[qubes-users] Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)

2024-03-18 Thread Andrew David Wong
   ```shell_session
   ware: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.


   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.

   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qube
   ```

[qubes-users] Qubes OS 4.2.1-rc1 is available for testing

2024-03-16 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.1 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). This [patch 
release](#what-is-a-patch-release) aims to consolidate all the security 
patches, bug fixes, and other updates that have occurred since the release of 
Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to 
install (or reinstall) the latest stable Qubes release with an up-to-date ISO. 
The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page. For more 
information about the changes included in this version, see the [full list of 
issues completed since the release of 
4.2.0](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. If warranted, we then issue a new RC 
that includes the fixes and repeat the process. We continue this iterative 
procedure until we're left with an RC that's good enough to be declared the 
stable release. No one can predict, at the outset, how many iterations will be 
required (and hence how many RCs will be needed before a stable release), but 
we tend to get a clearer picture of this as testing progresses. Here is the 
latest update:

At this point, we expect the stable release sometime around 2024-03-25.

## Testing Qubes 4.2.1-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190). The best way 
to test Qubes 4.2.1-rc1 is by performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) with the new 
ISO. We strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

As an alternative to a clean installation, there is also the option of 
performing an in-place upgrade without reinstalling. However, since Qubes 4.2.1 
is simply Qubes 4.2.0 inclusive of all updates to date, this amounts to simply 
using a fully-updated 4.2.0 installation. In a sense, then, all current 4.2.0 
users who are keeping up with updates are already testing 4.2.1-rc1, but this 
testing is only partial, since it does not cover things like the installation 
procedure. 

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
 the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page under the Qubes 
OS 4.2.0-rc5 ISO.

## What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a 
stable release, unless significant bugs are 

[qubes-users] Qubes OS Summit 2024: September 20-22 in Berlin

2024-03-13 Thread Andrew David Wong
Dear Qubes Community,

In conjunction with [3mdeb](https://3mdeb.com/), the sixth edition of our Qubes 
OS Summit will be held live this year from September 20 to 22 in Berlin, 
Germany! For more information about this event, please see: 


If you would like to submit a proposal, the Call for Participation (CFP) is 
open until August 5: 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/13/qubes-os-summit-2024/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b9b4b9d7-7283-44c0-b1db-fe4264d71f6e%40qubes-os.org.


[qubes-users] XSAs released on 2024-03-12

2024-03-13 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-452](https://xenbits.xen.org/xsa/advisory-452.html)
  - See [QSB-101](https://www.qubes-os.org/news/2024/03/13/qsb-101/)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-453](https://xenbits.xen.org/xsa/advisory-453.html)
  - The Qubes security team concurs with the Xen security team's assessment in 
the "VULNERABLE SYSTEMS" section of XSA-453.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/13/xsas-released-on-2024-03-12/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/332b7027-9eae-4cb5-9b23-f4456d5f8204%40qubes-os.org.


[qubes-users] QSB-101: Register File Data Sampling (XSA-452)

2024-03-13 Thread Andrew David Wong
ecord the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.

   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Ma
   ```

[qubes-users] Qubes Canary 038

2024-03-11 Thread Andrew David Wong

Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm

2024-03-06 Thread Andrew David Wong
On 3/6/24 10:37 AM, qubist wrote:
> On Wed, 6 Mar 2024 18:14:53 +0100 Marek Marczykowski-Górecki wrote:
> 
>> The way that console works does not support sending information about
>> window size (changes).
> 
> Do I understand correctly there is no way to change it and it is
> impossible, hence not planned?
> 
> 
>> You must subscribe to qubes-devel mailing list to post there.
> 
> I am subscribed. I was subscribed at the time of posting it, yet it was
> explicitly rejected:
> 
> On Tue, 05 Mar 2024 14:26:01 -0800 Google Groups wrote:
> 
>> Google Groups (https://groups.google.com/d/overview)
>>
>> Unfortunately, your recent post to the qubes-devel  
>> (https://groups.google.com/d/forum/qubes-devel) group
>> was rejected by a group owner or manager.
>>
>> Message from the group owner or manager:
>> Your message to the qubes-devel group has been rejected. For more  
>> information, please see:
>>
>> https://www.qubes-os.org/support/
>>
>> You may wish to send your message to the qubes-users mailing list
>> instead:
>>
>> https://www.qubes-os.org/support/#qubes-users
>>
>> Possible reasons your post was rejected include:
>> * Your post was more relevant to a different group or conversation.
>> * Your post did not conform to the posting guidelines of this group.
>> * Your post needs more information.
>>
>> Google Groups allows you to create and participate in online forums
>> and email-based groups with a rich community experience. You can also
>> use your Group to share documents, pictures, calendars, invitations,
>> and other resources.
>>
>>
>> Visit Google Groups Help Center at  
>> https://support.google.com/groups/answer/46601?hl=en.
> 

I rejected it, because although it contains a "Why did you implement XYZ this 
way...?" question, the rest of the message implies a "How do I...?" request for 
help or support.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a9c8788-b988-4da4-8fef-de839c947c1a%40qubes-os.org.


[qubes-users] Qubes-certified NovaCustom NV41 Series laptop now available with Heads firmware

2024-03-03 Thread Andrew David Wong
Dear Qubes Community,

Last year, we 
[announced](https://www.qubes-os.org/news/2023/05/03/novacustom-nv41-series-qubes-certified/)
 that the [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) 
became a [Qubes-certified 
computer](https://www.qubes-os.org/doc/certified-hardware) for Qubes OS 4. We 
noted in the announcement that the NV41 Series came with 
[Dasharo](https://www.dasharo.com/) [coreboot](https://www.coreboot.org/) 
open-source firmware.

We are now pleased to announce that the NV41 Series is also available with 
[Heads firmware](https://osresearch.net/). When you [configure your NV41 
Series](https://novacustom.com/product/nv41-series/), you can now choose either 
Dasharo coreboot+EDK-II (default) or Dasharo coreboot+Heads for the firmware. 
Both options are certified for Qubes OS 4. This makes the NV41 Series the first 
modern Qubes-certified computer available with Heads!

Current NV41 Series owners who wish to change from Dasharo coreboot+EDK-II to 
the Heads firmware version can [buy the Dasharo Entry 
Subscription](https://novacustom.com/product/dasharo-entry-subscription/) for 
an easy transition to Heads.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/03/novacustom-nv41-series-with-heads-certified/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0a4b53ec-6449-4dec-a084-2c0f67ec1a1a%40qubes-os.org.


[qubes-users] XSAs released on 2024-02-27

2024-02-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-451](https://xenbits.xen.org/xsa/advisory-451.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/27/xsas-released-on-2024-02-27/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d21b067f-877f-4fb7-8625-8a31c04616a4%40qubes-os.org.


Re: [qubes-users] Where do I verify the gpg key? Do the docs need updating?

2024-02-16 Thread Andrew David Wong
On 2/16/24 12:38 PM, Allen Schultz wrote:
> Hi,
> 
> I'm trying to verify the key I downloaded from the Qubes Download page. 
> According to the documentation on the Verifying Signatures, it looks like 
> there may be a discrepancy between the two.
> 
> The site says the key is:
> 
> 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
> and I have the following:
> 
>  ~  which gpg  
> /usr/bin/gpg
>  ~  ls -al /usr/bin/gpg 
> -rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg
>  ~  ls -al /usr/bin/gpg2
> lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 -> gpg
>  ~  gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc 
> gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key
> gpg: key 0xE022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" 
> imported
> gpg: Total number processed: 1
> gpg:   imported: 1
> gpg: marginals needed: 3  completes needed: 1  trust model: pgp
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: next trustdb check due at 2025-01-04
>  ~  gpg --fingerprint Qubes
> pub   rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC]
>   Key fingerprint = 9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F
> uid   [ unknown] Qubes OS Release 4.2 Signing Key
> 
> Any help will be appreciated.
> 
> Thank you.
> 

You downloaded only the Qubes 4.2 release signing key (RSK), not the Qubes 
Master Signing Key (QMSK). Please carefully read and follow this section:

https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc96fa1a-c29c-4f38-9c04-410e7a85dd36%40qubes-os.org.
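
An added example, not part of the messages above or of the Qubes documentation: the reply turns on telling a release signing key apart from the QMSK, and step 3 of the procedure earlier on this page asks for the QMSK fingerprint to be confirmed from several sources. The shell functions below do both by comparing full 40-hex fingerprints taken from `gpg --with-colons` output. The function names and the three sample listings are constructed for illustration; the two real fingerprints are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: match keys by full fingerprint, never by user ID or key ID.

# QMSK fingerprint as quoted on this page. Confirm it yourself from several
# independent sources before relying on it.
QMSK_FPR="427F11FD0FAA4B080123F01CDDFA1A3E36879494"

# Strip spaces/tabs and an optional 0x prefix, then upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint (field 10 of the fpr record) of each primary key. fpr records
# that follow a sub record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if the colon listing on stdin holds a primary key whose full
# fingerprint equals QMSK_FPR.
keyring_has_qmsk() {
    primary_fprs | awk -v want="$QMSK_FPR" '
        $0 == want { found = 1 }
        END { exit !found }
    '
}

# Succeed only if at least two fingerprints were supplied (one per source
# consulted) and all are the same 40-hex value after normalisation.
sources_agree() {
    [ "$#" -ge 2 ] || return 1
    first=$(normalize_fpr "$1")
    [ "${#first}" -eq 40 ] || return 1
    shift
    for f in "$@"; do
        [ "$(normalize_fpr "$f")" = "$first" ] || return 1
    done
    return 0
}

# --- Constructed, abridged sample listings (not captured gpg output) ---

# The poster's situation: only the 4.2 release signing key was imported.
sample_rsk_only() {
    cat <<'EOF'
pub:-:4096:1:E022E58F8E34D89F:1664841600:::-:
fpr:::::::::9C884DF3F81064A569A4A9FAE022E58F8E34D89F:
uid:-::::1664841600::::Qubes OS Release 4.2 Signing Key:
EOF
}

# A made-up key that copies the QMSK user ID and 64-bit key ID but has a
# different (placeholder) fingerprint. Name and key ID alone prove nothing.
sample_lookalike() {
    cat <<'EOF'
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAADDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:
EOF
}

# A listing that carries the fingerprint quoted on this page.
sample_genuine() {
    cat <<'EOF'
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:
EOF
}

# Demo over the constructed samples. Against a real keyring, use:
#   gpg --with-colons --fingerprint | keyring_has_qmsk
for s in sample_rsk_only sample_lookalike sample_genuine; do
    if "$s" | keyring_has_qmsk; then
        echo "$s: QMSK fingerprint present"
    else
        echo "$s: QMSK fingerprint NOT present"
    fi
done
```

`sources_agree` only shows that the values you collected match each other; how independent those sources are is still your judgement.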


[qubes-users] Re: Fedora 39 templates available; Fedora 38 approaching EOL

2024-02-14 Thread Andrew David Wong
On 2/13/24 4:17 AM, Andrew David Wong wrote:
> Dear Qubes Community,
> 
> New Fedora 39 templates are now available in standard, 
> [minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
> [Xfce](https://www.qubes-os.org/doc/templates/xfce/) varieties. In addition, 
> Fedora 38 is currently 
> [scheduled](https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html)
>  to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
> 2024-05-14 (approximately three months from now). Please upgrade all of your 
> Fedora templates and standalones by that date. For more information, see 
> [Upgrading to avoid 
> EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).
> 
> There are two ways to upgrade a template to a new Fedora release:
> 
> - *Recommended*: [Install a fresh template to replace an existing 
> one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
> may be simpler for less experienced users.* After you install the new 
> template, redo all desired template modifications and [switch everything that 
> was set to the old template to the new 
> template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
> write down the modifications you make to your templates so that you remember 
> what to redo on each fresh install. To see a log of package manager actions, 
> open a terminal in the old Fedora template and use the `dnf history` command.
> 
> - *Advanced*: [Perform an in-place upgrade of an existing Fedora 
> template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
> This option will preserve any modifications you've made to the template, *but 
> it may be more complicated for less experienced users.*
> 
> Please note that no user action is required regarding the OS version in dom0 
> (see our [note on dom0 and 
> EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).
> 

## Special note on updating Fedora 39 templates on Qubes 4.1

In order to update Fedora 39 templates on Qubes 4.1, the default management 
disposable template (`default-mgmt-dvm`) must also be based on a Fedora 39 
template. Here is the recommended order of events:

1. [Install](https://www.qubes-os.org/doc/templates/fedora/#installing) a fresh 
Fedora 39 template.
2. [Switch](https://www.qubes-os.org/doc/templates/#switching) 
`default-mgmt-dvm` to the new Fedora 39 template.
3. [Update](https://www.qubes-os.org/doc/how-to-update/) the Fedora 39 template.

By default, this applies only to Qubes 4.1, since the default update mechanism 
in Qubes 4.2 no longer relies on Salt. (However, if you have configured your 
Qubes 4.2 system so that it uses Salt for updates, then this still applies to 
you.)

> 
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2024/02/13/fedora-39-templates-available-fedora-38-approaching-eol/



[qubes-users] Fedora 39 templates available; Fedora 38 approaching EOL

2024-02-13 Thread Andrew David Wong
Dear Qubes Community,

New Fedora 39 templates are now available in standard, 
[minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
[Xfce](https://www.qubes-os.org/doc/templates/xfce/) varieties. In addition, 
Fedora 38 is currently 
[scheduled](https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html) 
to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
2024-05-14 (approximately three months from now). Please upgrade all of your 
Fedora templates and standalones by that date. For more information, see 
[Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).

There are two ways to upgrade a template to a new Fedora release:

- *Recommended*: [Install a fresh template to replace an existing 
one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. To see a log of package manager actions, 
open a terminal in the old Fedora template and use the `dnf history` command.

- *Advanced*: [Perform an in-place upgrade of an existing Fedora 
template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

Please note that no user action is required regarding the OS version in dom0 
(see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/13/fedora-39-templates-available-fedora-38-approaching-eol/



[qubes-users] Whonix 17 templates available for Qubes OS 4.1

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

Until now, Whonix 17 has been available only on Qubes OS 4.2. Since [Whonix 16 
reached EOL (end-of-life) on 
2024-01-18](https://www.qubes-os.org/news/2023/12/22/whonix-16-approaching-eol/),
 this left users still on Qubes OS 4.1 without a supported way to use Whonix. 
In an effort to accommodate this group of users, the Whonix and Qubes teams 
have now made Whonix 17 available for Qubes OS 4.1.

There are two ways to upgrade to Whonix 17 on Qubes OS 4.1:

- *Recommended*: [Install fresh Whonix templates to replace the existing 
ones.](https://www.whonix.org/wiki/Qubes/Install) After you install the new 
templates, redo all desired template modifications and [switch everything that 
was set to the old templates to the new 
templates](https://www.qubes-os.org/doc/templates/#switching).

- *Advanced*: Perform an [in-place upgrade from Whonix 16 to Whonix 
17](https://www.whonix.org/wiki/Release_Upgrade_16_to_17). This option will 
preserve any modifications you've made to the templates, *but it may be more 
complicated for less experienced users.*

If you wish, you also still have the option of performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) of [Qubes OS 
4.2.0](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/),
 which comes with Whonix 17 templates preinstalled (if selected during 
installation).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/whonix-17-templates-available-for-qubes-os-4-1/



[qubes-users] XSAs released on 2024-01-30

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-449](https://xenbits.xen.org/xsa/advisory-449.html)
  - See [QSB-100](https://www.qubes-os.org/news/2024/01/30/qsb-100/).

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-450](https://xenbits.xen.org/xsa/advisory-450.html)
  - Affects only builds with HVM support disabled

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/xsas-released-on-2024-01-30/



[qubes-users] XSAs released on 2024-01-22

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-448](https://xenbits.xen.org/xsa/advisory-448.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/xsas-released-on-2024-01-22/



[qubes-users] QSB-099: Qrexec policy leak via policy.RegisterArgument service

2024-01-18 Thread Andrew David Wong
   ```shell_session
   ferent sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`gpg: Good signature from...` followed by an appropriate key. The `[full]` 
indicates full trust, which this key inherits in virtue of being validly signed 
by the QMSK.

8. Verify PGP signature
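
A scripted form of the check in step 7, as an added example that is not part of the original bulletin: instead of reading the human-readable `Good signature ... [full]` line, it evaluates GnuPG's machine-readable status lines, which `git verify-tag --raw` prints to standard error. The function name `check_tag_status` and the sample status lines are constructed for illustration; the fingerprint and key ID are the ones shown in the output above.

```shell
#!/bin/sh
# check_tag_status [EXPECTED_FPR]
# Reads GnuPG status lines on stdin and succeeds only if there is exactly one
# good signature, made by a key whose validity is full or ultimate (the
# "[full]" in step 7), and, when EXPECTED_FPR is given, by that exact key.
check_tag_status() {
    awk -v want="${1:-}" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad++ }
        $2 == "VALIDSIG" { fpr = $3 }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad || good != 1 || fpr == "") {
                print "FAIL no-single-good-signature"; exit 1
            }
            if (trust != "TRUST_FULLY" && trust != "TRUST_ULTIMATE") {
                if (trust == "") trust = "TRUST_MISSING"
                print "FAIL key-not-validated " fpr " " trust; exit 1
            }
            if (want != "" && fpr != want) {
                print "FAIL unexpected-signer " fpr; exit 1
            }
            print "OK " fpr " " trust
        }'
}

# Constructed sample: status lines for a tag signed by the key from step 7,
# in a keyring where the QMSK has been set to ultimate trust (step 4).
sample_status_trusted() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_FULLY 0 pgp
EOF
}

# Constructed sample: the same signature checked in a keyring where step 4 was
# skipped. The signature is still "good", but the key is not validated.
sample_status_unvalidated() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real use, inside the cloned repo:
#   git verify-tag --raw "$(git describe)" 2>&1 | check_tag_status
sample_status_trusted | check_tag_status
sample_status_unvalidated | check_tag_status || echo "tag rejected"
```

The second sample shows why "Good signature" alone is not sufficient: the check passes only when the signing key's validity derives from a key you have marked as trusted.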

[qubes-users] The Star Labs StarBook is Qubes-certified!

2024-01-10 Thread Andrew David Wong
Dear Qubes Community,

It is our pleasure to announce that the [Star Labs 
StarBook](https://starlabs.systems/pages/starbook) is [officially 
certified](https://www.qubes-os.org/doc/certified-hardware/) for Qubes OS 
Release 4!

## The Star Labs StarBook

The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch 
laptop featuring open-source coreboot and EDK II firmware. In addition, the 
StarBook is currently the *only* Qubes-certified computer with out-of-the-box 
support for `qubes-fwupdmgr`, a new feature in Qubes OS 4.2 that allows Qubes 
OS to securely update the computer's firmware.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)

The Qubes developers have tested and certified the following StarBook 
configuration options for Qubes OS 4.X:

| Component        | Qubes-certified options                          |
| ---------------- | ------------------------------------------------ |
| Processor        | 13th Generation Intel Core i3-1315U or i7-1360P  |
| Memory           | 8 GB, 16 GB, 32 GB, or 64 GB RAM                 |
| Storage          | 512 GB, 1 TB, or 2 TB SSD                        |
| Graphics         | Intel (integrated graphics)                      |
| Networking       | Intel Wi-Fi 6 AX210 (no built-in wired Ethernet) |
| Firmware         | coreboot 8.97 (2023-10-03)                       |
| Operating system | Qubes OS (pre-installation optional)             |

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_top.png)](https://starlabs.systems/pages/starbook)

The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD 
resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. 
The backlit keyboard is available in US English, UK English, French, German, 
Nordic, and Spanish layouts.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_side.png)](https://starlabs.systems/pages/starbook)

The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, 
and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo 
jack, and a DC jack for charging. For more information, see the official [Star 
Labs StarBook](https://starlabs.systems/pages/starbook) page.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_back.png)](https://starlabs.systems/pages/starbook)

## Special note regarding the need for `kernel-latest` on Qubes OS 4.1

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. If you purchase a StarBook with Qubes OS 4.2 
preinstalled, you don't have to worry about this, as Qubes OS 4.2 is confirmed 
to work with the default kernel option and does not require `kernel-latest`. 
However, if you plan to install Qubes OS 4.1 on the StarBook, please be aware 
that you will have to select this non-default option.

## About Star Labs

In short, we're just a bunch of geeks. Back in 2016, Star Labs was formed in a 
pub. We all depended on using Linux, all with different laptops and all with 
different complaints about them. It always perplexed us that a laptop had never 
been made specifically for Linux. Whilst many had been "converted" to run Linux 
- they seldom offered the experience that macOS and Windows users had. So, 
after a few pints, we decided to make one. [Read the full story on the Star 
Labs website.](https://us.starlabs.systems/pages/about-us)

## What is Qubes-certified hardware?

[Qubes-certified hardware](https://www.qubes-os.org/doc/certified-hardware/) is 
hardware that has been certified by the Qubes developers as compatible with a 
specific [major release](https://www.qubes-os.org/doc/version-scheme/) of Qubes 
OS. All Qubes-certified devices are available for purchase with Qubes OS 
preinstalled. Beginning with Qubes 4.0, in order to achieve certification, the 
hardware must satisfy a rigorous set of [requirements], and the vendor must 
commit to offering customers the very same configuration (same motherboard, 
same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.

[Qubes-certified 
computers](https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-computers)
 are specific models that are regularly tested by the Qubes developers to 
ensure compatibility with all of Qubes' features. The developers test all new 
major versions and updates to ensure that no regressions are introduced.

It is important to note, however, that Qubes hardware certification certifies 
only that a particular hardware *configuration* is *supported* by Qubes. The 
Qubes OS Project takes no responsibility for any vendor's manufacturing, 
shipping, payment, or other practices, nor can we control whether physical 
hardware is modified 

Re: [qubes-users] Some issues during / after upgrading to 4.2.0

2024-01-10 Thread Andrew David Wong
On 1/9/24 2:11 PM, Ulrich Windl (Google) wrote:
> Hi!
> 
> Sorry for the delay, but attached is what I see.
> 
> Kind regards,
> Ulrich
> 

Thank you for your report. This is a known bug:

https://github.com/QubesOS/qubes-issues/issues/8725

> 06.01.2024 04:10:29 Andrew David Wong:
> 
>> On 1/4/24 3:20 PM, Ulrich Windl wrote:
>>> * fedora-38 is obsolete already? I thought fedora-37 is???
>>>
>>
>> No, Fedora 38 has not reached EOL:
>>
>> https://docs.fedoraproject.org/en-US/releases/eol/



Re: [qubes-users] Some issues during / after upgrading to 4.2.0

2024-01-05 Thread Andrew David Wong
On 1/4/24 3:20 PM, Ulrich Windl wrote:
> * fedora-38 is obsolete already? I thought fedora-37 is???
> 

No, Fedora 38 has not reached EOL:

https://docs.fedoraproject.org/en-US/releases/eol/



[qubes-users] Whonix 16 approaching EOL

2023-12-22 Thread Andrew David Wong
Dear Qubes Community,

Whonix 16 is currently 
[scheduled](https://www.whonix.org/wiki/About#Qubes_Hosts) to reach EOL 
(end-of-life) on 2024-01-18. We strongly recommend that all Whonix users 
upgrade to Whonix 17 before then. For more information, see [Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol). 
Please note that Whonix 17 is available only on Qubes OS 4.2.

There are three ways to upgrade to Whonix 17:

- *Recommended*: Perform a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) of [Qubes OS 
4.2.0](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/),
 which comes with Whonix 17 templates preinstalled (if selected during 
installation).

- *Recommended*: [Install fresh Whonix templates to replace the existing 
ones.](https://www.whonix.org/wiki/Qubes/Install) After you install the new 
templates, redo all desired template modifications and [switch everything that 
was set to the old templates to the new 
templates](https://www.qubes-os.org/doc/templates/#switching).

- *Advanced*: Perform an [in-place upgrade from Whonix 16 to Whonix 
17](https://www.whonix.org/wiki/Release_Upgrade_16_to_17). This option will 
preserve any modifications you've made to the templates, *but it may be more 
complicated for less experienced users.*


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/12/22/whonix-16-approaching-eol/



[qubes-users] Qubes OS 4.2.0 has been released!

2023-12-18 Thread Andrew David Wong
Dear Qubes Community,

Qubes OS 4.2.0 brings a host of new features, major improvements, and numerous 
bug fixes. The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes OS 4.2.0?

- Dom0 upgraded to Fedora 37 
([#6982](https://github.com/QubesOS/qubes-issues/issues/6982))
- Xen upgraded to version 4.17
- Default Debian template upgraded to Debian 12
- Default Fedora and Debian templates use Xfce instead of GNOME 
([#7784](https://github.com/QubesOS/qubes-issues/issues/7784))
- SELinux support in Fedora templates 
([#4239](https://github.com/QubesOS/qubes-issues/issues/4239))
- Several GUI applications rewritten, including:
  - Applications Menu (also available as preview in R4.1) 
([#6665](https://github.com/QubesOS/qubes-issues/issues/6665)), 
([#5677](https://github.com/QubesOS/qubes-issues/issues/5677))
  - Qubes Global Settings 
([#6898](https://github.com/QubesOS/qubes-issues/issues/6898))
  - Create New Qube
  - Qubes Update ([#7443](https://github.com/QubesOS/qubes-issues/issues/7443))
- Unified `grub.cfg` location for both UEFI and legacy boot 
([#7985](https://github.com/QubesOS/qubes-issues/issues/7985))
- PipeWire support 
([#6358](https://github.com/QubesOS/qubes-issues/issues/6358))
- fwupd integration for firmware updates 
([#4855](https://github.com/QubesOS/qubes-issues/issues/4855))
- Optional automatic clipboard clearing 
([#3415](https://github.com/QubesOS/qubes-issues/issues/3415))
- Official packages built using Qubes Builder v2 
([#6486](https://github.com/QubesOS/qubes-issues/issues/6486))
- Split GPG management in Qubes Global Settings
- Qrexec services use new qrexec policy format by default (but old format is 
still supported) ([#8000](https://github.com/QubesOS/qubes-issues/issues/8000))

For further details, see the [Qubes 4.2 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) and the [full 
list of issues completed for Qubes 
4.2](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+milestone%3A%22Release+4.2%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).

## Known issues in Qubes OS 4.2.0

DomU firewalls have completely switched to nftables. Users should add their 
custom rules to the `custom-input` and `custom-forward` chains. (For more 
information, see issues 
[#5031](https://github.com/QubesOS/qubes-issues/issues/5031) and 
[#6062](https://github.com/QubesOS/qubes-issues/issues/6062).)

Also see the [full list of open bug reports affecting Qubes 
4.2](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2+label%3A%22T%3A+bug%22+is%3Aopen).

We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## How to get Qubes OS 4.2.0

- If you don't have Qubes OS installed, or if you're currently on Qubes 4.0 or 
earlier, follow the [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).
- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/).
- If you're currently on a Qubes 4.2 release candidate (RC), [update 
normally](https://www.qubes-os.org/doc/how-to-update/).

In all cases, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new release signing key for Qubes 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 

Re: [qubes-users] Re: Introducing Qubes 3.0 LiveUSB (alpha)

2023-12-18 Thread Andrew David Wong
On 12/17/23 3:24 PM, leore...@gmail.com wrote:
> Hello Joanna, is there any more recent ISO?
> 

The "LiveUSB" version of Qubes is discontinued. However, you can install Qubes 
OS onto a USB drive and run it from there. Please see the installation guide 
for details:

https://www.qubes-os.org/doc/installation-guide/#installation-destination



[qubes-users] QSB-098: CPU microcode updates not loaded with dom0 kernel version 6.6.x

2023-12-15 Thread Andrew David Wong
thod is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   ```

[qubes-users] XSAs released on 2023-12-12

2023-12-12 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-447](https://xenbits.xen.org/xsa/advisory-447.html)
  - Qubes OS does not support ARM.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/12/12/xsas-released-on-2023-12-12/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa81e468-6e1c-4343-acaa-df59cc3e8d3a%40qubes-os.org.


[qubes-users] Qubes Canary 037

2023-12-11 Thread Andrew David Wong
 the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: I
   ```

[qubes-users] Qubes OS 4.2.0-rc5 is available for testing

2023-11-26 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the fifth [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page. For 
more information about the changes included in this version, see the [Qubes OS 
4.2.0 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) 
and the [full list of bugs affecting Qubes 4.2 that have been 
fixed](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+label%3Aaffects-4.2+label%3A%22T%3A+bug%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement. Here is 
the latest update:

At this point, we are hopeful that RC5 will be the final RC.

## Testing Qubes 4.2.0-rc5

Thank you to everyone who tested the previous Qubes 4.2.0 RCs! Due to your 
efforts, this new RC includes fixes for several bugs that were present in the 
previous RCs.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc5

If you're currently running any Qubes 4.2.0 RC, you can upgrade to the latest 
RC by [updating normally](https://www.qubes-os.org/doc/how-to-update/). 
However, please note that there have been some recent template changes, which 
are detailed in the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

If you're currently on Qubes 4.1 and wish to test 4.2, please see [how to 
upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/), which details 
both clean installation and in-place upgrade options. As always, we strongly 
recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
the new Qubes OS Release 4.2 Signing Key, which is 

[qubes-users] QSB-097: "Reptar" Intel redundant prefix vulnerability

2023-11-15 Thread Andrew David Wong
   ```shell_session
: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: pub
   ```

[qubes-users] XSAs released on 2023-11-14

2023-11-14 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected* by at least one of these XSAs.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-446](https://xenbits.xen.org/xsa/advisory-446.html)
  - For more information, see 
[QSB-096](https://www.qubes-os.org/news/2023/11/14/qsb-096/).

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-445](https://xenbits.xen.org/xsa/advisory-445.html)
  - Qubes OS uses only "basic" quarantine mode.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/11/14/xsas-released-on-2023-11-14/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a6750749-011a-4bbc-be8c-c5f1963c59b9%40qubes-os.org.


[qubes-users] QSB-096: BTC/SRSO fixes not fully effective (XSA-446)

2023-11-14 Thread Andrew David Wong
tures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.
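
The out-of-band fingerprint check that this procedure requires before the QMSK is set to ultimate trust, sketched as a script (an added example, not part of the original announcement or of any Qubes tooling). It compares the full 40-digit fingerprint of the imported key, never the short key ID, against fingerprints collected from independent sources. The function names, the two-source minimum and the sample `--with-colons` records are assumptions made here; only the key ID and fingerprint come from this page.

```shell
#!/bin/sh
# QMSK fingerprint as printed on this page.
QMSK_FPR_ON_PAGE='427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494'

# normalize_fpr FPR
# Strip whitespace, uppercase, and require exactly 40 hex digits.
# A 16-digit key ID is rejected on purpose: it is not a fingerprint.
normalize_fpr() {
    _n=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF')
    case "$_n" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#_n}" -eq 40 ] || return 1
    printf '%s\n' "$_n"
}

# primary_fpr_from_colons
# Read `gpg --with-colons --fingerprint KEY` output on stdin and print the
# primary key's fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub" { in_pub = 1; next }
        $1 == "sub" { in_pub = 0; next }
        $1 == "fpr" && in_pub { print $10; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# check_sources IMPORTED SRC1 SRC2 [...]
# Returns 0 only if at least two sources are given (assumed minimum for
# "multiple independent sources") and every one equals IMPORTED.
# Returns 1 on a mismatch, 2 on malformed or insufficient input.
check_sources() {
    _imported=$(normalize_fpr "$1") || {
        echo "imported fingerprint is malformed" >&2; return 2; }
    shift
    [ "$#" -ge 2 ] || {
        echo "need at least two independently obtained fingerprints" >&2
        return 2; }
    for _src in "$@"; do
        _s=$(normalize_fpr "$_src") || {
            echo "malformed source fingerprint: $_src" >&2; return 2; }
        if [ "$_s" != "$_imported" ]; then
            echo "MISMATCH: source says $_s, keyring has $_imported" >&2
            return 1
        fi
    done
    echo "all $# sources match $_imported"
}

# Constructed stand-in for the output of
#   gpg --with-colons --fingerprint DDFA1A3E36879494
# so the example runs offline. The timestamp field is made up.
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scESC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:
EOF
}

# Constructed value: same trailing 16 digits (the key ID) as the QMSK but a
# different fingerprint. Comparing key IDs alone would not tell them apart.
SAME_KEYID_OTHER_FPR='AAAAAAAAAAAAAAAAAAAAAAAADDFA1A3E36879494'

imported=$(sample_colons | primary_fpr_from_colons)

# The two sources below stand in for values the reader collected through
# separate channels; here both are simply the fingerprint from this page.
check_sources "$imported" "$QMSK_FPR_ON_PAGE" \
    '427f11fd0faa4b080123f01cddfa1a3e36879494'

# A source that agrees only on the key ID must fail the check.
if check_sources "$imported" "$QMSK_FPR_ON_PAGE" "$SAME_KEYID_OTHER_FPR" 2>/dev/null; then
    echo "unexpected: mismatch not detected" >&2
else
    echo "mismatch on full fingerprint detected, do not trust the key"
fi
```
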


Re: [qubes-users] Fedora 37 approaching EOL

2023-10-22 Thread Andrew David Wong
On 10/22/23 8:31 AM, Ulrich Windl (Google) wrote:
> Hi!
> 
> Wondering about "Dom0 upgraded to Fedora 37 
> (#6982[https://github.com/QubesOS/qubes-issues/issues/6982])":
> Is it planned to upgrade before final release?
> 
> Regards,
> Ulrich
> 

No, please see our note on dom0 and EOL:

https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b6f8eff9-34f3-4ac8-b2f6-9cf1076d2ed1%40qubes-os.org.


[qubes-users] Qubes OS 4.2.0-rc4 is available for testing

2023-10-13 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the fourth [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page.

## Main changes from RC3 to RC4

- Fixed: ["qvm-move fails, deletes origin file anyway" 
(#8516)](https://github.com/QubesOS/qubes-issues/issues/8516)
- Fixed: ["`90-default.policy` not upgraded after in-place upgrade from 4.1 to 
4.2" (#8458)](https://github.com/QubesOS/qubes-issues/issues/8458)
- Fixed: ["Qube Manager freezes while opening settings" 
(#8387)](https://github.com/QubesOS/qubes-issues/issues/8387)
- Fixed: ["Error when attempting to update dom0 in the Qube Manager" 
(#8117)](https://github.com/QubesOS/qubes-issues/issues/8117)
- Fixed: ["XScreenSaver & XScreenSaver Settings not opening window" 
(#8266)](https://github.com/QubesOS/qubes-issues/issues/8266)
- Fixed: ["Setting no-strict-reset option via salt on already attached devices 
doesn't work" (#8514)](https://github.com/QubesOS/qubes-issues/issues/8514)
- Fixed: ["qvm-copy-to-vm incorrect progress report" 
(#1519)](https://github.com/QubesOS/qubes-issues/issues/1519)
- Fixed: ["qubes-video-companion-receiver missing dependency on acl package" 
(#8426)](https://github.com/QubesOS/qubes-issues/issues/8426)
- Fixed: ["OpenBSD 7.3 ISO doesn't boot anymore" 
(#8502)](https://github.com/QubesOS/qubes-issues/issues/8502)
- Fixed: ["Kernel compile bogs down rest of system" 
(#8176)](https://github.com/QubesOS/qubes-issues/issues/8176)
- Fixed: ["rpm-oxide makes unjustified assumptions about RPM ABI" 
(#8522)](https://github.com/QubesOS/qubes-issues/issues/8522)
- Fixed: ["yk-auth YubiKey PAM script incorrectly expects \0 to be appended to 
hash" (#8517)](https://github.com/QubesOS/qubes-issues/issues/8517)
- Fixed: ["Qubes Application Menu isn't updated when using salt to modify 
menu-items" (#8494)](https://github.com/QubesOS/qubes-issues/issues/8494)
- Fixed: ["Different values for `menu-items` and `default-menu-items` are not 
preserved when cloning templates" 
(#8518)](https://github.com/QubesOS/qubes-issues/issues/8518)
- Fixed: ["Fix handling of menu items in GUI VM" 
(#8528)](https://github.com/QubesOS/qubes-issues/issues/8528)
- Fixed: ["Firefox does not start on 4.2-rc3 after upgrading template" 
(#8571)](https://github.com/QubesOS/qubes-issues/issues/8571)
- Fixed: ["Qubes R4.2.0-rc2 Qubes OS Global Config tool not see qubes-u2f 
installed in sys-usb" 
(#8463)](https://github.com/QubesOS/qubes-issues/issues/8463)
- Fixed: ["global config: policy rules for U2F incorrectly assume wildcard 
argument" (#8525)](https://github.com/QubesOS/qubes-issues/issues/8525)
- Fixed: ["Pipewire on some systems causes a lot of underruns" 
(#8576)](https://github.com/QubesOS/qubes-issues/issues/8576)
- Fixed: ["Listing PCI devices breaks when there is some with non- PCI 
domain" (#6932)](https://github.com/QubesOS/qubes-issues/issues/6932)
- Done: ["Prepare R4.1 -> R4.2 upgrade tool" 
(#7832)](https://github.com/QubesOS/qubes-issues/issues/7832)
- Done: ["Phase out legacy qrexec policy files" 
(#8000)](https://github.com/QubesOS/qubes-issues/issues/8000)
- Done: ["Better qrexec service configuration format" 
(#8153)](https://github.com/QubesOS/qubes-issues/issues/8153)
- Done: ["QRexec services should be able to specify the user they must run as" 
(#6354)](https://github.com/QubesOS/qubes-issues/issues/6354)
- Done: ["Qube Manager: Enable the 'restart qube' button for named disposables" 
(#8382)](https://github.com/QubesOS/qubes-issues/issues/8382)
- Done: ["Utilize memory hotplug to add VM memory by qmemman" 
(#7956)](https://github.com/QubesOS/qubes-issues/issues/7956)

For an overview of major changes from Qubes 4.1 to 4.2, please see the [Qubes 
OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement. Here is 
the latest update:

At this point, we are hopeful 

[qubes-users] Fedora 37 approaching EOL

2023-10-12 Thread Andrew David Wong
Dear Qubes Community,

Fedora 37 is currently 
[scheduled](https://fedorapeople.org/groups/schedule/f-39/f-39-key-tasks.html) 
to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
2023-11-21. We strongly recommend that all users 
[upgrade](https://www.qubes-os.org/doc/templates/fedora/#upgrading) their 
Fedora templates and standalones to [Fedora 
38](https://www.qubes-os.org/news/2023/05/26/fedora-38-templates-available/) 
before then. For more information, see [Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).

There are two ways to upgrade your template to a new Fedora release:

- *Recommended*: [Install a fresh template to replace the existing 
one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. To see a log of package manager actions, 
open a terminal in the old Fedora template and use the `dnf history` command.

- *Advanced*: [Perform an in-place upgrade of an existing Fedora 
template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template 
releases](https://www.qubes-os.org/doc/supported-releases/#templates). Please 
note that no user action is required regarding the OS version in dom0 (see our 
[note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/10/12/fedora-37-approaching-eol/



[qubes-users] XSAs released on 2023-10-10

2023-10-10 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-442](https://xenbits.xen.org/xsa/advisory-442.html)
  - Please see [QSB-095](https://www.qubes-os.org/news/2023/10/10/qsb-095/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-440](https://xenbits.xen.org/xsa/advisory-440.html)
  - Denial of service (DoS) only
- [XSA-441](https://xenbits.xen.org/xsa/advisory-441.html)
  - Denial of service (DoS) only
- [XSA-443](https://xenbits.xen.org/xsa/advisory-443.html)
  - Qubes OS does not use pygrub.
- [XSA-444](https://xenbits.xen.org/xsa/advisory-444.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/10/10/xsas-released-on-2023-10-10/



[qubes-users] QSB-095: Missing IOMMU TLB flushing on x86 AMD systems

2023-10-10 Thread Andrew David Wong
n quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:using RSA key 2D1771FE4D767EDC76B089FAD655A4

[qubes-users] XSAs released on 2023-09-25

2023-09-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-439](https://xenbits.xen.org/xsa/advisory-439.html)
  - Please see [QSB-094](https://www.qubes-os.org/news/2023/09/27/qsb-094/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/27/xsas-released-on-2023-09-25/



[qubes-users] QSB-094: x86/AMD: Divide speculative information leak

2023-09-27 Thread Andrew David Wong
w far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`gpg: Good signature from...` followed by an appropriate key. The `[full]` 
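
Step 7 relies on reading gpg's human-readable final line. The same decision can be made from GnuPG's machine-readable status lines, which `git verify-tag --raw` prints on standard error; the script below is an added example, not part of the original message or of Qubes' own tooling. The function names and the sample status lines are constructed for illustration, and the pinned fingerprint is the one shown in the `git tag -v` output above.

```shell
#!/bin/sh
# Added example: accept a signed tag only when GnuPG's status lines show
#   1. a good signature (GOODSIG),
#   2. made by the pinned fingerprint (VALIDSIG, signing key or primary key),
#   3. from a key whose computed validity is full or ultimate, which is what
#      the "[full]" marker in the human-readable output reflects.

# check_tag_status PINNED_FPR   (hypothetical helper name)
# Reads "[GNUPG:] ..." lines on stdin; exit status 0 means accept.
check_tag_status() {
    # Normalise the pin: drop spaces, upper-case the hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the fingerprint of its primary key.
        $2 == "VALIDSIG" { if ($3 == pinned || $NF == pinned) fpr_ok = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && fpr_ok && trusted && !bad) exit 0; exit 1 }
    '
}

# verify_tag TAG PINNED_FPR   (hypothetical wrapper; needs a cloned repo)
verify_tag() {
    # Send the status lines (stderr) into the pipe, discard the tag body.
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_tag_status "$2"
}

# --- Constructed sample status output, for offline demonstration only ---

# QMSK set to ultimate trust, so the signing key is fully valid.
sample_full() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_FULLY 0 pgp
EOF
}

# Same signature, but the trust step was skipped: validity is undefined.
sample_uncertified() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# A good signature from some other key in the keyring (placeholder
# fingerprint), even one marked ultimately trusted, must not pass the pin.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Constructed Other Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2023-03-02 1677757924 0 4 0 1 10 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

PIN="2D1771FE4D767EDC76B089FAD655A4F21830E06A"
for s in sample_full sample_uncertified sample_other_key; do
    if $s | check_tag_status "$PIN"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

In a cloned repository, the equivalent of step 7 would be `verify_tag "$(git describe)" "$PIN"`.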

Re: [qubes-users] Update problem with a 'debian-12-minimal' based template

2023-09-27 Thread Andrew David Wong
On 9/26/23 10:29 PM, Viktor Ransmayr wrote:
> Hello community,
> 
> I've started to update my Debian-based VMs from 11 to 12.
> 
> As part of this exercise, I also switched from 'debian-11' to 
> 'debian-12-minimal' as the initial template to clone from.
> 
> In general I'm quite happy with the results in one working Test-VM. - 
> However, when the system tries to update the new template, I consistently 
> get the following error:
> 
> 
> 
> Updating debian-12-vrsq
> 
> Error on updating debian-12-vrsq: Command '['sudo', 'qubesctl', 
> '--skip-dom0', '--targets=debian-12-vrsq', '--show-output', 'state.sls', 
> 'update.qubes-vm']' returned non-zero exit status 20.
> debian-12-vrsq:
>   --
>   _error:
>   Failed to return clean data
>   retcode:
>   1
>   stderr:
>   Traceback (most recent call last):
> File "/var/tmp/.root_dd8a91_salt/salt-call", line 27, in 
> 
>   salt_call()
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/scripts.py", line 
> 437, in salt_call
>   import salt.cli.call
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/call.py", line 
> 3, in 
>   import salt.cli.caller
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py", 
> line 12, in 
>   import salt.channel.client
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/channel/client.py", 
> line 13, in 
>   import salt.crypt
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/crypt.py", line 26, 
> in 
>   import salt.payload
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/payload.py", line 
> 12, in 
>   import salt.loader.context
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/loader/__init__.py", line 15, in 
> 
>   import salt.config
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 107, in 
> 
>   _DFLT_IPC_WBUFFER = int(_gather_buffer_space() * 0.5)
>   ^^
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 95, in 
> _gather_buffer_space
>   import salt.grains.core
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/grains/core.py", 
> line 30, in 
>   import salt.modules.cmdmod
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/modules/cmdmod.py", 
> line 32, in 
>   import salt.utils.templates
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/utils/templates.py", line 21, in 
> 
>   import salt.utils.http
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/utils/http.py", 
> line 27, in 
>   import salt.ext.tornado.simple_httpclient
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/simple_httpclient.py", 
> line 9, in 
>   from salt.ext.tornado.http1connection import HTTP1Connection, 
> HTTP1ConnectionParameters
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/http1connection.py", 
> line 31, in 
>   from salt.ext.tornado import iostream
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/iostream.py", line 42, 
> in 
>   import urllib3.util.ssl_match_hostname
>   ModuleNotFoundError: No module named 'urllib3'
>   [ERROR   ] An un-handled exception was caught by Salt's global 
> exception handler:
>   ModuleNotFoundError: No module named 'urllib3'
>   Traceback (most recent call last):
> File "/var/tmp/.root_dd8a91_salt/salt-call", line 27, in 
> 
>   salt_call()
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/scripts.py", line 
> 437, in salt_call
>   import salt.cli.call
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/call.py", line 
> 3, in 
>   import salt.cli.caller
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py", 
> line 12, in 
>   import salt.channel.client
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/channel/client.py", 
> line 13, in 
>   import salt.crypt
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/crypt.py", line 26, 
> in 
>   import salt.payload
> File "/var/tmp/.root_dd8a91_salt/pyall/salt/payload.py", line 
> 12, in 
>   import salt.loader.context
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/loader/__init__.py", line 15, in 
> 
>   import salt.config
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 107, in 
> 
>   _DFLT_IPC_WBUFFER = int(_gather_buffer_space() * 0.5)
>   ^^
> File 
> "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 95, in 
> _gather_buffer_space
>   import 

[qubes-users] XSAs released on 2023-09-20

2023-09-20 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-438](https://xenbits.xen.org/xsa/advisory-438.html)
  - Shadow paging is not built-in.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/20/xsas-released-on-2023-09-20/



[qubes-users] Tickets for Qubes OS Summit 2023 are now available!

2023-09-19 Thread Andrew David Wong
Dear Qubes Community,

The following announcement is from 3mdeb:

[![Tickets are available for Qubes OS Summit 
2023](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023-tickets.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023-tickets.png)

We have options for everyone:

- Virtual Qubes Pass for online attendees
- On-site Qubes Pass for those ready to join us in Berlin

The number of On-site Qubes Passes is limited, so book only if you will be 
there. Both tickets are free. Read more at: 


Have insights to share?   
Want to be a sponsor? 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/19/tickets-for-qubes-os-summit-2023-now-available/



[qubes-users] Qubes Canary 036

2023-09-13 Thread Andrew David Wong
just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security

Re: [qubes-users] Re: The NitroPC Pro is Qubes-certified!

2023-09-07 Thread Andrew David Wong
On 9/7/23 1:38 PM, Leo28C wrote:
> Is it "not certified" as in it doesn't run at all, or is it just to stop
> people from paying an extra 3 grand when the OS is software-rendered?
> 

When Nitrokey asked for the NitroPC Pro to be Qubes-certified, they did not ask 
for any discrete graphics configurations to be included in the evaluation, so 
the Qubes hardware certification team has not tested any such configuration.

On 9/7/23 5:15 PM, Sven Semmler wrote:
> Certification includes giving one machine to the Qubes OS team, so it can be 
> used in ongoing regression testing. It appears Nitrokey has provided the 
> variant without the discrete GPU [...]
> 

This is correct, except that it is actually two units:

https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-process

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d04e85fb-dc7b-d55c-4429-0a07e7791af8%40qubes-os.org.


[qubes-users] Re: The NitroPC Pro is Qubes-certified!

2023-09-07 Thread Andrew David Wong
On 9/6/23 10:57 AM, Andrew David Wong wrote:
> Dear Qubes Community,
> 
> It is our pleasure to announce that the [NitroPC 
> Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is [officially 
> certified](https://www.qubes-os.org/doc/certified-hardware/) for Qubes OS 
> Release 4!
> 
> ## The NitroPC Pro: a secure, powerful workstation
> 
> The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is 
> a workstation for high security and performance requirements. The open-source 
> [Dasharo coreboot](https://github.com/Dasharo/coreboot) firmware ensures high 
> transparency and security while avoiding backdoors and security holes in the 
> firmware. The device is certified for compatibility with Qubes OS 4.X by the 
> Qubes developers. Carefully selected components ensure high performance, 
> stability, and durability. The Dasharo Entry Subscription guarantees 
> continuous firmware development and fast firmware updates. 
> 
> [![Photo of NitroPC 
> Pro](https://www.qubes-os.org/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
> 
> Here's a summary of the main component options available for this mid-tower 
> desktop PC:
> 
> | Component | Options |
> |---|---|
> | Motherboard | MSI PRO Z690-A DDR5 (Wi-Fi optional) |
> | Processor | 12th Generation Intel Core i5-12600K or i9-12900K |
> | Memory | 16 GB to 128 GB DDR5 |
> | NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each |
> | SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each |
> | Integrated graphics | Intel UHD 770 |
> | Discrete graphics (optional) | Nvidia Geforce RTX 4070 or 4090 |
> | Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
> | Operating system (optional) | Qubes OS 4.1 or Ubuntu 22.04 LTS |
> 
> [...]
> 

*Important addendum*: As indicated in the table above, when configuring your 
NitroPC Pro on the Nitrokey website, there is an option for a discrete graphics 
card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics 
(e.g., Intel UHD 770, which is always included because it is physically built 
into the CPU). Please note that NitroPC Pro configurations that include 
discrete graphics cards are *not* Qubes-certified. The only NitroPC Pro 
configurations that are Qubes-certified are those that contain *only* 
integrated graphics.

> 
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2023/09/06/nitropc-pro-qubes-certified/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43000146-1ac7-8419-0e9f-9565f970db97%40qubes-os.org.


[qubes-users] XSAs released on 2023-09-05

2023-09-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-437](https://xenbits.xen.org/xsa/advisory-437.html)
  - This affects only 32-bit ARM processors, which Qubes OS does not support.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/05/xsas-released-on-2023-09-05/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39fa7f7b-7920-c77e-18e5-4ffac09ea7a2%40qubes-os.org.


[qubes-users] Qubes OS 4.2.0-rc3 is available for testing

2023-09-03 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the third [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page.

## Explanation for the early RC

We [announced 
RC2](https://www.qubes-os.org/news/2023/08/28/qubes-os-4-2-0-rc2-available-for-testing/)
 approximately one week ago. Normally, RC2 would have been tested for 
[approximately five 
weeks](https://www.qubes-os.org/doc/version-scheme/#release-schedule) before we 
announced RC3. However, RC2 contained several bugs (listed below), some of 
which prevented certain users from testing it. These bugs have been fixed in 
RC3. We've decided to release RC3 early, as an exception to our usual policy, 
in order to get these fixes out as quickly as possible so that more users can 
test 4.2 for longer before the eventual stable release.

## Main changes from RC2 to RC3

- Fixed: ["Installer in R4.2 does not warn about incompatible hardware" 
(#8345)](https://github.com/QubesOS/qubes-issues/issues/8345)
- Fixed: ["Wi-Fi firmware missing from default templates on 4.2.0-rc2 ISO" 
(#8452)](https://github.com/QubesOS/qubes-issues/issues/8452)
- Fixed: ["Qubes R4.2.0-rc2 cannot be installed on legacy BIOS system" 
(#8462)](https://github.com/QubesOS/qubes-issues/issues/8462)
- Fixed: ["R4.2 (rc1, rc2) unable to boot on Thinkpad T430 when UEFI is 
enabled" (#8464)](https://github.com/QubesOS/qubes-issues/issues/8464)

For an overview of major changes from Qubes 4.1 to 4.2, please see the [Qubes 
OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement.

At this point, we can say that there will be at least one more RC after this 
one.

## Testing Qubes 4.2.0-rc3

Thank you to everyone who tested the previous Qubes 4.2.0 RCs! Due to your 
efforts, this new RC includes fixes for several bugs that were present in the 
previous RCs.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
 We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc3

If you're currently running any Qubes 4.2.0 RC, you can upgrade to the latest 
RC by [updating normally](https://www.qubes-os.org/doc/how-to-update/). 
However, please note that there have been some recent template changes, which 
are detailed in the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

If you're currently on Qubes 4.1 and wish to test 4.2, please see [how to 
upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/), which details 
both clean installation and in-place upgrade options. As always, we strongly 
recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the 

Re: [qubes-users] Error installing Debian-12 template

2023-08-28 Thread Andrew David Wong
On 8/28/23 1:53 PM, Ulrich Windl wrote:
> Hi!
> 
> Following the instructions at 
> https://www.qubes-os.org/doc/templates/debian/#installing I repeatedly got 
> this error messages:
> 
> $ sudo qubes-dom0-update qubes-template-debian-12
> Redirecting to 'qvm-template install  debian-12'
> Downloading 'qubes-template-debian-12-0:4.0.6-202307240307'...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:01 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> Error: 'qubes-template-debian-12-0:4.0.6-202307240307' download failed.
> 
> I have no idea what might be wrong. Most likely the instructions are 
> incomplete.
> 
> 
> Kind regards,
> 
> Ulrich
> 

Marek posted about this on the forum:

https://forum.qubes-os.org/t/debian-12-templates-available/20604/9

I think it should be working now, since it's past 22:00 UTC. Could you try 
again?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af000bcf-e6ff-2f5e-ffc2-9f45a69fb85b%40qubes-os.org.


[qubes-users] Qubes OS 4.2.0-rc2 is available for testing

2023-08-28 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the second [release 
candidate](#what-is-a-release-candidate) (RC) for Qubes OS 4.2.0 is now 
available for [testing](https://www.qubes-os.org/doc/testing/). Qubes 4.2.0-rc2 
is available on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.0-rc2?

- Dom0 upgraded to Fedora 37
- Xen updated to version 4.17
- Default Debian template upgraded to Debian 12
- Default Fedora and Debian templates use Xfce instead of GNOME
- SELinux support in Fedora templates
- Several GUI applications rewritten, including:
  - Applications Menu
  - Qubes Global Settings
  - Create New Qube
  - Qubes Update
- Unified `grub.cfg` location for both UEFI and legacy boot
- PipeWire support
- fwupd integration for firmware updates
- Optional automatic clipboard clearing
- Official packages built using Qubes Builder v2
- Split GPG and Split SSH management in Qubes Global Settings

Please see the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) for details.

## When is the stable release?

That depends on the number of bugs discovered in this release candidate and 
their severity. As explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new release candidate is to 
collect bug reports, triage the bugs, and fix them. This usually takes around 
five weeks, depending on the bugs discovered. If warranted, we then issue a new 
release candidate that includes the fixes and repeat the whole process again. 
We continue this iterative procedure until we're left with a release candidate 
that's good enough to be declared the stable release. No one can predict, at 
the outset, how many iterations will be required (and hence how many release 
candidates will be needed before a stable release), but we tend to get a 
clearer picture of this with each successive release candidate, which we'll 
share in this section in future release candidate announcements. The feedback 
we receive on this release candidate will determine whether another one is 
required.

## Testing Qubes 4.2.0-rc2

Thank you to everyone who tested 4.2.0-rc1! Due to your efforts, this new 
release candidate includes fixes for several bugs that were present in the 
first release candidate.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new 
release candidate, you can help us improve the eventual stable release by 
[reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
 We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc2

[In-place upgrades from Qubes 4.1 to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/) are now implemented and ready 
for testing! As always, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

Current Qubes 4.2.0-rc1 systems should be [updated 
normally](https://www.qubes-os.org/doc/how-to-update/), but please note that 
some templates have changed from the first release candidate. These changes are 
listed [above](#whats-new-in-qubes-420-rc2).

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 

[qubes-users] Re: Debian 12 templates available

2023-08-27 Thread Andrew David Wong
> [supported template releases]

Link: https://www.qubes-os.org/doc/supported-releases/#templates

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d7c83cfc-b52c-3edb-4edd-1b174d658fb9%40qubes-os.org.


[qubes-users] Debian 12 templates available

2023-08-27 Thread Andrew David Wong
Dear Qubes Community,

The following new templates are now available:

*Qubes OS 4.1*
- Debian 12
- Debian 12 [minimal](https://www.qubes-os.org/doc/templates/minimal/)

*Qubes OS 4.2-rc1*
- Debian 12
- Debian 12 [minimal](https://www.qubes-os.org/doc/templates/minimal/)
- Debian 12 [Xfce](https://www.qubes-os.org/doc/templates/xfce/)

There are two ways to upgrade your template to a new Debian release:

- *Recommended*: [Install a fresh template to replace the existing 
one.](https://www.qubes-os.org/doc/templates/debian/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. In the old Debian template, see 
`/var/log/dpkg.log` and `/var/log/apt/history.log` for logs of package manager 
actions.

- *Advanced*: [Perform an in-place upgrade of an existing Debian 
template.](https://www.qubes-os.org/doc/templates/debian/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template releases]. Please note that no user 
action is required regarding the OS version in dom0 (see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/27/debian-12-templates-available/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dd4c2c8f-a747-be3c-63b4-5eacf2365dc8%40qubes-os.org.


Re: [qubes-users] "GVFS is not available"

2023-08-27 Thread Andrew David Wong
On 8/27/23 10:43 AM, Demi Marie Obenour wrote:
> On Sat, Aug 26, 2023 at 10:39:22PM -0700, Andrew David Wong wrote:
>> On 8/26/23 8:55 AM, ales...@magenta.de wrote:
>>> Steve Coleman:
>>>>
>>>>
>>>> On Sat, Aug 12, 2023, 12:54 PM <ales...@magenta.de> wrote:
>>>>
>>>> ales...@magenta.de:
>>>>  > I am using a fresh installation of Qubes 4.1.1.
>>>>  >
>>>>  > When I use the File Manager Preferences tab there is a message
>>>>  > indicating that GVFS is not available.
>>>>
>>>>
>>>> You need to install the gvfs package in the template you are using for 
>>>> your AppVM.
>>>>
>>>> It's not a standard package installed by default because it relies on many 
>>>> other packages. Do a search in your flavor repository (fedora,debian,etc) 
>>>> for the package and install it in your template, and then restart your 
>>>> AppVM.
>>>>
>>>>
>>>> https://wiki.gnome.org/Projects/gvfs
>>>
>>> But this is not an AppVM or a template, I think. I am seeing this message 
>>> from Dom0 environment.
>>>
>>> Troubleshooting Steps:
>>> a) Boot Qubes 4 and enter password to start login session
>>> b) Open Qubes menu in top panel
>>> c) Open System Tools, File Manager Settings
>>> d) Open Advanced tab
>>>
>>> The window title is "[Dom0] File Manager Preferences".
>>>
>>> Here is the message under a title "Missing dependencies" and inside a blue 
>>> box:
>>>
>>>> It looks like gvfs is not available.
>>>> Important features ... will not work.
>>>
>>> It seems like this must be a problem I must fix.
>>>
> 
>> No. It is recommended to avoid using the GUI file manager in dom0.
> 
> Should the default install omit the GUI file manager in dom0?  Having it
> and telling people not to use it is rather strange.

Yes: https://github.com/QubesOS/qubes-issues/issues/2458

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c835b83b-6c17-b11b-c069-7fc276d2ae57%40qubes-os.org.


Re: [qubes-users] "GVFS is not available"

2023-08-26 Thread Andrew David Wong
On 8/26/23 8:55 AM, ales...@magenta.de wrote:
> Steve Coleman:
>>
>>
>> On Sat, Aug 12, 2023, 12:54 PM > > wrote:
>>
>>     ales...@magenta.de :
>>  > I am using a fresh installation of Qubes 4.1.1.
>>  >
>>  > When I use the File Manager Preferences tab there is a message
>>  > indicating that GVFS is not available.
>>
>>
>> You need to install the gvfs package in the template you are using for your 
>> AppVM.
>>
>> It's not a standard package installed by default because it relies on many 
>> other packages. Do a search in your flavor repository (fedora,debian,etc) 
>> for the package and install it in your template, and then restart your AppVM.
>>
>>
>> https://wiki.gnome.org/Projects/gvfs 
> 
> But this is not an AppVM or a template, I think. I am seeing this message 
> from Dom0 environment.
> 
> Troubleshooting Steps:
> a) Boot Qubes 4 and enter password to start login session
> b) Open Qubes menu in top panel
> c) Open System Tools, File Manager Settings
> d) Open Advanced tab
> 
> The window title is "[Dom0] File Manager Preferences".
> 
> Here is the message under a title "Missing dependencies" and inside a blue 
> box:
> 
>> It looks like gvfs is not available.
>> Important features ... will not work.
> 
> It seems like this must be a problem I must fix.
> 

No. It is recommended to avoid using the GUI file manager in dom0.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c95a5da8-c67c-04df-abcf-860ebf37e6e8%40qubes-os.org.


[qubes-users] CORRECTION: Qubes OS Summit 2023: OCTOBER 6-8 in Berlin

2023-08-25 Thread Andrew David Wong
Dear Qubes Community,

_My apologies for the incorrect subject line in my previous email. The correct 
month is OCTOBER, not September!_

In conjunction with [3mdeb](https://3mdeb.com/), the fifth edition of our Qubes 
OS Summit will be held live this year from October 6 to 8 in Berlin, Germany! 
For more information about this event, including the CFP (which is open until 
October 2), please see: 

[![Qubes OS Summit 2023 
poster](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/25/qubes-os-summit-2023/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5d1e397d-9d25-d6a7-9be9-9a30a9d2db81%40qubes-os.org.


[qubes-users] Qubes OS Summit 2023: September 6-8 in Berlin

2023-08-25 Thread Andrew David Wong
Dear Qubes Community,

In conjunction with [3mdeb](https://3mdeb.com/), the fifth edition of our Qubes 
OS Summit will be held live this year from October 6 to 8 in Berlin, Germany! 
For more information about this event, including the CFP (which is open until 
October 2), please see: 

[![Qubes OS Summit 2023 
poster](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/25/qubes-os-summit-2023/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8bdb30a5-93cb-fb09-5d60-d62005cf37e0%40qubes-os.org.


[qubes-users] XSAs released on 2023-08-08

2023-08-09 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-432](https://xenbits.xen.org/xsa/advisory-432.html): See 
[QSB-092](https://www.qubes-os.org/news/2023/08/08/qsb-092/) for details.
- [XSA-434](https://xenbits.xen.org/xsa/advisory-434.html): See 
[QSB-093](https://www.qubes-os.org/news/2023/08/09/qsb-093/) for details.
- [XSA-435](https://xenbits.xen.org/xsa/advisory-435.html): See 
[QSB-093](https://www.qubes-os.org/news/2023/08/09/qsb-093/) for details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/09/xsas-released-on-2023-08-08/



[qubes-users] QSB-093: Transient execution vulnerabilities in AMD and Intel CPUs

2023-08-09 Thread Andrew David Wong
ated
   gpg: keybox '/home/user/.gnupg/pubring.kbx' created
   gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
   gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
   gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
   gpg: Total number processed: 1
   gpg:   imported: 1
   ```

   (See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more ways to obtain the QMSK.)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported

[qubes-users] Changing the way we use milestones in the issue tracker

2023-08-09 Thread Andrew David Wong
## Summary

Issues will no longer be assigned to milestones by default. Most issues won't 
have milestones. The Qubes developers will manually assign issues to 
milestones. We'll use labels like "affects-4.1" and "affects-4.2" to represent 
affected releases instead of milestones. The "Release TBD" and "Non-release" 
milestones are being phased out, as are milestones of the form "Release X.Y 
updates." Read on for a more detailed explanation.

## How milestones work right now

Currently, our milestone guidelines are as follows:

- Every issue should be assigned to *exactly one* milestone.
- For *bug reports*, the milestone designates the *earliest supported release* 
in which that bug is believed to exist.
- For *enhancements* and *tasks*, the milestone indicates that the goal is to 
implement or do that thing *in* or *for* that release.

For example, if you were to report a bug that affects both 4.1 and 4.2 right 
now, it would be assigned to the "Release 4.1 updates" milestone, because 4.1 
is the earliest supported release that the bug is believed to affect. As 
another example, if you were to open an enhancement issue right now, it would 
most likely be assigned to the "Release TBD" milestone, which means something 
like, "This enhancement, if it is ever implemented, will be implemented in some 
Qubes release or other, but it has not yet been determined which specific Qubes 
release that will be." If it were decided that this enhancement would be 
implemented for 4.2, for example, then the issue's milestone would be changed 
to "Release 4.2."

## Problems with the current system

Some people find our current use of milestones to be counterintuitive. For 
example, suppose that a bug is reported that affects both 4.1 and 4.2. The 
Qubes devs decide that it's not too serious, so it's okay just to fix it in 4.2 
and leave it be in 4.1. Some people have the intuition that the issue should be 
reassigned to the 4.2 milestone, since the devs just decided that's where it'll 
be fixed. However, under the current rules, that would be wrong, since the bug 
still affects 4.1, and 4.1 is the earliest affected supported release.

Similarly, suppose that someone reported a bug against 4.0, but it's one of 
those "we'll get around to fixing it someday, maybe" sort of bugs. Some people 
would be tempted to assign this issue to the "Release TBD" milestone on the 
grounds that the plan is to fix it at some yet-to-be-determined point in the 
distant future. However, this would again be wrong under the current rules, 
since the milestone for a bug report is supposed to represent the earliest 
supported release in which the bug is believed to exist, which is 4.0.

The current method also presents problems when it comes time to close old 
issues. As many of you have probably noticed, I recently closed a large number 
of issues that were on the "Release 4.0 updates" milestone, since 4.0 reached 
EOL over one year ago, and those issues had not seen any activity in over a 
year. The problem arises when an issue affects more than one release. For 
example, there were some issues that affected both 4.0 and 4.1. In accordance 
with our milestone rules, those issues were assigned to the 4.0 milestone. When 
it came time to bulk-close the old 4.0 issues, issues were closed even though 
they also affect 4.1, which is still supported. The fact that those issues also 
affect 4.1 wasn't represented in a label or milestone (just in a free-text 
comment), so I had no way to filter them out when performing the bulk close 
action.

Finally, each milestone has a progress indicator that shows the percentage of 
completed issues on that milestone, but this indicator isn't very useful when 
every issue that affects a given release gets assigned to that milestone, 
regardless of whether the devs actually plan to act on it. When every release 
ships with a partially-completed milestone, it becomes an unreliable indicator.

## Analyzing the nature of milestones

Let's step back for a moment and think about what milestones are and what 
purpose they're supposed to serve. An issue tracking system doesn't actually 
*have* to have milestones at all. They're an optional feature. All an issue 
tracking system really needs is a single type of "tag" functionality (what 
GitHub calls "labels"). You can re-create almost any other type of issue 
tracking functionality (including milestones) with just tags. From this 
perspective, GitHub's milestones are basically the same as labels, except for 
two distinctive features:

- Unlike labels, milestones are mutually exclusive. An issue can have an 
unlimited number of labels, but it can be assigned to at most one milestone.
- Unlike labels, milestones have progress indicators.

So, if we're going to use milestones, it makes sense to use them in a way that 
takes advantage of these distinctive features.

## How we plan to use milestones going forward

Issues will no longer immediately be assigned to milestones. 

[qubes-users] QSB-092: Buffer overrun in Linux netback driver (XSA-432)

2023-08-08 Thread Andrew David Wong
ore ways to obtain the QMSK.)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A

[qubes-users] Update for QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

2023-08-02 Thread Andrew David Wong
 order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total nu

[qubes-users] XSAs released on 2023-08-01

2023-08-01 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-436](https://xenbits.xen.org/xsa/advisory-436.html)
  - This affects only ARM processors, which Qubes OS does not support.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/01/xsas-released-on-2023-08-01/



Re: [qubes-users] Disabling Hibernation universally

2023-07-29 Thread Andrew David Wong
On 7/29/23 8:48 AM, ales...@magenta.de wrote:
> I am still in the process of configuring Qubes (4.1.1). I am trying now to 
> disable Hibernation at all levels of the system.
> 
> I couldn't find any reference of Hibernation in the official documentation or 
> the Wiki. Could someone describe the way to disable it universally?
> 

Xen does not support hibernation, so it is already "disabled" by default.



[qubes-users] QSB-091: Windows PV drivers potentially compromised

2023-07-27 Thread Andrew David Wong
: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key &q

[qubes-users] XSAs released on 2023-07-24

2023-07-24 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-433](https://xenbits.xen.org/xsa/advisory-433.html)
  - See [QSB-090](https://www.qubes-os.org/news/2023/07/24/qsb-090/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/07/24/xsas-released-on-2023-07-24/



[qubes-users] QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

2023-07-24 Thread Andrew David Wong
thod is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg

Re: [qubes-users] QubesIncoming folder in /tmp ??

2023-06-30 Thread Andrew David Wong
On 6/30/23 3:27 AM, haaber wrote:
> Hi I was wondering if it would not be preferable (at least in some VMs)
> to delocalise the QubesIncoming folder in /tmp to have it "cleaned up"
> regularly. It's a pain to do so manually. Is there a problem doing so ? 
> What would be the cleanest way to do it? A symlink ??  thank you, Bernhard
> 

I thought there was already an open issue for this, but I couldn't find one, so 
I just opened this:

https://github.com/QubesOS/qubes-issues/issues/8307



Re: [qubes-users] split firefox & thunderbird credentials?

2023-06-23 Thread Andrew David Wong
On 6/22/23 7:38 AM, haaber wrote:
> I was wondering if the awesome split-ssh and split-gpg  family could be
> extended by a split-mozilla brother, that outsources passwords to vault
> without exposing them? The lack of such a feature obliges me *not* to
> save them within the two apps, which is a terrible pain, of course 
> 
> thanks in advance
> 

Rusty wrote this:

https://github.com/rustybird/qubes-app-split-browser

(Disclaimers: It's unofficial. I haven't tried it myself.)



Re: [qubes-users] Q4.1 xfce - "clicks in the void"

2023-06-06 Thread Andrew David Wong
On 6/5/23 3:39 AM, haaber wrote:
> I often experience clicks that get lost "in the void" meaning that the
> actual xfce window does not seem to receive them.
> 
> Typical example: I use firefox, and a noscript pop-up ("load
> anonymously") with a button to click on: but I can't. What helps then,
> is changing the virtual screen (go away) and coming back: after this, 
> the click arrives again at the destination window. Very annoying!
> 
> Am I alone with this problem???  Best, Bernhard
> 

There's a longstanding bug where certain types of windows sometimes can't be 
clicked until focus is removed from that window, then given back again. I 
usually alt+tab to another window, then back to the original window to fix 
this. I'm not sure if you're experiencing the same thing, but it sounds 
similar. Also, I'm not sure if this is the right issue for what I'm describing, 
but it seems to fit:

https://github.com/QubesOS/qubes-issues/issues/3267



[qubes-users] Qubes OS 4.2.0-rc1 is available for testing

2023-06-03 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first [release 
candidate](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available 
for [testing](https://www.qubes-os.org/doc/testing/). This [minor 
release](#what-is-a-minor-release) includes several new features and 
improvements over Qubes OS 4.1.0. Qubes 4.2.0-rc1 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.0?

- Dom0 upgraded to Fedora 37
- Xen updated to version 4.17
- SELinux support in Fedora templates
- Several GUI applications rewritten, including:
  - Applications Menu
  - Qubes Global Settings
  - Create New Qube
  - Qubes Update
- Unified `grub.cfg` location for both UEFI and legacy boot
- PipeWire support
- fwupd integration for firmware updates
- Optional automatic clipboard clearing
- Official packages built using Qubes Builder v2

Please see the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) for details.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
 the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page under the Qubes 
OS 4.2.0-rc1 ISO.

## Testing Qubes 4.2.0-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this release 
candidate, you can help us improve the eventual stable release by [reporting 
any bugs you encounter](https://www.qubes-os.org/doc/issue-tracking/). We 
encourage experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of known bugs in Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.2%22+label%3A%22T%3A+bug%22).
 We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc1

It is not yet possible to perform an in-place upgrade from Qubes 4.1 to Qubes 
4.2. For this initial release candidate, a clean installation is required. An 
in-place upgrade tool is in development.

## When is the stable release?

That depends on the number of bugs discovered in this release candidate and 
their severity. As explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new release candidate is to 
collect bug reports, triage the bugs, and fix them. This usually takes around 
five weeks, depending on the bugs discovered. If warranted, we then issue a new 
release candidate that includes the fixes and repeat the whole process again. 
We continue this iterative procedure until we're left with a release candidate 
that's good enough to be declared the stable release. No one can predict, at 
the outset, how many iterations will be required (and hence how many release 
candidates will be needed before a stable release), but we tend to get a 
clearer picture of this with each successive release candidate, which we'll 
share in this section in future release candidate announcements.

In the case of Qubes 4.2.0 specifically, we already know that there will be a 
second release candidate (in order to test the in-place upgrade procedure, if 
nothing else). As mentioned above, we expect to announce that second release 
candidate in approximately five weeks. The results of that second release 
candidate will determine 

[qubes-users] Qubes Canary 035

2023-05-22 Thread Andrew David Wong
94
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid Open

[qubes-users] XSAs released on 2023-05-16

2023-05-16 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-431](https://xenbits.xen.org/xsa/advisory-431.html)
  - Qubes OS 4.1 uses an unaffected version of Xen (4.14).

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/05/16/xsas-released-on-2023-05-16/



Re: [qubes-users] Best practice VPN in Qubes

2023-05-13 Thread Andrew David Wong
On 5/13/23 7:33 AM, taran1s wrote:
> 
> 
> Demi Marie Obenour:
>> On Sat, May 13, 2023 at 10:57:00AM +, Qubes OS Users Mailing List wrote:
>>> Andrew David Wong:
>>>> On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
>>>>> If anon-whonix AppVM is set to use mullvad-VPN that is connected to 
>>>>> sys-whonix it doesn't connect to internet. If one uses Debian or Fedora 
>>>>> based AppVM and runs vanilla Firefox, it works like a breeze.
>>>>>
>>>>> Any ideas how to solve this?
>>>>>
>>>>
>>>> I think that's by design. Whonix does that to protect you from 
>>>> accidentally compromising your own privacy.
>>
> 
> The answer below was meant to you David. I misidentified Patrick as the 
> author of the answer.
> 

You can call me "Andrew." "David" is my middle name. :)

>>
>>> Thank you for the answer Patrick. It is possible. The question is how does
>>> one use VPN over Tor in this case with Torbrowser that doesn't compromise
>>> the privacy (see the use case below please).
>>> The use case is to connect to a service like Twitter that is not Tor
>>> friendly from a static non-tor IP address (VPN), but at the same time hide
>>> my real IP address from the VPN provider by using Tor before I connect to
>>> the VPN.
>>
>>> Some services, like Twitter even if they have onion site keep forcing me to
>>> reset password periodically, reminding me that there is a suspicious
>>> behavior (just by connecting from Tor, not even posting anything) in an
>>> endless loop.
>>
>>> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
>>> for connection to that particular account only and nothing else, no other
>>> apps or even websites ever used in that anon-whonix-twitter AppVM.
>>
>>> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
>>> to work in the VPN over Tor scenario?
>>
>> I would use the onion service and deal with the Twitter-side brokenness.
> 

You should read this, then decide whether you still think this setup would be a 
good idea for you:

https://www.whonix.org/wiki/Tunnels/Introduction



Re: [qubes-users] Best practice VPN in Qubes

2023-05-12 Thread Andrew David Wong
On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
> If anon-whonix AppVM is set to use mullvad-VPN that is connected to 
> sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based 
> AppVM and runs vanilla Firefox, it works like a breeze.
> 
> Any ideas how to solve this?
> 

I think that's by design. Whonix does that to protect you from accidentally 
compromising your own privacy.



Re: [qubes-users] Re: QSB-089: Qrexec: Memory corruption in service request handling

2023-05-12 Thread Andrew David Wong
On 5/11/23 11:00 PM, Vít Šesták wrote:
> If the process is not reused, just an update without restarting anything is 
> enough, isn't it? (This wouldn't be the case if the process was forking 
> from a zygote.)

Marek has previously told me that only Xen and Kernel updates require a reboot. 
FWIW, `needs-restarting -r` also didn't detect anything requiring a restart.

> After the update, I got a shower of notifications “Failed to execute 
> qubes.WindowIconUdater (from  to dom0)”, probably for each 
> running domU qube. 

Same.

> But this looks like a temporary issue, as QRPc seems to 
> continue working, either for newly launched qubes and for qubes launched 
> before update.

I haven't noticed any unusual behavior either.



[qubes-users] Fedora 36 reaches EOL on 2023-05-16

2023-05-11 Thread Andrew David Wong
Dear Qubes Community,

The Fedora Project has 
[announced](https://lists.fedoraproject.org/archives/list/annou...@lists.fedoraproject.org/thread/4GXBZJSGQ2PEKIBM2APCTLXBS6IDKSOP/)
 that Fedora 36 will reach EOL 
([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 2023-05-16. We 
strongly recommend that all users 
[upgrade](https://www.qubes-os.org/doc/templates/fedora/#upgrading) their 
Fedora templates and standalones to [Fedora 
37](https://www.qubes-os.org/news/2023/03/03/fedora-37-templates-available/) no 
later than 2023-05-16.

We provide fresh Fedora 37 template packages through the official Qubes 
repositories, which you can install in dom0 by following the standard 
[installation 
instructions](https://www.qubes-os.org/doc/templates/fedora/#installing). 
Alternatively, we also provide step-by-step instructions for [performing an 
in-place 
upgrade](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) of an 
existing Fedora template. After upgrading your templates, please remember to 
[switch all qubes that were using the old template to use the new 
one](https://www.qubes-os.org/doc/templates/#switching).

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template 
releases](https://www.qubes-os.org/doc/supported-releases/#templates).

Please note that no user action is required regarding the OS version in dom0. 
For details, please see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/05/11/fedora-36-reaches-eol-on-2023-05-16/



[qubes-users] QSB-089: Qrexec: Memory corruption in service request handling

2023-05-11 Thread Andrew David Wong
out these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`gpg: Good signature from...` followed by an appropriate key. The `[full]` 
indicates full trust, which this key inherits in virtue of being validly signed 
by the QMSK.

8. Verify PGP signatures, e.g.:

   ```shell_session
   $ cd QSBs/
   $ gpg --verify qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
   gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   $ gpg --verify qsb-087-2022.txt.sig.simon qsb-087-2022.txt
   gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
   gpg:                using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
   gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
   $ cd ../canaries/
   $ gpg --verify canary-034-2023.txt.sig.marmarek canary-034-2023.txt
   gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   $ gpg --verify canary-034-2023.txt.sig.simon canary-034-2023.txt
   gpg: Signature made Thu 02 Mar 2023 01:47:52 AM PST
   gpg:                using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
   gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
   ```

   Aga
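
The check from steps 7 and 8, automated over GnuPG's machine-readable status output, as an added example that is not part of the original message or the Qubes project's tooling. It shows why "Good signature" alone is not sufficient: the verdict also requires the expected signing key and a key validity of full or ultimate. `check_status`, `verify_detached` and the sample status lines are constructed here; the fingerprints are the ones printed after "using RSA key" in the sessions above.

```shell
#!/bin/sh
# Added example: machine-check a detached signature instead of eyeballing it.
# Function names and sample status lines are constructed for illustration.

# Signing-key fingerprints as printed after "using RSA key" in the sessions above.
MAREK_FPR=2D1771FE4D767EDC76B089FAD655A4F21830E06A
SIMON_FPR=EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490

# Read `gpg --status-fd` lines on stdin, print one verdict, return 0 only for "ok":
#   ok                  one valid signature, expected key, validity full/ultimate
#   no-valid-signature  bad, expired, revoked, unverifiable, or not exactly one
#   unexpected-signer   valid signature, but made by a different key
#   key-not-validated   valid signature, but the key is not validated via the QMSK
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { nvalid++; if (toupper($3) == toupper(want)) signer_ok = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            if (bad || nvalid != 1) v = "no-valid-signature"
            else if (!signer_ok)    v = "unexpected-signer"
            else if (!trusted)      v = "key-not-validated"
            else                    v = "ok"
            print v
            exit (v != "ok")
        }
    '
}

# Verify one detached signature with a real GnuPG keyring, for example:
#   verify_detached canary-034-2023.txt.sig.marmarek canary-034-2023.txt "$MAREK_FPR"
verify_detached() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output: good signature, key validated through the QMSK.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757908 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed: same signature, but the QMSK was never given ultimate trust, so
# the human-readable output would still say "Good signature", without "[full]".
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757908 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the signed file was modified after signing.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)'

# Demo over the constructed samples; no keyring or network access is needed.
for sample in "$SAMPLE_GOOD" "$SAMPLE_UNTRUSTED" "$SAMPLE_BAD"; do
    printf '%s\n' "$sample" | check_status "$MAREK_FPR" || true
done
```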

Re: [qubes-users] Colourful prompt

2023-05-04 Thread Andrew David Wong
On 5/3/23 4:02 AM, Qubes wrote:
> I have noticed on Fedora, the cli prompt itself is not colourful although the 
> rest of the output is. Is there a way to get the prompt itself in colour as 
> well? The prompt on Debian is in colour, it makes it easier to find things 
> when the prompt is in colour as well.
> 

Since this is not a Qubes-specific question, you might have better luck 
searching the web for how to do this in Fedora (or Linux in general) or asking 
in a Fedora (or general Linux) venue.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3100e550-911f-c078-72a8-e075512009e9%40qubes-os.org.


Re: [qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

2023-05-04 Thread Andrew David Wong
On 5/3/23 8:30 AM, Leo28C wrote:
> On Wed, May 3, 2023 at 5:12 AM Andrew David Wong wrote:
> 
>> nor can we control whether physical hardware is modified (whether
>> maliciously or otherwise) *en route* to the user.
>>
> 
> Actually you could:
> 
> 1) Laminate product with `warranty void if removed` stickers of various
> brands and types
> 2) Send PGP-signed high-res photo of sticker placement to buyer before
> shipping
> 3) Buyer receives product and compares sticker placement to the photo to
> verify integrity
> 

We (the Qubes OS Project) can't do that, because we never take possession of 
inventory. When you purchase a Qubes-certified computer from a vendor, you are 
purchasing directly from that vendor.

However, you could offer your suggestion to the vendors who sell 
Qubes-certified hardware.



[qubes-users] The NovaCustom NV41 Series laptop is Qubes-certified!

2023-05-03 Thread Andrew David Wong
Dear Qubes Community,

It is our pleasure to announce that the [NovaCustom NV41 
Series](https://configurelaptop.eu/nv41-series/) laptop has become the fifth 
[Qubes-certified computer](https://www.qubes-os.org/doc/certified-hardware/) 
for Qubes 4.X!

## About the NovaCustom NV41 Series

The [NV41 Series](https://configurelaptop.eu/nv41-series/) is a 14-inch laptop 
from [NovaCustom](https://configurelaptop.eu/), a European vendor known for 
their highly customizable, Linux-friendly laptops. This 12th Generation Intel 
Core (Alder Lake) laptop comes with Dasharo coreboot open-source firmware, 
USB-C charging, the latest Intel Xe graphics, and up to 64 GB of memory.

## Qubes-certified configurations

The following configuration options are certified for Qubes OS 4.X:

Processor:
- Intel Core i5-1240P processor
- Intel Core i7-1260P processor

Memory (Dual Channel):
- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)

M.2 storage chip:
- Samsung 980 SSD (all capacities)
- Samsung 980 Pro SSD (all capacities)

Wi-Fi and Bluetooth:
- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + 
Bluetooth 5.3
- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
- No Wi-Fi/Bluetooth chip

### Notes on Wi-Fi and Bluetooth options

- When viewed in a Linux environment with `lspci`, the "Killer (Intel) 
Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3" device 
displays the model number "AX210." However, according to its [Intel Ark 
entry](https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html)
 (in the "Product Brief" file), they are actually the same Wi-Fi module.

- Similarly, when viewed in a Linux environment with `lspci`, the "Blob-free: 
Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0" device displays 
the model number "AR9462," which seems to be just the Wi-Fi chip model number, 
whereas "QCNFA222" seems to be the model number of the whole device (which 
includes Bluetooth). Meanwhile, the Bluetooth device presents itself as "IMC 
Networks Device 3487."

- The term "blob-free" is used in different ways. In practice, being 
"blob-free" generally does *not* mean that the device does not use any 
closed-source firmware "blobs." Rather, it means that the device comes with 
firmware *preinstalled* so that it does not have to be loaded from the 
operating system. In theory, the preinstalled firmware could be open-source, 
but as far as we know, that is not the case with this particular Atheros 
Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the 
past, but only for other device models, as far as we are aware.) Meanwhile, the 
Free Software Foundation (FSF) 
[considers](https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary)
 unmodifiable preinstalled firmware to be part of the hardware, hence they 
regard such hardware as "blob-free" from a software perspective. While common 
usage of the term "blob-free" often follows the FSF's interpretation, it is 
worthwhile for Qubes users who are concerned about closed-source firmware to 
understand the nuance.

## Special note regarding the need for `kernel-latest`

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. At the time of this announcement, `kernel-latest` is 
*required* for the NovaCustom NV41 Series to function properly. Therefore, all 
potential purchasers and users of this model should be aware that they will 
have to select a non-default option (`Install Qubes OS RX using kernel-latest`) 
from the GRUB menu when booting the installer. However, since Linux 6.1 has 
officially been promoted to being a long-term support (LTS) kernel, it will 
become the default kernel at some point, which means that the need for this 
non-default selection is only temporary.

## What is Qubes-certified hardware?

[Qubes-certified hardware](https://www.qubes-os.org/doc/certified-hardware/) is 
hardware that has been certified by the Qubes developers as compatible with a 
specific [major release](https://www.qubes-os.org/doc/version-scheme/) of Qubes 
OS. All Qubes-certified devices are available for purchase with Qubes OS 
preinstalled. Beginning with Qubes 4.0, in order to achieve certification, the 
hardware must satisfy a rigorous set of [requirements], and the vendor must 
commit to offering customers the very same configuration (same motherboard, 
same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.

[Qubes-certified 
computers](https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-computers)
 are specific models that are regularly tested by the Qubes developers to 
ensure 

[qubes-users] XSAs released on 2023-04-25

2023-04-25 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-430](https://xenbits.xen.org/xsa/advisory-430.html)
  - Shadow paging is disabled in Qubes OS at build time.
  - Qubes OS 4.1 uses an unaffected version of Xen (4.14).

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/04/25/xsas-released-on-2023-04-25/



Re: [qubes-users] networking in minimal-qube ??

2023-04-25 Thread Andrew David Wong
On 4/24/23 11:25 PM, haaber wrote:
> I grabbed a debian-11-minimal, updated it & installed thunderbird into
> it to have a mail-reading template.
> 
> It worked for some hours, but now it lost network access in its AppVM's.
> When I restart the same appvm with debian-11 network is back.  Do I miss
> a package ??
> 
> 
> thank you, Bernhard
> 

Minimal templates require the 'qubes-core-agent-networking' package for 
networking:

https://www.qubes-os.org/doc/templates/minimal/#distro-specific-notes



Re: [qubes-users] Odd behavior wile running two separate Whonix gateways

2023-03-24 Thread Andrew David Wong
On 3/23/23 9:23 PM, tiesta_symonne61 via qubes-users wrote:
> I'm pretty
> sure the actual traffic is being routed through the correct gateways, but
> my only metric for knowing that is looking at CPU usage while stressing
> the connection and making sure the correct chain of net vm's light up.
> 

Why not use the preinstalled "Nyx - Status Monitor for Tor" tool? It creates a 
nice traffic graph for you and shows you upload and download usage in real 
time. There's even a menu entry for it by default, so it's easy to open.



[qubes-users] QSB-088: Two Xen issues affecting PV (stub-)domains (XSA-428, XSA-429)

2023-03-21 Thread Andrew David Wong
cates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D:

[qubes-users] Marek Marczykowski-Górecki to be interviewed at Dasharo virtual event

2023-03-15 Thread Andrew David Wong
Dear Qubes Community,

Our project lead, [Marek 
Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)
 will be interviewed tomorrow during the [Dasharo Developers 
vPub](https://vpub.dasharo.com/e/1/dasharo-user-group-1). This is a virtual 
event hosted by the [Dasharo](https://www.dasharo.com/) team, who just 
introduced [the first Qubes-certified desktop 
computer](https://www.qubes-os.org/news/2023/03/15/dasharo-fidelisguard-z690-first-qubes-certified-desktop).

[![Dasharo User Group (DUG) #1 and Dasharo Developers vPub 0x6 informational 
poster](https://www.qubes-os.org/attachment/posts/dasharo-event-1.png)](https://vpub.dasharo.com/e/1/dasharo-user-group-1)

The Dasharo Developers vPub will be preceded by the first Dasharo User Group 
meeting, which may be of interest for Qubes users who wish to learn more about 
open-source firmware or are curious about the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 Qubes-certified computer.

[Read the full announcement for more 
information.](https://vpub.dasharo.com/e/1/dasharo-user-group-1)

## About Dasharo

"Dasharo is an open-source firmware distribution focusing on seamless 
deployment, clean and simple code, long-term maintenance, professional support, 
transparent validation, superior documentation, privacy-respecting 
implementation, liberty for the owners and trustworthiness for all." [Learn 
more about Dasharo.](https://docs.dasharo.com/osf-trivia-list/dasharo/)

Dasharo is a registered trademark of and a product developed by 
[3mdeb](https://3mdeb.com/).

## About 3mdeb

3mdeb and the Qubes OS Project have been partnering together for years to hold 
Qubes OS Summits. Michał Żygowski shared the story with us in [Qubes OS Summit: 
History from organizer's 
perspective](https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/).
 You can watch videos from the 2022 summit 
[here](https://www.youtube.com/watch?v=hkWWz3xGqS8) and 
[here](https://www.youtube.com/watch?v=A9GrlQsQc7Q). 3mdeb has also been 
instrumental in recent work on [TrenchBoot Anti Evil Maid for Qubes 
OS](https://www.qubes-os.org/news/2023/01/31/trenchboot-aem-for-qubes-os/). 
[Learn more about 3mdeb.](https://3mdeb.com/about-us/)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/15/marek-marczykowski-gorecki-interviewed-dasharo-virtual-event/



[qubes-users] The Dasharo FidelisGuard Z690 is the first Qubes-certified desktop computer!

2023-03-15 Thread Andrew David Wong
Dear Qubes Community,

It is our pleasure to announce that the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 has become the fourth [Qubes-certified 
computer](https://www.qubes-os.org/doc/certified-hardware/) for Qubes 4.X and 
the *first* Qubes-certified desktop computer *ever*!

(In related news, the [Dasharo User Group #1 and Dasharo Developers vPub 
0x6](https://www.qubes-os.org/news/2023/03/15/marek-marczykowski-gorecki-interviewed-dasharo-virtual-event)
 virtual event is tomorrow and will include an interview with our project lead, 
[Marek 
Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)!)

## About the Dasharo FidelisGuard Z690

[![Photo of MSI PRO Z690-A DDR4 
motherboard](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_1.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

The [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 is a full desktop PC build that brings the [Dasharo](https://dasharo.com/) 
open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with 
Qubes OS preinstalled. The full configuration includes:

| Part         | Model Name                                                       |
|--------------|------------------------------------------------------------------|
| CPU          | Intel Core i5-12600K, 3.7GHz                                     |
| Cooling      | Noctua CPU NH-U12S Redux                                         |
| RAM          | Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17   |
| Power Supply | Seasonic Focus PX 750W 80 Plus Platinum                          |
| Storage      | SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe                |
| Enclosure    | SilentiumPC Armis AR1                                            |

[![Photo of Dasharo FidelisGuard Z690 with open 
case](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_2.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

This computer comes with a "Dasharo Supporters Entrance Subscription," which 
includes the following:

- Full access to [Dasharo Tools Suite 
(DTS)](https://docs.dasharo.com/dasharo-tools-suite/overview/)
- The latest Dasharo releases issued by the Dasharo Team
- Special Dasharo updates for supporters
- Dasharo Premier Support through an invite-only Matrix channel
- Influence on the Dasharo feature roadmap

[![Photo of Dasharo FidelisGuard Z690 with open 
case](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_3.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

For further details, please see the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 product page.

[![Photo of the outside of the Dasharo FidelisGuard 
Z690](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_4.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

## Special note regarding the need for `kernel-latest`

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. At the time of this announcement, `kernel-latest` is 
*required* for the Dasharo FidelisGuard Z690's graphics drivers to function 
properly. Therefore, all potential purchasers and users of this model should be 
aware that they will have to select a non-default option (`Install Qubes OS RX 
using kernel-latest`) from the GRUB menu when booting the installer. However, 
since Linux 6.1 has officially been promoted to being a long-term support (LTS) 
kernel, it will become the default kernel at some point, which means that the 
need for this non-default selection is only temporary.

## About Dasharo

"Dasharo is an open-source firmware distribution focusing on seamless 
deployment, clean and simple code, long-term maintenance, professional support, 
transparent validation, superior documentation, privacy-respecting 
implementation, liberty for the owners and trustworthiness for all." [Learn 
more about Dasharo.](https://docs.dasharo.com/osf-trivia-list/dasharo/)

Dasharo is a registered trademark of and a product developed by 
[3mdeb](https://3mdeb.com/).

## About 3mdeb

3mdeb and the Qubes OS Project have been partnering together for years to hold 
Qubes OS Summits. Michał Żygowski shared the story with us in [Qubes OS Summit: 
History from organizer's 
perspective](https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/).
 You can watch videos from the 2022 summit 
[here](https://www.youtube.com/watch?v=hkWWz3xGqS8) and 
[here](https://www.youtube.com/watch?v=A9GrlQsQc7Q). 3mdeb has also been 

[qubes-users] Qubes OS 4.1.2 has been released!

2023-03-14 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the stable release of Qubes 4.1.2! This release aims 
to consolidate all the security patches, bug fixes, and upstream template OS 
upgrades that have occurred since the initial Qubes 4.1.0 release. Our goal is 
to provide a secure and convenient way for users to install (or reinstall) the 
latest stable Qubes release with an up-to-date ISO.

Qubes 4.1.2 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.


## Existing installations

If you are already using any version of Qubes 4.1 (including 4.1.0, 4.1.1, 
4.1.2-rc1, and 4.1.2-rc2), then you should simply [update 
normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system effectively equivalent to this 
stable Qubes 4.1.2 release. No reinstallation or other special action is 
required.


## New installations

If you would like to install Qubes OS for the first time or perform a clean 
reinstallation on an existing system, there has never been a better time to do 
so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.1.2 ISO 
and follow our [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).


## What's new in Qubes 4.1.2?

Qubes 4.1.2 includes numerous updates over the initial 4.1.0 release, in 
particular:

- All 4.1 dom0 updates to date
- Fedora 37 template
- USB keyboard support in the installer 
([#7674](https://github.com/QubesOS/qubes-issues/issues/7674))
- `kernel-latest` available as a boot option when starting the installer 
([#5900](https://github.com/QubesOS/qubes-issues/issues/5900))


## What is a patch release?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we 
refer to releases that increment the third number as "patch releases." A patch 
release does not designate a separate, new major or minor release of Qubes OS. 
Rather, it designates its respective major or minor release (in this case, 4.1) 
inclusive of all updates up to a certain point. (See [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive 
list of major and minor releases.) Installing any prior Qubes 4.1 release and 
fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in 
essentially the same system as installing Qubes 4.1.2. You can learn more about 
how Qubes release versioning works in the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.


## Reminder: Qubes 4.0 has reached end-of-life

Qubes 4.0 [reached EOL (end-of-life) on 
2022-08-04](https://www.qubes-os.org/news/2022/07/04/qubes-os-4-0-eol-on-2022-08-04/).
 If you're still using Qubes 4.0, we strongly recommend upgrading to Qubes 4.1.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/15/qubes-4-1-2/



Re: [qubes-users] Qubes Canary 034

2023-03-03 Thread Andrew David Wong
On 3/3/23 1:33 AM, Cristian Margine wrote:
> Hello,
> You sent the wrong canary text (it is the text from 033). The current canary 
> is not signed on December 04, 2022.
> 
> 
> Cristian
> 

Fixed, thank you.



[qubes-users] Re: [CORRECTED] Qubes Canary 034

2023-03-03 Thread Andrew David Wong
Dear Qubes Community,

*Editor's note*: An earlier version of this announcement mistakenly contained 
the text of an older canary. This has been corrected below. As always, we 
encourage readers to verify the cryptographic signatures on canaries, which can 
always be found in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

We have published a new [Qubes 
canary](https://www.qubes-os.org/security/canary/). The text of this canary is 
reproduced below. This canary and its accompanying cryptographic signatures 
will always be available in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

```

---===[ Qubes Canary 034 ]===---


Statements
---

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is March 02, 2023.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the last
   fourteen days of May 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
--

None.


Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
---

Thu, 02 Mar 2023 09:45:31 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Dubious Alliance: How Present Is the Far Right in Germany's New Peace Movement?
Kaja Kallas: Estonia's High-Profile Prime Minister - a Star in the Making
The Special Tribunal Debate: "An Arrest Warrant Against Putin Would Be Immense"
The War in Ukraine: China Is Reportedly Negotiating with Russia To Supply 
Kamikaze Drones
Volodymyr Zelenskyy's Heroes: Ukraine's Best Respond to the Earthquake in Turkey

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
How Russia Lost an Epic Tank Battle, Repeating Earlier Mistakes
Kyiv Sends Reinforcements to Besieged Bakhmut
Bola Tinubu Elected to Be Nigeria’s Next President
Video: How an Israeli Raid on a Safe House Ended With Civilians Killed
Bola Tinubu’s Victory Extends His Party’s Time in Power in Nigeria

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Greece train crash: Angry protests erupt after disaster
India PM Modi urges G20 foreign ministers to overcome differences
How fake copyright complaints are muzzling journalists
Whiskey fungus lawsuit forces Jack Daniels to halt building project
Indian guru's fictional country attended UN events

Source: Blockchain.info
00037ab2816f3100fc37acee47a63571b5d3b7ca72145906


Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/02/canary-034/


[qubes-users] Qubes Canary 034

2023-03-02 Thread Andrew David Wong
Dear Qubes Community,

We have published a new [Qubes 
canary](https://www.qubes-os.org/security/canary/). The text of this canary is 
reproduced below. This canary and its accompanying cryptographic signatures 
will always be available in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

```

---===[ Qubes Canary 034 ]===---


Statements
---

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 04, 2022.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
--

None.


Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
---

Sun, 04 Dec 2022 03:11:56 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Friends or Frenemies?: Significant Trans-Atlantic Divides Emerge in Global Chip 
War
The Russian Mobilization: One Soldier's Effort to Avoid the War
Tragedy in Mariupol: The Boy Who Lost His Family But Not His Hope
A Year with Angela Merkel: "You're Done with Power Politics"
Fears of Chinese Aggression Grow in Taiwan: "Where Are We Supposed to Go?"

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
He Returned a Dazed Soldier to the Russians. Ukraine Calls It Treason.
Landslide Tragedy Turns Italy’s Focus to Illegal Construction
Why Is Rahul Gandhi Walking 2,000 Miles Across India?
How China’s Police Used Phones and Faces to Track Protesters
Ukraine Calls for Evacuations From a Russian-Controlled Area

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Cyril Ramaphosa: South Africa leader won't resign, says spokesman
Ukraine war: Zelensky calls West's Russian oil cap 'weak'
Ukraine war: New images show Russian army base built in occupied Mariupol
Elnaz Rekabi: Family home of Iranian climber demolished
Columbia peace talks with leftist ELN rebels make progress

Source: Blockchain.info
955f2976b1fbff0d0c47c262ea3ae6410e43f8218fb7


Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/02/canary-034/



Re: [qubes-users] HCL - Yoga 7 16IAP7

2023-02-24 Thread Andrew David Wong
On 2/23/23 7:05 AM, disp...@proslo.dev wrote:
> Empty Message
> 

Hi there,

It looks like you sent an empty message with no body text and no attachments. 
Did you mean to add your HCL report to this email?



[qubes-users] XSAs released on 2023-02-14

2023-02-15 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- XSA-426 (SMT is disabled in Qubes OS by default)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/02/15/xsas-released-on-2023-02-14/



[qubes-users] Qubes OS 4.1.2-rc1 has been released!

2023-02-09 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the first [release 
candidate](#what-is-a-release-candidate) for Qubes 4.1.2! This [patch 
release](#what-is-a-patch-release) aims to consolidate all the security 
patches, bug fixes, and upstream template OS upgrades that have occurred since 
prior Qubes 4.1 releases. Our goal is to provide a secure and convenient way 
for users to install (or reinstall) the latest stable Qubes release with an 
up-to-date ISO.

Qubes 4.1.2-rc1 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.


## What's new in Qubes 4.1.2?

Qubes 4.1.2-rc1 includes numerous updates over the initial 4.1.0 release, in 
particular:

- All 4.1 dom0 updates to date
- Fedora 37 template
- USB keyboard support in the installer 
([#7674](https://github.com/QubesOS/qubes-issues/issues/7674))
- `kernel-latest` available as a boot option when starting the installer 
([#5900](https://github.com/QubesOS/qubes-issues/issues/5900))


## Testing Qubes 4.1.2-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this release 
candidate, you can help to improve the eventual stable release by [reporting 
any bugs you encounter](https://www.qubes-os.org/doc/issue-tracking/). We 
strongly encourage experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190)!


## Existing Qubes 4.1 users

If you're not interested in testing this release candidate, and you're already 
using Qubes 4.1, then you should simply [update 
normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system essentially equivalent to this 
patch release. No special action is required on your part.


## Release candidate planning

If no significant bugs are discovered in 4.1.2-rc1, we expect to announce the 
stable release of 4.1.2 in two to three weeks.


## What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a 
stable release, unless significant bugs are discovered in testing. Release 
candidates are intended for more advanced (or adventurous!) users who are 
comfortable testing early versions of software that are potentially buggier 
than stable releases. You can read more about Qubes OS [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) and the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) in our documentation.


## What is a patch release?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we 
refer to releases that increment the third number as "patch releases." A patch 
release does not designate a separate, new major or minor release of Qubes OS. 
Rather, it designates its respective major or minor release (in this case, 4.1) 
inclusive of all updates up to a certain point. (See [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive 
list of major and minor releases.) Installing any prior Qubes 4.1 release and 
fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in 
essentially the same system as installing Qubes 4.1.2. You can learn more about 
how Qubes release versioning works in the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/02/09/qubes-4-1-2-rc1/



Re: [qubes-users] Passing a YubiKey to a VM?

2023-02-07 Thread Andrew David Wong
On 2/7/23 12:24 PM, Ulrich Windl wrote:
> How do you use a YubiKey (OpenPGP card, etc.) in Qubes OS?

In case you (or anyone else reading this) has not already seen it, there is a 
documentation page on this:

https://www.qubes-os.org/doc/yubikey/



Re: [qubes-users] network in template (Qubes 4.1)

2023-02-01 Thread Andrew David Wong
On 2/1/23 12:54 PM, davaiigoo wrote:
> According to the documentation, there is a way to enable networking in Qubes 
> templates for sources other than updates from apt-get or dnf.
> 
> https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-other-sources
> 
> Tried different combinations without success.
> 
> I definitely need to use git (github.com cannot be resolved) and to a lesser 
> extent, snap and/or flatpak.
> 

Are you sure you followed the instructions in that section correctly? Following 
them should give your template normal network access.



[qubes-users] Guest post: "TrenchBoot Anti Evil Maid for Qubes OS" by Michal Zygowski of 3mdeb

2023-01-31 Thread Andrew David Wong
Dear Qubes Community,

The following is a guest post by Michal Zygowski from 
[3mdeb](https://3mdeb.com/) on the work they've been doing to upgrade [Anti 
Evil Maid (AEM)](https://www.qubes-os.org/doc/anti-evil-maid/). The original 
post can be found on the [3mdeb 
blog](https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/). This 
work was made possible through generous 
[donations](https://www.qubes-os.org/donate/) from the Qubes community via 
[OpenCollective](https://opencollective.com/qubes-os). We are immensely 
grateful to the Qubes community for your continued support and to 3mdeb for 
contributing this valuable work.

"TrenchBoot Anti Evil Maid for Qubes OS"
by Michal Zygowski
https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
https://www.qubes-os.org/news/2023/01/31/trenchboot-aem-for-qubes-os/

As a courtesy to plain text email users, the Markdown source of the article 
body is reproduced below.

8<--

## Abstract

Qubes OS Anti Evil Maid (AEM) software heavily depends on the
availability of the DRTM technologies to prevent the Evil Maid
attacks. However, the project has not evolved much since the
beginning of 2018 and froze on the support of TPM 1.2 with Intel TXT
in legacy boot mode (BIOS). In this post we show how the existing
solution can be replaced with TrenchBoot and how one can install it
on Qubes OS. The post will also briefly explain how
TrenchBoot opens the door for future TPM 2.0 and UEFI support for
AEM.

## Introduction

As Qubes OS users, promoters, and developers, we understand how essential it is
to be aware of the latest developments in maintaining the security of your
favorite operating system. We're excited to share our plans to integrate the
TrenchBoot Project into Qubes OS's new Anti-Evil Maid (AEM) implementation. As
you may know, traditional firmware security measures like UEFI Secure Boot and
measured boot, even with a Static Root of Trust (SRT), may only sometimes be
enough to ensure a completely secure environment for your operating system.
Compromised firmware may allow for the injection of malicious software into
your system, making it difficult to detect. To overcome these limitations, many
silicon vendors have started implementing Dynamic Root of Trust (DRT)
technologies to establish a secure environment for operating system launch and
integrity measurements. We're excited to take advantage of these advancements
through integration with the [TrenchBoot Project](https://trenchboot.org/).

The usage of DRT technologies like Intel Trusted Execution Technology (TXT) or
AMD Secure Startup is becoming more and more significant; for example, Dynamic
Root of Trust for Measurement (DRTM) requirements of [Microsoft Secured Core 
PCs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure#what-makes-a-secured-core-pc).
DRTM has yet to find its place in open-source projects, but that gradually
changes. The demand for having firmware-independent Roots of Trust is
increasing, and projects that satisfy this demand are growing. TrenchBoot is a
framework that allows individuals and projects to build security engines to
perform launch integrity actions for their systems. The framework builds upon
Boot Integrity Technologies (BITs) that establish one or more Roots of Trust
(RoT) from which a degree of confidence that integrity actions were not
subverted.

[Qubes OS Anti Evil Maid 
(AEM)](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html)
software heavily depends on the availability of DRTM technologies to prevent
Evil Maid attacks. However, the project hasn't evolved much since the beginning
of 2018 and froze on the support of TPM 1.2 with Intel TXT in legacy boot mode
(BIOS). Because of that, the usage of this security software is effectively
limited to older Intel machines only. TPM 1.2 implemented SHA1 hashing
algorithm, which is nowadays considered weak in the era of forever-increasing
computer performance and quantum computing. The solution to this problem comes
with a newer TPM 2.0 with more agile cryptographic algorithms and SHA256
implementation by default.

The post will present the TrenchBoot solution for Qubes OS AEM replacing the
current TPM 1.2 and Intel TXT-only implementation. The advantage of TrenchBoot
solution over existing [Trusted 
Boot](https://sourceforge.net/p/tboot/wiki/Home/)
is the easier future integration of AMD platform support, as well as TPM 2.0
and UEFI mode support.

Before we dive into the technical details, it is important to highlight that
this achievement was made possible through the generous contributions of Qubes
OS community via OpenCollective. We would like to express our gratitude and
extend a special thank you to all who have supported our favourite operating
system. To continue supporting Qubes OS, please consider donating through
[OpenCollective 

[qubes-users] XSAs released on 2023-01-25

2023-01-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- XSA-425 (Qubes 4.1 does not use the affected Xen version; denial-of-service 
only)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/01/27/xsas-released-on-2023-01-25/



[qubes-users] Support the Qubes OS Project via Proton's charity fundraiser!

2022-12-16 Thread Andrew David Wong
Dear Qubes Community,

The Qubes OS Project is grateful to have been selected as one of the 
beneficiaries of this year's Proton charity fundraiser alongside so many other 
wonderful organizations. The continued support of the privacy community means 
the world to us! For details about the fundraiser and how you can participate, 
please see the official Proton blog post: 

https://proton.me/blog/2022-lifetime-account-charity-fundraiser



Re: [qubes-users] Obsidian - PKB under Q?

2022-12-11 Thread Andrew David Wong
On 12/10/22 8:20 AM, Foilsurf wrote:
> Hello,
> Obsidian is quite simple tech (text-files), but quite clever for taking 
> notes. And run under Linux (TheBrain e.g. not any more). Additionally it 
> has the local principal, so it would be found a perfect place in a own VM, 
> I think.
> Would it make sense to offer an Obsidian VM straight away out of the box 
> for QubesOS?
> Kind Regards
> 
> https://obsidian.md/about
> 

IMHO no, for the reasons explained here:

https://www.qubes-os.org/faq/#could-you-please-make-my-preference-the-default



[qubes-users] Fedora 35 reaches EOL on 2022-12-13

2022-12-08 Thread Andrew David Wong
Dear Qubes Community,

The Fedora Project has 
[announced](https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org/thread/OGTVKLX7OXBYCEUQ66UY4YK3T6QHAYW5/)
 that Fedora 35 will reach EOL 
([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 2022-12-13. We 
strongly recommend that all users 
[upgrade](https://www.qubes-os.org/doc/templates/fedora/#upgrading) their 
Fedora templates and standalones to Fedora 36 no later than 2022-12-13.

We provide fresh Fedora 36 template packages through the official Qubes 
repositories, which you can install in dom0 by following the standard 
[installation 
instructions](https://www.qubes-os.org/doc/templates/fedora/#installing). 
Alternatively, we also provide step-by-step instructions for [performing an 
in-place 
upgrade](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) of an 
existing Fedora template. After upgrading your templates, please remember to 
[switch all qubes that were using the old template to use the new 
one](https://www.qubes-os.org/doc/templates/#switching).

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template 
releases](https://www.qubes-os.org/doc/supported-releases/#templates).

Please note that no user action is required regarding the OS version in dom0. 
For details, please see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/12/08/fedora-35-reaches-eol-on-2022-12-13/



[qubes-users] XSAs released on 2022-12-06

2022-12-06 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- XSA-423 (denial-of-service only)
- XSA-424 (denial-of-service only)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/12/06/xsas-released-on-2022-12-06/



[qubes-users] Qubes Canary 033

2022-12-04 Thread Andrew David Wong
Dear Qubes Community,

We have published Qubes Canary 033. The text of this canary is
reproduced below.

This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).

View Qubes Canary 033 in the qubes-secpack:



Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:



View all past canaries:



```

---===[ Qubes Canary 033 ]===---


Statements
---

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 04, 2022.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
--

None.


Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
---

Sun, 04 Dec 2022 03:11:56 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Friends or Frenemies?: Significant Trans-Atlantic Divides Emerge in Global Chip 
War
The Russian Mobilization: One Soldier's Effort to Avoid the War
Tragedy in Mariupol: The Boy Who Lost His Family But Not His Hope
A Year with Angela Merkel: "You're Done with Power Politics"
Fears of Chinese Aggression Grow in Taiwan: "Where Are We Supposed to Go?"

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
He Returned a Dazed Soldier to the Russians. Ukraine Calls It Treason.
Landslide Tragedy Turns Italy’s Focus to Illegal Construction
Why Is Rahul Gandhi Walking 2,000 Miles Across India?
How China’s Police Used Phones and Faces to Track Protesters
Ukraine Calls for Evacuations From a Russian-Controlled Area

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Cyril Ramaphosa: South Africa leader won't resign, says spokesman
Ukraine war: Zelensky calls West's Russian oil cap 'weak'
Ukraine war: New images show Russian army base built in occupied Mariupol
Elnaz Rekabi: Family home of Iranian climber demolished
Columbia peace talks with leftist ELN rebels make progress

Source: Blockchain.info
955f2976b1fbff0d0c47c262ea3ae6410e43f8218fb7


Footnotes
---------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/12/04/canary-033/



[qubes-users] QSB-087: Qrexec: Injection of unsanitized data into log output

2022-11-23 Thread Andrew David Wong
Dear Qubes Community,

We have just published [Qubes Security Bulletin (QSB) 087: Qrexec: Injection of 
unsanitized data into log 
output](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-087-2022.txt).
 The text of this QSB is reproduced below. This QSB and its accompanying 
signatures will always be available in the [Qubes Security Pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/). More information 
about QSBs, including a complete historical list, is available 
[here](https://www.qubes-os.org/security/qsb/).

```

 ---===[ Qubes Security Bulletin 087 ]===---

 2022-11-23

  Qrexec: Injection of unsanitized data into log output

User action required
--------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in templates, standalones and dom0:
  - qrexec packages version 4.1.19

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Summary
-------

Due to a bug in qrexec [3], a malicious qube that is allowed to call a
qrexec service inside of another qube can inject unsanitized data into
the log output of a process that handles incoming qrexec calls in the
receiving qube. This log output may end up in
`/var/log/qubes/qrexec.*.log`, `~/.xsession-errors`, or systemd's
journal.

Impact
------

An attacker could use this vulnerability in order to inject malicious
data, such as terminal control codes, into log output in the hope that
this data will be processed in an unsafe way, for example, by writing it
directly to a potentially-vulnerable terminal emulator.

In the default Qubes OS configuration, for example, there are qrexec
services like `qubes.WindowIconUpdater` that any qube can call in dom0.
An attacker who gains control of an untrusted qube could inject data
containing malicious terminal control sequences into
`/var/log/qubes/qrexec.*.log` in dom0. If the user views that log in a
terminal emulator in a way that doesn't filter terminal escape codes (by
simply using `cat` on the file, for example), the malicious data might
then exploit a hypothetical bug in the terminal emulator.

Note that this attack scenario, as described, has several layered
requirements:

1. The user must voluntarily open a log file containing malicious data
   (or otherwise take action that causes the log file data to be
   parsed).

2. There must exist an independent vulnerability in the user's terminal
   emulator or in whichever program parses the log. (In other words, the
   attacker must chain independent vulnerabilities together.)

3. If using a terminal emulator, a command-line tool that does not
   filter control codes must be used. (`journalctl` prevents the display
   of unsafe sequences by default, but many other tools do not.)

To be clear, the scenario in which the attacker uses the
`qubes.WindowIconUpdater` service in order to exploit a hypothetical bug
in a terminal emulator is just one conceivable scenario for how an
attacker might exploit the vulnerability described in this bulletin. It
is not the only way in which this vulnerability could be exploited, and
the requirements listed for this scenario may not necessarily apply to
other scenarios featuring different types of attacks (for example, using
other qrexec services and exploiting other software that handles log
output). Rather, this example is merely intended as an aid for
understanding the nature of the vulnerability.

Discussion
----------

Qubes OS features a framework known as "qrexec," which allows different
qubes to communicate with each other in a controlled manner. [3][4]
These interactions are restricted by the system's RPC policies. [5] In
particular, qrexec can be used to allow less trusted qubes to
communicate with more trusted qubes, including dom0.

Normally, the calling side can send data to the remote services'
standard input and receive its standard output, standard error, and exit
code data. Since it handles untrusted data flows, qrexec is designed
under the assumption that an adversary will use it in order to launch an
attack against one qube from another qube. Therefore, qrexec treats
incoming data as untrusted and carefully sanitizes it. For example, when
qrexec output is connected to a terminal, `qrexec-client` and
`qrexec-client-vm` remove terminal control sequences.

However, due to a mistake in qrexec message type handling, the calling
side can send data marked as "standard error" (`MSG_DATA_STDERR`), and
the remote side will print it to the standard error of the process
handling incoming qrexec connections. This data flow was not expected.
Such messages should be rejected, as they are expected only in the other
direction. Consequently, this data 
```
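
An added example, not part of the bulletin or of the Qubes code base: a way to read a log from the position described under "Impact", rendering control codes as visible text instead of passing them to the terminal as `cat` would. The function names are hypothetical and the log lines are constructed samples.

```python
import re

# Code points a terminal may act on: C0 controls except TAB, then DEL and the
# C1 range (U+0080-U+009F), which holds the single-character CSI and OSC.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def inspect_line(raw: bytes):
    """Return (printable_text, suspicious) for one log line without newline."""
    # Bytes that are not valid UTF-8 become literal \xNN text, never raw output.
    text = raw.decode("utf-8", errors="backslashreplace")
    clean, hits = _CONTROL.subn(lambda m: "\\x%02x" % ord(m.group()), text)
    # A failed round trip means the line held invalid UTF-8, for example a
    # bare 0x9b byte, which some terminals read as an 8-bit CSI.
    suspicious = hits > 0 or text.encode("utf-8") != raw
    return clean, suspicious


def scan_log(data: bytes):
    """Return [(line_number, printable_text)] for lines carrying control codes."""
    findings = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        clean, suspicious = inspect_line(raw)
        if suspicious:
            findings.append((number, clean))
    return findings


# Constructed sample, not real qrexec output: line 2 carries an OSC
# title-setting sequence, line 4 a raw 8-bit CSI byte.
SAMPLE_LOG = (
    b"service call started (constructed sample line)\n"
    b"\x1b]0;constructed title\x07benign-looking text\n"
    b"caf\xc3\xa9 opened\n"
    b"raw byte: \x9b2J\n"
)

if __name__ == "__main__":
    for number, text in scan_log(SAMPLE_LOG):
        print(f"line {number}: {text}")
```

Legitimate non-ASCII text such as the third sample line passes through unchanged, so only lines that could drive the terminal are reported.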

[qubes-users] XSAs released on 2022-11-08

2022-11-08 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- XSA-422

Please see [QSB-086](https://www.qubes-os.org/news/2022/11/08/qsb-086/) for 
further details.


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/11/08/xsas-released-on-2022-11-08/


