[qubes-users] Qubes OS 4.0.4 has been released!
Dear Qubes Community,

We're pleased to announce the release of Qubes OS 4.0.4! This is the fourth stable release of Qubes 4.0. It includes many updates over the initial 4.0 release, including:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 5.4 by default

Qubes 4.0.4 is available on the downloads page:

https://www.qubes-os.org/downloads/

What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0 and fully updating [1] it results in the same system as installing Qubes 4.0.4.

What should I do?
-----------------

If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully updated [1], then your system is already equivalent to a Qubes 4.0.4 installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall) Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient and secure, since it bundles all Qubes 4.0 updates to date. Please see the installation guide [2] for detailed instructions.

Thank you to all the release candidate users for testing this release and reporting issues [3]!

[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/04/qubes-4-0-4/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/235b6cc8-6904-d20f-132d-dd5bb8b651b1%40qubes-os.org.
[qubes-users] XSAs released on 2021-03-04
Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) on 2021-03-04. The security of Qubes OS *is not affected* by these XSAs. Therefore, *no user action is required*.

XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

- (None)

XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:

- XSA-367 (not affected; Qubes uses PVH/HVM)
- XSA-369 (DoS only)

Related links
-------------

- Qubes Security Pack (qubes-secpack): https://www.qubes-os.org/security/pack/
- Qubes Security Bulletins (QSBs): https://www.qubes-os.org/security/bulletins/
- XSA Tracker: https://www.qubes-os.org/security/xsa/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/04/xsas-released-on-2021-03-04/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB-066: XML injection through libvirt domain configuration
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 066: XML injection through libvirt domain configuration. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-066 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-066-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

```
---===[ Qubes Security Bulletin 066 ]===---

2021-03-03

XML injection through libvirt domain configuration

User action required
====================

Users must install the following specific packages in order to address the issues discussed in this bulletin:

For Qubes 4.0:
- qubes-core-dom0 package, version 4.0.58-1

For Qubes 4.1:
- qubes-core-dom0 package, version 4.1.20-1

The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards. Alternatively, it is possible to restart qubesd with the following command in dom0:
  $ systemctl restart qubesd.service

These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.

Summary
=======

The libvirt domain configuration is an XML file built by filling a template with values specific to a particular domain -- mostly its properties but, in a few cases, "features" (extra properties that can be freely defined). While most of the properties have strictly-defined formats, some allow for a very broad range of values -- broad enough to allow characters that are otherwise special in XML. Using such characters in XML values requires escaping them, which was not enabled in the template engine we use (jinja2).

The specific VM metadata properties that allow free text and are used in libvirt XML are as follows:

- `kernelopts` property
- `timezone` feature (although it is validated in the template itself)
- `video-model` feature
- `audio-model` feature (Qubes R4.1 only)

Normally, this wouldn't be an issue, since all VM settings come from a trusted entity (dom0). However, with the introduction of the Admin API [1] in Qubes 4.0, it is possible to allow less trusted domains (known as "ManagementVMs") to manage a subset of VMs or their settings, including the affected properties and features. This, in turn, can be used to modify unintended parts of the libvirt XML. In the worst case, this could lead to code execution in dom0.

To fix the issue, we're enabling the autoescape feature of the jinja2 template engine. This will cover the current problematic properties as well as any others that might be introduced in the future. Additionally, we're adding an extra validation step for "features" that are otherwise used in a free text form context (specifically, `net.fake-*` features are expected to be IP addresses, but they lacked such validation).

Note that a ManagementVM can still break a VM it has control over, for example, by setting some property to an improper value in a given context (e.g., too little memory or too short of a startup timeout). However, after these changes, it should no longer be able to escalate its permissions beyond what it has been assigned.

Impact
======

Default Qubes 4.0 and 4.1 configurations are not affected.

If a less trusted domain (known as a "ManagementVM") is given Admin API access to set any of the affected properties or features on any domain (via the `admin.vm.property.Set` or `admin.vm.feature.Set` qrexec services), it may use this access to elevate its privileges and potentially take full control of the system.

Note that `qubes.FeaturesRequest` is enabled by default but *is not* vulnerable for three reasons. First, feature names are read from qubesd, which enforces a whitelist of permitted characters in paths. None of the permitted characters are metacharacters in XML. Second, none of the features for which dom0 will honor a request have their values incorporated into libvirt XML. Third, `qubes.FeaturesRequest` can only unset a feature or set its value to `1`.

Credits
=======

This issue was discovered by Demi Marie Obenour.

References
==========

[1] https://www.qubes-os.org/doc/admin-api/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/03/03/qsb-066/
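
The escaping fix described in QSB-066, as an added example that is not code from the bulletin or from the Qubes project: a constructed, simplified template is filled with `str.format` and `xml.sax.saxutils.escape` standing in for jinja2 and its autoescape option, and a `net.fake-*` value is checked with the `ipaddress` module. The template, the sample values and all function names are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed, heavily simplified stand-in for a libvirt domain template.
# The real template is a jinja2 file; str.format is used here so the example
# runs with the standard library only.
TEMPLATE = (
    "<domain type='xen'>"
    "<name>{name}</name>"
    "<os><cmdline>{kernelopts}</cmdline></os>"
    '<devices><video><model type="{video_model}"/></video></devices>'
    "</domain>"
)

# Values as dom0 would normally set them (constructed).
TRUSTED = {"name": "work", "kernelopts": "nopat quiet", "video_model": "vga"}

# Values a less trusted ManagementVM could submit (constructed). The extra
# element and attribute are harmless markers that only show where markup lands.
UNTRUSTED = {
    "name": "work",
    "kernelopts": "quiet</cmdline><marker/><cmdline>",
    "video_model": 'vga" marker="1',
}


def render(values, autoescape):
    """Fill TEMPLATE; with autoescape=True every value is XML-escaped first."""
    if autoescape:
        # Escape &, < and > plus both quote characters, so a value is safe in
        # element content and inside attribute values alike.
        quotes = {'"': "&quot;", "'": "&apos;"}
        values = {k: escape(v, quotes) for k, v in values.items()}
    return TEMPLATE.format(**values)


def structure(xml_text):
    """List (element path, attribute names) pairs: the shape of the document."""
    shape = []

    def walk(node, prefix):
        path = prefix + "/" + node.tag
        shape.append((path, tuple(sorted(node.attrib))))
        for child in node:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return shape


def changes_structure(values, autoescape):
    """True if the values alter the XML beyond the slots the template gives them."""
    baseline = structure(render(TRUSTED, autoescape))
    try:
        return structure(render(values, autoescape)) != baseline
    except ET.ParseError:
        return True  # the output is no longer well-formed XML


def validate_feature(name, value):
    """Reject net.fake-* feature values that are not IP addresses."""
    if name.startswith("net.fake-"):
        ipaddress.ip_address(value)  # raises ValueError on anything else
    return value


if __name__ == "__main__":
    for mode in (False, True):
        print("autoescape", mode, "-> structure changed:",
              changes_structure(UNTRUSTED, mode))
    print(render(UNTRUSTED, True))
```

With escaping on, the untrusted strings survive as literal text and attribute data, so the parsed document has the same elements and attributes as the trusted baseline.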
[qubes-users] "Improvements in testing and building: GitLab CI and reproducible builds" by Marek Marczykowski-Górecki
Dear Qubes Community,

We have just published a new article:

"Improvements in testing and building: GitLab CI and reproducible builds" by Marek Marczykowski-Górecki
https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/

For those using plain text email, the original Markdown source is reproduced below:

---
layout: post
title: "Improvements in testing and building: GitLab CI and reproducible builds"
categories: articles
author: Marek Marczykowski-Górecki
---

Over the last couple of months, we have made some significant changes to two important parts of the Qubes development process: testing and building.

What are continuous integration (CI) and reproducible builds?
-------------------------------------------------------------

Automated testing is a major part of the software development process. It spares developers many, many hours of manual testing that would still miss some bugs and other problems. In Qubes development, we're using an approach called "continuous integration" (CI), in which local changes made by the developers are frequently merged and tested remotely, using dedicated automated testing solutions. This is very important both for maintaining consistent code quality (all changes are tested) and for making development easier for the developers. Testing Qubes is not easy. Since Qubes is an entire operating system, doing the testing on the same system in which you're developing is a bit like building a rocket landing system en route to Mars --- not impossible, but very stressful.

The second area of improvement is the build process. The term "[reproducible builds]" refers to a process in which the same source code always compiles into exactly the same binary (for example, a package used to install a program via a package manager like `dnf` or `apt`). Why is this difficult to achieve? After all, computers are not random. Shouldn't builds be reproducible by default, without requiring special effort to make them deterministic? Unfortunately, it's not that simple. There are thousands of variables influencing the way binaries are built, ranging from the time of day to the availability of remote servers and locale settings. Ensuring that binaries are built the same way every time is surprisingly difficult. However, the effort is worth the security benefits.

To understand these benefits, imagine that an attacker wishes to feed unsuspecting users a compromised package. The attacker knows that the source code is public, so any malicious code he inserts into it would be highly exposed and at risk of detection. On the other hand, he reasons, compromising the build infrastructure would allow him to surreptitiously insert malicious changes that would make it into the resultant package. Since the source code remains untouched, his malicious changes are less likely to be detected. This is where the value of reproducible builds comes in. If the build process is reproducible, then we will immediately notice that building a package from the untouched source code results in a package that is *different* from the compromised one. This would be a major red flag that would prompt an immediate security investigation.

GitLab-CI migration
-------------------

As many of you are aware, we migrated from Travis-CI to GitLab-CI late last year. While the [direct reason][ci-thread] was a change in the Travis-CI terms of service, GitLab-CI gives us many additional benefits. Just to name a few:

- A modern execution environment with native Docker support: We can use whatever base environment we like. We are no longer constrained to specific (not so fresh) Ubuntu versions.
- Much more flexible job definitions, including dependencies among them: We use this to split jobs into smaller pieces that can run in parallel and reduce duplication among them.
- Out-of-the-box support for caching and artifacts: Another feature allowing for a great speed-up of our tests. A specific build environment can be stored with a pre-populated cache, for example avoiding the need to create a chroot environment each time.
- Higher time limits and the ability to connect our own workers: This allows us to automatically test bigger components like the Linux kernel (which previously didn't fit into Travis-CI's hard time limit).

The actual migration was a massive undertaking, with the [GitLab-CI configuration] spread across 50 files with over 1,000 lines in total. We have opened and merged over 90 pull requests in the process. This was mainly done by [Frédéric Pierret].

We still host the actual code on GitHub. We use GitLab only for CI. This mode of operation is supported natively by GitLab, but this support is quite limited. Most importantly, it [does not support] testing pull requests made from repository forks, which is the vast majority of our pull requests (if not all of them). For this reason, Frédéric ended up creating [our own integration],
[qubes-users] Re: Announcement: Fedora 33 TemplateVMs available
On 2/26/21 1:22 PM, Andrew David Wong wrote:
> Dear Qubes Community,
>
> New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1.
>
> *Important:* If you wish to use the Qubes Update widget to update a Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` qube to a Fedora 33 template. (Alternatively, you can create a separate management DisposableVM Template based on a Fedora 33 template for the purpose of updating Fedora 33 templates.) This does not affect updating internally using `dnf`.
>
> Instructions are available for upgrading Fedora TemplateVMs [2]. We also provide fresh Fedora 33 TemplateVM packages through the official Qubes repositories, which you can get with the following commands (in dom0).
>
> Standard [3] Fedora 33 TemplateVM:
>
>     $ sudo qubes-dom0-update qubes-template-fedora-33
>
> Minimal [4] Fedora 33 TemplateVM:
>
>     $ sudo qubes-dom0-update qubes-template-fedora-33-minimal
>
> After installing or upgrading a TemplateVM, please remember to update [5] (see important note above) and switch all qubes that were using the old template to use the new one [1].
>
> [1] https://www.qubes-os.org/doc/templates/#switching
> [2] https://www.qubes-os.org/doc/template/fedora/upgrade/
> [3] https://www.qubes-os.org/doc/templates/fedora/
> [4] https://www.qubes-os.org/doc/templates/minimal/
> [5] https://www.qubes-os.org/doc/software-update-domu/
>
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/

*Addendum:* Fedora 33 has switched the default DNS resolver to systemd-resolved [1]. If resolving local domains on your LAN does not work as expected even when specifying the full name, you may wish to disable systemd-resolved and enable NetworkManager in the TemplateVM instead. For more on this, please see issue #6431 [2].

For a complete list of changes in Fedora 33, please see the official Fedora 33 release notes [3], and for a more general overview, the official Fedora 33 announcement [4].

[1] https://fedoraproject.org/wiki/Changes/systemd-resolved
[2] https://github.com/QubesOS/qubes-issues/issues/6431
[3] https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/
[4] https://fedoramagazine.org/announcing-fedora-33/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Announcement: Fedora 33 TemplateVMs available
Dear Qubes Community,

New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` qube to a Fedora 33 template. (Alternatively, you can create a separate management DisposableVM Template based on a Fedora 33 template for the purpose of updating Fedora 33 templates.) This does not affect updating internally using `dnf`.

Instructions are available for upgrading Fedora TemplateVMs [2]. We also provide fresh Fedora 33 TemplateVM packages through the official Qubes repositories, which you can get with the following commands (in dom0).

Standard [3] Fedora 33 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-33

Minimal [4] Fedora 33 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-33-minimal

After installing or upgrading a TemplateVM, please remember to update [5] (see important note above) and switch all qubes that were using the old template to use the new one [1].

[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] XSAs released on 2021-02-18
Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) on 2021-02-18. The security of Qubes OS *is affected* by one or more of these XSAs. Therefore, *user action is required*.

XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

- XSA-366

Please see QSB-065 for the actions users must take in order to protect themselves, as well as further details about these XSAs:

https://www.qubes-os.org/news/2021/02/19/qsb-065/

XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:

- (None)

Related links
-------------

- Qubes Security Pack (qubes-secpack): https://www.qubes-os.org/security/pack/
- Qubes Security Bulletins (QSBs): https://www.qubes-os.org/security/bulletins/
- XSA Tracker: https://www.qubes-os.org/security/xsa/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/19/xsas-released-on-2021-02-18/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB-065: Missed flush in XSA-321 backport (XSA-366)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 065: Missed flush in XSA-321 backport (XSA-366). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-065 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-065-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View XSA-366 in the XSA Tracker:
https://www.qubes-os.org/security/xsa/#366

```
---===[ Qubes Security Bulletin 065 ]===---

2021-02-18

Missed flush in XSA-321 backport (XSA-366)

User action required
====================

Users must install the following specific packages in order to address the issues discussed in this bulletin:

For Qubes 4.0:
- Xen packages, versions 4.8.5-30

For Qubes 4.1: not affected

The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries.

Summary
=======

On 2021-02-18, the Xen Security Team published the following Xen Security Advisory (XSA):

XSA-366 [1] "missed flush in XSA-321 backport"
| An oversight was made when backporting XSA-320, leading to entries in the
| IOMMU not being properly updated under certain circumstances.

Impact
======

XSA-366, as described by the Xen Security Team:
| A malicious guest may be able to retain read/write DMA access to
| frames returned to Xen's free pool, and later reused for another
| purpose. Host crashes (leading to a Denial of Service) and privilege
| escalation cannot be ruled out.

Credits
=======

See the original Xen Security Advisory.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-366.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/19/qsb-065/
[qubes-users] XSAs released on 2021-02-16
Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) on 2021-02-16. The security of Qubes OS *is affected* by these XSAs. Therefore, *user action is required*.

XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

The following XSAs *do affect* the security of Qubes OS:

- XSA-365

Please see QSB-064 for the actions users must take in order to protect themselves, as well as further details about these XSAs:

https://www.qubes-os.org/news/2021/02/17/qsb-064/

XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:

- XSA-361 (DoS-only)
- XSA-362 (DoS-only)
- XSA-363 (DoS-only)
- XSA-364 (ARM-only)

Related links
-------------

- Qubes Security Pack (qubes-secpack): https://www.qubes-os.org/security/pack/
- Qubes Security Bulletins (QSBs): https://www.qubes-os.org/security/bulletins/
- XSA Tracker: https://www.qubes-os.org/security/xsa/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/17/xsas-released-on-2021-02-16/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB-064: Linux: error handling issues in blkback's grant mapping (XSA-365)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 064: Linux: error handling issues in blkback's grant mapping (XSA-365). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-064 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-064-2021.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View XSA-365 in the XSA Tracker:
https://www.qubes-os.org/security/xsa/#365

```
---===[ Qubes Security Bulletin 064 ]===---

2021-02-16

Linux: error handling issues in blkback's grant mapping (XSA-365)

User action required
====================

Users must install the following specific packages in order to address the issues discussed in this bulletin:

For Qubes 4.0:
- Linux kernel packages, versions 5.10.16-1, 5.4.98-1, 4.19.176-1

For Qubes 4.1:
- Linux kernel packages, versions 5.10.16-1, 5.4.98-1

The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Linux kernel binaries.

Summary
=======

On 2021-02-16, the Xen Security Team published the following Xen Security Advisory (XSA):

XSA-365 [1] "Linux: error handling issues in blkback's grant mapping"
| To service requests, the driver maps grant references provided by the
| frontend. In this process, errors may be encountered. In one case an
| error encountered earlier might be discarded by later processing,
| resulting in the caller assuming successful mapping, and hence
| subsequent operations trying to access space that wasn't mapped. In
| another case internal state would be insufficiently updated, preventing
| safe recovery from the error.

Impact
======

XSA-365, as described by Xen Security Team:
| A malicious or buggy frontend driver may be able to crash the
| corresponding backend driver, potentially affecting the entire domain
| running the backend driver. In configurations without driver domains
| or similar disaggregation, that is a host-wide denial of service.
|
| Privilege escalation and information leaks cannot be ruled out.

Credits
=======

See the original Xen Security Advisories.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-365.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```
[qubes-users] Qubes OS 4.0.4-rc2 has been released!
Dear Qubes Community,

We're pleased to announce the second release candidate for Qubes OS 4.0.4. Qubes OS 4.0.4-rc2 includes many updates over the initial 4.0 release, in particular:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 5.4 by default
- Bug fixes from 4.0.4-rc1

Qubes 4.0.4-rc2 is available on the downloads page:

https://www.qubes-os.org/downloads/

What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0 and fully updating it results in the same system as installing Qubes 4.0.4.

What should I do?
-----------------

If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully updated [1], then your system is already equivalent to a Qubes 4.0.4 installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall) Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient and secure, since it bundles all Qubes 4.0 updates to date. Please see the installation guide [2] for detailed instructions.

If you're willing to test [3] this release candidate, you can help to improve the stable release by reporting any bugs you encounter [4].

Release candidate planning
--------------------------

If no major issues are discovered in 4.0.4-rc2, we expect to announce the stable release of 4.0.4 in a couple weeks.

[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/testing/
[4] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/01/22/qubes-4-0-4-rc2/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] XSAs released on 2021-01-21
Dear Qubes Community,

The Xen Project released one or more new Xen Security Advisories (XSAs) on 2021-01-21. The security of Qubes OS *is not affected* by these XSAs. Therefore, *user action is not required*.

XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------

None.

XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:

- XSA-360 (DoS only)

Related links
-------------

- Qubes Security Pack (qubes-secpack): https://www.qubes-os.org/security/pack/
- Qubes Security Bulletins (QSBs): https://www.qubes-os.org/security/bulletins/
- XSA Tracker: https://www.qubes-os.org/security/xsa/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/01/22/xsas-released-on-2021-01-21/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [EXT] Re: [qubes-users] Disable lock screen / screenshot question
On 1/2/21 9:05 AM, Ulrich Windl wrote:
> On 12/30/20 8:20 AM, Andrew David Wong wrote:
>> On 12/29/20 10:02 AM, Ulrich Windl wrote:
>>> [...]
>>> When trying, it seems my Dom0 does not have a file manager in the menu. I had to run "thunar" manually from the terminal.
>>
>> This is by design. Using a file manager in dom0 is a security risk and is therefore discouraged:
>>
>> https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md#dom0-precautions
>
> So is there an alternative that gets the user script registered for saving a screenshot?

I'm not sure exactly what you mean, but there's:

https://github.com/QubesOS/qubes-issues/issues/953

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [EXT] Re: [qubes-users] Disable lock screen / screenshot question
On 12/29/20 10:02 AM, Ulrich Windl wrote:

[...]

When trying, it seems my Dom0 does not have a file manager in the menu. I had to run "thunar" manually from the terminal.

This is by design. Using a file manager in dom0 is a security risk and is therefore discouraged:
https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md#dom0-precautions

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: HCL - Dell Latitude 7280
On 12/29/20 5:15 PM, Sven Semmler wrote:
On 12/29/20 3:52 AM, Max Parker wrote:

dell link no longer works:(

@ADW: what do we want to do in such a case? Already checked the internet archive and couldn't find any cached versions.

/Sven

If a link is dead and there's no archive.org version, we just have to remove the link. It's unfortunate, but I don't see what else we can do.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: Qubes Canary 025
On 12/14/20 5:58 AM, Andrew David Wong wrote:

Dear Qubes Community,

Several users have pointed out a mistake in the canary below. "March 2020" should instead be "March 2021". This was just a typographical error. We will be fixing this and updating the signatures on the canary. Thank you.

"March 2020" has now been corrected to "March 2021" in statement 5. The original canary, the website announcement, and the signatures on the canary have all been updated. Thank you.

On 12/12/20 6:22 AM, Andrew David Wong wrote:

Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is reproduced below.

Note: We have decided to make some minor formatting changes to the way Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed, such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past canaries:
https://www.qubes-os.org/security/canaries/

```
---===[ Qubes Canary 025 ]===---

Statements
---

The Qubes core developers who have digitally signed this file [1] state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

    427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS Project (e.g. to hand out the private signing keys or to introduce backdoors).

5. We plan to publish the next of these canary statements in the first two weeks of March 2020. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the assumption that all relevant infrastructure is permanently compromised. This means that we assume NO trust in any of the servers or services which host or provide any Qubes-related data, in particular, software updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces Career Turning Point
Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for the Worse

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP signatures by each of the signers, distributed together with this canary in the qubes-secpack.git repo, and (2) via digital signatures on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't j
[qubes-users] XSAs released on 2020-12-15
Dear Qubes Community,

The Xen Project released new Xen Security Advisories (XSAs) on 2020-12-15. The security of Qubes OS *is affected* by at least one of these XSAs. Therefore, *user action is required*.

XSAs that affect the security of Qubes OS (user action required)

The following XSAs *do affect* the security of Qubes OS:

- XSA-115
- XSA-325
- XSA-350

Please see QSB-063 for the actions users must take in order to protect themselves, as well as further details about these XSAs:
https://www.qubes-os.org/news/2020/12/16/qsb-063/

XSAs that do not affect the security of Qubes OS (no user action required)

The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary:

- XSA-322 (domid reuse impractical in Qubes case)
- XSA-323 (no oxenstored)
- XSA-324 (DoS only)
- XSA-330 (DoS only)
- XSA-348 (DoS only)
- XSA-349 (DoS only)
- XSA-352 (no oxenstored)
- XSA-353 (no oxenstored)
- XSA-354 (DoS only)
- XSA-356 (DoS only)
- XSA-358 (DoS only)
- XSA-359 (DoS only)

Related links

- Qubes Security Pack (qubes-secpack): https://www.qubes-os.org/security/pack/
- Qubes Security Bulletins (QSBs): https://www.qubes-os.org/security/bulletins/
- XSA Tracker: https://www.qubes-os.org/security/xsa/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/16/xsas-released-on-2020-12-15/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB-063: Multiple Xen issues (XSA-115, XSA-325, XSA-350)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 063: Stack corruption from XSA-346 change (XSA-355). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-063 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-063-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View the XSA Tracker:
https://www.qubes-os.org/security/xsa/

```
---===[ Qubes Security Bulletin 063 ]===---

2020-12-15

Multiple Xen issues (XSA-115, XSA-325, XSA-350)

User action required
=

Users must install the following specific packages in order to address the issues discussed in this bulletin:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-28
  - Linux kernel packages, versions 5.9.14-1, 5.4.83-1, 4.19.163-1

  For Qubes 4.1:
  - Xen packages, version 4.14.0-9
  - Linux kernel packages, versions 5.9.14-1, 5.4.83-1, 4.19.163-1

The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries.

Summary

On 2020-12-15, the Xen Security Team published the following Xen Security Advisories (XSAs):

XSA-115 [1] "xenstore watch notifications lacking permission checks"

| Neither xenstore implementation does any permissions checks when
| reporting a xenstore watch event.
|
| A guest administrator can watch the root xenstored node, which will
| cause notifications for every created, modified and deleted key.
|
| A guest administrator can also use the special watches, which will
| cause a notification every time a domain is created and destroyed.
|
| Data may include:
| - number, type and domids of other VMs
| - existence and domids of driver domains
| - numbers of virtual interfaces, block devices, vcpus
| - existence of virtual framebuffers and their backend style (eg,
|   existence of VNC service)
| - Xen VM UUIDs for other domains
| - timing information about domain creation and device setup
| - some hints at the backend provisioning of VMs and their devices
|
| The watch events do not contain values stored in xenstore, only key
| names.

XSA-325 [2] "Xenstore: guests can disturb domain cleanup"

| Xenstored and guests communicate via a shared memory page using a
| specific protocol. When a guest violates this protocol, xenstored will
| drop the connection to that guest.
|
| Unfortunately this is done by just removing the guest from xenstored's
| internal management, resulting in the same actions as if the guest had
| been destroyed, including sending an @releaseDomain event.
|
| @releaseDomain events do not say guest has been removed. All watchers
| of this event must look at the states of all guests to find the guest
| which has been removed. When an @releaseDomain is generated due to
| domain xenstored protocol violation, As the guest is still running, so
| the watchers will not react.
|
| Later, when the guest is actually destroyed, xenstored will no longer
| have it stored in its internal data base, so no further @releaseDomain
| event will be sent. This can lead to a zombie domain; memory mappings
| of that guest's memory will not be removed, due to the missing
| event. This zombie domain will be cleaned up only after another domain
| is destroyed, as that will trigger another @releaseDomain event.
|
| If the device model of the guest which violated the Xenstore protocol
| is running in a stub-domain, a use-after-free case could happen in
| xenstored, after having removed the guest from its internal data base,
| possibly resulting in a crash of xenstored.

XSA-350 [3] "Use after free triggered by block frontend in Linux blkback"

| The Linux kernel PV block backend expects the kernel thread handler
| to reset ring->xenblkd to NULL when stopped. However, the handler may
| not have time to run if the frontend quickly toggle between the states
| connect and disconnect.
|
| As a consequence, the block backend may re-use a pointer after it was
| freed.

Impact
===

XSA-115, as described by Xen Security Team:

| A guest administrator can observe non-sensitive domain and device
| lifecycle events relating to other
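An added example, not part of the bulletin or of Qubes tooling: it compares installed and running package versions against the fixed versions listed in QSB-063 above, and flags the case where the fixed kernel is installed but the system has not yet been restarted. The package version strings are constructed, the comparison is a simplified numeric one (not full RPM version ordering), and treating the three kernel versions as one fixed version per kernel branch is an assumption.

```python
import re

# Fixed versions as listed in QSB-063 (quoted above).
QSB_063 = {
    "4.0": {"xen": ["4.8.5-28"],
            "kernel": ["5.9.14-1", "5.4.83-1", "4.19.163-1"]},
    "4.1": {"xen": ["4.14.0-9"],
            "kernel": ["5.9.14-1", "5.4.83-1", "4.19.163-1"]},
}


def vr_key(vr):
    """'5.4.83-1.fc25.qubes' -> ((5, 4, 83), 1).

    Simplified: dotted numeric version plus the leading number of the
    release field. This is not full RPM version ordering.
    """
    version, _, release = vr.partition("-")
    numbers = tuple(int(part) for part in version.split("."))
    lead = re.match(r"\d+", release)
    return numbers, (int(lead.group()) if lead else 0)


def branch(vr):
    """Major.minor branch of a version string, e.g. (5, 4)."""
    return vr_key(vr)[0][:2]


def check(installed, fixed_versions):
    """Compare against the fixed version of the same branch.

    Assumption: the bulletin lists one fixed version per branch.
    """
    for fixed in fixed_versions:
        if branch(fixed) == branch(installed):
            return "fixed" if vr_key(installed) >= vr_key(fixed) else "outdated"
    return "branch-not-listed"


def audit(release, xen_installed, kernels_installed, kernel_running):
    """Report the state of a dom0 against the bulletin for one Qubes release."""
    fixed = QSB_063[release]
    newest = max(kernels_installed, key=vr_key)
    return {
        "xen": check(xen_installed, fixed["xen"]),
        "kernel_installed": check(newest, fixed["kernel"]),
        "kernel_running": check(kernel_running, fixed["kernel"]),
        # Updated packages take effect only after the restart the bulletin
        # requires; this flag looks at the kernel only.
        "restart_pending": vr_key(kernel_running) < vr_key(newest),
    }


# Constructed dom0 state: packages updated, system not yet restarted.
SAMPLE = dict(
    release="4.0",
    xen_installed="4.8.5-28.fc25",
    kernels_installed=["5.4.78-1.fc25.qubes", "5.4.83-1.fc25.qubes"],
    kernel_running="5.4.78-1.fc25.qubes.x86_64",
)

if __name__ == "__main__":
    for item, verdict in audit(**SAMPLE).items():
        print(f"{item:17} {verdict}")
```

A kernel from a branch the bulletin does not list is reported as `branch-not-listed` rather than guessed at.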
[qubes-users] Re: Qubes Canary 025
Dear Qubes Community,

Several users have pointed out a mistake in the canary below. "March 2020" should instead be "March 2021". This was just a typographical error. We will be fixing this and updating the signatures on the canary. Thank you.

On 12/12/20 6:22 AM, Andrew David Wong wrote:

Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is reproduced below.

Note: We have decided to make some minor formatting changes to the way Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed, such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past canaries:
https://www.qubes-os.org/security/canaries/

```
---===[ Qubes Canary 025 ]===---

Statements
---

The Qubes core developers who have digitally signed this file [1] state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

    427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS Project (e.g. to hand out the private signing keys or to introduce backdoors).

5. We plan to publish the next of these canary statements in the first two weeks of March 2020. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the assumption that all relevant infrastructure is permanently compromised. This means that we assume NO trust in any of the servers or services which host or provide any Qubes-related data, in particular, software updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces Career Turning Point
Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for the Worse

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP signatures by each of the signers, distributed together with this canary in the qubes-secpack.git repo, and (2) via digital signatures on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/12/canary-25/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
h
[qubes-users] Qubes Canary 025
Dear Qubes Community,

We have published Qubes Canary 025. The text of this canary is reproduced below.

Note: We have decided to make some minor formatting changes to the way Qubes Canary and Qubes Security Bulletin (QSB) numbers are printed, such as dropping the '#' symbol and using hyphens instead of spaces.

This canary and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary 025 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-025-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past canaries:
https://www.qubes-os.org/security/canaries/

```
---===[ Qubes Canary 025 ]===---

Statements
---

The Qubes core developers who have digitally signed this file [1] state the following:

1. The date of issue of this canary is December 8, 2020.

2. There have been 62 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

    427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS Project (e.g. to hand out the private signing keys or to introduce backdoors).

5. We plan to publish the next of these canary statements in the first two weeks of March 2020. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

Special announcements
--

None.

Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the assumption that all relevant infrastructure is permanently compromised. This means that we assume NO trust in any of the servers or services which host or provide any Qubes-related data, in particular, software updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

Proof of freshness
---

Tue, 08 Dec 2020 16:46:42 +

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Dangerous Accusations: German Tennis Star Alexander Zverev Faces Career Turning Point
Skiing in the Pandemic: Alpine Rivalries Flare amid Resort Closures
Biden's Goal of Saving the Iran Deal Just Got Harder - A Murder and an Ultimatum
Heiko Maas: Germany's Foreign Minister on the Future of Trans-Atlantic Relations
Generation Corona: The Pandemic Is Changing Our Children's Lives for the Worse

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Covid-19 Live Updates: Britain Begins Vaccinating Citizens
U.K. Covid Vaccine: Side Effects, Safety, and Who Gets It First
U.S. Leaves Behind Afghan Bases and a Legacy of Land Disputes
Covid Infections, and Blame, Rise Along Southeast Asian Borders
U.S. Imposes Sanctions on Chinese Officials Over Hong Kong Crackdown

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Safety data on Pfizer jab released by US
Lloyd Austin: Biden picks ex-general as defence secretary
The man saving monkeys in the Colombian Amazon
Charlie Hebdo attack: France seeks long jail terms in Paris trial
Christchurch massacre: Inquiry finds failures ahead of attack

Source: Blockchain.info
000c6550025327ca735099e0c621a9ad4599a49dab41f573

Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP signatures by each of the signers, distributed together with this canary in the qubes-secpack.git repo, and (2) via digital signatures on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/12/12/canary-25/
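The typo discussed in this thread ("March 2020" in statement 5 of a canary issued December 8, 2020) is the kind of inconsistency a mechanical check catches. The following is an added example, not part of the original messages or of the qubes-secpack: it parses the numbered statements, compares the fingerprint with a pinned copy, and flags a next-canary window that does not fall after the issue date. The function names and the choice of the 14th as the end of "the first two weeks" are assumptions, and the sample text is constructed from the statements quoted above.

```python
import re
from datetime import date, datetime

# Fingerprint as printed in statement 3 of the canary quoted in this thread.
EXPECTED_QMSK = "427F11FD0FAA4B080123F01CDDFA1A3E36879494"

# Constructed sample: the statements as first published, typo included.
CANARY_025 = """\
1. The date of issue of this canary is December 8, 2020.
2. There have been 62 Qubes Security Bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
    427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the
Qubes OS Project (e.g. to hand out the private signing keys or to
introduce backdoors).
5. We plan to publish the next of these canary statements in
the first two weeks of March 2020. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
"""


def parse_canary(text):
    """Extract the machine-checkable fields from the numbered statements."""
    flat = " ".join(text.split())  # undo hard line wraps

    def grab(pattern):
        match = re.search(pattern, flat)
        return match.group(1) if match else None

    issued = grab(r"date of issue of this canary is (\w+ \d{1,2}, \d{4})")
    count = grab(r"There have been (\d+) Qubes Security Bulletins")
    fpr = grab(r"fingerprint is:\s*((?:[0-9A-F]{4} ?){10})")
    nxt = grab(r"first two weeks of (\w+ \d{4})")
    return {
        "issued": datetime.strptime(issued, "%B %d, %Y").date() if issued else None,
        "qsb_count": int(count) if count else None,
        "fingerprint": fpr.replace(" ", "") if fpr else None,
        # Assumption: "first two weeks" of a month ends on the 14th.
        "next_by": (datetime.strptime(nxt, "%B %Y").date().replace(day=14)
                    if nxt else None),
    }


def lint_canary(text, expected_fpr=EXPECTED_QMSK):
    """Return a list of problems; an empty list means the checks passed."""
    c = parse_canary(text)
    problems = [f"statement not found: {k}" for k, v in c.items() if v is None]
    if c["fingerprint"] and c["fingerprint"] != expected_fpr:
        problems.append("master signing key fingerprint differs from the pinned one")
    if c["issued"] and c["next_by"] and c["next_by"] <= c["issued"]:
        problems.append(
            f"next canary window (ends {c['next_by']}) is not after "
            f"the issue date {c['issued']}")
    return problems


def is_overdue(text, today):
    """True when the announced window has passed (no newer canary assumed)."""
    next_by = parse_canary(text)["next_by"]
    return next_by is not None and today > next_by


if __name__ == "__main__":
    print(lint_canary(CANARY_025))
    print(lint_canary(CANARY_025.replace("March 2020", "March 2021")))
```

These checks are only meaningful on a canary file whose signatures have already been verified, as footnote [2] of the canary says.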
Re: [qubes-users] Can no longer copy text from xterm by default
On 12/10/20 8:14 PM, unman wrote:
On Fri, Dec 11, 2020 at 03:56:16AM +, unman wrote:
On Thu, Dec 10, 2020 at 06:47:16PM -0800, Andrew David Wong wrote:
On 12/10/20 6:25 AM, unman wrote:
On Wed, Dec 09, 2020 at 06:49:35PM -0800, Andrew David Wong wrote:

I used to be able to do the following to copy text from xterm in Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY buffer.
2. Press in order to bring up a menu (I think it was the "VT Options" menu).
3. In this menu, select the option to copy text from the PRIMARY buffer to that VM's local clipboard.
4. Press to copy text to the Qubes inter-VM clipboard and proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea why. Pressing in xterm now does nothing, as far as I can tell. I've checked my trackpad/mouse settings, and everything seems fine and unchanged. I've tried pressing the left and right mouse buttons simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me to copy text, but I'd still like to know whether there's a way to do it by default for cases in which the VM is uncustomized. Does anyone know if there is such a way?

On Debian you can hold down the Ctrl key before pressing the button, to get the VT options menu. See if that works for you. Does for me.

No, that's exactly the behavior I described as no longer working for me. means the same thing as holding down Ctrl before pressing the middle mouse button.

In my experience, holding a key down *before* another action does not always work the same as performing both actions simultaneously, so I did not think that these "meant the same thing".

Ah, interesting. In my experience, they've always meant the same thing in the context of computing, but I suppose it's possible that some systems treat them differently.

Can you call up the Main options, and Font menus using buttons 1 and 2?

Yes, those are still working as expected.

Add "XTerm*selectToClipboard:true" to ~/.Xdefaults and you need not invoke the menu

Right. As mentioned above, I'm aware that I can customize the xterm settings in order to be able to copy text, but I'd still like to know whether there's a way to do it with the default settings for cases in which the VM is uncustomized.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Can no longer copy text from xterm by default
On 12/10/20 12:23 PM, Ulrich Windl wrote:
On 12/10/20 3:49 AM, Andrew David Wong wrote:

I used to be able to do the following to copy text from xterm in Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY buffer.
2. Press in order to bring up a menu (I think it was the "VT Options" menu).
3. In this menu, select the option to copy text from the PRIMARY buffer to that VM's local clipboard.
4. Press to copy text to the Qubes inter-VM clipboard and proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea why. Pressing in xterm now does nothing, as far as I can tell. I've checked my trackpad/mouse settings, and everything seems fine and unchanged. I've tried pressing the left and right mouse buttons simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me to copy text, but I'd still like to know whether there's a way to do it by default for cases in which the VM is uncustomized. Does anyone know if there is such a way?

I never used that, but here for the fedora-32 template it works. I think you can override bindings inside the app via X resources, but my suspicion is that the window manager "captures" the mouse or key event, so it does not arrive at the terminal any more.

I'm confused. You say it's working in the Fedora 32 template for you, yet you also say the key event is captured, so it's not arriving at the terminal anymore. How can it be working for you if the key event is being captured by the window manager?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Can no longer copy text from xterm by default
On 12/10/20 6:25 AM, unman wrote:
On Wed, Dec 09, 2020 at 06:49:35PM -0800, Andrew David Wong wrote:

I used to be able to do the following to copy text from xterm in Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY buffer.
2. Press in order to bring up a menu (I think it was the "VT Options" menu).
3. In this menu, select the option to copy text from the PRIMARY buffer to that VM's local clipboard.
4. Press to copy text to the Qubes inter-VM clipboard and proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea why. Pressing in xterm now does nothing, as far as I can tell. I've checked my trackpad/mouse settings, and everything seems fine and unchanged. I've tried pressing the left and right mouse buttons simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me to copy text, but I'd still like to know whether there's a way to do it by default for cases in which the VM is uncustomized. Does anyone know if there is such a way?

On Debian you can hold down the Ctrl key before pressing the button, to get the VT options menu. See if that works for you. Does for me.

No, that's exactly the behavior I described as no longer working for me. means the same thing as holding down Ctrl before pressing the middle mouse button.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Can no longer copy text from xterm by default
I used to be able to do the following to copy text from xterm in Fedora and Debian VMs:

1. Select/highlight the desired text, thereby inserting it into the PRIMARY buffer.
2. Press in order to bring up a menu (I think it was the "VT Options" menu).
3. In this menu, select the option to copy text from the PRIMARY buffer to that VM's local clipboard.
4. Press to copy text to the Qubes inter-VM clipboard and proceed as usual.

However, some time ago, step 2 suddenly stopped working, and I have no idea why. Pressing in xterm now does nothing, as far as I can tell. I've checked my trackpad/mouse settings, and everything seems fine and unchanged. I've tried pressing the left and right mouse buttons simultaneously instead, but nothing.

I know that I can probably create custom xterm settings that will allow me to copy text, but I'd still like to know whether there's a way to do it by default for cases in which the VM is uncustomized. Does anyone know if there is such a way?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Are known cpu bugs a risk as long as I work with Qubes OS?
On 12/7/20 3:21 AM, Rainer Neumann wrote: Thank you, Sven, for your answer to the topic of qubes-hcl-report. I have one aditional question. If I type in a console "cat /proc/cpuinfo", I get an output, where one line is called "bugs". It looks like my cpu has a lot of bugs: null_seg, cpu_meltdown, spectre_v1, spectre_v2, spec_store_bypass, l1tf, mds, swapgs, itlb_multihit, srbds. The producer of my computer offeres a bios and microprocessor update for the purpose to fix these bugs. It is an exe-file for Windows: https://www.dell.com/support/home/de-ch/drivers/driversdetails?driverid=5m70h=wt32a=optiplex-7010 Okay, lets say, we can trust Intel and the computer manufacturer. But is it really necesarry to install the update as long as I work with Qubes OS? Kindly regards, Rainer Have a look at this: https://unix.stackexchange.com/questions/456425/what-does-the-bugs-section-of-proc-cpuinfo-actually-show Specifically: "Dump the flags which denote we have detected and/or have applied bug workarounds to the CPU we're executing on, in a similar manner to the feature flags." In other words, according to the commit that added it, the "bugs" section doesn't tell you whether your CPU is vulnerable to the things in the list. Maybe a mitigation has already been applied. Maybe it has merely been detected and nothing has been done about it. We have no way to tell just from this section. You would have to do further investigation into each of these in order to try to determine whether your CPU is currently vulnerable. Here's a discussion about doing that: https://www.reddit.com/r/linux/comments/8k3x3b/til_proccpuinfo_shows_architecture_bugs_such_as/ It specifically mentions checking in: /sys/devices/system/cpu/vulnerabilities/ However, Qubes is different from a standard Linux OS, and we often take our own special steps to address security problems, so there may be additional mitigations on top of whatever is mentioned here. 
In addition, the unique architecture of Qubes makes certain classes of security vulnerabilities inapplicable, so it will probably depend on the specific nature of that particular bug.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
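The per-issue check the reply points to, written out as an added example (not code from this thread or from the Qubes project): it maps each flag on the `bugs` line to its file under /sys/devices/system/cpu/vulnerabilities/ and reports the status the running kernel states. The flag-to-file mapping, the verdict names and the sample status strings are assumptions constructed for illustration, and the result says nothing about mitigations applied outside the running kernel.

```python
"""Cross-check the "bugs" line of /proc/cpuinfo against the kernel's
per-issue status files in /sys/devices/system/cpu/vulnerabilities/."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# cpuinfo flag -> sysfs file name, for flags whose file has another name.
# None: no status file is assumed to exist for that flag.
BUG_TO_SYSFS = {
    "cpu_meltdown": "meltdown",
    "swapgs": "spectre_v1",  # swapgs barriers are reported in this file
    "null_seg": None,
}

# Constructed sample input: the flag list quoted in the message above, and
# status strings of the kind the kernel emits (not read from a real host).
SAMPLE_CPUINFO = (
    "model name\t: constructed sample CPU\n"
    "bugs\t\t: null_seg cpu_meltdown spectre_v1 spectre_v2 "
    "spec_store_bypass l1tf mds swapgs itlb_multihit srbds\n"
)
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, RSB filling\n",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "itlb_multihit": "KVM: Mitigation: Split huge pages\n",
    "srbds": "Vulnerable: No microcode\n",
}


def parse_cpuinfo_bugs(cpuinfo_text):
    """Return the flags from the first 'bugs' line, or [] if there is none."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "bugs":
            return value.split()
    return []


def classify(status):
    """Map one sysfs status string to (verdict, caveats)."""
    low = status.strip().lower()
    if low.startswith("kvm: "):  # itlb_multihit prefixes its state this way
        low = low[len("kvm: "):]
    if low.startswith("not affected"):
        verdict = "not_affected"
    elif low.startswith("mitigation"):
        verdict = "mitigated"
    elif low.startswith(("vulnerable", "processor vulnerable")):
        verdict = "vulnerable"
    else:
        verdict = "unknown"  # e.g. "Unknown: ..." or a string not seen before
    caveats = []
    if "no microcode" in low:
        caveats.append("microcode update missing")
    if "smt vulnerable" in low:
        caveats.append("SMT still exposed")
    return verdict, caveats


def report(cpuinfo_text, read_status):
    """Return (flag, verdict, caveats, raw status) for each listed flag.

    read_status(name) returns the file content, or None if it is absent.
    """
    rows = []
    for bug in parse_cpuinfo_bugs(cpuinfo_text):
        fname = BUG_TO_SYSFS.get(bug, bug)
        raw = read_status(fname) if fname else None
        if raw is None:
            rows.append((bug, "no_status_file", [], ""))
        else:
            verdict, caveats = classify(raw)
            rows.append((bug, verdict, caveats, raw.strip()))
    return rows


def read_sysfs(name):
    """Read one status file from the live system."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None


if __name__ == "__main__":
    cpuinfo = Path("/proc/cpuinfo")
    if cpuinfo.exists():
        rows = report(cpuinfo.read_text(), read_sysfs)
    else:  # not on Linux: fall back to the constructed sample
        rows = report(SAMPLE_CPUINFO, SAMPLE_SYSFS.get)
    for bug, verdict, caveats, raw in rows:
        print(f"{bug:18} {verdict:15} {', '.join(caveats):40} {raw}")
```

A "mitigated" row with a caveat, or any "vulnerable" row that mentions missing microcode, is where a firmware or microcode update changes the kernel's answer.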
Re: [EXT] Re: [qubes-users] Qubes OS: .onion and links
On 12/7/20 3:58 PM, Andrew David Wong wrote:
> On 12/6/20 5:13 PM, unman wrote:
>> On Mon, Dec 07, 2020 at 02:07:03AM +0100, Ulrich Windl wrote:
>>> On 12/1/20 7:35 PM, 'disrupt_the_flow' via qubes-users wrote:
>>>> On November 30, 2020 8:15:14 PM UTC, Ulrich Windl wrote:
>>>>> Hi! I noticed when I click the link "upgrading Fedora TemplateVMs" found on the onion version of the page (using the tor browser of whonix), you are directed to a non-onion page (https://www.qubes-os.org/doc/template/fedora/upgrade/), and you'll have to switch to onion again. In contrast when I click news items on http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/ I remain on onion sites.
>>>>>
>>>>> Regards, Ulrich
>>>>
>>>> Hello Ulrich. What page exactly? I can't find such a page on the QubesOS website.
>>>
>>> http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/2020/06/30/fedora-32-templates-available/
>>
>> Yes, the links on that page are hard coded to the clearnet site rather than local links. That's a mistake - but it is not peculiar to this page. A quick check suggests that (almost?) all the news pages contain such links. Thanks for pointing this out.
>
> Ah, that's because people asked a long time ago for the News post plain text content to be copied into the body of messages to the mailing lists (not just a hyperlink to the website). At the time, it seemed easier just to include full URLs in the original Markdown source so that the plain text could more easily be copy/pasted into messages to the mailing lists, since the difference between absolute and relative links on the was transparent to users after Jekyll rendering. Of course, we did not foresee that something else would come to rely on the links to be relative rather than absolute. Now that this is the case, we can simply use relative links everywhere (including in these News posts) and write out the complete URLs when preparing the plain text content for the mailing lists.
I'm also converting existing links from absolute to relative and updating the doc guidelines on this point:
https://github.com/QubesOS/qubes-posts/pull/73
https://github.com/QubesOS/qubes-doc/pull/1100

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
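One way to do the conversion this message describes, as an added example (not the code used in the linked pull requests): it rewrites Markdown link targets that are hard-coded to the clearnet site into relative ones, so a reader on the onion mirror stays there, and expands them again for the plain-text mailing-list copy. The function names, the sample post and the look-alike host are constructed for illustration.

```python
"""Rewrite Markdown link targets between site-absolute and relative form."""
import re
from urllib.parse import urlsplit, urlunsplit

SITE = "https://www.qubes-os.org"  # clearnet origin named in the thread

# Inline links "[text](target)" and reference definitions "[id]: target".
# Simplification: a target ends at whitespace or ")", so URLs that contain
# parentheses are not handled.
_TARGET = re.compile(r"(\]\()([^)\s]+)|^(\[[^\]]+\]:[ \t]*)(\S+)", re.MULTILINE)

# Constructed sample post using link targets that appear on this page,
# plus one constructed look-alike host.
SAMPLE_POST = """\
Follow the [upgrade instructions](https://www.qubes-os.org/doc/template/fedora/upgrade/)
and check the [supported versions][sv]. Fedora's own
[EOL page](https://fedoraproject.org/wiki/End_of_life) is external, and
[this host](https://www.qubes-os.org.example.net/doc/) only looks similar.

[sv]: https://www.qubes-os.org/doc/supported-versions/#templatevms
"""


def _map_targets(markdown, fn):
    """Apply fn to every link target, leaving the surrounding text alone."""
    def repl(match):
        prefix = match.group(1) or match.group(3)
        target = match.group(2) or match.group(4)
        return prefix + fn(target)
    return _TARGET.sub(repl, markdown)


def _relative(target, site=SITE):
    parts, home = urlsplit(target), urlsplit(site)
    # Compare the host exactly. A string-prefix test would also rewrite
    # look-alike hosts such as www.qubes-os.org.example.net.
    if parts.scheme in ("http", "https") and parts.hostname == home.hostname:
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return target


def _absolute(target, site=SITE):
    # Only root-relative paths; "//host/path" is protocol-relative, not ours.
    if target.startswith("/") and not target.startswith("//"):
        return site.rstrip("/") + target
    return target


def to_relative(markdown):
    """Form for the website source: same-site links become relative."""
    return _map_targets(markdown, _relative)


def to_absolute(markdown):
    """Form for the mailing-list copy: relative links get the full URL."""
    return _map_targets(markdown, _absolute)


def hardcoded_targets(markdown):
    """List link targets that pin the reader to SITE; empty means clean."""
    targets = [m.group(2) or m.group(4) for m in _TARGET.finditer(markdown)]
    return [t for t in targets if _relative(t) != t]


if __name__ == "__main__":
    print(hardcoded_targets(SAMPLE_POST))
    print(to_relative(SAMPLE_POST))
```

Running `hardcoded_targets` over every post in a site checkout gives a simple pre-publish check that no page sends onion visitors to the clearnet origin.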
Re: [EXT] Re: [qubes-users] Qubes OS: .onion and links
On 12/6/20 5:13 PM, unman wrote:
> On Mon, Dec 07, 2020 at 02:07:03AM +0100, Ulrich Windl wrote:
>> On 12/1/20 7:35 PM, 'disrupt_the_flow' via qubes-users wrote:
>>> On November 30, 2020 8:15:14 PM UTC, Ulrich Windl wrote:
>>>> Hi! I noticed when I click the link "upgrading Fedora TemplateVMs" found on the onion version of the page (using the tor browser of whonix), you are directed to a non-onion page (https://www.qubes-os.org/doc/template/fedora/upgrade/), and you'll have to switch to onion again. In contrast when I click news items on http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/ I remain on onion sites.
>>>>
>>>> Regards, Ulrich
>>>
>>> Hello Ulrich. What page exactly? I can't find such a page on the QubesOS website.
>>
>> http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/news/2020/06/30/fedora-32-templates-available/
>
> Yes, the links on that page are hard coded to the clearnet site rather than local links. That's a mistake - but it is not peculiar to this page. A quick check suggests that (almost?) all the news pages contain such links. Thanks for pointing this out.

Ah, that's because people asked a long time ago for the News post plain text content to be copied into the body of messages to the mailing lists (not just a hyperlink to the website). At the time, it seemed easier just to include full URLs in the original Markdown source so that the plain text could more easily be copy/pasted into messages to the mailing lists, since the difference between absolute and relative links on the was transparent to users after Jekyll rendering. Of course, we did not foresee that something else would come to rely on the links to be relative rather than absolute. Now that this is the case, we can simply use relative links everywhere (including in these News posts) and write out the complete URLs when preparing the plain text content for the mailing lists.
--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes updater icon never gets cleared
On 12/5/20 1:36 AM, Viktor Ransmayr wrote:
> Hello Qubes community,
>
> I noticed since yesterday, that the icon, which indicates that updates are available, never gets cleared on my system, although I obviously try to launch the updater in a timely fashion - and - the operation succeeds ...
>
> Here's the log from the latest attempt:
>
> ###
> Updating fedora-32
> fedora-32:
> --
> ID: dnf list updates --refresh >/dev/null
> Function: cmd.run
> Result: True
> Comment: Command "dnf list updates --refresh >/dev/null" run
> Started: 09:00:59.753451
> Duration: 8745.114 ms
> Changes:
> --
> pid: 1077
> retcode: 0
> stderr:
> stdout:
> --
> ID: update
> Function: pkg.uptodate
> Result: True
> Comment: Upgrade ran successfully
> Started: 09:01:10.612928
> Duration: 24382.315 ms
> Changes:
> --
> ID: notify-updates
> Function: cmd.run
> Name: /usr/lib/qubes/upgrades-status-notify
> Result: True
> Comment: Command "/usr/lib/qubes/upgrades-status-notify" run
> Started: 09:01:34.995429
> Duration: 3878.256 ms
> Changes:
> --
> pid: 1148
> retcode: 0
> stderr:
> stdout:
>
> Summary for fedora-32
> Succeeded: 3 (changed=2)
> Failed:0
> Total states run: 3
> Total run time: 37.006 s
> ###
>
> Does anyone have an explanation - or - a suggestion what else to try? - TIA!
>
> Viktor

This is probably: https://github.com/QubesOS/qubes-issues/issues/6234

In which case, it's a known bug, and the fix is in current-testing.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] "Qubes Survey: The Results" by Marta Marczykowska-Górecka
Dear Qubes Community,

Marta Marczykowska-Górecka has just published an article covering the results of our recent survey: https://www.qubes-os.org/news/2020/11/26/qubes-survey-results/

For your convenience, the original plain text Markdown source of the article is reproduced below. However, since this article includes many images, we recommend the web version for most readers.

---

"Qubes Survey: The Results" by Marta Marczykowska-Górecka

Hello, lovely Qubes Community! A couple of weeks ago, we asked you to participate in a survey; to our delight and surprise, over 2100 of you decided to help us and filled it out! We are grateful for our wonderful community and wanted to share some interesting findings from the survey with you.

A small statistical note: a survey such as this, on a non-random and very much self-selected sample, is not necessarily completely representative of the whole community. It's quite possible that the people whom we did not reach and the people who decided not to participate in the survey differ in statistical ways from those we did survey, so please understand all of the "community members say X" statements below as having a little asterisk with "as far as we know based on this survey".

Some introductory stats: 54% of our respondents have Qubes installed, and 22% are planning to.

[](/attachment/wiki/posts/survey_chart_1.png)

Most of them are expert computer users to varying degrees, but 1% said that they prefer not to use computers when they don't have to. Seeing the state of security in the wide computer world, sometimes we're tempted to agree.

It also turned out that our community has a fairly unsurprising age spread, with almost half (43%) of the respondents between 18 and 34 and a third (31%) between 35 and 49. There are people over 70 and under 18 among us, too.
[](/attachment/wiki/posts/survey_chart_2.png)

About one-third of the respondents are developers (which is in line with what we anticipated --- after all, Qubes is a pretty technical piece of software), and IT professionals of all sorts are about sixty percent of the respondents. We also have a strong contingent of academics (19%) and activists (16%).

[](/attachment/wiki/posts/survey_chart_3.png)

For privacy reasons, we won't be sharing a detailed breakdown of where our users are located, but we made a map with countries colored based on how many Qubes users are there, for your and our enjoyment. Note: the map is based on Wikipedia's map of the world. Please forgive any inaccuracies in it.

[](/attachment/wiki/posts/survey-map.png)

While doing the data crunching, I was a bit fascinated by three large groups of people: those from capital cities just putting down the name of the capital (omitting the country name), people in the US replying with just the name of their town (I've learned a lot about small American towns!) and people in the UK clarifying they are not English, thank you very much. I had to smile at "United Kingdom of England and Some Actually Good Countries".

We're very interested in the hardware people are using and want to use with Qubes. Hardware is always a difficult subject for us, as there's a lot of possible combinations and not nearly enough manpower to test and fix bugs for all of them, and we want to know where to focus our resources. This intuition was well confirmed by the survey: hardware compatibility was something a lot of people mentioned in the "reasons for not using Qubes/reasons for stopping using Qubes" questions.

Following the common trend in modern hardware, most people use laptops or laptops and desktops equally (only 22% of our respondents use mostly a desktop computer), and most Qubes users tend to use it on a laptop (63% of them in the survey).
A lot of people use external monitors with their laptops (over 55% of laptop users), and we know an external monitor can be tricky to use with Qubes, leading to all sorts of annoying problems with layout or input detection. (If you haven't yet tried it, take a look here: [Qubes GUI Troubleshooting](https://www.qubes-os.org/doc/gui-troubleshooting/)). A significant number of respondents also say they use cameras (36%) and microphones (60%). It makes me wonder what the responses to this question would be a year ago, before so many of us started working remotely.

As far as desired Qubes localization goes, there were few surprises, with the overwhelming majority preferring English (for a survey in English, it's hard to be shocked by this result), and the next places being taken by German (over 200 votes), French (over 120 votes), Spanish
Re: [qubes-users] HCL - Dell Precision M6800 Workstation
On 11/28/20 12:41 PM, Jason ZenRiot wrote:
> I'm a bit of a Qubes novice, this is my first setup and I've been up and running for about 4 months now, so I've poked into most of the corners, tho not too deep. Easy install, stable AF and pretty fast. I'm not terribly impressed with playback performance with multiple video streams. But I'm running three 27" displays off a laptop so I have no business complaining about the refresh rate. Near as I can tell ALL of the hardware is supported from first boot. Audio, video, USB, all elements fully functional, I'm pretty sure the TPM is not being utilized, but that's probably due to me not knowing a lot still. I am struggling to get my solokey setup, but that's def an id10T issue...
>
> I highly recommend this platform, it's a little heavy for a laptop, but it's got a BIG sexy screen, 3 yes three drive bays (1 msata, two 2.5 SATA3) DVDBurner, modular video card upgrades available NVidia K4000 or ATI Firebolt and VGA, HDMI, and DisplayPort supporting 2 external displays without the docking station which provides support for a fourth ($15 on ebay) 5 USB3 ports, and it all f'in works with Qubes... I see refurbs on sale now in the $500-$800 area... Festivus is upon us... shouldn't SOMETHING be easy in 2020? :-D
>
> Hello, I am JayDogg, and with this submission, I am joining the community... It's really good to be here... because apparently there's no time to lose.

Welcome to the community, and thanks for your report! Glad to hear it's working well.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Is there a discord, IRC, or jabber channel where I can find someone experienced in Qubes to mentor me? I'm dying right now guys
On 11/28/20 12:39 PM, setemera...@posteo.net wrote:
> If you chart my posts in the usergroup, it pretty much follows the pattern of "ask for help", go dark for a while, "ask for help again." go dark again. The part in between that goes unseen is the part where I'm intimidated by my OS and have to ask someone more knowledgeable about every little thing that comes up just so I can do basic things.

Many questions can be answered by reading the documentation, especially basic ones. I strongly recommend starting there if you're finding it difficult to do even basic things.

https://www.qubes-os.org/doc/

> Whether it is the kaliVM setup (still haven't done that), VPN setup,

These are not really basic and not required to get the major benefits of using Qubes. I'd caution you against trying to sprint before learning to walk, as it were.

> or even just getting my terminals to actually reach github,

This sounds like a non-Qubes-specific Linux thing, so it's also worth noting that many questions about Qubes are actually questions about Linux.

> I feel quite powerless and stupid every time I try to do something on this laptop. So I put things off. I put things off I need to learn to secure my own system or to do the things I want to do with it. As a novice CS student, starting with Qubes was probably a mistake but I believe now, as then, that learning this OS would give me an edge when I get to my career field. That said it's rough at times, and it's been a lonely experience thus far.

Sorry to hear that. :(

> Here's my ask: I would really appreciate one person, any person really, who I can at least talk to about Qubes in general. I don't expect you to hold my hand or to be my one stop shop for tech-support or something. It's just tiresome being the only one I know who runs this OS and there is no sense of community for me when my only interaction is asking for help on a random google group.
If it helps, we also have a forum: https://www.qubes-os.org/support/#forum

Unofficial chat channels: https://www.qubes-os.org/support/#unofficial-chat-channels

And a subreddit: https://www.reddit.com/r/Qubes/

> If you are up for guiding a noob through this hard ass learning curve or at least being someone I can chat up, email me at setemera...@posteo.net.

I hope you find the person you're looking for, but it's also worth pointing out that there are many other new users here like yourself, and everyone benefits when questions are asked in the open so that others can participate, provide answers and experience, and learn from the results. Don't be afraid to ask questions. Our discussion list guidelines have some advice about how to do that in a productive way:

https://www.qubes-os.org/support/#discussion-guidelines

> All I can offer to the community in exchange is my help rewriting documentation based on my experiences. Since I'm having such a hard beginning as a novice user, I'll definitely remember what tripped me up getting started and can share that with the community. As far as taking action to handle the hard things first, expect to see me posting on here a lot more. No sense in being intimidated by a piece of tech I can learn if I stay on it. Thank you and be well.

Good, and welcome to the community. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Are "smart" monitors/TVs a security issue?
On 11/27/20 7:08 PM, Steve Coleman wrote:
> [...]
> 1. TV's are often encoded to deliberately export use intelligence data to be utilized by the advertisers and ratings organizations. The camera and microphone, if installed, are actually designed and used to watch and listen to the family watching the programs. Zero privacy, and you may even have no way to disconnect it, so denying it any network access is your only hope to stop exfiltration.

Physically disabling the camera and microphone may be an option in some cases. Cameras can be covered, but covering a microphone doesn't do much. I recently got a new smart TV that has a microphone in the remote. Since I never planned to use the voice features, I simply found a sewing needle, inserted it into the mic hole, and used a flat piece of hard plastic on the other end to apply moderate force. There was a single "click" sound. After that, voice commands were no longer recognized by the TV, but the remote and everything else still worked perfectly. Hopefully that's good enough.

By the way, this reminds me of when Joanna removed all the microphones and front camera from her iPhone: https://twitter.com/rootkovska/status/547496843291410432

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2
Hi all,

Based on the feedback we've received for Qubes 4.0.4-rc1, we've decided to make one additional change for 4.0.4, namely updating the kernel to at least 5.4. This means that we'll need a second release candidate before the stable release of 4.0.4. [1]

The official announcement for 4.0.4-rc2 will come soon. This is just an informal request for anyone willing to help test kernel 5.4 on Qubes 4.0 to do so and report any problems. [2] The package is already available in current-testing. [3]

Thank you!

[1] https://github.com/QubesOS/qubes-issues/issues/6170
[2] https://www.qubes-os.org/doc/reporting-bugs/
[3] https://www.qubes-os.org/doc/testing/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Are "smart" monitors/TVs a security issue?
On 11/25/20 6:31 AM, River~~ wrote:
> Hi all
>
> In the days of CRT monitors one way the security of a computer system could be compromised non-intrusively (ie without amending the installed code) was by picking up the radio-frequency leakage from the tube in the monitor. This could only be done from near by, but where possible it enabled the spy to see what was on the screen -- almost everything that you typed (apart from passwords that were blanked or starred out). This was a remote form of shoulder surfing, where someone looks over your shoulder in an environment like an internet cafe. Nowadays we do not have to worry about CRT monitors.

This is known as a TEMPEST attack: https://en.wikipedia.org/wiki/Tempest_(codename)

Although we may not use CRT monitors any more, there are still many other forms of this attack, many of which are still relevant today. It's still important to be mindful of any kind of leaking emanation.

> But TVs are increasingly delivered with their own internet connection, making it easy to watch You-Tube (etc) without needing a separate computer or phone. Clearly there is a computer inside which can be hacked, and if so a remote shoulder surfing attack would be very possible.

Yes, definitely. Smart TV spying is already a widely-reported phenomenon: https://duckduckgo.com/?q=smart+tv+spying

> Is the same true of monitors and of TVs that do not have an apparent internet link? The digital tech to draw a picture from the input is unlikely to be done by traditional electronics, but being all digital is likely done by a miniprocessor of some kind in all digital displays.

It's impossible to say without knowing exactly what kind of hardware is inside.

> To put my question in the most provocative way on this forum: is there much point securing the OS when the monitor might be an easier target for those out to (umm) monitor our reading and our keystrokes? This thought has only just come to me, and I wonder if there is already some available mitigation? Any ideas?
> Or am I being overly cautious? R~~

Any ideas? Well, there's no such thing as perfect security, but you can decrease your risk here in multiple ways, such as selecting a monitor with as few "smart" features as possible or, if you use a laptop, sticking with the built-in monitor. There might also be some advantage to preferring "dumb" ports on your monitor. For example, DisplayPort and Thunderbolt are probably bigger risks than VGA and DVI, since DisplayPort can transmit USB and other data, and Thunderbolt combines PCIe and DisplayPort.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] HCA reports - some advice please
On 11/23/20 1:42 PM, Steve Coleman wrote: On Mon, Nov 23, 2020 at 2:31 PM Andrew David Wong wrote: On 11/23/20 10:06 AM, Steve Coleman wrote: On Mon, Nov 23, 2020 at 9:33 AM Andrew David Wong wrote: I have a question about the HCL process and page display that I have been wondering about. I was for the longest time copying and pasting the HCL web page into a spreadsheet just so I could sort and delete out all the old information, as I was looking to replace my desktop system with something more up to date. I can't tell you how many times in the last three years I copied the HCL to this spreadsheet, and when my old desktop finally died I had to give up hope and just bought a new system sight unseen that was not on the list and I just hoped for the best. Fortunately, it worked out Ok. As it is right now it is difficult and getting increasingly harder to find just the latest hardware on the list as it seems that by the time something appears on the list it is no longer even available for purchase. Remember that these are almost all reports voluntarily submitted by users. If it's mostly old hardware, that's because few people with new hardware are submitting reports for that hardware. Agreed. But it is certainly possible to make this more of a discussion on how to give back to the community. The Qubes patriotic thing to do is to submit your successes so others can follow without so much fear and hesitation. We can't force anyone to submit reports, and we usually can't get new hardware to generate reports on ourselves. No, but a well-placed note/request at the end of the Qubes install process could go a long way to actually encourage them to submit the report to help others. The "how you can help" could also suggest this as a way to give back which is easy even for novices who were just introduced to Qubes. Make it a badge of honor. 
In fact, one could encourage people with questions to include a report link/ID where the fundamentals of their basic machine configuration would be available online for the experts to better understand the problem. Not everyone would necessarily want to give their anonymity away, but for some questions, this link could provide some valuable information about the hardware that would be easy to share. Good ideas! I've opened an issue for this: https://github.com/QubesOS/qubes-issues/issues/6231 I've already implemented the documentation suggestions (as well as some similar ones inspired by your suggestions). For details, see the issue. Though, to be fair, the reports from the mailing list haven't been added in a while, so that might also be part of it. Very true, unfortunately. I submitted my "Dell XPS 8930" but it has not shown up yet. With 8 cores and 64GB of memory, it is already out of production but it is still available through other retailers. Somebody who is looking for a new beefy desktop may not see this on the HCL until it is no longer available anywhere. That is the same boat I was in when my desktop up and died and I had no choice but to draw straws and pick one almost at random. Yes, there were other *very old* XPS's on the HCL and some did *not* work properly, but based on the hardware in this one I figured it might just work. Unfortunately, this only has a "firmware TPM" that is disabled in BIOS when using the legacy boot settings and there is no header on the motherboard to even add a physical TPM. I may just dabble with the idea of a qubes auditable software-based vTPM (qTPM) and see if I can find a way to make something work for the contributor's packages. Not sure about that yet, but it's an idea that might even allow for locking down the boot partition by making it read-only until after a successful boot/login. Evil maids can't change what they can't edit. 
We've decided to recruit an additional HCL maintainer to get reports from the mailing list onto the website more quickly. I've sent a message to these lists about it. However, there are LOTS of machines that you could only find on eBay and many/most lack sufficient memory, BIOS, or current chipset support for the current Qubes R4.x system being developed. Old systems on the HCL are seemingly never updated, so you can't tell which ones are still working and which ones have retired years ago. There are many items on that list even in the wrong categories (e.g. DIY System boards in the Desktop section when there is a separate section just for those) and I see no defined process by which to help change that. My question is this: What would it take to get a set of simple filter options on that HCL webpage? This open issue is very similar to what you're asking: https://github.com/QubesOS/qubes-issues/issues/3795 I've just opened two PRs (linked to this issue) that make the HCL tables sortable. However, some rows break on sorting. Please see the issue comments for more details and an image showing exactly how it breaks. If
[qubes-users] Seeking an additional HCL maintainer
Dear Qubes Community,

As many of you know, the Hardware Compatibility List (HCL) [1] is an important resource for users when deciding on which hardware to get for Qubes. Currently, our system for adding new entries to this list is basically as follows: Users voluntarily generate HCL reports [2], then send them to the qubes-users mailing list. Our HCL maintainer then periodically collects these reports from qubes-users, performs any necessary cleanup and processing, then submits them in a PR to the HCL repo [3]. Users are also free to submit their reports in PRs directly to the HCL repo, and we're always looking for ways to improve this system and all aspects of the HCL.

Our current HCL maintainer is Chris (tasket), but the project could benefit from an additional HCL maintainer to help out and share the load. This would allow us to get reports from the mailing list onto the website more quickly and perhaps help make other improvements to the HCL. Chris can provide further details about what's involved in this role.

If you'd like to volunteer for this role, please let us know by replying to this thread or directly to me. Thank you!

[1] https://www.qubes-os.org/hcl/
[2] https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
[3] https://github.com/QubesOS/qubes-hcl

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Fedora 31 has reached EOL
Dear Qubes Community,

Fedora 31 has reached EOL (end-of-life [1]). If you have not already done so, we strongly recommend upgrading your Fedora 31 TemplateVMs and StandaloneVMs to Fedora 32 immediately. We provide step-by-step upgrade instructions for upgrading Fedora TemplateVMs [2]. For a complete list of TemplateVM versions supported for your specific version of Qubes, see the list of supported TemplateVM versions [3].

We also provide a fresh Fedora 32 TemplateVM package through the official Qubes repositories, which you can install in dom0 by following the standard installation instructions [4].

After upgrading your TemplateVMs, please remember to switch all qubes that were using the old template to use the new one [5].

Please note that no user action is required regarding the OS version in dom0. For details, please see our note on dom0 and EOL [6].

[1] https://fedoraproject.org/wiki/End_of_life
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/supported-versions/#templatevms
[4] https://www.qubes-os.org/doc/templates/fedora/#installing
[5] https://www.qubes-os.org/doc/templates/#switching
[6] https://www.qubes-os.org/doc/supported-versions/#note-on-dom0-and-eol

This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2020/11/24/fedora-31-eol/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB #062: Stack corruption from XSA-346 change (XSA-355)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #062: Stack corruption from XSA-346 change (XSA-355). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #062 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-062-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View XSA-355 in the XSA Tracker:
https://www.qubes-os.org/security/xsa/#355

```
---===[ Qubes Security Bulletin #62 ]===---

2020-11-24

Stack corruption from XSA-346 change (XSA-355)

Summary
=======

On 2020-11-24, the Xen Security Team published Xen Security Advisory
355 (XSA-355) [1] with the following description:

| One of the two changes for XSA-346 introduced an on-stack array. The
| check for guarding against overrunning this array was off by one,
| allowing for corruption of the first stack slot immediately following
| this array.
|
| A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting
| in a Denial of Service (DoS) to the entire host. Privilege escalation
| as well as information leaks cannot be excluded.

Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-27

  For Qubes 4.1:
  - Xen packages, version 4.14.0-8

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
=======

See the original Xen Security Advisory.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-355.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/11/24/qsb-062/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
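The bug class that XSA-355 describes (a bounds check on a fixed-size on-stack array that is off by one, so a single write lands in the slot right after the array) is modelled below as an added example; it is not Xen's code and not part of the bulletin. The exact form of Xen's check is not given in the bulletin, so the `>` versus `>=` comparison, `BATCH_SLOTS`, the struct and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BATCH_SLOTS 8                      /* constructed capacity of the modelled array */
#define CANARY      0xA5A5A5A5A5A5A5A5ULL  /* marks the slot that follows the array */
#define MAX_ITEMS   64

/*
 * Model of a stack frame. mem[0..BATCH_SLOTS-1] is the fixed-size array;
 * mem[BATCH_SLOTS] stands in for "the first stack slot immediately
 * following this array". Keeping both in one object means the overrun in
 * this demo never leaves mem[], so the demo itself is well defined.
 */
struct frame_model {
    uint64_t mem[BATCH_SLOTS + 1];
    unsigned flushes;
};

typedef void (*queue_fn)(struct frame_model *, const uint64_t *, size_t);

/* Pretend to process the queued entries and start a new batch. */
static size_t flush(struct frame_model *f)
{
    f->flushes++;
    return 0;
}

/* Off-by-one guard: '>' lets used == BATCH_SLOTS through, so one write
 * lands in mem[BATCH_SLOTS], the slot after the array. */
static void queue_off_by_one(struct frame_model *f, const uint64_t *items, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (used > BATCH_SLOTS)          /* BUG: should be >= */
            used = flush(f);
        f->mem[used++] = items[i];
    }
}

/* Corrected guard: the batch is flushed as soon as the array is full. */
static void queue_checked(struct frame_model *f, const uint64_t *items, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (used >= BATCH_SLOTS)
            used = flush(f);
        f->mem[used++] = items[i];
    }
}

/* Queue n constructed items; return 1 if the adjacent slot kept its canary. */
static int adjacent_slot_intact(queue_fn queue, size_t n)
{
    uint64_t items[MAX_ITEMS];
    struct frame_model f = { .mem = {0}, .flushes = 0 };

    if (n > MAX_ITEMS)
        n = MAX_ITEMS;
    for (size_t i = 0; i < n; i++)
        items[i] = i + 1;                /* constructed sample data */
    f.mem[BATCH_SLOTS] = CANARY;
    queue(&f, items, n);
    return f.mem[BATCH_SLOTS] == CANARY;
}

int main(void)
{
    /* The flaw only shows once the input crosses the exact boundary. */
    for (size_t n = BATCH_SLOTS - 1; n <= BATCH_SLOTS + 1; n++)
        printf("n=%zu  off-by-one guard: %s  corrected guard: %s\n", n,
               adjacent_slot_intact(queue_off_by_one, n) ? "intact" : "CORRUPTED",
               adjacent_slot_intact(queue_checked, n) ? "intact" : "CORRUPTED");
    return 0;
}
```

Inputs of up to `BATCH_SLOTS` items pass through both versions cleanly, which is why a test suite needs a case at exactly capacity plus one to catch this kind of guard.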
Re: [qubes-users] HCA reports - some advice please
On 11/23/20 10:06 AM, Steve Coleman wrote: On Mon, Nov 23, 2020 at 9:33 AM Andrew David Wong wrote: If you can fix them first, that would be a great help! I think it would make things easier for our HCL maintainer. :) Usually, it's just the model number for that product, e.g., "FX-8320" is short for "AMD FX(tm)-8320 Eight-Core Processor". Take a look at the existing entries for examples: https://github.com/QubesOS/qubes-hcl/tree/master I am thinking of including the cpio files, but do not want to share a serial number that they contain. Would those files be useful to others if I edited them so that the serial number reads "Redacted"? Sure, feel free to redact whatever you like. :) If you prefer, you can send the cpio files directly to Marek PGP-encrypted (instead of to the mailing list). See here for more info: https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports I have a question about the HCL process and page display that I have been wondering about. I was for the longest time copying and pasting the HCL web page into a spreadsheet just so I could sort and delete out all the old information, as I was looking to replace my desktop system with something more up to date. I can't tell you how many times in the last three years I copied the HCL to this spreadsheet, and when my old desktop finally died I had to give up hope and just bought a new system sight unseen that was not on the list and I just hoped for the best. Fortunately, it worked out Ok. As it is right now it is difficult and getting increasingly harder to find just the latest hardware on the list as it seems that by the time something appears on the list it is no longer even available for purchase. Remember that these are almost all reports voluntarily submitted by users. If it's mostly old hardware, that's because few people with new hardware are submitting reports for that hardware.
We can't force anyone to submit reports, and we usually can't get new hardware to generate reports on ourselves. Though, to be fair, the reports from the mailing list haven't been added in a while, so that might also be part of it. However, there are LOTS of machines that you could only find on eBay and many/most lack sufficient memory, BIOS, or current chipset support for the current Qubes R4.x system being developed. Old systems on the HCL are seemingly never updated, so you can't tell which ones are still working and which ones have retired years ago. There are many items on that list even in the wrong categories (e.g. DIY System boards in the Desktop section when there is a separate section just for those) and I see no defined process by which to help change that. My question is this: What would it take to get a set of simple filter options on that HCL webpage? This open issue is very similar to what you're asking: https://github.com/QubesOS/qubes-issues/issues/3795 I've just opened two PRs (linked to this issue) that make the HCL tables sortable. However, some rows break on sorting. Please see the issue comments for more details and an image showing exactly how it breaks. If you can help with this, please let me know on that issue. Or, is there a way for someone to help clean up and better organize this list? There are two main ways you can help: 1. Help un-break the aforementioned sorting, or provide a better way to sort or filter the tables. 2. Submit a PR that modifies or removes old or bad HCL entries: https://github.com/QubesOS/qubes-hcl/tree/master Going forward it is not all that helpful to see what was historically running, years ago, if they are no longer adequate for the current Qubes R4.x baseline. My inclination is this list's primary function should be to support those who are looking for some adequate hardware that could run the current baseline, and failing that test, it should be filtered out by default.
Or maybe just filter by date added/updated? I can understand the motivation behind removing old entries for EOL Qubes releases. If those entries are truly of no use to anyone, then there is not much reason to keep them around. But perhaps there's some value in keeping the old entries that we're overlooking. I'm curious whether Chris and Marek have any opinions on this. Another idea is to have separate HCL tables for each Qubes release, or even entirely separate HCL *pages* for each Qubes release. This might make sense as part of our plan for release-specific documentation: https://github.com/QubesOS/qubes-issues/issues/5308 Another thought is we should actively request those who successfully upgrade their systems to the latest baseline to resubmit their HCL thus showing that the same system is still capable of running the latest baseline number. I know matching old and new HCL reports would require some work, but I think if you want Qubes to be more popular this is a must. We can request it, but I'm not sure how much
Re: [qubes-users] Re: HCL - Hewlett Packard HP Pavillion Notebook
On 11/23/20 2:55 AM, Raja Saham wrote: May I know the procedure to add this report into hardware compatibility list ? Thank you for your report! Our HCL maintainer periodically collects all reports sent to this mailing list and submits them in a pull request to: https://github.com/QubesOS/qubes-hcl/tree/master However, if you prefer, you can simply submit a PR there yourself. > And whether it is qualified for the list ? That'll be up to our HCL maintainer to determine, but usually reports are accepted without any problems. On Monday, November 23, 2020 at 5:44:13 PM UTC+7 Raja Saham wrote: Dear Qubes Users, I have tried Qubes on my System. Attached is the report for Hardware Compatibility List. Regards, Qubes Users -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] HCA reports - some advice please
On 11/22/20 10:50 AM, River~~ wrote: hi I have got a new computer working, and it is a model new to Qubes not just. (Guess who got it cheap on an early bird reduction on kickstarter then :) So, I am going to send in the HCA report. Thank you! I have produced the .yml file. It contains some FIXME items. I am unclear: is it up to me to fix them, or are they a note to whoever processes the report before posting to the HCA page? If you can fix them first, that would be a great help! I think it would make things easier for our HCL maintainer. :) If I have to edit them, what do I use for the "short" items? Am I reasonably free to abbreviate? Usually, it's just the model number for that product, e.g., "FX-8320" is short for "AMD FX(tm)-8320 Eight-Core Processor". Take a look at the existing entries for examples: https://github.com/QubesOS/qubes-hcl/tree/master I am thinking of including the cpio files, but do not want to share a serial number that they contain. Would those files be useful to others if I edited them so that the serial number reads "Redacted"? Sure, feel free to redact whatever you like. :) If you prefer, you can send the cpio files directly to Marek PGP-encrypted (instead of to the mailing list). See here for more info: https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports Finally, the manufacturer's name shown in the .yml is different from the name they used on kickstarter. Would it help, or would it cause confusion, if I added at the end of their name "t/a MinisForum"? It would be ok, but perhaps including this in the comment field instead would make it more likely that your manufacturer field matches any other reports submitted for products from the same manufacturer. -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [EXT] Re: [qubes-users] browser plugin?
On 11/21/20 4:00 PM, Ulrich Windl wrote: On 11/13/20 4:42 AM, Sven Semmler wrote: On 11/12/20 11:41 AM, Alex Smirnoff wrote: Is there a browser plugin that adds "open URL in disposable VM" function? like private tab on steroids :) I think this is important when following an URL in Thunderbird from a non-disposable / not-anonymous VM. Copying the link and pasting it to another VM is not really very user-efficient. Well I would not need a new VM for each link, but a _different_ VM... You can already do this with built-in Qubes tools without any extra plug-ins or third-party programs: https://www.qubes-os.org/doc/tips-and-tricks/#opening-links-in-your-preferred-appvm -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?
On 11/19/20 4:50 AM, Matt McCutchen wrote: On Wed, 2020-11-18 at 22:49 -0800, Andrew David Wong wrote: On 11/18/20 5:54 AM, Matt McCutchen wrote: I assumed the update process was the same for a TemplateVM or a StandaloneVM (though I've never tried the latter), It mostly is, but I personally find it easier to be able to update and install packages in the TemplateVM separately from the TemplateBasedVM. Why? Just a lot of little things. For example, if I screw up the TemplateBasedVM, and I don't have any data in it, I can just destroy it and recreate it without having to reinstall any programs. Conversely, if I screw up the TemplateVM, I can keep the TemplateBasedVM and just recreate the TemplateVM. One advantage I see to the StandaloneVM is that package changes are immediately persistent and usable in combination with the private volume. When using a TemplateVM and TemplateBasedVM, I generally make package changes first in the TemplateBasedVM for rapid iteration (where they will be lost on shutdown) and later make them to the TemplateVM once I am sure what changes I want. I suppose I'm now at the point where I already know which packages I need, so that problem seldom arises for me now. There's also the minor fact that I can update all of my templates with a single qubesctl command, whereas StandaloneVMs would be left out. That's strange. If qubesctl has an option to target all TemplateVMs, I'd think the case for an option to target all updatable VMs (TemplateVMs and StandaloneVMs) would be equally strong. Oh, and there's also a bit of a security benefit, which I forgot to mention: https://www.qubes-os.org/doc/templates/#note-on-treating-templatebasedvms-root-filesystem-non-persistence-as-a-security-feature I'm of the firm opinion that auditing a home directory for user-level rootkits is impractical, as suggested by that page. IIRC, I came to this conclusion long before I migrated to Qubes OS in 2014. 
Yes, but even if you don't skip backing up templates, just being able to include them in different backup sets and being able to back them up at different frequencies is handy. Another interesting point. Currently, I just back up all my VMs weekly. If I were to try to improve that, rather than set different frequencies for different VMs, I'd be more likely to try to find a solution to back up each VM incrementally so I can afford to back up all of them more frequently. In the past, I've seen some discussions of how to do this without significantly increasing the attack surface, but I don't have the links on hand. There's an open issue for this: https://github.com/QubesOS/qubes-issues/issues/858 Though I suppose the more general observation underlying my original proposal was that if the process to generate the system volume from that of the main TemplateVM is automated and reasonably fast, then there's the option to run it on every boot of the TemplateBasedVM rather than persisting a separate system volume at all. I can't speak to that. My experience has led me to keep things simple and in line with intended functionality, since I've found that erecting elaborate custom processes that aren't necessarily supported by the underlying system results in too high of a maintenance burden for me in the future. I personally am not worried about this. While I was waiting for https://github.com/QubesOS/qubes-gui-agent-linux/pull/107 to be merged, rather than build a custom RPM and install it in my template, I elected to set up a script that ran on every boot of the TemplateBasedVM in which I wanted the functionality and overwrote module-vchan-sink.so with my custom-built one. Maybe modifying the template would have been better, but modifying the TemplateBasedVM on every boot did work. Installing RPMs on boot differs only in degree. 
Matt -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?
On 11/18/20 5:54 AM, Matt McCutchen wrote: I have the honor of a response from Andrew! :) :D On Tue, 2020-11-17 at 20:57 -0800, Andrew David Wong wrote: For me, the advantage of TemplateVMs over StandaloneVMs (even if there's only one TemplateBasedVM based on the TemplateVM) is that it's easier to update the TemplateVM and back up the TemplateBasedVM. I assumed the update process was the same for a TemplateVM or a StandaloneVM (though I've never tried the latter), It mostly is, but I personally find it easier to be able to update and install packages in the TemplateVM separately from the TemplateBasedVM. There's also the minor fact that I can update all of my templates with a single qubesctl command, whereas StandaloneVMs would be left out. Oh, and there's also a bit of a security benefit, which I forgot to mention: https://www.qubes-os.org/doc/templates/#note-on-treating-templatebasedvms-root-filesystem-non-persistence-as-a-security-feature and for backups, I can select any set of VMs in the Qube Manager. Perhaps you're pointing out that if the system volume of the desired AppVM is easy enough to recreate that it's not worth backing up, then using a TemplateVM + TemplateBasedVM rather than a StandaloneVM makes it possible to skip the backup? Interesting point. Yes, but even if you don't skip backing up templates, just being able to include them in different backup sets and being able to back them up at different frequencies is handy. There was a forum discussion about this recently: https://qubes-os.discourse.group/t/backups-with-a-single-archive-per-qube/1328/ Though I suppose the more general observation underlying my original proposal was that if the process to generate the system volume from that of the main TemplateVM is automated and reasonably fast, then there's the option to run it on every boot of the TemplateBasedVM rather than persisting a separate system volume at all. I can't speak to that. 
My experience has led me to keep things simple and in line with intended functionality, since I've found that erecting elaborate custom processes that aren't necessarily supported by the underlying system results in too high of a maintenance burden for me in the future. -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Automatic updating of extra RPMs from add-on repos in Fedora template-based VMs?
On 11/15/20 2:10 PM, Matt McCutchen wrote: Hi Steve, Thanks for your thoughtful response! On Sun, 2020-11-15 at 16:31 -0500, Steve Coleman wrote: My way of dealing with it is to just clone your pristine fedora-32 template and add the required packages to that template clone, then create an AppVM that uses that template. This way you limit any potential data loss or damage to just that one AppVM which you then use whenever you need one of those proprietary apps. Same here. The question now is what data would they share in that AppVM and is it reasonable for them to share the same AppVM? If the answer is yes then there is no problem. If no, then create another AppVM based on the same template for the other app. For proprietary apps packaged by their vendors, I don't trust the package installation scripts any more than the apps themselves. Thus, if I wouldn't be willing to run two apps in the same VM, I wouldn't be willing to install both apps in the same template either. This being so, the approach you suggest degenerates to the StandaloneVM approach I mentioned. (At the other extreme, if the apps were packaged by an entity that I trust to ensure that no proprietary code runs without user consent, then I could just install the packages in my main template and the whole problem would go away. Is there an intermediate scenario in which having a second template shared by multiple AppVMs is useful?) For me, the advantage of TemplateVMs over StandaloneVMs (even if there's only one TemplateBasedVM based on the TemplateVM) is that it's easier to update the TemplateVM and back up the TemplateBasedVM. The downside is you now have to update two templates instead of one, but that of course can be automated. While I could probably get used to kicking off the dnf upgrade in all templates and letting it run unattended (it's often slow), I just let it run overnight. 
my bigger concern is the custom tools and configuration changes in my main template that aren't currently packaged for dnf. I could probably package them and/or do without some of them in some proprietary-app VMs, but I think that would end up being a bigger hassle than developing and using my proposed tool. No need. Just make your changes in one template, then clone that template as needed. That way, you only have to make the changes once. Also, I'm low on disk space and making many templates would make it worse, though maybe it's time that I just bought a bigger disk. If you use minimal templates, even having a lot of them doesn't take up much space. How many specialized AppVMs you create is then based on your own risk/benefit analysis. I would think it's reasonable for instance to have Zoom and Skype share the same memory space unless the topics discussed in each app are highly confidential. You're probably right that the additional risk of sharing a VM between Zoom and Skype (for example) is small compared to the other unsolved security problems I currently have. However, inasmuch as I continue to use the proprietary apps, I'd be more inclined to just develop the tool to automate the use of separate VMs (anticipating that other people might reuse it) than to address this question. Matt -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Errors updating Fedora 30 template
On 11/11/20 11:37 AM, Shawn Creighton wrote: I figured out why sys-whonix wasn't working; because I never completed the connection wizard that pops up at every boot. I usually don't use whonix/tor to connect to the internet so I just never completed the prompts. I did however already update dom0 as I said using the sys-firewall connection for the UpdateVM. Wondering if that is safe or if I should do a fresh install and update it the proper way. From a pure Qubes security perspective, it is normal and safe to update via sys-firewall (clearnet) rather than sys-whonix (Tor). Updating via Tor can provide some additional protection from targeted attacks, but it is not necessary (in the sense that the Qubes security model neither assumes nor requires the use of Tor). However, *if* you need the privacy that Tor provides (e.g., because you live under a totalitarian regime that may wish to harm you if they find out that you're using Qubes or any of the software that comes included with Qubes), then it is not safe, since a clearnet connection provides practically no privacy compared to Tor. Page loading seems to be a bit slower now than before I updated dom0. Is that typical? It depends on which updates you installed, but generally no. On Tuesday, November 10, 2020 at 11:33:57 PM UTC-6 Shawn Creighton wrote: No modifications, it gives me those errors even with a fresh install when trying to use sys-whonix as the updatevm. I changed the UpdateVM from sys-whonix to sys-firewall and was able to update Dom0 Is that safe? 
On Sunday, November 8, 2020 at 9:06:42 PM UTC-6 a...@qubes-os.org wrote: On 11/8/20 12:29 AM, Shawn Creighton wrote: On Sunday, November 8, 2020 at 2:31:25 AM UTC-5 a...@qubes-os.org wrote: On 11/7/20 11:24 PM, Shawn Creighton wrote: On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote: On 11/7/20 7:25 PM, Shawn Creighton wrote: On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote: I tried running 'dnf install qubes-template-fedora-32' as root and get: Failed to synchronize cache for repo 'qubes-dom0-cached', disabling. No package qubes-template-fedora-32 available Error: unable to find a match Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the same output `sudo qubes-dom0-update qubes-template-fedora-32` is the command you want. The update script wraps all installs and updates in Dom0 on Qubes. "Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again" Make sure you're running this command in dom0, not in a TemplateVM. https://www.qubes-os.org/doc/templates/fedora/#installing The terminal I am running from the upper left corner menu says dom0 When I run the command it says: Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time But then the cannot retrieve repository metadata (repomd.xml) for repository: fedora. error Based on your other posts in addition to this, it sounds like there may be a problem with your internet connection, proxy settings, or UpdateVM. Can you access the internet normally from, e.g., a web browser in an AppVM? Internet is working ok in all AppVm. 
I tried updating a qube by clicking the UpdateVM blue arrow in Qubes Manager and I get: Curl error (56): failure when receiving data from peer[Received HTTP code 500 from proxy after Connect] Someone said something about using a VPN to get around it but that's a whole other issue to get that working I also read a post about editing something so the repositories use a http connection rather than https but haven't tried that Definitely sounds like some kind of network-related issue (possibly including firewall, updates proxy, etc.). Have you made any modifications to your system that might affect these things? Did anything else happen at the same time that it stopped working? -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
[qubes-users] Known bug: TemplateVM updates failing (fix in testing)
Dear Qubes Community,

We are aware of a bug that prevents TemplateVMs from updating normally:
https://github.com/QubesOS/qubes-issues/issues/6188

When attempting to update a TemplateVM, this bug results in a traceback mentioning qubes-vm-connector, like this:

```
: --
_error: Failed to return clean data
retcode: 1
stderr:
Traceback (most recent call last):
  File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 101, in
    sys.exit(main())
  File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 94, in main
    return ssh(args)
  File "/usr/lib/qubes-vm-connector/ssh-wrapper/ssh", line 29, in ssh
    assert args[1] == '/bin/sh'
AssertionError
stdout:
```

This bug has already been fixed, but the fix is currently in testing. If you wish to help us test this fix, please see the comments on the issue linked above for specific instructions, package names, and package versions for each Qubes release and TemplateVM.

For more information about testing updates, including the expected timeline for updates to migrate from testing to stable, please see:
https://www.qubes-os.org/doc/testing/#updates

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] How to install Maple in a Fedora-30 template in Qubes OS R4.0 ?
On 11/9/20 8:59 AM, 'M' via qubes-users wrote: I have received this file from an administrator at my workplace: "Maple2020.1LinuxX64Installer.run" which I have downloaded to my work domain. My question is then: How can I install Maple in a Fedora-30 template in Qubes OS R4.0. ... ? Please note that Fedora 30 reached EOL a long time ago: https://www.qubes-os.org/news/2020/04/30/fedora-31-template-available/ And Fedora 31 is also approaching EOL: https://www.qubes-os.org/news/2020/10/27/fedora-31-approaching-eol/ -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes
On 11/9/20 6:34 AM, pillule wrote: On Tue, Nov 03 2020, 'src11' via qubes-users wrote: Why am I not able to delete unused qubes? I tried but they're still there. Sometimes you need to do `qvm-prefs [VM-NAME] installed_by_rpm false' before `qvm-remove' it -- If it's a TemplateVM that was installed by RPM, you can also do `sudo dnf remove ` in dom0. -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org
Re: [qubes-users] Errors updating Fedora 30 template
On 11/8/20 12:29 AM, Shawn Creighton wrote:
> On Sunday, November 8, 2020 at 2:31:25 AM UTC-5 a...@qubes-os.org wrote:
>> On 11/7/20 11:24 PM, Shawn Creighton wrote:
>>> On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote:
>>>> On 11/7/20 7:25 PM, Shawn Creighton wrote:
>>>>> On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:
>>>>>>> I tried running 'dnf install qubes-template-fedora-32' as root and get:
>>>>>>> Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
>>>>>>> No package qubes-template-fedora-32 available
>>>>>>> Error: unable to find a match
>>>>>>> Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the same output
>>>>>>
>>>>>> `sudo qubes-dom0-update qubes-template-fedora-32` is the command you want. The update script wraps all installs and updates in Dom0 on Qubes.
>>>>>
>>>>> "Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again"
>>>>
>>>> Make sure you're running this command in dom0, not in a TemplateVM.
>>>> https://www.qubes-os.org/doc/templates/fedora/#installing
>>>
>>> The terminal I am running from the upper left corner menu says dom0
>>> When I run the command it says: Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time
>>> But then the cannot retrieve repository metadata (repomd.xml) for repository: fedora. error
>>
>> Based on your other posts in addition to this, it sounds like there may be a problem with your internet connection, proxy settings, or UpdateVM. Can you access the internet normally from, e.g., a web browser in an AppVM?
>
> Internet is working ok in all AppVm.
> I tried updating a qube by clicking the UpdateVM blue arrow in Qubes Manager and I get:
> Curl error (56): failure when receiving data from peer[Received HTTP code 500 from proxy after Connect]
> Someone said something about using a VPN to get around it but that's a whole other issue to get that working
> I also read a post about editing something so the repositories use a http connection rather than https but haven't tried that

Definitely sounds like some kind of network-related issue (possibly including firewall, updates proxy, etc.). Have you made any modifications to your system that might affect these things? Did anything else happen at the same time that it stopped working?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Errors updating Fedora 30 template
On 11/7/20 11:24 PM, Shawn Creighton wrote:
> On Saturday, November 7, 2020 at 11:55:47 PM UTC-5 a...@qubes-os.org wrote:
>> On 11/7/20 7:25 PM, Shawn Creighton wrote:
>>> On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:
>>>>> I tried running 'dnf install qubes-template-fedora-32' as root and get:
>>>>> Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
>>>>> No package qubes-template-fedora-32 available
>>>>> Error: unable to find a match
>>>>> Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the same output
>>>>
>>>> `sudo qubes-dom0-update qubes-template-fedora-32` is the command you want. The update script wraps all installs and updates in Dom0 on Qubes.
>>>
>>> "Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again"
>>
>> Make sure you're running this command in dom0, not in a TemplateVM.
>> https://www.qubes-os.org/doc/templates/fedora/#installing
>
> The terminal I am running from the upper left corner menu says dom0
> When I run the command it says: Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time
> But then the cannot retrieve repository metadata (repomd.xml) for repository: fedora. error

Based on your other posts in addition to this, it sounds like there may be a problem with your internet connection, proxy settings, or UpdateVM. Can you access the internet normally from, e.g., a web browser in an AppVM?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Errors updating Fedora 30 template
On 11/7/20 7:25 PM, Shawn Creighton wrote:
> On Saturday, November 7, 2020 at 6:26:13 PM UTC-5 Jarrah wrote:
>>> I tried running 'dnf install qubes-template-fedora-32' as root and get:
>>> Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.
>>> No package qubes-template-fedora-32 available
>>> Error: unable to find a match
>>> Also tried: sudo qubes-dom0-install qubes-template-fedora-32 and get the same output
>>
>> `sudo qubes-dom0-update qubes-template-fedora-32` is the command you want. The update script wraps all installs and updates in Dom0 on Qubes.
>
> "Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again"

Make sure you're running this command in dom0, not in a TemplateVM.

https://www.qubes-os.org/doc/templates/fedora/#installing

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes
On 11/7/20 5:35 PM, unman wrote:
> On Sat, Nov 07, 2020 at 12:50:52PM -0800, Shawn Creighton wrote:
>> When trying to delete I go to the qube -> qube settings -> delete qube -> type name of qube -> press enter
>> Doesn't delete it though
>>
>> On Tuesday, November 3, 2020 at 6:04:44 PM UTC-5 a...@qubes-os.org wrote:
>>> On 11/3/20 8:57 AM, 'src11' via qubes-users wrote:
>>>> How do I update Firefox to the latest version in a disposable qube?
>>>
>>> Generally, you update it in the TemplateVM:
>>> https://www.qubes-os.org/doc/software-update-domu/#updating-software-in-templatevms
>>>
>>>> How do I create a new disposable qube?
>>>
>>> https://www.qubes-os.org/doc/disposablevm/
>>>
>>>> Why am I not able to delete unused qubes? I tried but they're still there.
>>>
>>> What exactly did you do, and what exactly was the behavior you observed?
>
> If you open a terminal in dom0 and type `qvm-delete ` you

Minor typo: Should be `qvm-remove` rather than `qvm-delete`. (Pointing out for Shawn.)

> will either delete the qube or see an error message.
> You may find that the qube is not unused after all.
> Try it and report back.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
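One way to check the "not unused after all" case before running `qvm-remove`, as an added example (not part of the thread and not Qubes project code): it lists every qube or global preference that still points at the target. It assumes the `template`, `netvm` and `default_dispvm` qube properties and the `qubes-prefs` globals named in the script; the sample data and qube names are constructed.

```shell
#!/bin/sh
# Show what still points at a qube, one reason a removal can be refused.
# Triples on stdin: "<qube> <property> <value>"; the pseudo-qube "(global)"
# stands for system-wide qubes-prefs settings.

# find_references TARGET: print "<qube>.<property> -> TARGET" for every other
# entry that references TARGET; exit status 0 if any were found, 1 if none.
find_references() {
    awk -v t="$1" '
        $3 == t && $1 != t { printf "%s.%s -> %s\n", $1, $2, $3; n++ }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# collect_prefs: dom0 only. Emits the triples from the live system.
collect_prefs() {
    for vm in $(qvm-ls --raw-list); do
        for prop in template netvm default_dispvm; do
            # Not every qube class has every property; skip lookups that fail.
            val=$(qvm-prefs "$vm" "$prop" 2>/dev/null) || continue
            if [ -n "$val" ]; then echo "$vm $prop $val"; fi
        done
    done
    for prop in default_template default_netvm default_dispvm updatevm clockvm; do
        val=$(qubes-prefs "$prop" 2>/dev/null) || continue
        if [ -n "$val" ]; then echo "(global) $prop $val"; fi
    done
}

# sample_prefs: constructed data in the same format, for trying the logic
# outside dom0.
sample_prefs() {
    cat <<'EOF'
work template fedora-30
work netvm sys-firewall
sys-firewall template fedora-32
sys-firewall netvm sys-net
fedora-30-dvm template fedora-30
(global) default_template fedora-32
(global) updatevm sys-firewall
EOF
}

if [ "$#" -eq 1 ]; then
    # Live use in dom0: pass the qube name as the only argument.
    rpm=$(qvm-prefs "$1" installed_by_rpm 2>/dev/null) || rpm="n/a"
    echo "installed_by_rpm: $rpm"
    collect_prefs | find_references "$1" || echo "no references to $1 found"
else
    # Demo on the constructed sample.
    sample_prefs | find_references fedora-30 || echo "no references found"
fi
```

Each line of output names a qube or global setting to repoint before the removal; the `installed_by_rpm` line corresponds to the `qvm-prefs [VM-NAME] installed_by_rpm false` step mentioned elsewhere in this thread.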
Re: [qubes-users] how much space is what using?
On 11/5/20 7:31 AM, Stumpy wrote:
> I am trying to figure out how to claw back some space on my hard drive but am having a really hard time understanding what is taking up how much space?
>
> For example, I have one appvm that in the qubes manager is showing disk usage as 173000MiB
> sudo Baobab is showing me that / is using: 10.5gb
> and df -f is showing me that / is using 11gb with 500gb free
> and when I try to reduce private storage anything less than it is already (it is set to 55gb) the settings won't let me, I change it, hit apply and it goes back to 55gb, no matter if I try to change it by 1 or 100gb, also regardless of if I have the appvm shutdown or not?
>
> Am having a really hard time understanding this so any clarification would be appreciated!

It won't let you reduce the private storage capacity because that's a dangerous operation. The system is protecting you from yourself. :)

If you just want to free up space, simply delete stuff you don't need inside of AppVMs. That will free up space, even though the AppVM private storage capacity remains the same. That's because it's total *capacity*, not the amount of space actually being used.

If I create a brand new AppVM and immediately increase its private storage capacity to 500GB, that doesn't mean 500GB is being used. Only if I actually fill that AppVM with 500GB of data will that much actually be used on disk. Until I do that, it's just a big empty vessel.

Now, if, for some unrelated reason, you really want to try to shrink the private storage capacity (and risk losing data to do so), have a look at this documentation:

https://www.qubes-os.org/doc/resize-disk-image/#decreasing-the-size-of-disk-images

Just remember that this is not at all necessary for saving disk space, and it's probably a bad idea unless you really, really know what you're doing. Most people will never need to do this. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: Stumpy's question about contributing
Hi Stumpy,

I replied to your email, but it was returned as undelivered with a message stating that your email address is invalid ("Recipient address rejected: User unknown"), so I'm replying here on qubes-users. :)

Stumpy asked a great question about how folks can contribute aside from donating and writing code. Thanks for asking! We actually have a list of such ways right here:

https://www.qubes-os.org/doc/contributing/

Many items on this list don't require any money or programming knowledge. In particular, it's always helpful to test new releases and updates:

https://www.qubes-os.org/doc/testing/

The just-released 4.0.4-rc1 is a great opportunity to do that:

https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

However, individual package updates are also very important, and they often don't receive as much feedback as they need:

https://www.qubes-os.org/doc/testing/#providing-feedback
https://github.com/QubesOS/updates-status/issues

Thank you for your willingness to contribute!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Qubes OS 4.0.4-rc1 has been released!
Dear Qubes Community,

We're pleased to announce the first release candidate for Qubes OS 4.0.4. Qubes OS 4.0.4-rc1 includes many updates over the initial 4.0 release, in particular:

- All 4.0 dom0 updates to date
- Fedora 32 TemplateVM
- Debian 10 TemplateVM
- Whonix 15 Gateway and Workstation TemplateVMs
- Linux kernel 4.19 by default

Qubes 4.0.4-rc1 is available on the downloads page:

https://www.qubes-os.org/downloads/

What is a point release?

A point release does not designate a separate, new version of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0 and fully updating it results in the same system as installing Qubes 4.0.4.

What should I do?

- If you installed Qubes 4.0, 4.0.1, 4.0.2, or 4.0.3 and have fully updated [1], then your system is already equivalent to a Qubes 4.0.4 installation. No further action is required.

Regardless of your current OS, if you wish to install (or reinstall) Qubes 4.0 for any reason, then the 4.0.4 ISO makes this more convenient and secure, since it bundles all Qubes 4.0 updates to date. Please see the installation guide [2] for detailed instructions.

If you're willing to test [3] this release candidate, you can help to improve the stable release by reporting any bugs you encounter [4].

Release candidate planning

If no major issues are discovered in 4.0.4-rc1, we expect to announce the stable release of 4.0.4 in a couple weeks.

[1] https://www.qubes-os.org/doc/updating-qubes-os/
[2] https://www.qubes-os.org/doc/installation-guide/
[3] https://www.qubes-os.org/doc/testing/
[4] https://www.qubes-os.org/doc/reporting-bugs/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki
On 11/4/20 3:18 AM, Frédéric Pierret wrote:
> On 11/4/20 at 11:39 AM, Stumpy wrote:
>> On 11/3/20 6:00 PM, Andrew David Wong wrote:
>>> On 11/3/20 7:48 AM, Stumpy wrote:
>>>> On 10/5/20 9:00 PM, Andrew David Wong wrote:
>>>>> Dear Qubes Community,
>>>>>
>>>>> Marek has just published the following announcement:
>>>>>
>>>>> https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/
>>>>>
>>>>> [...]
>>>>
>>>> So do I understand this currently is only available for Fed31? and not 32?
>>>
>>> I don't recall hearing that anywhere, and I can think of no reason why it would be true.
>>>
>>>> That was mentioned in one of the chat rooms but if true, and Fed31 is reaching EOL is there an ETA on when the contributed-packages will be available for Fed32?
>>>
>>> As far as I know, the repos should already work on Fedora 32. For the compatibility of the packages themselves, you'll have to check the package details, but I imagine that most, if not all, should be compatible.
>>>
>>> P.S. -- Please don't reply to multiple lists.
>>
>> Thank you, I will give it a try again. I just asked because I was able to get it to work with Fed31 but not Fed32 (tried Fed32 when the com packages were first made available).
>>
>> Regarding the replies, my apologies, I just mindlessly clicked "reply all".
>
> No worries. Packages should be available (or almost) for Fedora 32. Please note this is a community effort. Authors of contribution packages are kindly asked to help in maintaining or fixing build issues. Any package normally has a Github issue. I'm currently referencing all packages with extra info in a JSON here: https://github.com/QubesOS-contrib/qubes-contrib-configs/blob/master/packages.json.
>
> Regards,
> Frédéric

Also, a reminder that *anyone* can update a contrib package, not just the contributor of that package:

https://www.qubes-os.org/doc/package-contributions/#update-procedure

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes R4.1 Release Schedule
On 11/4/20 4:52 AM, load...@gmail.com wrote:
> Hi everyone,
>
> Does anybody know where is Release Schedule for Qubes R4.1 ?
>
> All what I found is https://www.qubes-os.org/doc/releases/4.0/schedule/

There isn't one yet, but we're working on it. Stay tuned. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Updating a disposable qube / Can't delete unused qubes
On 11/3/20 8:57 AM, 'src11' via qubes-users wrote:
> How do I update Firefox to the latest version in a disposable qube?

Generally, you update it in the TemplateVM:

https://www.qubes-os.org/doc/software-update-domu/#updating-software-in-templatevms

> How do I create a new disposable qube?

https://www.qubes-os.org/doc/disposablevm/

> Why am I not able to delete unused qubes? I tried but they're still there.

What exactly did you do, and what exactly was the behavior you observed?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki
On 11/3/20 7:48 AM, Stumpy wrote:
> On 10/5/20 9:00 PM, Andrew David Wong wrote:
>> Dear Qubes Community,
>>
>> Marek has just published the following announcement:
>>
>> https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/
>>
>> [...]
>
> So do I understand this currently is only available for Fed31? and not 32?

I don't recall hearing that anywhere, and I can think of no reason why it would be true.

> That was mentioned in one of the chat rooms but if true, and Fed31 is reaching EOL is there an ETA on when the contributed-packages will be available for Fed32?

As far as I know, the repos should already work on Fedora 32. For the compatibility of the packages themselves, you'll have to check the package details, but I imagine that most, if not all, should be compatible.

P.S. -- Please don't reply to multiple lists.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: HCL - intel NUC10i7FNK
On 10/31/20 11:55 PM, Alex Smirnoff wrote:
> I had to update it first. Also, removed rhgb to get around the password prompt bug.
>
> What an amazing system! I installed it to evaluate if it is suitable for our company environment and instantly fell in love with it. However, the answer to my main question is still "no" :(. Unless we buy certified hardware for everyone, at least,

If certified hardware is prohibitive for your company, you might investigate the ThinkPad X and T series within the past few years, beginning around the time of the X1 Carbon Gen 5. There may be certain problems (e.g., AEM or suspend not working), but they might still work well enough, depending on what your needs are.

> and some of us badly need properly working Win10 guest with seamless desktop app integration and clipboard :(

Depending on why Win10 VMs are needed, there might be alternatives available, e.g., cloud apps or a Windows machine on your local network that can be accessed remotely from the Qubes machines.

> On Friday, October 30, 2020 at 9:28:26 PM UTC+2 Ludovic Bellier wrote:
>> On 30/10/2020 at 19:52, Alex Smirnoff wrote:
>>> Now, that's strange! my dom0 is on the latest kernel, but sys-net is not, so, no network there.
>>
>> It's normal, all VMs keep the default kernel, not the latest.
>>
>> You should change the sys-net VM kernel to latest:
>> - open Qube Manager
>> - select sys-net
>> - right click, choose Qube-settings
>> - Advanced tab, change the kernel to 5.x.x
>> - Apply and restart sys-net

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] [PoC] Qubes SleepKeeper - auto shutdown your Qubes if no password entered after wake up
On 10/30/20 5:51 AM, evado...@gmail.com wrote:
> interesting but threat model unclear. If the attacker can force you to enter one password after suspend, why would he not force you to enter LUKS and user password 5 minutes later?
>
> There are a lot of more attack vectors when system is booted and only protected by xscreensaver. The attacker can use some hardware backdoors, xscreensaver bugs/backdoors/kill it to receive access: dump your memory on hardware level, receive access to memory from vulnerable hardware, guess screensaver password etc.
> If the system will automatically shutdown then there is only one attack vector: LUKS password

There's no disagreement that shut down is more secure than suspended, but the devil is in the details. How exactly is it supposed to work?

1. Attacker forces you to wake up computer (e.g., open laptop lid).
2. Attacker forces you to enter password.
3. You enter incorrect password?
4. Attacker tells you to enter correct password this time?
5. Qubes shuts down because it's been too long?

Why not just have an alternate passphrase that, when entered, shuts down the PC (or, as you suggest, wipes the LUKS header)? Why a timer? Perhaps the alternate passphrase, when entered, also sends out an SOS message?

> Friday, October 30, 2020 at 07:54:14 UTC, haa...@web.de:
>> On 10/29/20 11:06 PM, evado...@gmail.com wrote:
>>> Proof of Concept. github.com/evadogstar/qubes-sleepkeeper
>>> Qubes-Sleepkeeper protects you from physical attack when the attacker force you to enter the password of your Qubes after it wakeup from sleep or from password guessing after wakeup. The attacker have very limited time to do so or Qubes will shutdown automatically.
>>
>> Interesting but threat model unclear. If the attacker can force you to enter one password after suspend, why would he not force you to enter LUKS and user password 5 minutes later? Please explain.
>> Rather an evil maid "attempt detection" (not protection) by "laptop is down instead of sleeping"?
>> I think it really could help as additional data protection in case of normal, criminal theft...

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Fedora 31 approaching EOL
Dear Qubes Community,

Fedora 33 was released today [1], 2020-10-27. According to the Fedora Release Life Cycle [2], this means that Fedora 31 is scheduled to reach EOL (end-of-life [3]) in approximately four weeks, around 2020-11-24 [4].

We strongly recommend that all Qubes users upgrade their Fedora 31 TemplateVMs and StandaloneVMs to Fedora 32 or higher before Fedora 31 reaches EOL.

We provide step-by-step upgrade instructions for upgrading Fedora TemplateVMs [5]. For a complete list of TemplateVM versions supported for your specific version of Qubes, see Supported TemplateVM Versions [6].

We also provide a fresh Fedora 32 TemplateVM package through the official Qubes repositories, which you can install in dom0 by following the standard installation instructions [7].

After upgrading your TemplateVMs, please remember to switch all qubes that were using the old template to use the new one [8].

Please note that no user action is required regarding the OS version in dom0. For details, please see our note on dom0 and EOL [9].

[1] https://fedoramagazine.org/announcing-fedora-33/
[2] https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
[3] https://fedoraproject.org/wiki/End_of_life
[4] https://www.timeanddate.com/date/dateadded.html?m1=10=27=2020=add===4==
[5] https://www.qubes-os.org/doc/template/fedora/upgrade/
[6] https://www.qubes-os.org/doc/supported-versions/#templatevms
[7] https://www.qubes-os.org/doc/templates/fedora/#installing
[8] https://www.qubes-os.org/doc/templates/#switching
[9] https://www.qubes-os.org/doc/supported-versions/#note-on-dom0-and-eol

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/10/27/fedora-31-approaching-eol/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: QSB #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347)
On 10/22/20 2:19 AM, 54th Parallel wrote:
>> XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or sys-usb in the default configuration) could try to exploit this vulnerability in order to crash the host.
>
> Just wanted to point out that there's a very minor typo here ('XSA-457').

Thank you for pointing out the typo. We'll make sure this gets fixed in the repo and website versions.

> Also, since the last QSB was posted on Discourse, I was wondering if this should be too.

It's automatic, but there might be a delay.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] XSAs 286, 331, 332, and 345 do not affect the security of Qubes OS
Dear Qubes Community,

The Xen Project has published the following Xen Security Advisories: XSA-286, XSA-331, XSA-332, and XSA-345. These XSAs do *not* affect the security of Qubes OS, and no user action is necessary.

*Special note:* Although XSA-345 is included in QSB #060 [1], we do not consider XSA-345 to affect the security of Qubes OS, since the default configuration is safe, and we have already implemented appropriate safeguards to prevent users from changing to a vulnerable configuration by accident. Please see the Impact section of QSB #060 [1] for further details.

[1] https://www.qubes-os.org/news/2020/10/20/qsb-060/

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#286
https://www.qubes-os.org/security/xsa/#331
https://www.qubes-os.org/security/xsa/#332
https://www.qubes-os.org/security/xsa/#345

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/10/20/xsa-286-331-332-345-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #060: Multiple Xen issues (XSA-345, XSA-346, XSA-347). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

*Special note:* Although XSA-345 is included in this QSB, we do not consider XSA-345 to affect the security of Qubes OS [1], since the default configuration is safe, and we have already implemented appropriate safeguards to prevent users from changing to a vulnerable configuration by accident. Please see the Impact section in QSB #060 below for further details.

[1] https://www.qubes-os.org/news/2020/10/20/xsa-286-331-332-345-qubes-not-affected/

View QSB #060 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-060-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View the associated XSAs in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#345
https://www.qubes-os.org/security/xsa/#346
https://www.qubes-os.org/security/xsa/#347

```
---===[ Qubes Security Bulletin #60 ]===---

2020-10-20

Multiple Xen issues (XSA-345, XSA-346, XSA-347)

Summary

On 2020-10-20, the Xen Security Team published the following Xen Security Advisories (XSAs):

XSA-345 [1] "x86: Race condition in Xen mapping code":
| The Xen code handling the updating of the hypervisor's own pagetables
| tries to use 2MiB and 1GiB superpages as much as possible to maximize
| TLB efficiency. Some of the operations for checking and coalescing
| superpages take non-negligible amount of time; to avoid potential lock
| contention, this code also tries to avoid holding locks for the entire
| operation.
|
| Unfortunately, several potential race conditions were not considered;
| precisely-timed guest actions could potentially lead to the code
| writing to a page which has been freed (and thus potentially already
| reused).
|
| A malicious guest can cause a host denial-of-service. Data corruption
| or privilege escalation cannot be ruled out.

XSA-346 [2] "undue deferral of IOMMU TLB flushes":
| To efficiently change the physical to machine address mappings of a
| larger range of addresses for fully virtualized guests, Xen contains
| an optimization to coalesce per-page IOMMU TLB flushes into a single,
| wider flush after all adjustments have been made. While this is fine
| to do for newly introduced page mappings, the possible removal of
| pages from such guests during this operation should not be "optimized"
| in the same way. This is because the (typically) final reference of
| such pages is dropped before the coalesced flush, and hence the pages
| may have been put to a different use even though DMA initiated by
| their original owner might still be in progress.
|
| A malicious guest might be able to cause data corruption and data
| leaks. Host or guest Denial of Service (DoS), and privilege
| escalation, cannot be ruled out.

XSA-347 [3] "unsafe AMD IOMMU page table updates":
| AMD IOMMU page table entries are updated in a step by step manner,
| without regard to them being potentially in use by the IOMMU.
| Therefore it was possible that the IOMMU would read and then use a
| half-updated entry. Furthermore, updates to Device Table entries
| lacked suitable ordering enforcement for certain steps involved in
| these updates.
|
| In both case the specific outcome heavily depends on how exactly the
| compiler translated the affected pieces of code.
|
| A malicious guest might be able to cause data corruption and data
| leaks. Host or guest Denial of Service (DoS), and privilege
| escalation, cannot be ruled out.

Impact
===

XSA-345: The default Qubes configuration is safe. Shadow mode for HVM and PVH domains is disabled at build time, and domains that have PCI devices run in HVM mode by default. Therefore, we do not consider this XSA to affect the security of Qubes OS. However, we are including it in this QSB anyway since it is technically possible for the user to manually change a domain that has PCI devices from HVM to PV, which would result in a configuration that is vulnerable to this issue.

Having anticipated the risk associated with such a manual change, we have already implemented appropriate safeguards. In the Qubes GUI for changing VM settings, the user would have to go to the "Advanced" tab in order to change the setting from HVM to PV. Upon making the change, the user would immediately be confronted with a warning in bold red text that reads, "Using PV mode exposes more hypervisor attack surface!" Therefore, it is nearly impossible users would switch to the vulnerable configuration by accident.

XSA-346, XSA-457: A malicious domain with a PCI device (e.g., sys-net or sys-usb in the default
```
Re: [qubes-users] Installing Qubes OS contributed packages? (rofi and tunnel packages)
On 10/19/20 9:58 AM, Stumpy wrote:
> On 10/17/20 6:17 PM, Jarrah wrote:
>>> I just tried to install qubes-tunnel in a fedora template and that also didn't work,
>>>
>>> sudo dnf install qubes-repo-contrib && sudo dnf install qubes-tunnel
>>
>> Try with `dnf install --refresh --enablerepo=qubes-repo-contrib qubes-tunnel`. It may be that either the new metadata hasn't come down (happens a lot on Debian, not so much fedora) or the repo isn't enabled by default in the package.
>
> Thanks for the suggestion, I get pretty much the same kind of error (in the template and in dom0 when trying to install rofi)
>
> bash-5.0# sudo dnf install --refresh --enablerepo=qubes-repo-contrib qubes-tunnel
> Error: Unknown repo: 'qubes-repo-contrib'
>
> yet when I installed something (Sakura in this case) it clearly showed it was checking the contrib repo in addition to the other repos?

1. The reason you're getting "Error: Unknown repo" is that the repository name is not "qubes-repo-contrib". Rather, the name depends on your Qubes release and whether it is in dom0 or a TemplateVM. For example, in a Fedora VM on Qubes 4.0, the new repository is:

   /etc/yum.repos.d/qubes-contrib-vm-r4.0.repo

2. After I installed the repository in a Fedora VM, I checked and found that it was already enabled, so --enablerepo is unnecessary.

3. I then tried to install the "qubes-tunnel" package in the same VM. Even though dnf reported that the contrib repo was checked, the "qubes-tunnel" package was not found.

So, I can at least partially reproduce this. However, I don't know whether this problem is specific to the "qubes-tunnel" package. I suggest filing a bug report.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
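Added example, not part of the original thread: the reply above explains that `--enablerepo` fails because the repository is not named after the `qubes-repo-contrib` package, and dnf matches that option against the section IDs inside the installed `.repo` files. The script below lists those IDs and their enabled state for a repos directory; the function names and the section IDs in the sample file are constructed for illustration and are not the real Qubes ones (on a live system `dnf repolist --all` reports the same information).

```shell
#!/bin/sh
# Added example: find the repository IDs that dnf will accept for
# --enablerepo by reading the [section] headers of *.repo files.

# list_repo_ids DIR
# Prints one line per repository: "<id> <enabled|disabled> <file>".
# A section without an "enabled" key counts as enabled (the dnf default).
list_repo_ids() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function emit() {
                if (id != "") print id, (en == "0" ? "disabled" : "enabled"), file
            }
            # skip comment lines
            /^[ \t]*[#;]/ { next }
            # a new [section] starts: report the previous one, reset state
            /^[ \t]*\[.*\]/ {
                emit()
                id = $0
                sub(/^[ \t]*\[/, "", id)
                sub(/\].*$/, "", id)
                en = "1"
                next
            }
            # enabled = 0 / false / no turns the repository off
            /^[ \t]*enabled[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)
                sub(/[ \t\r]*$/, "", v)
                v = tolower(v)
                en = (v == "0" || v == "false" || v == "no") ? "0" : "1"
                next
            }
            END { emit() }
        ' "$f"
    done
}

# repo_id_known DIR ID
# Succeeds only if ID is defined in DIR, i.e. --enablerepo=ID would not
# end in "Error: Unknown repo".
repo_id_known() {
    list_repo_ids "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# make_sample_repo_dir
# Builds a constructed repos directory and prints its path. The file name
# is the one quoted in the thread; the section IDs are placeholders.
make_sample_repo_dir() {
    d=$(mktemp -d)
    cat > "$d/qubes-contrib-vm-r4.0.repo" <<'EOF'
# constructed sample, section IDs are placeholders
[example-contrib-current]
name = Example contrib repository
enabled = 1

[example-contrib-testing]
name = Example contrib repository (testing)
enabled=0
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed directory; pass /etc/yum.repos.d to
# list_repo_ids instead to inspect a real template.
sample=$(make_sample_repo_dir)
list_repo_ids "$sample"
if ! repo_id_known "$sample" qubes-repo-contrib; then
    echo "qubes-repo-contrib is a package name, not a repository ID"
fi
rm -rf "$sample"
```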
Re: [qubes-users] Calling all humans! (from Nina)
On 10/12/20 1:01 PM, tetrahedra via qubes-users wrote:
> On Sun, Oct 11, 2020 at 11:42:27PM +0500, Stumpy wrote:
>> Thanks for this, I have filled it out and volunteered but really really really wanted to iterate one big (for me) point, and that is include at least some of the things listed in the documentation as an option in the setup.
>
> Side idea: include the documentation in the base install! And then it's easier to point to the relevant bits of the documentation post-install...

This is already in the works. :)

https://github.com/QubesOS/qubes-issues/issues/1019

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] How to burn directories to an optical disc in Qubes OS 4.0.3 by using an application?
On 10/12/20 2:27 AM, 'M' via qubes-users wrote:
> How to burn directories to an optical disc in Qubes OS 4.0.3 by using an application?
>
> Which application is recommended and how to install it?
>
> I have read this: https://www.qubes-os.org/doc/optical-discs/

Since you didn't specify, I'll assume you're talking about using a USB optical drive inside of a standard qube, which is the least problematic route.

This sounds like a general Linux question, so you might be able to find some helpful existing answers by searching more generally. For example, if you want to do this in a Fedora qube, you might try searching for recommended disc burning software for Fedora in general. (Of course, there's nothing wrong with also asking here. Just pointing out an additional option.)

As for how to install it, most likely the standard way:

https://www.qubes-os.org/doc/software-update-domu/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Calling all humans! (from Nina)
[The following message is from Nina Eleanor Alter, our UX specialist.]

Greetings, Qubes community!

We are running our first ever survey of current, former, and future Qubes OS users. We invite you all to lend us 10-15min of your time, to participate.

https://survey.qubes-os.org/index.php?r=survey/index=791682=en

The Qubes OS team loves the conversations we have with our community across forums, email lists, in support tickets, and at conferences. As most of us understand, though, structured data is very different -- and clear information to help us make product and development decisions in the weeks and months to come, we feel is necessary to best serve our users.

This survey is also just the beginning of several weeks of user research work that will consist of interviews, user testing, co-creation workshop(s) with users guided by a ux specialist, and possibly more surveys. At the end of this survey, we’ll collect contact information should participating in that work be of interest to folks. We also look forward to keeping folks updated in our user communities, with how all of this work is progressing.

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/10/09/calling-all-humans/
[qubes-users] Known issue: Qubes extension not yet working with Thunderbird 78
Dear Qubes Community,

Many of you are upgrading to Thunderbird 78. The Qubes Thunderbird extension, which allows you to easily open attachments in DisposableVMs, has not yet been updated to work with this new Thunderbird release. You can find the details in this bug report:

https://github.com/QubesOS/qubes-issues/issues/5861

However, while you wait for the extension to be updated, it is important to understand that this extension is purely for convenience. It is not required to do anything. You can do everything that the extension does manually. For example, to view an email attachment in a DisposableVM:

1. Save the attachment in your email VM.
2. Open the file manager in your email VM (e.g., nautilus).
3. Right-click on the attachment and select "View in DisposableVM."

The extension makes this more convenient by automating the process, but it doesn't do anything that you can't do yourself. Nonetheless, we are working on upgrading the extension as soon as reasonably possible.

Further discussion can be found on this forum thread:

https://qubes-os.discourse.group/t/thunderbird-qubes-attachments/865/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki
On 10/7/20 2:24 PM, evado...@gmail.com wrote:
> Nice!
>
> P.S. old version of qubes-screenshot-tool in repo. There is already next version available. Could you please update the package?

The procedure is explained here:

https://www.qubes-os.org/doc/package-contributions/#update-procedure

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Updated Split GPG documentation for Thunderbird 78
On 10/7/20 3:56 AM, Andrew David Wong wrote:
> On 10/7/20 3:47 AM, Andrew David Wong wrote:
>> On 10/7/20 3:46 AM, Andrew David Wong wrote:
>>> Hi all,
>>>
>>> Many of us have recently upgraded to Thunderbird 78, which changes the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG documentation was updated a little over a week ago with detailed new instructions, including a full screenshot walk-through, for how to use Split GPG with Thunderbird 78 and higher. If you haven't already seen it, take a look:
>>>
>>> https://www.qubes-os.org/doc/split-gpg/#using-thunderbird
>>
>> By the way, if anyone figures out how to automatically sign all emails, please let me know. :)
>
> Answering my own question:
>
> Account Settings -> End-To-End Encryption -> Default settings for sending messages -> [x] Add my digital signature by default
>
> There's also an option here to require encryption by default.
>
> However, I don't see an option to use inline signatures for compatibility with our mailing lists.

Found this:

https://wiki.mozilla.org/Thunderbird:OpenPGP:Status

> -- unknown schedule --
> [...]
> sending an INLINE cleartext signed message without attachments (we don't intend to support sending other kinds of inline OpenPGP messages)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: Updated Split GPG documentation for Thunderbird 78
On 10/7/20 3:47 AM, Andrew David Wong wrote:
> On 10/7/20 3:46 AM, Andrew David Wong wrote:
>> Hi all,
>>
>> Many of us have recently upgraded to Thunderbird 78, which changes the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG documentation was updated a little over a week ago with detailed new instructions, including a full screenshot walk-through, for how to use Split GPG with Thunderbird 78 and higher. If you haven't already seen it, take a look:
>>
>> https://www.qubes-os.org/doc/split-gpg/#using-thunderbird
>
> By the way, if anyone figures out how to automatically sign all emails, please let me know. :)

Answering my own question:

Account Settings -> End-To-End Encryption -> Default settings for sending messages -> [x] Add my digital signature by default

There's also an option here to require encryption by default.

However, I don't see an option to use inline signatures for compatibility with our mailing lists.

Ok, I'm going to stop replying to both lists at the same time now.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: Updated Split GPG documentation for Thunderbird 78
On 10/7/20 3:46 AM, Andrew David Wong wrote:
> Hi all,
>
> Many of us have recently upgraded to Thunderbird 78, which changes the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG documentation was updated a little over a week ago with detailed new instructions, including a full screenshot walk-through, for how to use Split GPG with Thunderbird 78 and higher. If you haven't already seen it, take a look:
>
> https://www.qubes-os.org/doc/split-gpg/#using-thunderbird

By the way, if anyone figures out how to automatically sign all emails, please let me know. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Updated Split GPG documentation for Thunderbird 78
Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG documentation was updated a little over a week ago with detailed new instructions, including a full screenshot walk-through, for how to use Split GPG with Thunderbird 78 and higher. If you haven't already seen it, take a look:

https://www.qubes-os.org/doc/split-gpg/#using-thunderbird

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Article: "New Gentoo templates and maintenance infrastructure" by Frédéric Pierret
Dear Qubes Community,

Frédéric Pierret has just published the following article:

https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/

The plain text of this article is reproduced below.

===

"New Gentoo templates and maintenance infrastructure"
by Frédéric Pierret

_This is the third article in the "What's new in Qubes 4.1?" series. Previously: [The New Qrexec Policy System](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/) and [The GUI Domain](https://www.qubes-os.org/news/2020/03/18/gui-domain/)._

New Gentoo templates
--------------------

The work I've been doing on Gentoo templates is finally ready to be released! The corresponding issue is [#4412](https://github.com/QubesOS/qubes-issues/issues/4412), where you can find almost every related piece of work. I would like to highlight that this has been a great opportunity to collaborate with the Gentoo core team, and multiple improvements have been implemented on the Gentoo side thanks to the help of Gentoo devs **mgorny** and **zmedico**. When I encountered issues, I appreciated the quick response from several maintainers of different Gentoo components.

Why a Gentoo template?

Gentoo is designed for users who want to customize a Linux distribution to fit their specific needs. The benefit in Qubes is that it allows one to create highly customized and hardened TemplateVMs (or StandaloneVMs). For example, one could customize the Gentoo Qubes Builder to create a [ClipOS](https://clip-os.org/en/) build.

The new Gentoo templates are available in three flavors. The [default (Gnome)](https://www.qubes-os.org/doc/templates/gentoo/), [minimal](https://www.qubes-os.org/doc/templates/minimal/), and [XFCE](https://www.qubes-os.org/doc/templates/xfce/). Currently, they are available in the `qubes-templates-community-testing` repo, and they'll soon be in the `qubes-templates-community` repo.

Maintenance infrastructure
--------------------------

In order to keep the new Gentoo template in good working condition, we need a set of automated tests. The bare minimum is continually testing whether just building the template still works. Due to the nature of Gentoo, such tests require far more resources (time, CPU power) than are available for open-source projects on Travis CI (which we use for testing other templates).

We use Travis CI as a bare minimum for validating every pull request, then it generally goes to openQA. Here, the issue with Gentoo is that, by definition, it's a source distribution, so everything needs to be rebuilt. Travis allows a maximum timeout of something like 50 minutes for jobs. Simply rebuilding a Qubes component for Gentoo takes several hours (and more than half a day for each template). So, Travis is out.

I've set up in our pull request pipeline the use of a feature of Gentoo that allows us to get pre-built binaries from a mirror. For that, when I build a full template, I push a fresh repository with every package built on my mirror. But still, even when doing this, hours are needed for jobs. I didn't want to give up on this, so, after evaluating several options, I decided to set up my own self-hosted GitLab CI instance. For that, I've developed a service that I call [qubes-g2g-continuous-integration](https://github.com/fepitre/qubes-g2g-continuous-integration/), forwarding selected GitHub pull requests to my GitLab CI instance. In consequence, I can manage the allocated resources for Gentoo builds, and we now have the means to validate every pull request for each component that has been integrated into Gentoo. A check status appears on GitHub side-by-side with Travis checks for other distros where everyone can access the build logs too. Here is an [example](https://gitlab.notset.fr/fepitre-bot/qubes-app-linux-input-proxy/-/pipelines/346).

By the way, this is also what we use for automatically checking kernel pull requests.
Here is a [recent pull request](https://github.com/QubesOS/qubes-linux-kernel/pull/276). When viewing the checks, you can see the results for the kernel builds. Once again, it's because the build time is superior to what Travis allows.

Conclusion
----------

All this infrastructure is intended not only for the kernel and Gentoo, but also to help Arch Linux users. Depending on the needed resources, we could also add the longer Arch Linux jobs into my GitLab CI instance, because we currently don't properly validate the template itself.

In general, this new infrastructure allows us to create and test pipelines that require a lot of resources. Combined with Travis and openQA, we have another layer to rely on for validating and automating the building of cutting edge templates like Gentoo and Arch Linux. While the same kinds of features are available on paid GitLab plans, I preferred to
[qubes-users] Announcement: "Qubes OS contributed packages are now available" by Marek Marczykowski-Górecki
Dear Qubes Community,

Marek has just published the following announcement:

https://www.qubes-os.org/news/2020/10/05/qubes-os-contributed-packages/

The plain text of this announcement is reproduced below.

==

"Qubes OS contributed packages are now available"
by Marek Marczykowski-Górecki

We are happy to announce the availability of Qubes OS contributed packages under the [QubesOS-contrib] GitHub Project. This is a place where our community can [contribute Qubes OS related packages, additions and various customizations][package-contrib]. Meanwhile, we provide the infrastructure and [review process] necessary to make them available easily and safely to users within standard Qubes installations.

[Frédéric Pierret] built the infrastructure based on a similar setup for building official packages. This means that it features the same [Qubes build security] measures, including keeping the signing keys separate in a dedicated VM, downloading packages over Tor, publishing build logs in a non-spoofable way and more. Frédéric is also the maintainer of [QubesOS-contrib]. The source code repositories of the packages and infrastructure-related parts are also hosted under [QubesOS-contrib].

To contribute a package, follow the process described at [package contributions]. You will find a few helpful tips there, including a [skeleton repository] with example RPM packaging and [Qubes Builder] integration.

Since the project has been running for some time already, there are already some submitted packages available there. To name a few:

- [qubes-tunnel]
- [qvm-screenshot-tool]
- [qmenu]

You can find the full list at [QubesOS-contrib].

If you want to install one of these packages, first you need to enable the repository in your system (dom0 and/or templates). This can be done by installing the `qubes-repo-contrib` package. This package includes the repository definition and keys necessary to download, verify, and install [QubesOS-contrib] packages.

In dom0, use `qubes-dom0-update`:

    sudo qubes-dom0-update qubes-repo-contrib

In a Fedora-based template, use `dnf`:

    sudo dnf install qubes-repo-contrib

In a Debian-based template, use `apt`:

    sudo apt update && sudo apt install qubes-repo-contrib

[QubesOS-contrib]: https://github.com/QubesOS-contrib/
[package-contrib]: https://www.qubes-os.org/doc/package-contributions/
[review process]: https://www.qubes-os.org/doc/package-contributions/#review-procedure
[Frédéric Pierret]: https://www.qubes-os.org/team/#fr%C3%A9d%C3%A9ric-pierret
[Qubes build security]: https://www.qubes-os.org/news/2016/05/30/build-security/
[package contributions]: https://www.qubes-os.org/doc/package-contributions/
[skeleton repository]: https://github.com/QubesOS-contrib/qubes-skeleton/
[Qubes Builder]: https://www.qubes-os.org/doc/qubes-builder/
[qubes-tunnel]: https://github.com/QubesOS-contrib/qubes-tunnel
[qvm-screenshot-tool]: https://github.com/QubesOS-contrib/qvm-screenshot-tool
[qmenu]: https://github.com/QubesOS-contrib/qmenu

==
Re: [qubes-users] Re: git qubes iso 4.1
On 2020-10-02 2:12 PM, load...@gmail.com wrote:
>> i need to download afresh qubes iso 4.1 how the web site is 4.0
>> thanks
>
> Where did you see the 4.1 version?

Qubes 4.1 is an upcoming release that is currently undergoing development and testing. It has not been released yet. Qubes 4.0 is still the latest stable release. If you'd like to get involved with testing, please see:

https://www.qubes-os.org/doc/testing/

As explained on that page, you can find alpha ISOs (such as for Qubes 4.1) here:

https://openqa.qubes-os.org/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] XSAs 333, 334, 336, 338, 339, 342, and 344 do not affect the security of Qubes OS
Dear Qubes Community,

The Xen Project has published the following Xen Security Advisories: XSA-333, XSA-334, XSA-336, XSA-338, XSA-339, XSA-342, and XSA-344. These XSAs do *not* affect the security of Qubes OS, and no user action is necessary.

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#333
https://www.qubes-os.org/security/xsa/#334
https://www.qubes-os.org/security/xsa/#336
https://www.qubes-os.org/security/xsa/#338
https://www.qubes-os.org/security/xsa/#339
https://www.qubes-os.org/security/xsa/#342
https://www.qubes-os.org/security/xsa/#344

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/22/xsa-333-334-336-338-339-342-344-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QSB #059: Multiple Xen issues (XSA-337, XSA-340, XSA-343)
s Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/22/qsb-059/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Get paid to support Qubes development through automated testing! (three-month contract)
Dear Qubes Community,

The Qubes OS Project is seeking an expert in automated testing. We use OpenQA and Travis to test changes to the Qubes OS source code and automated building from source. We're looking for someone who can help with improving both the automated tests themselves and the testing infrastructure.

This is a paid position on a three-month part-time contract through the Internews BASICS project (Building Analytical and Support Infrastructure for Critical Security tools):

https://chm.tbe.taleo.net/chm04/ats/careers/v2/viewRequisition?org=INTERNEWS=38=1186

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/20/get-paid-to-support-qubes-development-through-automated-testing/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Adding new kernels to iso?
On 2020-09-19 7:53 AM, unman wrote:
> [...]
>
> (Also, the documentation should do this by default too.)

Patches welcome. :) Most links were probably added before the Mail Archive mirror existed.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Qubes Canary #24
Dear Qubes Community,

We have published Qubes Canary #24. The text of this canary is reproduced below. This canary and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #24 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-024-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past canaries:
https://www.qubes-os.org/security/canaries/

```
---===[ Qubes Canary #24 ]===---

Statements
----------

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is September 8, 2020.

2. There have been 58 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   two weeks of December 2020. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Special announcements
---------------------

None.

Disclaimers and notes
---------------------

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.

Proof of freshness
------------------

Tue, 08 Sep 2020 01:45:14 +

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Germany Debates Halting Contentious Russian Pipeline Project
Monetary Policy Expert David Marsh: "We Are Witnessing the End of Independent Central Banks"
How Feces and Other Bodily Fluids Can Help Track COVID Outbreaks
Russian Patient: The Kremlin, Belarus and the Attack on Alexei Navalny
Nord Stream 2 Troubles: An Uncertain Future for the German-Russian Pipeline

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Trump Emerges as Inspiration for Germany’s Far Right
Aided by Modern Ingenuity, a Taste of Ancient Judean Dates
Aleksei Navalny Out of a Coma and Responsive, German Doctors Say
London’s Bridges Really Are Falling Down
Truck Bomb in Somalia Kills 3 and Wounds 3, Including a U.S. Soldier

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Australian journalists flown out of China 'amid diplomatic standoff'
Michael Cohen's Trump book: The ex-lawyer's key claims
Russia's Navalny out of coma after poisoning
Wildfires burn through record area in California as blazes continue to spread
'They shot him in cold blood'

Source: Blockchain.info
0005a914bdf7052f546448bd3459aa95b52bc1f1a62c27f6

Footnotes
---------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/09/10/canary-24/
Re: [qubes-users] Hardening Guide for Paranoid Noobs?
On 2020-09-07 5:42 PM, Andrew David Wong wrote:
>
> On 2020-09-05 12:35 PM, 'awokd' via qubes-users wrote:
>> If you're concerned about Fedora's lack of signing, switch to
>> Debian templates, or some other that has signing.
>
> This is a misconception. Fedora packages are absolutely
> cryptographically signed by PGP keys. The signature verification must
> succeed, or else the package will not be updated or installed. You can
> prove this for yourself by temporarily moving/renaming the signing
> keys, then trying to install a package.
>
> The real issue is about signing repo metadata. See these threads:
>
> https://groups.google.com/g/qubes-users/c/HHedtfDFdj4/m/dap-D0nwEwAJ
> https://groups.google.com/g/qubes-users/c/cNwCH3rcIGk/m/grr1yJktDAAJ
> https://groups.google.com/g/qubes-users/c/X0GvIdpQtcM/m/Tey9k_geWGUJ
>

Follow-up:

https://github.com/QubesOS/qubes-issues/issues/1919#issuecomment-689245921

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Hardening Guide for Paranoid Noobs?
On 2020-09-05 12:35 PM, 'awokd' via qubes-users wrote:
> If you're concerned about Fedora's lack of signing, switch to
> Debian templates, or some other that has signing.

This is a misconception. Fedora packages are absolutely cryptographically signed by PGP keys. The signature verification must succeed, or else the package will not be updated or installed. You can prove this for yourself by temporarily moving/renaming the signing keys, then trying to install a package.

The real issue is about signing repo metadata. See these threads:

https://groups.google.com/g/qubes-users/c/HHedtfDFdj4/m/dap-D0nwEwAJ
https://groups.google.com/g/qubes-users/c/cNwCH3rcIGk/m/grr1yJktDAAJ
https://groups.google.com/g/qubes-users/c/X0GvIdpQtcM/m/Tey9k_geWGUJ

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
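The distinction drawn in the message above, signed packages versus signed repository metadata, corresponds to two independent dnf repo options, `gpgcheck` and `repo_gpgcheck`. The Python sketch below is an added example, not code from the thread or from the Qubes project; the repo file content, repo ids and URLs are constructed, and the `[main]` defaults are passed in as parameters rather than read from a real `dnf.conf`.

```python
import configparser
from typing import NamedTuple

# Constructed .repo content; ids, URLs and key paths are made up.
SAMPLE_REPO = """\
[example-updates]
name=Example updates
metalink=https://mirrors.example.org/metalink?repo=updates&arch=x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-signed-metadata]
name=Example repo with signed metadata
baseurl=https://repo.example.org/signed/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unchecked]
name=Example repo with no verification
baseurl=https://repo.example.org/unchecked/
gpgcheck=0

[example-disabled]
name=Example disabled repo
baseurl=https://repo.example.org/disabled/
enabled=0
gpgcheck=0
"""


class RepoStatus(NamedTuple):
    repo_id: str
    enabled: bool
    package_sigs: bool   # gpgcheck: verify the signature on each package
    metadata_sigs: bool  # repo_gpgcheck: verify the signature on repo metadata


def audit_repos(repo_text, main_gpgcheck=False, main_repo_gpgcheck=False):
    """Parse .repo text and report both signature checks for every repo.

    A repo that does not set an option inherits the [main] value, which the
    caller supplies (assumption: both default to off when unset anywhere).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    statuses = []
    for repo_id in parser.sections():
        section = parser[repo_id]
        statuses.append(RepoStatus(
            repo_id,
            section.getboolean("enabled", fallback=True),
            section.getboolean("gpgcheck", fallback=main_gpgcheck),
            section.getboolean("repo_gpgcheck", fallback=main_repo_gpgcheck),
        ))
    return statuses


def findings(statuses):
    """List (repo_id, missing_check) for enabled repos only."""
    result = []
    for status in statuses:
        if not status.enabled:
            continue
        if not status.package_sigs:
            result.append((status.repo_id, "packages"))
        if not status.metadata_sigs:
            result.append((status.repo_id, "metadata"))
    return result


if __name__ == "__main__":
    for repo_id, missing in findings(audit_repos(SAMPLE_REPO)):
        print(f"{repo_id}: {missing} signatures are not verified")
```

A repo can pass the package check and still appear in the metadata findings, which is the case the message describes as the real issue.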
[qubes-users] XSA-335 does not affect the security of Qubes OS
Dear Qubes Community,

The Xen Project has published Xen Security Advisory 335 (XSA-335). This XSA does *not* affect the security of Qubes OS, and no user action is necessary.

This XSA has been added to the XSA Tracker:
https://www.qubes-os.org/security/xsa/#335

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/08/24/xsa-335-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Announcement: New community forum for Qubes OS users!
Dear Qubes community,

We're pleased to announce the launch of a new forum for Qubes OS users:

https://qubes-os.discourse.group

This is an official user forum where you can ask questions, get help, share tips and experiences, and more! For a long time, members of our community have sought a privacy-respecting forum experience with modern features that traditional mailing lists do not support. The open-source Discourse [1] platform fills this need for us, as it does for many other open-source projects. Thanks to their generous free hosting for open source projects [2], we're pleased to be able to create this space for our community.

Why create a forum now?
=======================

Previously, the only option for a forum-like experience was to interact with our mailing lists via Google Groups, but we understand all too well that the privacy implications and user experience were unacceptable for many members of our community, especially with the recent addition of a sign-in requirement to view threads. Many of you value the lower barrier to entry, organization, ease-of-use, and modern social features that today's forums support. Moreover, Discourse features email integration for those who still prefer the traditional mailing list format.

How is this different from our mailing lists?
=============================================

To be clear, this is *not* a replacement for our mailing lists [3] (such as qubes-users and qubes-devel), which will continue on as they are. This new forum is simply an *additional* place for discussion. Certain types of discussions naturally lend themselves more to mailing lists or to forums, and different types of users prefer different venues. We've heard from some users who find the mailing lists to be a bit intimidating or who may feel that their message isn't important enough to merit creating a new email that lands in thousands of inboxes. Others want more selective control over topic notifications. Some users simply appreciate the ability to add a "reaction" to a message instead of having to add an entirely new reply. Whatever your reasons, it's up to you to decide where and how you want to join the conversation.

Will this split the community?
==============================

Many open-source projects (such as Fedora and Debian) have both mailing lists and forums (and additional discussion venues). In fact, Qubes already has non-mailing-list discussion venues such as IRC [4] and Reddit [5]. We believe that this additional venue will foster the continued growth of community participation and improve everyone's experience. In addition, we fully expect that many community members -- especially the most active ones -- will choose to participate in both venues. (Again, for those who still prefer interacting via email, Discourse supports that too!)

-----

Special thanks to Michael Carbone for spearheading the creation of this forum and to deeplow who, as our first forum administrator, has done much of the legwork to help get it looking good and working well!

[1] https://www.discourse.org/
[2] https://blog.discourse.org/2018/11/free-hosting-for-open-source-v2/
[3] https://www.qubes-os.org/support/
[4] https://www.qubes-os.org/support/#unofficial-chat-channels
[5] https://www.reddit.com/r/Qubes/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/08/20/new-community-forum-for-qubes-os-users/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [EXT] Re: [qubes-users] Google requiring login to access qubes-users
On 2020-08-18 1:55 AM, Jarrah wrote:
>
>> With the changes in Google Group's interface, I'm tempted to
>> abandon this place entirely and shift to mail, but for the sake
>> of having more participants, it'd be nice to have the
>> forum/mailing list somewhere less restrictive.
> There was quite a large discussion about this under the subject
> "Help create a Qubes Users Forum!" on qubes-devel a while back.
> It's even more of a ghost town currently, but there's only one way
> to fix that. It's at https://qubes-os.discourse.group/. Maybe it
> could solve the problem?
>

We're actually working on an announcement about this right now. Stay tuned!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?
On 2020-08-13 9:32 PM, 54th Parallel wrote:
> P.S. I'm not liking this new Google Groups look

Then don't use it! :)

"While the mailing lists are implemented as Google Group web forums, a Google account is in no way required, expected, or encouraged. Many discussants (including most members of the Qubes team) treat these lists as conventional mailing lists, interacting with them solely through plain text email with MUAs like Thunderbird and Mutt. The Google Groups service is just free infrastructure, and we distrust the infrastructure. This is why, for example, we encourage discussants to use Split GPG to sign all of their messages to the lists, but we do not endorse the use of these Google Groups as web forums. Some users prefer to interact with the mailing lists through their optional web interfaces. This has the advantage that it allows you to search and reply to messages which were sent prior to your subscription to the list. However, a Google account is required in order to post through the web interfaces. (Note: There have been many discussions about why the Qubes OS Project does not maintain an official forum. The curious can find these by searching the list archives.)"

https://www.qubes-os.org/support/#mailing-lists-vs-forums

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes dom0-update-guard script
On 2020-08-09 3:05 PM, Chris Laprise wrote:
> On 8/8/20 10:20 AM, fiftyfourthparal...@gmail.com wrote:
>> So the new overview of the script is: have a dedicated (and
>> hardened?) tor VM --basically, whonix-ws-- download the metadata
>> from a few mirror sites, compare them to the metadata from Tor,
>> and if all checks out, compare the tor version to the packages
>> installed in dom0. If it doesn't check out, alert user and ask
>> whether to proceed. To do this entirely in dom0 (keeping it safe
>> and simple for a newbie at programming), I'm going to use qvm-run
>> with --pass-io somewhere in my script, along with something to
>> read the whonix output and run cross checks.
>
> Just an idea: Use the Qubes Security Bulletins as your reference
> for checking package versions:
>
> https://www.qubes-os.org/security/pack/
>
> These bulletins are signed txt files, which makes them secure. The
> difficult part would be parsing the QSBs themselves but I wonder
> if Qubes devs would agree to a standard format going forward to
> make it easier + reliable.
>

The QSB formats are actually pretty standardized already, though our expectation has been that they'd be read by humans rather than programmatically. We use a template [1] for the overall structure, and in particular, the "Patching" section always follows this format:

```
Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

For Qubes :
- - - -

For Qubes :
- - - -

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update

For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
```

Feel free to take a look at any QSBs for specific examples. [2]

I'm sure it wouldn't be a problem to change the syntax slightly if that would make things easier, as long as it doesn't harm human readability.

[1] https://www.qubes-os.org/security/bulletins/template/
[2] https://www.qubes-os.org/security/bulletins/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
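One way to read the "Patching" section programmatically, as discussed in the message above. This is an added Python example, not code from the thread or from the Qubes project: the sample bulletin is constructed, the item wording `- <name> packages, version <version>` is an assumption (the template quoted above does not show it), and the version comparison is a simplified segment-wise ordering with no epoch, `~` or `^` handling. It assumes the bulletin file has already been verified against its signatures in the qubes-secpack before being parsed.

```python
import re

# Constructed sample laid out like the "Patching" section quoted above.
# Release numbers, package names and versions are made up.
SAMPLE_QSB = """\
Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-99
  - Example-tool packages, version 1.2.10-1

  For Qubes 4.1:
  - Xen packages, version 4.14.0-7

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

A system restart will be required afterwards.

Credits
========

(constructed)
"""

RELEASE_RE = re.compile(r"^\s*For Qubes (\S+):\s*$")
# Assumed item wording: "- <name> packages, version <version>"
ITEM_RE = re.compile(r"^\s*-\s+(.+?) packages?, version (\S+)\s*$")
UNDERLINE_RE = re.compile(r"^=+\s*$")


def patching_section(text):
    """Return the lines between the 'Patching' heading and the next heading."""
    lines = text.splitlines()
    start = None
    for i in range(len(lines) - 1):
        if lines[i].strip() and UNDERLINE_RE.match(lines[i + 1]):
            if start is not None:
                return lines[start:i]
            if lines[i].strip() == "Patching":
                start = i + 2
    if start is None:
        raise ValueError("no Patching section found")
    return lines[start:]


def parse_patching(text):
    """Map each Qubes release to {package set name: fixed version}."""
    fixes, release = {}, None
    for line in patching_section(text):
        stripped = line.strip()
        header = RELEASE_RE.match(line)
        if header:
            release = header.group(1)
            fixes[release] = {}
        elif stripped.startswith("-") and release is not None:
            item = ITEM_RE.match(line)
            if not item:  # fail closed instead of silently skipping a fix
                raise ValueError(f"unparseable item: {stripped!r}")
            fixes[release][item.group(1)] = item.group(2)
        elif stripped:
            release = None  # prose ends the current release's list
    return fixes


def _cmp_part(a, b):
    """Compare digit/letter segments; a numeric segment beats a letter one."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def version_cmp(a, b):
    """Order two 'version-release' strings: negative if a is older than b."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)


def outstanding(fixes_for_release, installed):
    """Names whose installed version is missing or older than the fixed one."""
    return sorted(name for name, fixed in fixes_for_release.items()
                  if name not in installed
                  or version_cmp(installed[name], fixed) < 0)
```

Mapping a bulletin's package set names to the individual packages installed in dom0 is left to the caller, since the bulletin text alone does not define it.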
Re: [qubes-users] Questions: Protection against local forensics/privacy problems with Fedora sys-net, sys-firewall
On 2020-08-06 7:47 PM, shie1ohk via qubes-users wrote:
> 2) Is there an easy way to save the qubes-os.org wiki locally?
>

Yes. As explained on the Documentation Guidelines page [1], "All Qubes OS documentation pages are stored as plain text files in the dedicated qubes-doc repository. [2] By cloning and regularly pulling from this repo, users can maintain their own up-to-date offline copy of all Qubes documentation rather than relying solely on the web."

In fact, you can save the entire Qubes OS website this way. [3]

[1] https://www.qubes-os.org/doc/doc-guidelines/
[2] https://github.com/QubesOS/qubes-doc
[3] https://github.com/QubesOS/qubesos.github.io

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Qubes T-shirts, polos, and sweatshirts now available from HELLOTUX
Hi all,

Thanks to Frédéric, Qubes T-shirts, polos, and sweatshirts are now available from HELLOTUX. A small portion of each purchase will be donated back to the Qubes OS Project. Please see this page for additional Qubes merchandise options and general information:

https://www.qubes-os.org/merchandise/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes-OS architecture.
On 2020-08-02 6:34 AM, Jason Long wrote:
> Why not a good document about it?
>

I think it's mainly lack of necessity and lack of time. We prefer to focus our limited time and resources on the things that will provide the greatest real, practical security benefit for our users in their everyday lives, whereas such a document would be more of a "nice to have" thing.

P.S. -- Please avoid top-posting.

> Sent from Yahoo Mail on Android
>
> On Wed, Jul 29, 2020 at 2:19 AM, Andrew David
> Wong wrote:
>
> On 2020-07-28 4:04 PM, 'Jason Long' via qubes-users wrote:
>> Hello, I found a pdf file about the Qubes-OS architecture but it
>> is for 2010 :(. Any new version? Tnx.
>>
>
> I take it that you're referring to the PDF available at the bottom
> of this page:
>
> https://www.qubes-os.org/doc/architecture/
>
> I'm afraid there is no newer version of that particular PDF. That
> was more of an initial design document. Now that Qubes actually
> exists and is under continual development, it has been largely
> replaced by our documentation and articles:
>
> https://www.qubes-os.org/doc/
>
> https://www.qubes-os.org/news/categories/#articles
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes-OS architecture.
On 2020-07-28 4:04 PM, 'Jason Long' via qubes-users wrote:
> Hello, I found a pdf file about the Qubes-OS architecture but it is
> for 2010 :(. Any new version? Tnx.
>

I take it that you're referring to the PDF available at the bottom of this page:

https://www.qubes-os.org/doc/architecture/

I'm afraid there is no newer version of that particular PDF. That was more of an initial design document. Now that Qubes actually exists and is under continual development, it has been largely replaced by our documentation and articles:

https://www.qubes-os.org/doc/

https://www.qubes-os.org/news/categories/#articles

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] XSA-329 does not affect the security of Qubes OS
Dear Qubes Community,

The Xen Project has published Xen Security Advisory 329 (XSA-329). This XSA does *not* affect the security of Qubes OS, and no user action is necessary.

This XSA has been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#329

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/07/16/xsa-329-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Re: [qubes-users] broken link in https://www.qubes-os.org/doc/vm-sudo/
On 2020-07-13 5:53 AM, unman wrote:
> On Mon, Jul 13, 2020 at 11:51:15AM +0200, Peter Funk wrote:
>> While reading in the official Qubes OS documentation I discovered
>> a broken link in the page titled "Passwordless Root Access in VMs"
>> in "Background (/etc/sudoers.d/qubes in VM)". I was interested in
>> the Background and was unable to find the mentioned
>> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes.sudoers
>> anywhere else. Does anybody know where this was moved to?
>>
>> Best regards, Peter Funk
>
> The contents of the file are there on that page, so you have already
> read it.
> As to your failure to find it anywhere else in master, it has been hidden in the
> confusingly named "passwordless-root" directory. ;-)
>
> https://github.com/QubesOS/qubes-core-agent-linux/blob/master/passwordless-root/qubes.sudoers
>

I've removed the unnecessary broken link.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

[qubes-users] XSAs 317, 319, 327, and 328 do not affect the security of Qubes OS
Dear Qubes Community,

The Xen Project has published Xen Security Advisories 317, 319, 327, and 328 (XSA-317, XSA-319, XSA-327, and XSA-328, respectively). These XSAs do *not* affect the security of Qubes OS, and no user action is necessary.

These XSAs have been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#317
https://www.qubes-os.org/security/xsa/#319
https://www.qubes-os.org/security/xsa/#327
https://www.qubes-os.org/security/xsa/#328

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/07/07/xsa-317-319-327-328-qubes-not-affected/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

[qubes-users] QSB #058: Insufficient cache write-back under VT-d (XSA-321)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #058: Insufficient cache write-back under VT-d (XSA-321). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #058 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-058-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-321 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#321

```
             ---===[ Qubes Security Bulletin #58 ]===---

                             2020-07-07

         Insufficient cache write-back under VT-d (XSA-321)

Summary
=======

On 2020-07-07, the Xen Security Team published Xen Security Advisory
321 (CVE-2020-15565 / XSA-321) [1] with the following description:

| When page tables are shared between IOMMU and CPU, changes to them
| require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent,
| and hence prior to flushing IOMMU TLBs CPU cached also needs writing
| back to memory after changes were made. Such writing back of cached
| data was missing in particular when splitting large page mappings into
| smaller granularity ones.
|
| A malicious guest may be able to retain read/write DMA access to
| frames returned to Xen's free pool, and later reused for another
| purpose. Host crashes (leading to a Denial of Service) and privilege
| escalation cannot be ruled out.

A malicious HVM qube with a PCI device (such as sys-net or sys-usb in
Qubes' default configuration) can potentially compromise the whole
system.

Only Intel systems are affected. AMD systems are not affected.

Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-19

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
=======

See the original Xen Security Advisory.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-321.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/07/07/qsb-058/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

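An added example, not part of the bulletin or of Qubes' own tooling: a dom0 shell check that the fixed Xen build named in QSB #058 (4.8.5-19) is both installed and actually running, since the fix only takes effect after the restart the bulletin calls for. The package name `xen-hypervisor`, the `.fcNN` dist-tag pattern, and `xl info` reporting the package release in `xen_version` are assumptions; the version comparison is a simplified numeric one, not full rpm ordering.

```shell
#!/bin/sh
# Fixed Xen package version for Qubes 4.0, as stated in QSB #058.
FIXED_XEN="4.8.5-19"

# Drop a trailing dist tag such as ".fc25" (assumed tag format).
strip_dist() {
    printf '%s\n' "$1" | sed 's/\.fc[0-9]*$//'
}

# ver_ge A B: succeed when A >= B, comparing numeric fields split on "." and "-".
# Simplified ordering, not full rpm version comparison.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.-]"); m = split(b, y, "[.-]")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# classify INSTALLED RUNNING: print the patch state for QSB #058.
classify() {
    if ! ver_ge "$(strip_dist "$1")" "$FIXED_XEN"; then
        echo "update-needed"        # fixed packages not installed yet
    elif ! ver_ge "$(strip_dist "$2")" "$FIXED_XEN"; then
        echo "restart-needed"       # installed, but the old hypervisor is still running
    else
        echo "patched"
    fi
}

# Live check for dom0 (run as root). Assumptions: the package is named
# xen-hypervisor and xl's xen_version field includes the package release.
check_dom0() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen-hypervisor) || return 2
    running=$(xl info | awk -F': *' '$1 ~ /^xen_version/ {print $2}')
    classify "$installed" "$running"
}

# Constructed sample values, so the logic can be exercised outside dom0.
classify "4.8.5-18.fc25" "4.8.5-18.fc25"
classify "4.8.5-19.fc25" "4.8.5-18.fc25"
classify "4.8.5-19.fc25" "4.8.5-19.fc25"
```

In dom0, source the file and call `check_dom0`; a `restart-needed` result means the update was installed but the vulnerable hypervisor is still the one in memory.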
[qubes-users] Fedora 32 TemplateVMs available
Dear Qubes Community,

New Fedora 32 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a Fedora 32 template, you must first switch [1] the `default-mgmt-dvm` qube to a Fedora 32 template. (Alternatively, you can create a separate management DisposableVM Template based on a Fedora 32 template for the purpose of updating Fedora 32 templates.) This does not affect updating internally using `dnf`.

Instructions are available for upgrading Fedora TemplateVMs [2]. We also provide fresh Fedora 32 TemplateVM packages through the official Qubes repositories, which you can get with the following commands (in dom0).

Standard [3] Fedora 32 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-32

Minimal [4] Fedora 32 TemplateVM:

    $ sudo qubes-dom0-update qubes-template-fedora-32-minimal

After installing or upgrading a TemplateVM, please remember to update [5] (see important note above) and switch all qubes that were using the old template to use the new one [1].

[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/06/30/fedora-32-templates-available/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org