppVM is easy enough to
recreate that it's not worth backing up, then using a TemplateVM +
TemplateBasedVM rather than a StandaloneVM makes it possible to skip
the backup?  Interesting point.


Yes, but even if you don't skip backing up templates, just being able to 
include them in different backup sets and being able to back them up at 
different frequencies is handy. There was a forum discussion about this 
recently:


https://qubes-os.discourse.group/t/backups-with-a-single-archive-per-qube/1328/


Though I suppose the more general
observation underlying my original proposal was that if the process to
generate the system volume from that of the main TemplateVM is
automated and reasonably fast, then there's the option to run it on
every boot of the TemplateBasedVM rather than persisting a separate
system volume at all.



I can't speak to that. My experience has led me to keep things simple 
and in line with intended functionality, since I've found that erecting 
elaborate custom processes that aren't necessarily supported by the 
underlying system results in too high of a maintenance burden for me in 
the future.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?

2020-11-17 Thread Andrew David Wong

On 11/15/20 2:10 PM, Matt McCutchen wrote:

Hi Steve,

Thanks for your thoughtful response!

On Sun, 2020-11-15 at 16:31 -0500, Steve Coleman wrote:

My way of dealing with it is to just clone your pristine fedora-32
template and add the required packages to that template clone, then
create an AppVM that uses that template. This way you limit any
potential data loss or damage to just that one AppVM which you then
use whenever you need one of those proprietary apps.


Same here.


The question now
is what data would they share in that AppVM and is it reasonable for
them to share the same AppVM? If the answer is yes then there is no
problem. If no, then create another AppVM based on the same template
for the other app.


For proprietary apps packaged by their vendors, I don't trust the
package installation scripts any more than the apps themselves.  Thus,
if I wouldn't be willing to run two apps in the same VM, I wouldn't be
willing to install both apps in the same template either.  This being
so, the approach you suggest degenerates to the StandaloneVM approach I
mentioned.  (At the other extreme, if the apps were packaged by an
entity that I trust to ensure that no proprietary code runs without
user consent, then I could just install the packages in my main
template and the whole problem would go away.  Is there an intermediate
scenario in which having a second template shared by multiple AppVMs is
useful?)



For me, the advantage of TemplateVMs over StandaloneVMs (even if there's 
only one TemplateBasedVM based on the TemplateVM) is that it's easier to 
update the TemplateVM and back up the TemplateBasedVM.



The downside is you now have to update two templates instead of one,
but that of course can be automated.


While I could probably get used to kicking off the dnf upgrade in all
templates and letting it run unattended (it's often slow),


I just let it run overnight.


my bigger
concern is the custom tools and configuration changes in my main
template that aren't currently packaged for dnf.  I could probably
package them and/or do without some of them in some proprietary-app
VMs, but I think that would end up being a bigger hassle than
developing and using my proposed tool.


No need. Just make your changes in one template, then clone that 
template as needed. That way, you only have to make the changes once.



Also, I'm low on disk space and
making many templates would make it worse, though maybe it's time that
I just bought a bigger disk.



If you use minimal templates, even having a lot of them doesn't take up 
much space.



How many specialized AppVMs you create is then based on your own
risk/benefit analysis. I would think it's reasonable for instance to
have Zoom and Skype share the same memory space unless the topics
discussed in each app are highly confidential.


You're probably right that the additional risk of sharing a VM between
Zoom and Skype (for example) is small compared to the other unsolved
security problems I currently have.  However, inasmuch as I continue to
use the proprietary apps, I'd be more inclined to just develop the tool
to automate the use of separate VMs (anticipating that other people
might reuse it) than to address this question.


Matt



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Errors updating Fedora 30 template

2020-11-12 Thread Andrew David Wong

On 11/11/20 11:37 AM, Shawn Creighton wrote:

I figured out why sys-whonix wasn't working; because I never completed the
connection wizard that pops up at every boot. I usually don't use
whonix/tor to connect to the internet so I just never completed the
prompts.
I did however already update dom0 as I said using the sys-firewall
connection for the UpdateVM. Wondering if that is safe or if I should do a
fresh install and update it the proper way.


From a pure Qubes security perspective, it is normal and safe to update 
via sys-firewall (clearnet) rather than sys-whonix (Tor). Updating via 
Tor can provide some additional protection from targeted attacks, but it 
is not necessary (in the sense that the Qubes security model neither 
assumes nor requires the use of Tor).


However, *if* you need the privacy that Tor provides (e.g., because you 
live under a totalitarian regime that may wish to harm you if they find 
out that you're using Qubes or any of the software that comes included 
with Qubes), then it is not safe, since a clearnet connection provides 
practically no privacy compared to Tor.



Page loading seems to be a bit
slower now than before I updated dom0. Is that typical?



It depends on which updates you installed, but generally no.


On Tuesday, November 10, 2020 at 11:33:57 PM UTC-6 Shawn Creighton wrote:


No modifications, it gives me those errors even with a fresh install when
trying to use sys-whonix as the updatevm.
I changed the UpdateVM from sys-whonix to sys-firewall and was able to
update Dom0
Is that safe?


On Sunday, November 8, 2020 at 9:06:42 PM UTC-6 a...@qubes-os.org wrote:


On 11/8/20 12:29 AM, Shawn Creighton wrote:



On Sunday, November 8, 2020 at 2:31:25 AM UTC-5 a...@qubes-os.org wrote:



On 11/7/20 11:24 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote:



On 11/7/20 7:25 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:




I tried running 'dnf install qubes-template-fedora-32' as root and get:

Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
No package qubes-template-fedora-32 available
Error: unable to find a match
Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the
same output

`sudo qubes-dom0-update qubes-template-fedora-32` is the command you
want. The update script wraps all installs and updates in Dom0 on Qubes.




"Cannot retrieve repository metadata (repomd.xml) for repository: fedora.
Please verify its path and try again"



Make sure you're running this command in dom0, not in a TemplateVM.

https://www.qubes-os.org/doc/templates/fedora/#installing



The terminal I am running from the upper left corner menu says dom0
When I run the command it says: Using sys-whonix as UpdateVM to download
updates for Dom0; this may take some time
But then the cannot retrieve repository metadata (repomd.xml) for
repository: fedora. error



Based on your other posts in addition to this, it sounds like there may
be a problem with your internet connection, proxy settings, or UpdateVM.
Can you access the internet normally from, e.g., a web browser in an
AppVM?



Internet is working ok in all AppVm.
I tried updating a qube by clicking the UpdateVM blue arrow in Qubes
Manager and I get: Curl error (56): failure when receiving data from
peer[Received HTTP code 500 from proxy after Connect]
Someone said something about using a VPN to get around it but that's a
whole other issue to get that working
I also read a post about editing something so the repositories use a http
connection rather than https but haven't tried that



Definitely sounds like some kind of network-related issue (possibly
including firewall, updates proxy, etc.). Have you made any
modifications to your system that might affect these things? Did
anything else happen at the same time that it stopped working?



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Known bug: TemplateVM updates failing (fix in testing)

2020-11-09 Thread Andrew David Wong

Dear Qubes Community,

We are aware of a bug that prevents TemplateVMs from updating normally:

https://github.com/QubesOS/qubes-issues/issues/6188

When attempting to update a TemplateVM, this bug results in a traceback 
mentioning qubes-vm-connector, like this:


```
:
  --
  _error:
  Failed to return clean data
  retcode:
  1
  stderr:
  Traceback (most recent call last):
    File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 101, in <module>
      sys.exit(main())
    File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 94, in main
      return ssh(args)
    File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 29, in ssh
      assert args[1] == '/bin/sh'
  AssertionError
  stdout:
```

This bug has already been fixed, but the fix is currently in testing. If 
you wish to help us test this fix, please see the comments on the issue 
linked above for specific instructions, package names, and package 
versions for each Qubes release and TemplateVM.


For more information about testing updates, including the expected 
timeline for updates to migrate from testing to stable, please see:


https://www.qubes-os.org/doc/testing/#updates

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] How to install Maple in a Fedora-30 template in Qubes OS R4.0 ?

2020-11-09 Thread Andrew David Wong

On 11/9/20 8:59 AM, 'M' via qubes-users wrote:

I have received this file from an administrator at my workplace:
"Maple2020.1LinuxX64Installer.run" which I have downloaded to my work
domain.

My question is then: How can I install Maple in a Fedora-30 template in
Qubes OS R4.0. ... ?



Please note that Fedora 30 reached EOL a long time ago:

https://www.qubes-os.org/news/2020/04/30/fedora-31-template-available/

And Fedora 31 is also approaching EOL:

https://www.qubes-os.org/news/2020/10/27/fedora-31-approaching-eol/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes

2020-11-09 Thread Andrew David Wong

On 11/9/20 6:34 AM, pillule wrote:


On Tue, Nov 03 2020, 'src11' via qubes-users wrote:


Why am I not able to delete unused qubes? I tried but they're still there.


Sometimes you need to do
`qvm-prefs [VM-NAME] installed_by_rpm false'
before `qvm-remove' it

--


If it's a TemplateVM that was installed by RPM, you can also do `sudo 
dnf remove ` in dom0.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Errors updating Fedora 30 template

2020-11-08 Thread Andrew David Wong

On 11/8/20 12:29 AM, Shawn Creighton wrote:



On Sunday, November 8, 2020 at 2:31:25 AM UTC-5 a...@qubes-os.org wrote:


On 11/7/20 11:24 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote:



On 11/7/20 7:25 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:




I tried running 'dnf install qubes-template-fedora-32' as root and get:

Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
No package qubes-template-fedora-32 available
Error: unable to find a match
Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the
same output

`sudo qubes-dom0-update qubes-template-fedora-32` is the command you
want. The update script wraps all installs and updates in Dom0 on Qubes.




"Cannot retrieve repository metadata (repomd.xml) for repository: fedora.
Please verify its path and try again"



Make sure you're running this command in dom0, not in a TemplateVM.

https://www.qubes-os.org/doc/templates/fedora/#installing



The terminal I am running from the upper left corner menu says dom0
When I run the command it says: Using sys-whonix as UpdateVM to download
updates for Dom0; this may take some time
But then the cannot retrieve repository metadata (repomd.xml) for
repository: fedora. error



Based on your other posts in addition to this, it sounds like there may
be a problem with your internet connection, proxy settings, or UpdateVM.
Can you access the internet normally from, e.g., a web browser in an
AppVM?



Internet is working ok in all AppVm.
I tried updating a qube by clicking the UpdateVM blue arrow in Qubes
Manager and I get: Curl error (56): failure when receiving data from
peer[Received HTTP code 500 from proxy after Connect]
Someone said something about using a VPN to get around it but that's a
whole other issue to get that working
I also read a post about editing something so the repositories use a http
connection rather than https but haven't tried that



Definitely sounds like some kind of network-related issue (possibly 
including firewall, updates proxy, etc.). Have you made any 
modifications to your system that might affect these things? Did 
anything else happen at the same time that it stopped working?


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Errors updating Fedora 30 template

2020-11-07 Thread Andrew David Wong

On 11/7/20 11:24 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote:


On 11/7/20 7:25 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:




I tried running 'dnf install qubes-template-fedora-32' as root and get:

Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
No package qubes-template-fedora-32 available
Error: unable to find a match
Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the
same output

`sudo qubes-dom0-update qubes-template-fedora-32` is the command you
want. The update script wraps all installs and updates in Dom0 on Qubes.




"Cannot retrieve repository metadata (repomd.xml) for repository: fedora.
Please verify its path and try again"



Make sure you're running this command in dom0, not in a TemplateVM.

https://www.qubes-os.org/doc/templates/fedora/#installing



The terminal I am running from the upper left corner menu says dom0
When I run the command it says: Using sys-whonix as UpdateVM to download
updates for Dom0; this may take some time
But then the cannot retrieve repository metadata (repomd.xml) for
repository: fedora. error



Based on your other posts in addition to this, it sounds like there may 
be a problem with your internet connection, proxy settings, or UpdateVM. 
Can you access the internet normally from, e.g., a web browser in an AppVM?


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Errors updating Fedora 30 template

2020-11-07 Thread Andrew David Wong

On 11/7/20 7:25 PM, Shawn Creighton wrote:



On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:




I tried running 'dnf install qubes-template-fedora-32' as root and get:

Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
No package qubes-template-fedora-32 available
Error: unable to find a match
Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the
same output

`sudo qubes-dom0-update qubes-template-fedora-32` is the command you
want. The update script wraps all installs and updates in Dom0 on Qubes.



"Cannot retrieve repository metadata (repomd.xml) for repository: fedora.
Please verify its path and try again"



Make sure you're running this command in dom0, not in a TemplateVM.

https://www.qubes-os.org/doc/templates/fedora/#installing

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes

2020-11-07 Thread Andrew David Wong

On 11/7/20 5:35 PM, unman wrote:

On Sat, Nov 07, 2020 at 12:50:52PM -0800, Shawn Creighton wrote:

When trying to delete I go to the qube -> qube settings -> delete qube ->
type name of qube -> press enter

Doesn't delete it though

On Tuesday, November 3, 2020 at 6:04:44 PM UTC-5 a...@qubes-os.org wrote:


On 11/3/20 8:57 AM, 'src11' via qubes-users wrote:

How do I update Firefox to the latest version in a disposable qube?



Generally, you update it in the TemplateVM:


https://www.qubes-os.org/doc/software-update-domu/#updating-software-in-templatevms


How do I create a new disposable qube?



https://www.qubes-os.org/doc/disposablevm/


Why am I not able to delete unused qubes? I tried but they're still there.




What exactly did you do, and what exactly was the behavior you observed?



If you open a terminal in dom0 and type `qvm-delete ` you


Minor typo: Should be `qvm-remove` rather than `qvm-delete`.

(Pointing out for Shawn.)


will either delete the qube or see an error message.
You may find that the qube is not unused after all.

Try it and report back.



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] how much space is what using?

2020-11-05 Thread Andrew David Wong

On 11/5/20 7:31 AM, Stumpy wrote:
I am trying to figure out how to claw back some space on my hard drive 
but am having a really hard time understanding what is taking up how 
much space?


For example, I have one appvm that in the qubes manager is showing disk 
usage as 173000MiB

sudo Baobab is showing me that / is using:
10.5gb
and df -f is showing me that / is using
11gb with 500gb free

and when I try to reduce private storage anything less than it is 
already (it is set to 55gb) the settings won't let me, I change it, 
hit apply and it goes back to 55gb, no matter if I try to change it 
by 1 or 100gb, also regardless of if I have the appvm shutdown or not?


Am having a really hard time understanding this so any clarification 
would be appreciated!




It won't let you reduce the private storage capacity because that's a 
dangerous operation. The system is protecting you from yourself. :)


If you just want to free up space, simply delete stuff you don't need 
inside of AppVMs. That will free up space, even though the AppVM private 
storage capacity remains the same. That's because it's total *capacity*, 
not the amount of space actually being used. If I create a brand new 
AppVM and immediately increase its private storage capacity to 500GB, 
that doesn't mean 500GB is being used. Only if I actually fill that 
AppVM with 500GB of data will that much actually be used on disk. Until 
I do that, it's just a big empty vessel.


Now, if, for some unrelated reason, you really want to try to shrink the 
private storage capacity (and risk losing data to do so), have a look at 
this documentation:


https://www.qubes-os.org/doc/resize-disk-image/#decreasing-the-size-of-disk-images

Just remember that this is not at all necessary for saving disk space, 
and it's probably a bad idea unless you really, really know what you're 
doing. Most people will never need to do this. :)


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: Stumpy's question about contributing

2020-11-05 Thread Andrew David Wong

Hi Stumpy,

I replied to your email, but it was returned as undelivered with a 
message stating that your email address is invalid ("Recipient address 
rejected: User unknown"), so I'm replying here on qubes-users. :)


Stumpy asked a great question about how folks can contribute aside from 
donating and writing code.


Thanks for asking! We actually have a list of such ways right here:

https://www.qubes-os.org/doc/contributing/

Many items on this list don't require any money or programming 
knowledge. In particular, it's always helpful to test new releases and 
updates:


https://www.qubes-os.org/doc/testing/

The just-released 4.0.4-rc1 is a great opportunity to do that:

https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

However, individual package updates are also very important, and they 
often don't receive as much feedback as they need:


https://www.qubes-os.org/doc/testing/#providing-feedback
https://github.com/QubesOS/updates-status/issues

Thank you for your willingness to contribute!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Qubes OS 4.0.4-rc1 has been released!

2020-11-05 Thread Andrew David Wong

Dear Qubes Community,

We're pleased to announce the first release candidate for Qubes OS
4.0.4.

Qubes OS 4.0.4-rc1 includes many updates over the initial 4.0 release,
in particular:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 4.19 by default

Qubes 4.0.4-rc1 is available on the downloads page:

https://www.qubes-os.org/downloads/


What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.4.


What should I do?
-----------------

If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully
updated [1], then your system is already equivalent to a Qubes 4.0.4
installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient
and secure, since it bundles all Qubes 4.0 updates to date. Please see
the installation guide [2] for detailed instructions.

If you're willing to test [3] this release candidate, you can help to
improve the stable release by reporting any bugs you encounter [4].


Release candidate planning
--------------------------

If no major issues are discovered in 4.0.4-rc1, we expect to announce
the stable release of 4.0.4 in a couple weeks.


[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/testing/
[4] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki

2020-11-04 Thread Andrew David Wong

On 11/4/20 3:18 AM, Frédéric Pierret wrote:

On 11/4/20 at 11:39 AM, Stumpy wrote:

On 11/3/20 6:00 PM, Andrew David Wong wrote:

On 11/3/20 7:48 AM, Stumpy wrote:

On 10/5/20 9:00 PM, Andrew David Wong wrote:

Dear Qubes Community,

Marek has just published the following announcement:

https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/ 



[...]


So do I understand this currently is only available for Fed31? and 
not 32?


I don't recall hearing that anywhere, and I can think of no reason 
why it would be true.


That was mentioned in one of the chat rooms but if true, and Fed31 
is reaching EOL is there an ETA on when the contributed-packages 
will be available for Fed32?


As far as I know, the repos should already work on Fedora 32.

For the compatibility of the packages themselves, you'll have to 
check the package details, but I imagine that most, if not all, 
should be compatible.


P.S. -- Please don't reply to multiple lists.



Thank you, I will give it a try again. I just asked because I was able 
to get it to work with Fed31 but not Fed32 (tried Fed32 when the com 
packages were first made available).


Regarding the replies, my apologies, I just mindlessly clicked "reply 
all".




No worries.



Packages should be available (or almost) for Fedora 32.

Please note this is a community effort. Authors of contributed packages 
are kindly asked to help with maintaining or fixing build issues. Any 
package normally has a GitHub issue. I'm currently referencing all 
packages with extra info in a JSON file here: 
https://github.com/QubesOS-contrib/qubes-contrib-configs/blob/master/packages.json. 



Regards,
Frédéric



Also, a reminder that *anyone* can update a contrib package, not just 
the contributor of that package:


https://www.qubes-os.org/doc/package-contributions/#update-procedure

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Qubes R4.1 Release Schedule

2020-11-04 Thread Andrew David Wong

On 11/4/20 4:52 AM, load...@gmail.com wrote:


Hi everyone,

Does anybody know where the release schedule for Qubes R4.1 is?
All I found is https://www.qubes-os.org/doc/releases/4.0/schedule/



There isn't one yet, but we're working on it. Stay tuned. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes

2020-11-03 Thread Andrew David Wong

On 11/3/20 8:57 AM, 'src11' via qubes-users wrote:

How do I update Firefox to the latest version in a disposable qube?



Generally, you update it in the TemplateVM:

https://www.qubes-os.org/doc/software-update-domu/#updating-software-in-templatevms


How do I create a new disposable qube?



https://www.qubes-os.org/doc/disposablevm/


Why am I not able to delete unused qubes? I tried but they're still there.



What exactly did you do, and what exactly was the behavior you observed?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki

2020-11-03 Thread Andrew David Wong

On 11/3/20 7:48 AM, Stumpy wrote:

On 10/5/20 9:00 PM, Andrew David Wong wrote:

Dear Qubes Community,

Marek has just published the following announcement:

https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/

[...]


So do I understand this currently is only available for Fed31? and not 
32?


I don't recall hearing that anywhere, and I can think of no reason why 
it would be true.


That was mentioned in one of the chat rooms but if true, and Fed31 
is reaching EOL is there an ETA on when the contributed-packages will 
be available for Fed32?


As far as I know, the repos should already work on Fedora 32.

For the compatibility of the packages themselves, you'll have to check 
the package details, but I imagine that most, if not all, should be 
compatible.


P.S. -- Please don't reply to multiple lists.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: HCL - intel NUC10i7FNK

2020-11-01 Thread Andrew David Wong

On 10/31/20 11:55 PM, Alex Smirnoff wrote:

I had to update it first. Also, removed rhgb to get around the password
prompt bug.
What an amazing system! I installed it to evaluate if it is suitable for
our company environment and instantly fell in love with it. However, the
answer to my main question is still "no" :(. Unless we buy certified
hardware for everyone, at least,


If certified hardware is prohibitive for your company, you might 
investigate the ThinkPad X and T series within the past few years, 
beginning around the time of the X1 Carbon Gen 5. There may be certain 
problems (e.g., AEM or suspend not working), but they might still work 
well enough, depending on what your needs are.



and some of us badly need properly working
Win10 guest with seamless desktop app integration and clipboard :(



Depending on why Win10 VMs are needed, there might be alternatives 
available, e.g., cloud apps or a Windows machine on your local network 
that can be accessed remotely from the Qubes machines.



On Friday, October 30, 2020 at 9:28:26 PM UTC+2 Ludovic Bellier wrote:


On 30/10/2020 at 19:52, Alex Smirnoff wrote:

Now, that's strange! my dom0 is on the latest kernel, but sys-net is
not, so, no network there.


It's normal, all VMs keep the default kernel, not the latest.

You should change the sys-net VM kernel to latest:

- open Qube Manager

- select sys-net

- right click, choose Qube-settings

- Advanced tab, change the kernel to 5.x.x

- Apply and restart sys-net



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] [PoC] Qubes SleepKeeper - auto shutdown your Qubes if no password entered after wake up

2020-10-31 Thread Andrew David Wong

On 10/30/20 5:51 AM, evado...@gmail.com wrote:

interesting but threat model unclear. If the attacker can force you to
enter one password after suspend, why would he not force you to enter
LUKS and user password 5 minutes later?


There are a lot more attack vectors when the system is booted and only
protected by xscreensaver.
The attacker can use some hardware backdoors, xscreensaver
bugs/backdoors/kill it to receive access: dump your memory on hardware
level, receive access to memory from vulnerable hardware, guess screensaver
password etc.

If the system shuts down automatically, then there is only one attack
vector: the LUKS password



There's no disagreement that shut down is more secure than suspended, 
but the devil is in the details. How exactly is it supposed to work?


1. Attacker forces you to wake up computer (e.g., open laptop lid).
2. Attacker forces you to enter password.
3. You enter incorrect password?
4. Attacker tells you to enter correct password this time?
5. Qubes shuts down because it's been too long?

Why not just have an alternate passphrase that, when entered, shuts down 
the PC (or, as you suggest, wipes the LUKS header)? Why a timer?


Perhaps the alternate passphrase, when entered, also sends out an SOS 
message?




Friday, 30 October 2020 at 07:54:14 UTC, haa...@web.de:


On 10/29/20 11:06 PM, evado...@gmail.com wrote:

Proof of Concept.

github.com/evadogstar/qubes-sleepkeeper

Qubes-Sleepkeeper protects you from physical attack when the attacker
forces you to enter the password of your Qubes after it wakes up from sleep
or from password guessing after wakeup. The attacker has very limited
time to do so or Qubes will shut down automatically.


Interesting but threat model unclear. If the attacker can force you to
enter one password after suspend, why would he not force you to enter
LUKS and user password 5 minutes later? Please explain. Rather an evil
maid "attempt detection" (not protection) by "laptop is down instead of
sleeping"? I think it really could help as additional data protection in
case of normal, criminal theft...



--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Fedora 31 approaching EOL

2020-10-27 Thread Andrew David Wong

Dear Qubes Community,

Fedora 33 was released today [1], 2020-10-27. According to the Fedora
Release Life Cycle [2], this means that Fedora 31 is scheduled to reach
EOL (end-of-life [3]) in approximately four weeks, around 2020-11-24 [4].

We strongly recommend that all Qubes users upgrade their Fedora 31
TemplateVMs and StandaloneVMs to Fedora 32 or higher before Fedora 31
reaches EOL. We provide step-by-step upgrade instructions for upgrading
Fedora TemplateVMs [5]. For a complete list of TemplateVM versions
supported for your specific version of Qubes, see Supported TemplateVM
Versions [6].

We also provide a fresh Fedora 32 TemplateVM package through the
official Qubes repositories, which you can install in dom0 by following
the standard installation instructions [7].

After upgrading your TemplateVMs, please remember to switch all qubes
that were using the old template to use the new one [8].

Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL [9].


[1] https://fedoramagazine.org/announcing-fedora-33/
[2] https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
[3] https://fedoraproject.org/wiki/End_of_life
[4] https://www.timeanddate.com/date/dateadded.html?m1=10=27=2020=add===4==
[5] https://www.qubes-os.org/doc/template/fedora/upgrade/
[6] https://www.qubes-os.org/doc/supported-versions/#templatevms
[7] https://www.qubes-os.org/doc/templates/fedora/#installing
[8] https://www.qubes-os.org/doc/templates/#switching
[9] https://www.qubes-os.org/doc/supported-versions/#note-on-dom0-and-eol

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/10/27/fedora-31-approaching-eol/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: QSB #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347)

2020-10-24 Thread Andrew David Wong

On 10/22/20 2:19 AM, 54th Parallel wrote:




XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or
sys-usb in the default configuration) could try to exploit this
vulnerability in order to crash the host.



Just wanted to point out that there's a very minor typo here ('XSA-457').


Thank you for pointing out the typo. We'll make sure this gets fixed in 
the repo and website versions.



Also, since the last QSB was posted on Discourse, I was wondering if this
should be too.


It's automatic, but there might be a delay.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] XSAs 286, 331, 332, and 345 do not affect the security of Qubes OS

2020-10-20 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has published the following Xen Security Advisories:
XSA-286, XSA-331, XSA-332, and XSA-345. These XSAs do *not* affect the
security of Qubes OS, and no user action is necessary.

*Special note:* Although XSA-345 is included in QSB #060 [1], we do not
consider XSA-345 to affect the security of Qubes OS, since the default
configuration is safe, and we have already implemented appropriate
safeguards to prevent users from changing to a vulnerable configuration
by accident. Please see the Impact section of QSB #060 [1] for further
details.

[1] https://www.qubes-os.org/news/2020/10/20/qsb-060/

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#286
https://www.qubes-os.org/security/xsa/#331
https://www.qubes-os.org/security/xsa/#332
https://www.qubes-os.org/security/xsa/#345

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2020/10/20/xsa-286-331-332-345-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347)

2020-10-20 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #060: Multiple Xen
issues (XSA-345, XSA-346, XSA-347). The text of this QSB is reproduced
below. This QSB and its accompanying signatures will always be available
in the Qubes Security Pack (qubes-secpack).

*Special note:* Although XSA-345 is included in this QSB, we do not
consider XSA-345 to affect the security of Qubes OS [1], since the
default configuration is safe, and we have already implemented
appropriate safeguards to prevent users from changing to a vulnerable
configuration by accident. Please see the Impact section in QSB #060
below for further details.

[1] https://www.qubes-os.org/news/2020/10/20/xsa-286-331-332-345-qubes-not-affected/


View QSB #060 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-060-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View the associated XSAs in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#345
https://www.qubes-os.org/security/xsa/#346
https://www.qubes-os.org/security/xsa/#347

```


 ---===[ Qubes Security Bulletin #60 ]===---

 2020-10-20


   Multiple Xen issues (XSA-345, XSA-346, XSA-347)


Summary


On 2020-10-20, the Xen Security Team published the following Xen
Security Advisories (XSAs):

XSA-345 [1] "x86: Race condition in Xen mapping code":
| The Xen code handling the updating of the hypervisor's own pagetables
| tries to use 2MiB and 1GiB superpages as much as possible to maximize
| TLB efficiency.  Some of the operations for checking and coalescing
| superpages take non-negligible amount of time; to avoid potential lock
| contention, this code also tries to avoid holding locks for the entire
| operation.
|
| Unfortunately, several potential race conditions were not considered;
| precisely-timed guest actions could potentially lead to the code
| writing to a page which has been freed (and thus potentially already
| reused).
|
| A malicious guest can cause a host denial-of-service.  Data corruption
| or privilege escalation cannot be ruled out.


XSA-346 [2] "undue deferral of IOMMU TLB flushes":
| To efficiently change the physical to machine address mappings of a
| larger range of addresses for fully virtualized guests, Xen contains
| an optimization to coalesce per-page IOMMU TLB flushes into a single,
| wider flush after all adjustments have been made.  While this is fine
| to do for newly introduced page mappings, the possible removal of
| pages from such guests during this operation should not be "optimized"
| in the same way.  This is because the (typically) final reference of
| such pages is dropped before the coalesced flush, and hence the pages
| may have been put to a different use even though DMA initiated by
| their original owner might still be in progress.
|
| A malicious guest might be able to cause data corruption and data
| leaks.  Host or guest Denial of Service (DoS), and privilege
| escalation, cannot be ruled out.


XSA-347 [3] "unsafe AMD IOMMU page table updates":
| AMD IOMMU page table entries are updated in a step by step manner,
| without regard to them being potentially in use by the IOMMU.
| Therefore it was possible that the IOMMU would read and then use a
| half-updated entry.  Furthermore, updates to Device Table entries
| lacked suitable ordering enforcement for certain steps involved in
| these updates.
|
| In both case the specific outcome heavily depends on how exactly the
| compiler translated the affected pieces of code.
|
| A malicious guest might be able to cause data corruption and data
| leaks.  Host or guest Denial of Service (DoS), and privilege
| escalation, cannot be ruled out.


Impact
===

XSA-345: The default Qubes configuration is safe. Shadow mode for HVM
and PVH domains is disabled at build time, and domains that have PCI
devices run in HVM mode by default. Therefore, we do not consider this
XSA to affect the security of Qubes OS. However, we are including it in
this QSB anyway since it is technically possible for the user to
manually change a domain that has PCI devices from HVM to PV, which
would result in a configuration that is vulnerable to this issue. Having
anticipated the risk associated with such a manual change, we have
already implemented appropriate safeguards. In the Qubes GUI for
changing VM settings, the user would have to go to the "Advanced" tab in
order to change the setting from HVM to PV. Upon making the change, the
user would immediately be confronted with a warning in bold red text
that reads, "Using PV mode exposes more hypervisor attack surface!"
Therefore, it is nearly impossible users would switch to the vulnerable
configuration by accident.

XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or
sys-usb in the default 

Re: [qubes-users] Installing Qubes OS contributed packages? (rofi and tunnel packages)

2020-10-19 Thread Andrew David Wong

On 10/19/20 9:58 AM, Stumpy wrote:

On 10/17/20 6:17 PM, Jarrah wrote:



I just tried to install qubes-tunnel in a fedora template and that
also didn't work,

sudo dnf install qubes-repo-contrib && sudo dnf install qubes-tunnel



Try with `dnf install --refresh --enablerepo=qubes-repo-contrib
qubes-tunnel`. It may be that either the new metadata hasn't come down
(happens a lot on Debian, not so much fedora) or the repo isn't enabled
by default in the package.




Thanks for the suggestion, I get pretty much the same kind of error (in 
the template and in dom0 when trying to install rofi)


bash-5.0# sudo dnf install --refresh --enablerepo=qubes-repo-contrib 
qubes-tunnel

Error: Unknown repo: 'qubes-repo-contrib'

yet when I installed something (Sakura in this case) it clearly showed 
it was checking the contrib repo in addition to the other repos?




1. The reason you're getting "Error: Unknown repo" is that the 
repository name is not "qubes-repo-contrib". Rather, the name depends on 
your Qubes release and whether it is in dom0 or a TemplateVM. For 
example, in a Fedora VM on Qubes 4.0, the new repository is:


  /etc/yum.repos.d/qubes-contrib-vm-r4.0.repo

2. After I installed the repository in a Fedora VM, I checked and found 
that it was already enabled, so --enablerepo is unnecessary.


3. I then tried to install the "qubes-tunnel" package in the same VM. 
Even though dnf reported that the contrib repo was checked, the 
"qubes-tunnel" package was not found. So, I can at least partially 
reproduce this. However, I don't know whether this problem is specific 
to the "qubes-tunnel" package.


I suggest filing a bug report.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
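
The mismatch described in point 1 above (the name passed to --enablerepo must be a repository ID from a .repo file, not the name of the package that installed that file) can be checked by reading the IDs out of the .repo files. This is an added example, not part of the original message or of any Qubes tooling; the function names, the sample file and the `example-contrib-vm-*` IDs are constructed placeholders, not the real contents of qubes-contrib-vm-r4.0.repo.

```shell
#!/bin/sh
# list_repo_ids [DIR]
# Print "<repo-id> <enabled> <file>" for every [section] in DIR/*.repo.
# dnf's --enablerepo/--disablerepo options match these section IDs,
# not the name of the package that shipped the .repo file.
list_repo_ids() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function flush() { if (id != "") print id, enabled, file }
            /^[ \t]*[#;]/ { next }                 # skip comment lines
            /^[ \t]*\[.*\][ \t]*$/ {               # start of a [repo-id] section
                flush()
                id = $0
                sub(/^[ \t]*\[/, "", id)
                sub(/\][ \t]*$/, "", id)
                enabled = 1    # dnf treats a missing "enabled" key as enabled
                next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)
                sub(/[ \t]*$/, "", v)
                v = tolower(v)
                enabled = (v == "1" || v == "true" || v == "yes") ? 1 : 0
            }
            END { flush() }
        ' "$f"
    done
}

# repo_id_known DIR ID
# Succeed only if ID is the exact ID of a section in some DIR/*.repo file.
repo_id_known() {
    list_repo_ids "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Build a throwaway directory holding one constructed .repo file.
# The IDs and URLs are placeholders chosen for this example.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/example-contrib-vm.repo" <<'EOF'
# constructed sample, not the real Qubes repository definition
[example-contrib-vm-current]
name = Example contrib repository (current)
baseurl = https://repo.example.invalid/current
enabled = 1
gpgcheck = 1

[example-contrib-vm-testing]
name = Example contrib repository (testing)
baseurl = https://repo.example.invalid/testing
enabled=0
gpgcheck = 1
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed sample: list the IDs, then show that the file's
# base name is not itself a repository ID.
sample=$(make_sample_dir)
list_repo_ids "$sample"
repo_id_known "$sample" example-contrib-vm ||
    echo "example-contrib-vm is a file/package name, not a repo ID"
rm -rf "$sample"
```

On a real system, calling `list_repo_ids` with no argument reads /etc/yum.repos.d and shows which IDs exist and whether each is already enabled.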



Re: [qubes-users] Calling all humans! (from Nina)

2020-10-12 Thread Andrew David Wong

On 10/12/20 1:01 PM, tetrahedra via qubes-users wrote:

On Sun, Oct 11, 2020 at 11:42:27PM +0500, Stumpy wrote:
Thanks for this, I have filled it out and volunteered but really 
really really wanted to iterate one big (for me) point, and that is 
include at least some of the things listed in the documentation as an 
option in the setup.


Side idea: include the documentation in the base install!

And then it's easier to point to the relevant bits of the documentation 
post-install...




This is already in the works. :)

https://github.com/QubesOS/qubes-issues/issues/1019

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] How to burn directory's to an optical disc in Qubes OS 4.0.3 by using an application ?

2020-10-12 Thread Andrew David Wong

On 10/12/20 2:27 AM, 'M' via qubes-users wrote:

How to burn directories to an optical disc in Qubes OS 4.0.3 by using an
application?

Which application is recommended and how to install it?

I have read this: https://www.qubes-os.org/doc/optical-discs/



Since you didn't specify, I'll assume you're talking about using a USB 
optical drive inside of a standard qube, which is the least problematic 
route. This sounds like a general Linux question, so you might be able 
to find some helpful existing answers by searching more generally. For 
example, if you want to do this in a Fedora qube, you might try 
searching for recommended disc burning software for Fedora in general. 
(Of course, there's nothing wrong with also asking here. Just pointing 
out an additional option.)


As for how to install it, most likely the standard way:

https://www.qubes-os.org/doc/software-update-domu/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Calling all humans! (from Nina)

2020-10-09 Thread Andrew David Wong

[The following message is from Nina Eleanor Alter, our UX specialist.]

Greetings, Qubes community! We are running our first ever survey of 
current, former, and future Qubes OS users. We invite you all to lend us 
10-15 min of your time to participate.


https://survey.qubes-os.org/index.php?r=survey/index=791682=en

The Qubes OS team loves the conversations we have with our community 
across forums, email lists, in support tickets, and at conferences. As 
most of us understand, though, structured data is very different -- and 
clear information to help us make product and development decisions in 
the weeks and months to come, we feel is necessary to best serve our users.


This survey is also just the beginning of several weeks of user research 
work that will consist of interviews, user testing, co-creation 
workshop(s) with users guided by a UX specialist, and possibly more 
surveys. At the end of this survey, we’ll collect contact information 
should participating in that work be of interest to folks. We also look 
forward to keeping folks updated in our user communities, with how all 
of this work is progressing.


-

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/10/09/calling-all-humans/



[qubes-users] Known issue: Qubes extension not yet working with Thunderbird 78

2020-10-08 Thread Andrew David Wong

Dear Qubes Community,

Many of you are upgrading to Thunderbird 78. The Qubes Thunderbird 
extension, which allows you to easily open attachments in DisposableVMs, 
has not yet been updated to work with this new Thunderbird release. You 
can find the details in this bug report:


https://github.com/QubesOS/qubes-issues/issues/5861

However, while you wait for the extension to be updated, it is important 
to understand that this extension is purely for convenience. It is not 
required to do anything. You can do everything that the extension does 
manually. For example, to view an email attachment in a DisposableVM:


1. Save the attachment in your email VM.
2. Open the file manager in your email VM (e.g., nautilus).
3. Right-click on the attachment and select "View in DisposableVM."

The extension makes this more convenient by automating the process, but 
it doesn't do anything that you can't do yourself. Nonetheless, we are 
working on upgrading the extension as soon as reasonably possible.


Further discussion can be found on this forum thread:

https://qubes-os.discourse.group/t/thunderbird-qubes-attachments/865/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki

2020-10-08 Thread Andrew David Wong

On 10/7/20 2:24 PM, evado...@gmail.com wrote:

Nice!
P.S. old version of qubes-screenshot-tool in repo. There is already next
version available.



Could you please update the package? The procedure is explained here:

https://www.qubes-os.org/doc/package-contributions/#update-procedure

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Re: Updated Split GPG documentation for Thunderbird 78

2020-10-07 Thread Andrew David Wong

On 10/7/20 3:56 AM, Andrew David Wong wrote:

On 10/7/20 3:47 AM, Andrew David Wong wrote:

On 10/7/20 3:46 AM, Andrew David Wong wrote:

Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes 
the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG 
documentation was updated a little over a week ago with detailed new 
instructions, including a full screenshot walk-through, for how to 
use Split GPG with Thunderbird 78 and higher. If you haven't already 
seen it, take a look:


https://www.qubes-os.org/doc/split-gpg/#using-thunderbird



By the way, if anyone figures out how to automatically sign all 
emails, please let me know. :)




Answering my own question:

Account Settings -> End-To-End Encryption -> Default settings for 
sending messages -> [x] Add my digital signature by default


There's also an option here to require encryption by default.

However, I don't see an option to use inline signatures for 
compatibility with our mailing lists.




Found this:

https://wiki.mozilla.org/Thunderbird:OpenPGP:Status

> -- unknown schedule --
> [...]
> sending an INLINE cleartext signed message without attachments (we
> don't intend to support sending other kinds of inline OpenPGP messages)


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: Updated Split GPG documentation for Thunderbird 78

2020-10-07 Thread Andrew David Wong

On 10/7/20 3:47 AM, Andrew David Wong wrote:

On 10/7/20 3:46 AM, Andrew David Wong wrote:

Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes the 
way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG 
documentation was updated a little over a week ago with detailed new 
instructions, including a full screenshot walk-through, for how to use 
Split GPG with Thunderbird 78 and higher. If you haven't already seen 
it, take a look:


https://www.qubes-os.org/doc/split-gpg/#using-thunderbird



By the way, if anyone figures out how to automatically sign all emails, 
please let me know. :)




Answering my own question:

Account Settings -> End-To-End Encryption -> Default settings for 
sending messages -> [x] Add my digital signature by default


There's also an option here to require encryption by default.

However, I don't see an option to use inline signatures for 
compatibility with our mailing lists.


Ok, I'm going to stop replying to both lists at the same time now.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: Updated Split GPG documentation for Thunderbird 78

2020-10-07 Thread Andrew David Wong

On 10/7/20 3:46 AM, Andrew David Wong wrote:

Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes the 
way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG 
documentation was updated a little over a week ago with detailed new 
instructions, including a full screenshot walk-through, for how to use 
Split GPG with Thunderbird 78 and higher. If you haven't already seen 
it, take a look:


https://www.qubes-os.org/doc/split-gpg/#using-thunderbird



By the way, if anyone figures out how to automatically sign all emails, 
please let me know. :)


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org




[qubes-users] Updated Split GPG documentation for Thunderbird 78

2020-10-07 Thread Andrew David Wong

Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes the 
way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG 
documentation was updated a little over a week ago with detailed new 
instructions, including a full screenshot walk-through, for how to use 
Split GPG with Thunderbird 78 and higher. If you haven't already seen 
it, take a look:


https://www.qubes-os.org/doc/split-gpg/#using-thunderbird

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org




[qubes-users] Article: "New Gentoo templates and maintenance infrastructure" by Frédéric Pierret

2020-10-05 Thread Andrew David Wong

Dear Qubes Community,

Frédéric Pierret has just published the following article:

https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/

The plain text of this article is reproduced below.

===

"New Gentoo templates and maintenance infrastructure"
by Frédéric Pierret

_This is the third article in the "What's new in Qubes 4.1?" series. 
Previously: [The New Qrexec Policy 
System](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/) and 
[The GUI Domain](https://www.qubes-os.org/news/2020/03/18/gui-domain/)._

New Gentoo templates
--------------------

The work I've been doing on Gentoo templates is finally ready to be released! 
The corresponding issue is 
[#4412](https://github.com/QubesOS/qubes-issues/issues/4412), where you can 
find almost every related piece of work. I would like to highlight that this 
has been a great opportunity to collaborate with the Gentoo core team, and 
multiple improvements have been implemented on the Gentoo side thanks to the 
help of Gentoo devs **mgorny** and **zmedico**. When I encountered issues, I 
appreciated the quick response from several maintainers of different Gentoo 
components.

Why a Gentoo template? Gentoo is designed for users who want to customize a 
Linux distribution to fit their specific needs. The benefit in Qubes is that it 
allows one to create highly customized and hardened TemplateVMs (or 
StandaloneVMs). For example, one could customize the Gentoo Qubes Builder to 
create a [ClipOS](https://clip-os.org/en/) build.

The new Gentoo templates are available in three flavors. The [default 
(Gnome)](https://www.qubes-os.org/doc/templates/gentoo/), 
[minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
[XFCE](https://www.qubes-os.org/doc/templates/xfce/). Currently, they are 
available in the `qubes-templates-community-testing` repo, and they'll soon be 
in the `qubes-templates-community` repo.

Maintenance infrastructure
--------------------------

In order to keep the new Gentoo template in good working condition, we need a 
set of automated tests. The bare minimum is continually testing whether just 
building the template still works. Due to the nature of Gentoo, such tests 
require far more resources (time, CPU power) than are available for open-source 
projects on Travis CI (which we use for testing other templates). We use Travis 
CI as a bare minimum for validating every pull request, then it generally goes 
to openQA. Here, the issue with Gentoo is that, by definition, it's a source 
distribution, so everything needs to be rebuilt. Travis allows a maximum 
timeout of something like 50 minutes for jobs. Simply rebuilding a Qubes 
component for Gentoo takes several hours (and more than half a day for each 
template). So, Travis is out.

I've set up in our pull request pipeline the use of a feature of Gentoo that 
allows us to get pre-built binaries from a mirror. For that, when I build a 
full template, I push a fresh repository with every package built on my mirror. 
But still, even when doing this, hours are needed for jobs. I didn't want to 
give up on this, so, after evaluating several options, I decided to set up my 
own self-hosted GitLab CI instance. For that, I've developed a service that I 
call 
[qubes-g2g-continuous-integration](https://github.com/fepitre/qubes-g2g-continuous-integration/),
 forwarding selected GitHub pull requests to my GitLab CI instance.

In consequence, I can manage the allocated resources for Gentoo builds, and we 
now have the means to validate every pull request for each component that has 
been integrated into Gentoo. A check status appears on GitHub side-by-side with 
Travis checks for other distros where everyone can access the build logs too. 
Here is an 
[example](https://gitlab.notset.fr/fepitre-bot/qubes-app-linux-input-proxy/-/pipelines/346).
 By the way, this is also what we use for automatically checking kernel pull 
requests. Here is a [recent pull 
request](https://github.com/QubesOS/qubes-linux-kernel/pull/276). When viewing 
the checks, you can see the results for the kernel builds. Once again, it's 
because the build time is superior to what Travis allows.

Conclusion
----------

All this infrastructure is intended not only for the kernel and Gentoo, but 
also to help Arch Linux users. Depending on the needed resources, we could also 
add the longer Arch Linux jobs into my GitLab CI instance, because we currently 
don't properly validate the template itself.

In general, this new infrastructure allows us to create and test pipelines that 
require a lot of resources. Combined with Travis and openQA, we have another 
layer to rely on for validating and automating the building of cutting edge 
templates like Gentoo and Arch Linux. While the same kinds of features are 
available on paid GitLab plans, I preferred to 

[qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki

2020-10-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

Marek has just published the following announcement:

https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/

The plain text of this announcement is reproduced below.

==

"Qubes OS contributed packages are now available"
by Marek Marczykowski-Górecki

We are happy to announce the availability of Qubes OS contributed packages 
under the [QubesOS-contrib] GitHub Project. This is a place where our community 
can [contribute Qubes OS related packages, additions and various 
customizations][package-contrib]. Meanwhile, we provide the infrastructure and 
[review process] necessary to make them available easily and safely to users 
within standard Qubes installations.

[Frédéric Pierret] built the infrastructure based on a similar setup for 
building official packages. This means that it features the same [Qubes build 
security] measures, including keeping the signing keys separate in a dedicated 
VM, downloading packages over Tor, publishing build logs in a non-spoofable way 
and more. Frédéric is also the maintainer of [QubesOS-contrib].
The source code repositories of the packages and infrastructure-related parts 
are also hosted under [QubesOS-contrib].

To contribute a package, follow the process described at [package 
contributions]. You will find a few helpful tips there, including a [skeleton 
repository] with example RPM packaging and [Qubes Builder] integration.
Since the project has been running for some time already, there are already 
some submitted packages available there. To name a few:

 - [qubes-tunnel]
 - [qvm-screenshot-tool]
 - [qmenu]

You can find the full list at [QubesOS-contrib].

If you want to install one of these packages, first you need to enable the 
repository in your system (dom0 and/or templates). This can be done by 
installing the `qubes-repo-contrib` package. This package includes the 
repository definition and keys necessary to download, verify, and install 
[QubesOS-contrib] packages.

In dom0, use `qubes-dom0-update`:

sudo qubes-dom0-update qubes-repo-contrib

In a Fedora-based template, use `dnf`:

sudo dnf install qubes-repo-contrib

In a Debian-based template, use `apt`:

sudo apt update && sudo apt install qubes-repo-contrib


[QubesOS-contrib]: https://github.com/QubesOS-contrib/
[package-contrib]: https://www.qubes-os.org/doc/package-contributions/
[review process]: https://www.qubes-os.org/doc/package-contributions/#review-procedure
[Frédéric Pierret]: https://www.qubes-os.org/team/#fr%C3%A9d%C3%A9ric-pierret
[Qubes build security]: https://www.qubes-os.org/news/2016/05/30/build-security/
[package contributions]: https://www.qubes-os.org/doc/package-contributions/
[skeleton repository]: https://github.com/QubesOS-contrib/qubes-skeleton/
[Qubes Builder]: https://www.qubes-os.org/doc/qubes-builder/
[qubes-tunnel]: https://github.com/QubesOS-contrib/qubes-tunnel
[qvm-screenshot-tool]: https://github.com/QubesOS-contrib/qvm-screenshot-tool
[qmenu]: https://github.com/QubesOS-contrib/qmenu

==

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d25ebc13-6944-f035-1c2d-d9e3df17070e%40qubes-os.org.


Re: [qubes-users] Re: git qubes iso 4.1

2020-10-02 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-10-02 2:12 PM, load...@gmail.com wrote:
>
>
>>
>> i need to download afresh qubes iso 4.1 how the web site is 4.0
>> thanks
>>
>
>
> Where did you see the 4.1 version?
>

Qubes 4.1 is an upcoming release that is currently undergoing
development and testing. It has not been released yet. Qubes 4.0 is
still the latest stable release.

If you'd like to get involved with testing, please see:

https://www.qubes-os.org/doc/testing/

As explained on that page, you can find alpha ISOs (such as for Qubes
4.1) here:

https://openqa.qubes-os.org/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3f2e7621-c6ae-14f2-aa83-0b42a6d3cf5f%40qubes-os.org.


[qubes-users] XSAs 333, 334, 336, 338, 339, 342, and 344 do not affect the security of Qubes OS

2020-09-22 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

The Xen Project has published the following Xen Security Advisories:
XSA-333, XSA-334, XSA-336, XSA-338, XSA-339, XSA-342, and XSA-344.
These XSAs do *not* affect the security of Qubes OS, and no user
action is necessary.

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#333
https://www.qubes-os.org/security/xsa/#334
https://www.qubes-os.org/security/xsa/#336
https://www.qubes-os.org/security/xsa/#338
https://www.qubes-os.org/security/xsa/#339
https://www.qubes-os.org/security/xsa/#342
https://www.qubes-os.org/security/xsa/#344

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/22/xsa-333-334-336-338-339-342-344-qubes-not-affected/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/397d0280-3730-0186-d250-a5e117f477ae%40qubes-os.org.


[qubes-users] QSB #059: Multiple Xen issues (XSA-337, XSA-340, XSA-343)

2020-09-22 Thread Andrew David Wong
s Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/22/qsb-059/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/88bcc05e-49b9-c83d-f72b-2063c853523e%40qubes-os.org.


[qubes-users] Get paid to support Qubes development through automated testing! (three-month contract)

2020-09-20 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

The Qubes OS Project is seeking an expert in automated testing. We use
OpenQA and Travis to test changes to the Qubes OS source code and
automated building from source. We're looking for someone who can help
with improving both the automated tests themselves and the testing
infrastructure.

This is a paid position on a three-month part-time contract through the
Internews BASICS project (Building Analytical and Support Infrastructure
for Critical Security tools):

https://chm.tbe.taleo.net/chm04/ats/careers/v2/viewRequisition?org=INTERNEWS=38=1186

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2020/09/20/get-paid-to-support-qubes-development-through-automated-testing/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f67994b3-e1cd-f283-ed7b-4754cfc3e651%40qubes-os.org.


Re: [qubes-users] Adding new kernels to iso?

2020-09-19 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-09-19 7:53 AM, unman wrote:
> [...]
>
> (Also, the documentation should do this by default too.)

Patches welcome. :)

Most links were probably added before the Mail Archive
mirror existed.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dae9020a-e912-20dd-fbc7-0bf341ab27a3%40qubes-os.org.


[qubes-users] Qubes Canary #24

2020-09-10 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We have published Qubes Canary #24. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #24 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-024-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and
read it:

https://www.qubes-os.org/security/pack/

View all past canaries:

https://www.qubes-os.org/security/canaries/

```


---===[ Qubes Canary #24 ]===---


Statements
- ---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is September 8, 2020.

2. There have been 58 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of December 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
- --

None.

Disclaimers and notes
- --

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
- ---

Tue, 08 Sep 2020 01:45:14 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Germany Debates Halting Contentious Russian Pipeline Project
Monetary Policy Expert David Marsh: "We Are Witnessing the End of Independent 
Central Banks"
How Feces and Other Bodily Fluids Can Help Track COVID Outbreaks
Russian Patient: The Kremlin, Belarus and the Attack on Alexei Navalny
Nord Stream 2 Troubles: An Uncertain Future for the German-Russian Pipeline

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Trump Emerges as Inspiration for Germany’s Far Right
Aided by Modern Ingenuity, a Taste of Ancient Judean Dates
Aleksei Navalny Out of a Coma and Responsive, German Doctors Say
London’s Bridges Really Are Falling Down
Truck Bomb in Somalia Kills 3 and Wounds 3, Including a U.S. Soldier

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Australian journalists flown out of China 'amid diplomatic standoff'
Michael Cohen's Trump book: The ex-lawyer's key claims
Russia's Navalny out of coma after poisoning
Wildfires burn through record area in California as blazes continue to spread
'They shot him in cold blood'

Source: Blockchain.info
0005a914bdf7052f546448bd3459aa95b52bc1f1a62c27f6

Footnotes
- --

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/10/canary-24/
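
A freshness check for the canary statements quoted above, as an added example that is not part of the original message or of the qubes-secpack. It assumes the file's PGP signatures have already been verified, that the pinned fingerprint comes from an independent source, and that "the first two weeks" of a month ends on day 14; the regular expressions are tied to the wording of this canary.

```python
import re
from datetime import date

# Statements 1, 2, 3 and 5 copied from Canary #24 as quoted above.
CANARY_24 = """\
1. The date of issue of this canary is September 8, 2020.

2. There have been 58 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

5. We plan to publish the next of these canary statements in the first
two weeks of December 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
"""

MONTHS = {name: i for i, name in enumerate(
    "January February March April May June July August "
    "September October November December".split(), start=1)}


def parse_canary(text):
    """Extract the machine-checkable statements from a canary's text."""
    flat = " ".join(text.split())  # undo line wrapping
    issued = re.search(
        r"date of issue of this canary is (\w+) (\d{1,2}), (\d{4})", flat)
    count = re.search(r"There have been (\d+) Qubes Security Bulletins", flat)
    fpr = re.search(r"fingerprint is:\s*((?:[0-9A-F]{4}\s*){10})", flat)
    nxt = re.search(r"in the first two weeks of (\w+) (\d{4})", flat)
    if not (issued and count and fpr and nxt):
        # A missing or reworded statement is itself something to look at.
        raise ValueError("canary statements missing or reworded")
    try:
        return {
            "issued": date(int(issued.group(3)), MONTHS[issued.group(1)],
                           int(issued.group(2))),
            "qsb_count": int(count.group(1)),
            "fingerprint": fpr.group(1).replace(" ", ""),
            # Assumption: "first two weeks" ends on the 14th.
            "next_due": date(int(nxt.group(2)), MONTHS[nxt.group(1)], 14),
        }
    except KeyError as exc:
        raise ValueError(f"unknown month name: {exc}") from None


def check_canary(text, pinned_fpr, today, prev_qsb_count=None):
    """Return a list of problems; an empty list means nothing to flag."""
    c = parse_canary(text)
    problems = []
    if c["fingerprint"] != pinned_fpr.replace(" ", "").upper():
        problems.append("fingerprint differs from the pinned value")
    if c["issued"] > today:
        problems.append("issue date is in the future")
    if today > c["next_due"]:
        problems.append(f"next canary overdue since {c['next_due']}")
    if prev_qsb_count is not None and c["qsb_count"] < prev_qsb_count:
        problems.append("QSB count is lower than in the previous canary")
    return problems


if __name__ == "__main__":
    pinned = "427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494"
    print(check_canary(CANARY_24, pinned, date(2020, 10, 1)))
    print(check_canary(CANARY_24, pinned, date(2021, 1, 5)))
```
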


Re: [qubes-users] Hardening Guide for Paranoid Noobs?

2020-09-08 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-09-07 5:42 PM, Andrew David Wong wrote:
> 
> On 2020-09-05 12:35 PM, 'awokd' via qubes-users wrote:
>> If you're concerned about Fedora's lack of signing, switch to
>> Debian templates, or some other that has signing.
> 
> This is a misconception. Fedora packages are absolutely
> cryptographically signed by PGP keys. The signature verification must
> succeed, or else the package will not be updated or installed. You can
> prove this for yourself by temporarily moving/renaming the signing
> keys, then trying to install a package.
> 
> The real issue is about signing repo metadata. See these threads:
> 
> https://groups.google.com/g/qubes-users/c/HHedtfDFdj4/m/dap-D0nwEwAJ
> https://groups.google.com/g/qubes-users/c/cNwCH3rcIGk/m/grr1yJktDAAJ
> https://groups.google.com/g/qubes-users/c/X0GvIdpQtcM/m/Tey9k_geWGUJ
> 

Follow-up:

https://github.com/QubesOS/qubes-issues/issues/1919#issuecomment-689245921

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0fbfc3b-f653-bdd2-c1c8-58ec2e0a7b96%40qubes-os.org.


Re: [qubes-users] Hardening Guide for Paranoid Noobs?

2020-09-07 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


On 2020-09-05 12:35 PM, 'awokd' via qubes-users wrote:
> If you're concerned about Fedora's lack of signing, switch to
> Debian templates, or some other that has signing.

This is a misconception. Fedora packages are absolutely
cryptographically signed by PGP keys. The signature verification must
succeed, or else the package will not be updated or installed. You can
prove this for yourself by temporarily moving/renaming the signing
keys, then trying to install a package.

The real issue is about signing repo metadata. See these threads:

https://groups.google.com/g/qubes-users/c/HHedtfDFdj4/m/dap-D0nwEwAJ
https://groups.google.com/g/qubes-users/c/cNwCH3rcIGk/m/grr1yJktDAAJ
https://groups.google.com/g/qubes-users/c/X0GvIdpQtcM/m/Tey9k_geWGUJ

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0c4aa78-dc42-dbb9-88d3-664eb64e602a%40qubes-os.org.


[qubes-users] XSA-335 does not affect the security of Qubes OS

2020-08-24 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

The Xen Project has published Xen Security Advisory 335 (XSA-335). This
XSA does *not* affect the security of Qubes OS, and no user action is
necessary.

This XSA has been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#335

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2020/08/24/xsa-335-qubes-not-affected/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31ea7ef2-1f20-83df-08e9-e78409d55669%40qubes-os.org.


[qubes-users] Announcement: New community forum for Qubes OS users!

2020-08-20 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes community,

We're pleased to announce the launch of a new forum for Qubes OS users:

https://qubes-os.discourse.group

This is an official user forum where you can ask questions, get help,
share tips and experiences, and more! For a long time, members of our
community have sought a privacy-respecting forum experience with modern
features that traditional mailing lists do not support. The open-source
Discourse [1] platform fills this need for us, as it does for many other
open-source projects. Thanks to their generous free hosting for open
source projects [2], we're pleased to be able to create this space for
our community.


Why create a forum now?
===

Previously, the only option for a forum-like experience was to interact
with our mailing lists via Google Groups, but we understand all too well
that the privacy implications and user experience were unacceptable for
many members of our community, especially with the recent addition of a
sign-in requirement to view threads. Many of you value the lower barrier
to entry, organization, ease-of-use, and modern social features that
today's forums support. Moreover, Discourse features email integration
for those who still prefer the traditional mailing list format.


How is this different from our mailing lists?
=

To be clear, this is *not* a replacement for our mailing lists [3] (such
as qubes-users and qubes-devel), which will continue on as they are.
This new forum is simply an *additional* place for discussion. Certain
types of discussions naturally lend themselves more to mailing lists or
to forums, and different types of users prefer different venues. We've
heard from some users who find the mailing lists to be a bit
intimidating or who may feel that their message isn't important enough
to merit creating a new email that lands in thousands of inboxes. Others
want more selective control over topic notifications. Some users simply
appreciate the ability to add a "reaction" to a message instead of
having to add an entirely new reply. Whatever your reasons, it's up to
you to decide where and how you want to join the conversation.


Will this split the community?
==

Many open-source projects (such as Fedora and Debian) have both mailing
lists and forums (and additional discussion venues). In fact, Qubes
already has non-mailing-list discussion venues such as IRC [4] and
Reddit [5]. We believe that this additional venue will foster the
continued growth of community participation and improve everyone's
experience. In addition, we fully expect that many community members --
especially the most active ones -- will choose to participate in both
venues. (Again, for those who still prefer interacting via email,
Discourse supports that too!)

- -

Special thanks to Michael Carbone for spearheading the creation of this
forum and to deeplow who, as our first forum administrator, has done
much of the legwork to help get it looking good and working well!


[1] https://www.discourse.org/
[2] https://blog.discourse.org/2018/11/free-hosting-for-open-source-v2/
[3] https://www.qubes-os.org/support/
[4] https://www.qubes-os.org/support/#unofficial-chat-channels
[5] https://www.reddit.com/r/Qubes/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/08/20/new-community-forum-for-qubes-os-users/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16224df5-1ddb-2dad-f870-182f230d5867%40qubes-os.org.


Re: [EXT] Re: [qubes-users] Google requiring login to access qubes-users

2020-08-18 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-18 1:55 AM, Jarrah wrote:
>
>> With the changes in Google Group's interface, I'm tempted to
>> abandon this place entirely and shift to mail, but for the sake
>> of having more participants, it'd be nice to have the
>> forum/mailing list somewhere less restrictive.
> There was quite a large discussion about this under the subject
> "Help create a Qubes Users Forum!" on qubes-devel a while back.
> It's  even more of a ghost town currently, but there's only one way
> to fix that. It's at https://qubes-os.discourse.group/. Maybe it
> could solve the problem?
>

We're actually working on an announcement about this right now. Stay
tuned!

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ebb7051-c0d3-b229-54ea-d47c511a7ab8%40qubes-os.org.


Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-15 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-13 9:32 PM, 54th Parallel wrote:
> P.S. I'm not liking this new Google Groups look

Then don't use it! :)

"While the mailing lists are implemented as Google Group web forums, a
Google account is in no way required, expected, or encouraged. Many
discussants (including most members of the Qubes team) treat these
lists as conventional mailing lists, interacting with them solely
through plain text email with MUAs like Thunderbird and Mutt. The
Google Groups service is just free infrastructure, and we distrust the
infrastructure. This is why, for example, we encourage discussants to
use Split GPG to sign all of their messages to the lists, but we do
not endorse the use of these Google Groups as web forums. Some users
prefer to interact with the mailing lists through their optional web
interfaces. This has the advantage that it allows you to search and
reply to messages which were sent prior to your subscription to the
list. However, a Google account is required in order to post through
the web interfaces. (Note: There have been many discussions about why
the Qubes OS Project does not maintain an official forum. The curious
can find these by searching the list archives.)"

https://www.qubes-os.org/support/#mailing-lists-vs-forums

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a17b80b-7b9e-199e-787f-2aedf0129681%40qubes-os.org.


Re: [qubes-users] Qubes dom0-update-guard script

2020-08-10 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-09 3:05 PM, Chris Laprise wrote:
> On 8/8/20 10:20 AM, fiftyfourthparal...@gmail.com wrote:
>> So the new overview of the script is: have a dedicated (and
>> hardened?) tor VM --basically, whonix-ws-- download the metadata
>> from a few mirror sites, compare them to the metadata from Tor,
>> and if all checks out, compare the tor version to the packages
>> installed in dom0. If it doesn't check out, alert user and ask
>> whether to proceed. To do this entirely in dom0 (keeping it safe
>> and simple for a newbie at programming), I'm going to use qvm-run
>> with --pass-io somewhere in my script, along with something to
>> read the whonix output and run cross checks.
>
> Just an idea: Use the Qubes Security Bulletins as your reference
> for checking package versions:
>
> https://www.qubes-os.org/security/pack/
>
> These bulletins are signed txt files, which makes them secure. The
> difficult part would be parsing the QSBs themselves but I wonder
> if Qubes devs would agree to a standard format going forward to
> make it easier + reliable.
>

The QSB formats are actually pretty standardized already, though our
expectation has been that they'd be read by humans rather than
programmatically. We use a template [1] for the overall structure, and
in particular, the "Patching" section always follows this format:

```
Patching
=

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes :
  - 
  - 
  - 
  - 

  For Qubes :
  - 
  - 
  - 
  - 

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
```

Feel free to take a look at any QSBs for specific examples. [2] I'm sure
it wouldn't be a problem to change the syntax slightly if that would
make things easier, as long as it doesn't harm human readability.


[1] https://www.qubes-os.org/security/bulletins/template/
[2] https://www.qubes-os.org/security/bulletins/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1074ec2f-3146-f1d6-7c73-6aaefdafd200%40qubes-os.org.
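
A parser for the "Patching" layout shown in the message above, as an added example that is not part of the original thread or of any Qubes tool. The sample bulletin, its release numbers and its package lines are constructed, and the parser assumes the bulletin's signature was verified before the text is passed in.

```python
import re

# Constructed sample laid out like the "Patching" section quoted above.
# Release numbers and package lines are invented for illustration.
SAMPLE_QSB = """\
Summary
========

(constructed text)

Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 9.8:
  - example-hypervisor packages, version 1.2.3-4
  - example-tools packages, version
    5.6-7

  For Qubes 9.9:
  - example-hypervisor packages, version 2.0.0-1

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

Credits
========
"""

RELEASE_RE = re.compile(r"^\s+For Qubes\s+(\S.*?):\s*$")
ITEM_RE = re.compile(r"^\s+-\s+(\S.*)$")
UNDERLINE_RE = re.compile(r"^=+\s*$")


def patching_section(text):
    """Return the lines between the 'Patching' heading and the next heading."""
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        if lines[i].strip() == "Patching" and UNDERLINE_RE.match(lines[i + 1]):
            start = i + 2
            break
    else:
        raise ValueError("no 'Patching' section found")
    end = len(lines)
    for j in range(start, len(lines) - 1):
        if lines[j].strip() and UNDERLINE_RE.match(lines[j + 1]):
            end = j  # next underlined heading
            break
    return lines[start:end]


def parse_patching(text):
    """Map each 'For Qubes <release>:' block to its list of package lines.

    Call this only on bulletin text whose signature has been verified.
    Raises ValueError rather than returning a partial or empty result.
    """
    fixes = {}
    release = None
    for line in patching_section(text):
        m = RELEASE_RE.match(line)
        if m:
            release = m.group(1)
            if release in fixes:
                raise ValueError(f"release listed twice: {release}")
            fixes[release] = []
            continue
        if release is None or not line.strip():
            continue  # intro paragraph or blank line
        if not line[0].isspace():
            break  # unindented prose: the package lists are over
        m = ITEM_RE.match(line)
        if m:
            fixes[release].append(m.group(1).strip())
        elif fixes[release]:
            fixes[release][-1] += " " + line.strip()  # wrapped item
        else:
            raise ValueError(f"unexpected line in package list: {line!r}")
    if not fixes or any(not items for items in fixes.values()):
        raise ValueError("Patching section has no usable package list")
    return fixes


if __name__ == "__main__":
    for rel, items in parse_patching(SAMPLE_QSB).items():
        print(rel, items)
```
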


Re: [qubes-users] Questions: Protection against local forensics/privacy problems with Fedora sys-net, sys-firewall

2020-08-07 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-06 7:47 PM, shie1ohk via qubes-users wrote:
> 2) Is there an easy way to save the qubes-os.org wiki locally?
>

Yes. As explained on the Documentation Guidelines page [1], "All Qubes
OS documentation pages are stored as plain text files in the dedicated
qubes-doc repository. [2] By cloning and regularly pulling from this
repo, users can maintain their own up-to-date offline copy of all
Qubes documentation rather than relying solely on the web."

In fact, you can save the entire Qubes OS website this way. [3]


[1] https://www.qubes-os.org/doc/doc-guidelines/
[2] https://github.com/QubesOS/qubes-doc
[3] https://github.com/QubesOS/qubesos.github.io

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/accecbae-27e8-3bb3-ce66-fae89ffcb5a9%40qubes-os.org.


[qubes-users] Qubes T-shirts, polos, and sweatshirts now available from HELLOTUX

2020-08-07 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi all,

Thanks to Frédéric, Qubes T-shirts, polos, and sweatshirts are now
available from HELLOTUX. A small portion of each purchase will be
donated back to the Qubes OS Project.

Please see this page for additional Qubes merchandise options and
general information:

https://www.qubes-os.org/merchandise/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87eaeb72-89b0-5305-8bcd-29d64e929e70%40qubes-os.org.


Re: [qubes-users] Qubes-OS architecture.

2020-08-03 Thread Andrew David Wong

On 2020-08-02 6:34 AM, Jason Long wrote:
> Why not a good document about it?
>

I think it's mainly lack of necessity and lack of time.

We prefer to focus our limited time and resources on the things that
will provide the greatest real, practical security benefit for our
users in their everyday lives, whereas such a document would be more
of a "nice to have" thing.

P.S. -- Please avoid top-posting.

> Sent from Yahoo Mail on Android
>
> On Wed, Jul 29, 2020 at 2:19 AM, Andrew David
> Wong wrote:
>
> On 2020-07-28 4:04 PM, 'Jason Long' via qubes-users wrote:
>> Hello, I found a pdf file about the Qubes-OS architecture but it
>> is for 2010 :(. Any new version? Tnx.
>>
>
> I take it that you're referring to the PDF available at the bottom
> of this page:
>
> https://www.qubes-os.org/doc/architecture/
>
> I'm afraid there is no newer version of that particular PDF. That
> was more of an initial design document. Now that Qubes actually
> exists and is under continual development, it has been largely
> replaced by our documentation and articles:
>
> https://www.qubes-os.org/doc/
>
> https://www.qubes-os.org/news/categories/#articles
>

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Qubes-OS architecture.

2020-07-28 Thread Andrew David Wong

On 2020-07-28 4:04 PM, 'Jason Long' via qubes-users wrote:
> Hello, I found a pdf file about the Qubes-OS architecture but it is
> for 2010 :(. Any new version? Tnx.
>

I take it that you're referring to the PDF available at the bottom of
this page:

https://www.qubes-os.org/doc/architecture/

I'm afraid there is no newer version of that particular PDF. That was
more of an initial design document. Now that Qubes actually exists and
is under continual development, it has been largely replaced by our
documentation and articles:

https://www.qubes-os.org/doc/

https://www.qubes-os.org/news/categories/#articles

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] XSA-329 does not affect the security of Qubes OS

2020-07-16 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has published Xen Security Advisory 329 (XSA-329). This
XSA does *not* affect the security of Qubes OS, and no user action is
necessary.

This XSA has been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#329

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2020/07/16/xsa-329-qubes-not-affected/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] broken link in https://www.qubes-os.org/doc/vm-sudo/

2020-07-13 Thread Andrew David Wong

On 2020-07-13 5:53 AM, unman wrote:
> On Mon, Jul 13, 2020 at 11:51:15AM +0200, Peter Funk wrote:
>> While reading in the official Qubes OS documentation I discovered
>> a broken link in the page titled "Passwordless Root Access in VMs"
>> in "Background (/etc/sudoers.d/qubes in VM)".  I was interested in
>> the Background and was unable to find the mentioned 
>> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes.sudoers
>> anywhere else.  Does anybody know where this was moved to?
>>
>> Best regards, Peter Funk
> 
> The contents of the file are there on that page, so you have already
> read it.
> As to your failure to find it anywhere else in master, it has been hidden
> in the confusingly named "passwordless-root" directory. ;-)
> 
> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/passwordless-root/qubes.sudoers
> 

I've removed the unnecessary broken link.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] XSAs 317, 319, 327, and 328 do not affect the security of Qubes OS

2020-07-07 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has published Xen Security Advisories 317, 319, 327, and
328 (XSA-317, XSA-319, XSA-327, and XSA-328, respectively). These XSAs
do *not* affect the security of Qubes OS, and no user action is necessary.

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#317
https://www.qubes-os.org/security/xsa/#319
https://www.qubes-os.org/security/xsa/#327
https://www.qubes-os.org/security/xsa/#328

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/07/07/xsa-317-319-327-328-qubes-not-affected/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] QSB #058: Insufficient cache write-back under VT-d (XSA-321)

2020-07-07 Thread Andrew David Wong
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #058: Insufficient
cache write-back under VT-d (XSA-321). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB #058 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-058-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-321 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#321

```


 ---===[ Qubes Security Bulletin #58 ]===---

 2020-07-07


  Insufficient cache write-back under VT-d (XSA-321)


Summary
========

On 2020-07-07, the Xen Security Team published Xen Security Advisory
321 (CVE-2020-15565 / XSA-321) [1] with the following description:

| When page tables are shared between IOMMU and CPU, changes to them
| require flushing of both TLBs.  Furthermore, IOMMUs may be non-coherent,
| and hence prior to flushing IOMMU TLBs CPU cached also needs writing
| back to memory after changes were made.  Such writing back of cached
| data was missing in particular when splitting large page mappings into
| smaller granularity ones.
| 
| A malicious guest may be able to retain read/write DMA access to
| frames returned to Xen's free pool, and later reused for another
| purpose.  Host crashes (leading to a Denial of Service) and privilege
| escalation cannot be ruled out.

A malicious HVM qube with a PCI device (such as sys-net or sys-usb in
Qubes' default configuration) can potentially compromise the whole
system.

Only Intel systems are affected. AMD systems are not affected.


Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-19

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Credits
========

See the original Xen Security Advisory.


References
===========

[1] https://xenbits.xen.org/xsa/advisory-321.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/07/07/qsb-058/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
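
A dom0 check for the fixed version named in QSB #058 above, added here as an example and not part of the bulletin or of Qubes tooling. The package names in the sample inventory are constructed, and GNU `sort -V` stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example: flag dom0 Xen packages that are still older than the fixed
# version QSB #058 gives for Qubes 4.0.
FIXED="4.8.5-19"   # "Xen packages, version 4.8.5-19" from the bulletin

# ver_ge A B: succeed when version-release A sorts at or above B.
# GNU `sort -V` approximates RPM ordering; it is adequate for dist-tagged
# releases such as "19.fc25" (the tag format is an assumption).
ver_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Reads "name version-release" lines on stdin and prints every package that
# is below $FIXED. Returns 1 if at least one such package was found.
xen_below_fix() {
    rc=0
    while read -r name evr; do
        [ -n "$name" ] || continue
        if ! ver_ge "$evr" "$FIXED"; then
            printf '%s %s\n' "$name" "$evr"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventory (package names and releases are made up).
# In dom0 the real input would come from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'xen*'
sample_inventory() {
    cat <<'EOF'
xen-hypervisor 4.8.5-19.fc25
xen-libs 4.8.5-18.fc25
xen-runtime 4.8.5-20.fc25
EOF
}

# Stand-alone run over the sample: lists the stale package, then the hint.
sample_inventory | xen_below_fix || echo "update dom0 and restart (QSB #058)"
```

A clean result only covers the installed packages; the bulletin still requires a system restart before the new Xen binaries are in use.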



[qubes-users] Fedora 32 TemplateVMs available

2020-06-30 Thread Andrew David Wong

Dear Qubes Community,

New Fedora 32 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a
Fedora 32 template, you must first switch [1] the `default-mgmt-dvm`
qube to a Fedora 32 template. (Alternatively, you can create a
separate management DisposableVM Template based on a Fedora 32
template for the purpose of updating Fedora 32 templates.) This does
not affect updating internally using `dnf`.

Instructions are available for upgrading Fedora TemplateVMs [2]. We
also provide fresh Fedora 32 TemplateVM packages through the official
Qubes repositories, which you can get with the following commands (in
dom0).

Standard [3] Fedora 32 TemplateVM:

$ sudo qubes-dom0-update qubes-template-fedora-32

Minimal [4] Fedora 32 TemplateVM:

$ sudo qubes-dom0-update qubes-template-fedora-32-minimal

After installing or upgrading a TemplateVM, please remember to update
[5] (see important note above) and switch all qubes that were using
the old template to use the new one [1].

[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/06/30/fedora-32-templates-available/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


