Re: [qubes-users] dom0 update broken after upgrade to 4.1

2022-03-11 Thread Michael Carbone

On 2/8/22 09:58, badgateway wrote:

Hello list,

after upgrading from 4.0.4 to 4.1 my dom0 update seems broken:

$ sudo qubesctl update.qubes-dom0
[ERROR   ] Failed to import module localemod, this is due most likely to a syntax error:
Traceback (most recent call last):
   File "/usr/lib/python3.8/site-packages/salt/loader.py", line 1685, in _load_module
     mod = spec.loader.load_module()
   File "", line 522, in _check_name_wrapper
   File "", line 1027, in load_module
   File "", line 852, in load_module
   File "", line 265, in _load_module_shim
   File "", line 702, in _load
   File "", line 671, in _load_unlocked
   File "", line 848, in exec_module
   File "", line 219, in _call_with_frames_removed
   File "/var/cache/salt/minion/extmods/modules/localemod.py", line 222, in 
     @decorators.which('locale-gen')
AttributeError: module 'salt.utils.decorators' has no attribute 'which'
'update.qubes-dom0' is not available.
DOM0 configuration failed, not continuing

I also found 
https://forum.qubes-os.org/t/error-failed-to-import-module-localemod/7938 which 
seems to be the exact same error.



On another note: I tried to install the new gentoo template by issuing 
`sudo qubes-dom0-update --enablerepo=qubes-templates-community 
qubes-template-gentoo`,
which results in `qvm-template: error: template 'gentoo' not found.` 
Could this be related, maybe because dom0 repo cache cannot be updated 
because of the error mentioned above?



Kind regards



tracked here: https://github.com/QubesOS/qubes-issues/issues/7114

no solution I've seen yet. (I'm also affected)

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
my.pronoun.is/they

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/48b7eb69-4701-fda0-d5b8-0a07ba7a2051%40qubes-os.org.




[qubes-users] [Berlin] monthly Qubes Users Berlin meeting - Tuesday October 12 @ 7pm

2021-10-11 Thread Michael Carbone

hi folks,

for those in Berlin you are invited to the monthly Qubes Users Berlin 
meeting!


the next one will be tomorrow Tuesday October 12 at 19h at xHain. more 
details here:


https://qubesusersberlin.github.io

Hope to see you there!
Michael



[qubes-users] Sunday March 21 - Free talk about Qubes-based SecureDrop Workstation at LibrePlanet

2021-03-19 Thread Michael Carbone

https://libreplanet.org/2021/speakers/#4819

SecureDrop is a whistleblowing platform originally created in 2012 for 
journalists to accept leaked documents safely from anonymous sources. 
It's used by dozens of news organizations including The Guardian, The 
Washington Post and The New York Times.


This talk introduces the SecureDrop Workstation, the next-generation 
platform aimed at helping journalists communicate with sources in a 
high-security environment.


Based on Qubes OS, the SecureDrop Workstation leverages Xen hypervisor 
isolation to manage sensitive source material safely, including viewing, 
archiving, and processing documents. The talk will review the results of 
the recent security audit focusing on the Workstation, and outline 
future directions for the project as it approaches general availability.


--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
my.pronoun.is/they



Re: [qubes-users] Screenreader - accessibility

2020-12-14 Thread Michael Carbone

On 12/13/20 5:17 PM, 'Reece O'Bryan' via qubes-users wrote:

Hello,

I am wondering if anyone has any ideas as to how I could run a screen reader in 
Qubes. I use Orca with Debian-based systems, would it be possible to do the 
same thing?
I do realize that blind people that want privacy are an extremely small 
minority. However, I think that people that are blind or that have become blind 
such as myself deserve the same right to privacy. :)


Thank you all very much in advance,

-Reece



Hi Reece,

We are interested in implementing screen-reading support and have an 
open issue about it here:


https://github.com/QubesOS/qubes-issues/issues/5907

as Sven mentions there are some technical/security aspects that make it 
difficult to implement right now, though with a dedicated GUI VM which 
is on the Qubes roadmap this will be made easier.


Michael



Re: [qubes-users] Playing Videos On Streaming Websites

2020-08-07 Thread Michael Carbone
On 8/6/20 3:09 PM, Qubes wrote:
> Perhaps someone here can suggest something better than what I currently
> have. A default Firefox on a default Fedora-32 template does not play
> videos on something like Invidio.us. The video thumbnails display
> everything looks exactly as it should just the videos will not play.
> 
> I've been scratching around and found that if I install the
> qt5-qtwebengine-freeworld package then videos play on various video
> streaming platforms, including Invidio.us.
> 
> The 'problem' with having qt5-qtwebengine-freeworld installed in a
> fedora-32-media template (cloned from fedora-32), along with other bits
> of software , is it creates dependency issues. This causes trouble with
> the updater widget, it never goes away and it always displays updates
> for the fedora-32-media template. If the template is fully updated the
> widget will say it has outstanding updates. If you run through the
> process you get the output I have attached in the four files. This
> becomes endless. It is after having updated fedora-32-media several
> times and noticing the output of the update widget staying exactly the
> same that I ran 'sudo dnf upgrade' in a fedora-32-media terminal. Then
> seeing the below output.
> 
> Instead of trying to fix this, which would likely mean I would have to
> install qt5-qtwebengine-freeworld in a dedicated template, the scenario
> I would like to avoid, is there perhaps a different package that I can
> install that also enables playing videos on streaming websites?
> 
> 
> [user@fedora-32-media ~]$ sudo dnf upgrade --refresh
> Fedora 32 openh264 (From Cisco) - x86_64
>     466 B/s
> | 986  B 00:02
> Fedora Modular 32 - x86_64
>     6.3 kB/s
> |  16 kB 00:02
> Fedora Modular 32 - x86_64 - Updates
>     6.3 kB/s
> |  16 kB 00:02
> Fedora 32 - x86_64 - Updates
>     5.7 kB/s
> |  14 kB 00:02
> Fedora 32 - x86_64
>     6.7 kB/s
> |  16 kB 00:02
> Qubes OS Repository for VM (updates)
>     1.5 kB/s
> | 3.8 kB 00:02
> RPM Fusion for Fedora 32 - Free
>     1.3 kB/s
> | 3.1 kB 00:02
> RPM Fusion for Fedora 32 - Nonfree
>     1.4 kB/s
> | 2.9 kB 00:02
> Dependencies resolved.
> 
>  Problem 1: package qt5-qtwebengine-freeworld-5.13.2-3.fc32.x86_64
> requires qt5-qtbase(x86-64) = 5.13.2, but none of the providers can be
> installed
>   - cannot install both qt5-qtbase-5.14.2-5.fc32.x86_64 and
> qt5-qtbase-5.13.2-4.fc32.x86_64
>   - cannot install both qt5-qtbase-5.13.2-4.fc32.x86_64 and
> qt5-qtbase-5.14.2-5.fc32.x86_64
>   - cannot install the best update candidate for package
> qt5-qtwebengine-freeworld-5.13.2-3.fc32.x86_64
>   - cannot install the best update candidate for package
> qt5-qtbase-5.13.2-4.fc32.x86_64
>  Problem 2: package vlc-core-1:3.0.9.2-3.fc32.x86_64 requires
> libdav1d.so.3()(64bit), but none of the providers can be installed
>   - cannot install both libdav1d-0.7.1-1.fc32.x86_64 and
> libdav1d-0.5.2-2.fc32.x86_64
>   - cannot install both libdav1d-0.5.2-2.fc32.x86_64 and
> libdav1d-0.7.1-1.fc32.x86_64
>   - cannot install the best update candidate for package
> vlc-core-1:3.0.9.2-3.fc32.x86_64
>   - cannot install the best update candidate for package
> libdav1d-0.5.2-2.fc32.x86_64
>  Problem 3: package vlc-1:3.0.9.2-3.fc32.x86_64 requires
> libvlccore.so.9()(64bit), but none of the providers can be installed
>   - package vlc-1:3.0.9.2-3.fc32.x86_64 requires vlc-core(x86-64) =
> 1:3.0.9.2-3.fc32, but none of the providers can be installed
>   - package vlc-core-1:3.0.9.2-3.fc32.x86_64 requires
> libebml.so.4()(64bit), but none of the providers can be installed
>   - cannot install both libebml-1.4.0-1.fc32.x86_64 and
> libebml-1.3.10-2.fc32.x86_64
>   - cannot install both libebml-1.3.10-2.fc32.x86_64 and
> libebml-1.4.0-1.fc32.x86_64
>   - cannot install the best update candidate for package
> vlc-1:3.0.9.2-3.fc32.x86_64
>   - cannot install the best update candidate for package
> libebml-1.3.10-2.fc32.x86_64
>  Problem 4: problem with installed package vlc-core-1:3.0.9.2-3.fc32.x86_64
>   - package vlc-core-1:3.0.9.2-3.fc32.x86_64 requires
> libmatroska.so.6()(64bit), but none of the providers can be installed
>   - cannot install both libmatroska-1.6.0-1.fc32.x86_64 and
> libmatroska-1.5.2-2.fc32.x86_64
>   - cannot install both libmatroska-1.5.2-2.fc32.x86_64 and
> libmatroska-1.6.0-1.fc32.x86_64
>   - cannot install the best update candidate for package
> libmatroska-1.5.2-2.fc32.x86_64
>  Problem 5: problem with installed package
> 

Re: [qubes-users] Private Tor Bridge.

2020-05-27 Thread Michael Carbone
On 5/26/20 9:39 AM, Catacombs wrote:
> Not sure if Qubes Users is the best place to bring this up.
> 
> As I look at the various means to get on the Internet, in risky situations:
> Public WiFi.
> Hotels.
> A country which is involved in spying on its citizens.  
> 
> I notice that Tor has a means for "Bridges."  A Bridge being an IP Address 
> that allow one to make a first hop to an IP Address that the ISP, or local 
> server is not expecting, or blocking.  
> 
> My problem being that if one was in a place like China, then the government 
> is surely trying to gather up all the Bridges which the Tor network has.   
> 
> Just generally, I see one could create a private webpage somewhere, and 
> place on it the software to allow one to use it as one's own personal, 
> private Bridge.  First hop out.  Then one could direct the software on the 
> Server to - which ever. start a standard Tor, Connect to a VPN.   
> 
> It does require trusting where the server is one has put one's software 
> on.   
> 
> Obviously, one could borrow the Software from Tor to create a Bridge.  I 
> did not mention it to Tor, because, as this is risky in several ways, Tor 
> website will not publicly agree to help create this project.   Although 
> some of their programmers might advise on how to minimize risks.   
> 
> And the implementation inside Qubes Network manager software -dom0 has its 
> own special issues.  
> 
> Any comments?  / is this already on the list of suggestions for Qubes?
> 

you are correct that this is not really the right place to get a good
response as there is nothing Qubes-specific about this topic, the Tor
community would make much more sense.

The Tor Project just came out with a new community portal that has more
information about running Tor relays (in your particular case, bridges):

https://community.torproject.org/relay/
https://community.torproject.org/relay/types-of-relays/

here is a community effort to make setting up a server to use as a Tor
bridge simpler:
https://github.com/StreisandEffect/streisand/

there are certainly other similar projects on github as well.

it sounds like you are interested in reading more about pluggable
transports, which are the different strategies for obfuscating the
initial hop to the Tor network:

https://www.pluggabletransports.info

for example, in China the "meek" pluggable transport still works:

https://www.pluggabletransports.info/transports/

some of these transports are included in Tor Browser so that a user can
still circumvent some censorship mechanisms without the need to create a
private bridge.

The Tor project "will not publicly agree to help create this project"
because it is clear you are just learning about these topics and the
first step should be to research more to understand the issues better,
through which you will find that many people within the Tor community,
in academia, & beyond are actively working on these topics and there is
already functionality within Tor Browser that takes these issues into
account. Because China and some other countries actively work on new
methods to identify and block such initial hops, it will continue to be
a topic for research & development for the foreseeable future.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4



[qubes-users] Re: Consider making tax deductable donations possible in the EU

2020-05-10 Thread Michael Carbone
On 5/9/20 2:17 PM, Lorenzo Lamas wrote:
> Whonix Project has partnered up with the CCT (Center for the Cultivation of 
> Technology, which is a charitable non-profit host organization in Germany 
> for international Free Software projects.)
> This makes it possible for all EU citizens to deduct donations from 500 EUR 
> and up from their taxes. If Qubes project does the same, it may result in 
> more donations for the project.
> 
>  
> https://forums.whonix.org/t/european-union-eu-wide-tax-deductible-donations-to-whonix-are-now-possible/9389
> https://www.whonix.org/wiki/Donate/Tax-Deductible

thanks for letting me/us know Lorenzo! I'd been in talks with CCT when
they first started but they had told me to wait until they were finished
getting set up. sounds like they are taking projects now, I'll email them.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4



[qubes-users] Re: [qubes-devel] Re: [qubes-project] Re: Google "Season of Docs" -- deadline April 22

2019-04-22 Thread Michael Carbone
On 4/21/19 8:18 PM, Andrew David Wong wrote:
> On 19/04/2019 10.15 PM, Andrew David Wong wrote:
>> On 19/04/2019 1.12 AM, Michael Carbone wrote:
>>> hey all,
> 
>>> sorry for the short notice -- I'll be submitting the Season of Docs
>>> application on Monday night April 22 (deadline April 23).
> 
>>> Before then we need a 2019 Google Season of Docs page
>>> (https://www.qubes-os.org/gsod ?) that has project ideas for technical
>>> writing / documentation.
> 
>>> So let's get started with some brainstorming on technical writing /
>>> documentation needs!
> 
>>> Also with these ideas we need volunteer mentors - if you'd like to be a
>>> mentor, you need to register here:
> 
>>> https://forms.gle/a1x26WQGzURLerv66
> 
>>> More info here:
> 
>>> https://developers.google.com/season-of-docs/
> 
>>> https://developers.google.com/season-of-docs/docs/project-ideas
> 
>>> Thanks,
>>> Michael
> 
> 
>> Thanks, Michael. I've created an initial version of the GSoD page here:
> 
>> https://www.qubes-os.org/gsod/
> 
>> It's pretty minimal and bare. Everyone, please help add content to this
>> page, especially project ideas to the ideas list.
> 
> 
> Cross-posting to qubes-users for greater visibility. Everyone is
> welcome to contribute.


great thanks Andrew!

for anyone interested, please feel free to highlight any documentation
ideas that you would prospectively like to mentor a technical writer on.

I just did a pull request with some ideas:

https://github.com/QubesOS/qubes-doc/pull/816

It'll be ideal to have some ideas on the page by the end of tomorrow
April 23.

Thanks,
Michael




Re: [qubes-users] meetup

2018-04-17 Thread Michael Carbone
On 04/16/18 16:08, mai...@maiski.net wrote:
> Hello guys,
> 
> I am a qubes user for nearly three years now and would love to meet
> other people, discuss, learn from each other, contribute...
> That is why i would like to organize a meetup in the city where i am
> currently residing - Berlin.
> For starters (first meetup) i think a cafe would be fine. And then
> decide where and how often to meet, what do we want to do in particular
> etc.
> 
> Here is a small duddle poll. I think till the end of this week there is
> enough time to get an idea if there are enough people wanting to come:
> 
> https://dudle.inf.tu-dresden.de/would_I_like_to_participate_in_a_Berlin_Qubes_meetup/
> 
> 
> greets,
> 
> m
> 

hey, you may have missed previous emails about it but there is a monthly
meeting in Berlin for Qubes users at a local hackerspace. The most
recent meet-up was today.

You can find out more info here:

https://qubesusersberlin.github.io

There is also a mailing list that you can join to be notified about
meetings or otherwise talk.

Hope to see you at the next meet-up,
Michael



Re: [qubes-users] Re: Enigmail v2.0 broke split-gpg

2018-03-28 Thread Michael Carbone


On 03/27/2018 01:58 PM, 'TFQOS' via qubes-users wrote:
> On 27 March 2018 5:40 PM, cubit  wrote:
> 
>> 27. Mar 2018 09:45 by mich...@qubes-os.org:
>>
>>> couldn't figure out a fast solution so I downgraded back to v1.9.9 for
>>> the time being.
>>>
>>> You can do the same by downloading v1.9.9 and manually installing in
>>> thunderbird (and unchecking "update addons automatically"):
>>>
>>> https://www.enigmail.net/download/release/1.9/enigmail-1.9.9-sm+tb.xpi?type=application/octet-stream
>>>
>>> I will email Enigmail mailing list so that they are aware.
>>
>> Is anyone else who downgraded back to 1.9.9 getting stuck with a big 
>> autocrypt header being displayed and a missing email body when receiving 
>> emails from enigmail 2.0 users?
>>
>> Any persons got the workaround listed here: 
>> https://github.com/QubesOS/qubes-issues/issues/3750 to work in 3.2?   Is 
>> there a particular line it needs to be done on. When I add it to the 
>> file, all that happens is my work VM connects to my vault VM and I get a 
>> blank email no decrypted message
>
> Workaround proposed in https://github.com/QubesOS/qubes-issues/issues/3750 works for me in R3.2
> I added a well formatted patch in the comments.
>
> TFQOS - Thanks For Qubes OS
>

Hi all,

Just to update/close the thread, Marek pushed some patches into all
testing repos and closed the issue:

https://github.com/QubesOS/qubes-issues/issues/3750

You can apply the patches immediately by enabling the testing repos:

https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories
https://www.qubes-os.org/doc/software-update-vm/#testing-repositories

or wait for them to land in stable/current.

The underlying bug is upstream of Enigmail in GnuPG, which Enigmail was
trying to work around:

https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-March/004870.html
https://dev.gnupg.org/T2019

Thanks all for the contributions and for the quick patches Marek.

Michael




Re: [qubes-users] Re: Enigmail v2.0 broke split-gpg

2018-03-27 Thread Michael Carbone
On 03/27/2018 06:45 AM, Michael Carbone wrote:
> On 03/27/2018 06:41 AM, 'Eric Barrett' via qubes-users wrote:
>> On Tuesday, March 27, 2018 at 5:45:56 AM UTC-4, Michael Carbone wrote:
>>> couldn't figure out a fast solution so I downgraded back to v1.9.9 for
>>> the time being.
>>>
>>> You can do the same by downloading v1.9.9 and manually installing in
>>> thunderbird (and unchecking "update addons automatically"):
>>>
>>> https://www.enigmail.net/download/release/1.9/enigmail-1.9.9-sm+tb.xpi?type=application/octet-stream
>>
>> Thanks, Michael. That worked for me. How can we follow any updates if this 
>> is an Enigmail bug, at least in so far as we can know when we can update to 
>> the latest version?
> 
> You can follow the enigmail-users mailing list & the thread I created to
> watch for updates:
> 
> https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-March/004854.html

also there is a qubes-issues issue that has a workaround:

https://github.com/QubesOS/qubes-issues/issues/3750

Thanks TFQOS for clarifying what the issue is.



Re: [qubes-users] Re: Enigmail v2.0 broke split-gpg

2018-03-27 Thread Michael Carbone
On 03/27/2018 06:41 AM, 'Eric Barrett' via qubes-users wrote:
> On Tuesday, March 27, 2018 at 5:45:56 AM UTC-4, Michael Carbone wrote:
>> couldn't figure out a fast solution so I downgraded back to v1.9.9 for
>> the time being.
>>
>> You can do the same by downloading v1.9.9 and manually installing in
>> thunderbird (and unchecking "update addons automatically"):
>>
>> https://www.enigmail.net/download/release/1.9/enigmail-1.9.9-sm+tb.xpi?type=application/octet-stream
> 
> Thanks, Michael. That worked for me. How can we follow any updates if this is 
> an Enigmail bug, at least in so far as we can know when we can update to the 
> latest version?

You can follow the enigmail-users mailing list & the thread I created to
watch for updates:

https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-March/004854.html

Michael



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread Michael Carbone
On 12/18/2017 09:15 AM, donoban wrote:
> On 12/18/2017 03:10 PM, donoban wrote:
>> First:
>> - Block all traffic and whitelist your DNS provider IP with sys-firewall
>> (you should connect your VPN-VM to sys-firewall). For riseup and bitmask
>> you should permit some ip's.
> 
> Also consider disabling ICMP and DNS queries
> 
>> Then:
>> The solution is edit /etc/resolv.conf to the default gw of the tunnel.
>> Try 'sudo route -n' and see the gateway which uses tun0 interface.
>>
> 
> After editing /etc/resolv.conf you have to run:
> 
> 'sudo /usr/lib/qubes/qubes-setup-dnat-to-ns'
> 
> for doing it effective.

FYI this is the issue I created to try to collect clear instructions for
Bitmask users:

https://github.com/QubesOS/qubes-issues/issues/2021

the ticket is still open and once clear documentation is created we can
push it to the website.

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
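
The check behind the steps quoted above (the nameserver in /etc/resolv.conf should be the gateway of the tun0 route), as an added shell example that is not part of the original thread. The route table, the resolv.conf contents and all addresses are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a VPN qube resolves DNS
# through the tunnel gateway, as the quoted steps require.

# Constructed `route -n` output; all addresses are made up for illustration.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.42.0.1       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.42.0.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.137.1.1      0.0.0.0         UG    0      0        0 eth0
10.42.0.0       0.0.0.0         255.255.248.0   U     0      0        0 tun0
10.137.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth0'

# Constructed resolv.conf contents: before and after the manual edit.
SAMPLE_RESOLV_LEAKY='nameserver 10.137.2.1
nameserver 10.137.2.254'
SAMPLE_RESOLV_FIXED='# edited by hand to point at the tunnel gateway
nameserver 10.42.0.1'

# Print the gateway of the first gatewayed route on the given interface.
# Reads `route -n` output on stdin; $1 is the interface (default tun0).
tunnel_gateway() {
    awk -v ifc="${1:-tun0}" '
        $NF == ifc && $4 ~ /G/ && $2 != "0.0.0.0" { print $2; exit }
    '
}

# Print every nameserver address found in resolv.conf text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Compare resolv.conf against the tunnel gateway.
#   $1 = `route -n` output, $2 = resolv.conf contents, $3 = interface
# Prints one status line; returns 0 if every nameserver is the tunnel
# gateway, 1 if any nameserver bypasses it, 2 if no tunnel route exists.
dns_leak_check() {
    routes=$1
    resolv=$2
    ifc=${3:-tun0}

    gw=$(printf '%s\n' "$routes" | tunnel_gateway "$ifc")
    if [ -z "$gw" ]; then
        echo "no-tunnel"
        return 2
    fi

    servers=$(printf '%s\n' "$resolv" | resolv_nameservers)
    if [ -z "$servers" ]; then
        echo "no-nameserver"
        return 1
    fi

    for ns in $servers; do
        if [ "$ns" != "$gw" ]; then
            echo "leak: $ns (expected $gw)"
            return 1
        fi
    done
    echo "ok: $gw"
}

# Demonstration on the constructed samples.
dns_leak_check "$SAMPLE_ROUTES" "$SAMPLE_RESOLV_LEAKY" || true
dns_leak_check "$SAMPLE_ROUTES" "$SAMPLE_RESOLV_FIXED" || true

# On a live VPN qube the same check would be:
#   dns_leak_check "$(route -n)" "$(cat /etc/resolv.conf)"
# After changing /etc/resolv.conf, the quoted steps then run
#   sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
```
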




Re: [qubes-users] Qubes Live Images

2017-10-17 Thread Michael Carbone
On 10/16/2017 06:32 PM, Unman wrote:
> I had some enforced spare time last week and dusted off some old Live
> images for r3.2. They need tidying up but are usable now.
> 
> There are two iso images, suitable for burning to DVD or USB.
> Both use Debian templates.
> The smaller (2GB) is pretty vanilla, with some additional non-free
> drivers for wifi adapters.
> The larger (2.4GB) has a TorVM, and Tor Browser in an online qube.
> There are restrictive iptables on sys-net and TorVM, and MAC spoofing
> set on sys-net. The offline qube has libre office and veracrypt
> installed.
> 
> The menu system is simple, and won't update if you create new qubes.
> You'll need to use 'qvm-run -a  ', or practice working with
> the mysteries of xdg menus.
> 
> Both images will run (sort of) in 4GB RAM - 8 is better.
> 
> If you use DVD then get used to the sound of the disc thrashing. The
> faster DVD drive you have the better. (That said they work reasonably well
> on an old MacBook with 8GB RAM.) You also need patience - generally it
> seems better to start new qubes discretely.
> 
> Running from USB is fine. If you have ample RAM you'll forget it's a
> live system, unless you hammer the (limited) free disk space.
> 
> Both images are available from http://qubes.3isec.org - hashes and
> signatures to check included.
> 
> I hope to have updated versions ready for 4.0-rc2, along with a tidy build
> system, and (maybe) an installer.
> 
> Cheers
> 
> unman

hi unman,

this is really great, thanks for all your efforts! I've updated the
associated ticket with your email:

https://github.com/QubesOS/qubes-issues/issues/1552#issuecomment-337277453

and the more general live image ticket:

https://github.com/QubesOS/qubes-issues/issues/1018

there's also a ticket on documenting how to create live images for
developers, which you seem to have navigated:

https://github.com/QubesOS/qubes-issues/issues/1970

once Marek has had a chance to check it out it would be good to move it
over to the downloads page.

I also like your work on the QubesTor iso, moves us a bit towards
Tails-like functionality:

https://github.com/QubesOS/qubes-issues/issues/2024

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4





Re: [qubes-users] Again last dom0 update broke kernel connection

2017-09-21 Thread Michael Carbone
On 09/21/2017 12:47 PM, Franz wrote:
> None vm starts except dom0
> 
> I am writing this email by a cell phone
> 
> -Changing the kernel with qubes manager GUI does not work

you can use the GUI, just change the VM to a different kernel in VM
Settings > Advanced (and click okay), then change it back to the kernel
you want. this was the same GUI-based workaround as last time.

> -the terminal line that worked last time runs without errors but does not
> solve the problem:
> 
> for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done
> 
> When I try to start a VM an alert message appears in the upper left telling
> that VM kernel does not exists at
> /var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
> all newer than 4.9.
> 
> But why is it looking for 4.4.67-13? Hope there is a fix.
> 
> Thanks
> Fran
> 

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




[qubes-users] Re: [qubes-devel] Re: Announcement: Recommended Fedora 25 TemplateVM Upgrade for Qubes 3.2

2017-08-04 Thread Michael Carbone
Lorenzo Lamas:
> Because Fedora 25 has a newer version of NetworkManager, can the same
> method for MAC randomization for Debian now be used for Fedora
> instead of using macchanger as described here? 
> https://www.qubes-os.org/doc/anonymizing-your-mac-address/

yes that is correct. I have just submitted a pull request to update that
doc to reflect that fact:

https://github.com/QubesOS/qubes-doc/pull/452

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Re: Qubes silently ditches Librem

2017-07-13 Thread Michael Carbone
>>>> To summarise. Many months after Purism started taking orders
>>>> for Version 2 of the Librem 13, Qubes formally withdrew its
>>>> certification leaving users in the lurch. In the meantime Qubes
>>>> pocketed $100 per order in commission. This is unforgivable,
>>>> indefensible behavior.
>> 
>> It's worth noting that the commissions the project received were
>> never enough to cover the cost of our developers' time and labor in
>> performing the testing and certification process, but we knew this
>> would be the case going in. This was never about the money; it was
>> about trying to make it easier for Qubes users to find compatible
>> hardware. 
>
> That's easy to say Andy, but have you any proof? Qubes is
> an Open Source project so why not open up the qubes accounts and let
> the users see some factual information. Surely, there can't be
> anything to hide?

Purism doesn't publicly publish the number of laptops it sells?

If you convince them to do so, then multiply the number of
Librem 13 (rev1) that were chosen by the user to have Qubes OS
pre-installed by $100 to get the amount the Qubes project received from
them.

The "lurch" is that new users can no longer order laptops with Qubes
pre-installed and the Qubes project no longer receives a commission for
these laptops. These seem like not good things for the Qubes project --
why would we want this outcome?

Your Librem 13 rev2 will probably work fine with Qubes, feel free to
make a HCL report and share it with the rest of the community, I'm sure
others would appreciate it:

https://www.qubes-os.org/doc/hcl/

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Fedora 24 will EOL on 2017-08-08. Are F25/26 Templates ready?

2017-07-13 Thread Michael Carbone
Noor Christensen:
> On Thu, Jul 13, 2017 at 10:05:34AM +0100, Unman wrote:
>> On Fri, Jun 30, 2017 at 01:19:48AM +0200, Illidan Pornrage wrote:
>>> The latest Fedora template, 24, in the repo will EOL soon on 2017-08-08.
>>>
>>> Are templates with newer Fedora Versions ready?
>>>
>>> If not, what is missing? Maybe I can help porting whatever.
>>
>> There are templates for Fedora-25 for both 3.2 and 4, and the packages
>> are also available at yum.qubes-os.org, so you can either upgrade
>> existing templates or install a shiny new one.
> 
> Anybody know if 3.2 will ever support FC24, or if 4.0 is the only way?

As shown in the link you quote, you can download FC24 for 3.2:

http://yum.qubes-os.org/r3.2/templates-itl/rpm/

so in dom0:

F24:
sudo qubes-dom0-update qubes-template-fedora-24

F25:
sudo qubes-dom0-update qubes-template-fedora-25

as unman mentions you can also upgrade an existing Fedora template
rather than download a fresh new one:

https://www.qubes-os.org/doc/template/fedora/upgrade-23-to-24/

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Re: The issue of non-proprietary BIOS and Qubes OS

2017-06-21 Thread Michael Carbone
Holger Levsen:
> On Wed, Jun 21, 2017 at 09:57:25AM +0200, math blanc wrote:
>> Installing Qubes OS 3.x on a X200 sounds like a bad idea to me, isn't it?
> 
> I'd rather choose an x220 or x230, where you can also clean the ME. 
> 
> Plus, an x230 is supported by heads, which you might also like to use.
> (see https://osresearch.net) - but start with plain coreboot+qubes, that's
> a steep enough learning curve already :)

FYI x220 also has heads support:

https://github.com/osresearch/heads/pull/190

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] feedback for todays kernel-qubes-vm update (4.4.55-11)

2017-04-18 Thread Michael Carbone
Marek Marczykowski:
> On Tue, Apr 18, 2017 at 05:33:00PM +0000, Michael Carbone wrote:
>> Joonas Lehtonen:
>>> Hi,
>>>
>>> just a quick notice about today's kernel update.
>>>
>>> After upgrading, the new kernel 4.4.55 became the new default for all
>>> VMs that previously used the default kernel, but
>>> VMs would no longer boot because they claim that an old kernel the one
>>> that got removed during the upgrade (4.4.11?) is no longer present even
>>> though the VM was configured to boot the default (4.4.55).
>>>
>>> Easy workaround:
>>> configure the VM to boot 4.4.38 and save.
>>> reopen the preferences and configure it to boot the latest default
>>> -> boot the vm
> 
>> Encountered the same issues on update. There was also a broken pipe
>> error during the update process.
> 
>> Workaround works, needs to be done manually for each affected VM (which
>> qvm-ls -k lists).
> 
> Do we have an issue for this on github? I can't find one.

Just made one:

https://github.com/QubesOS/qubes-issues/issues/2757

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] feedback for todays kernel-qubes-vm update (4.4.55-11)

2017-04-18 Thread Michael Carbone
Joonas Lehtonen:
> Hi,
> 
> just a quick notice about today's kernel update.
> 
> After upgrading, the new kernel 4.4.55 became the new default for all
> VMs that previously used the default kernel, but
> VMs would no longer boot because they claim that an old kernel the one
> that got removed during the upgrade (4.4.11?) is no longer present even
> though the VM was configured to boot the default (4.4.55).
> 
> Easy workaround:
> configure the VM to boot 4.4.38 and save.
> reopen the preferences and configure it to boot the latest default
> -> boot the vm

Encountered the same issues on update. There was also a broken pipe
error during the update process.

Workaround works, needs to be done manually for each affected VM (which
qvm-ls -k lists).

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Certified Hardware - Why purism and not system76 or thinkpenguin?

2017-02-19 Thread Michael Carbone
taii...@gmx.com:
> Purism is selling snake oil and taking money away from the honest
> companies that admit they're selling a re-badged quanta laptop that will
> never ever have libre firmware.
> 
> Here is a reddit post with more info about the situation (yeah it's from
> leah but whatever it's true)
> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
> 
> 
> https://www.qubes-os.org/doc/certified-laptops/
> "In addition, the Qubes team will receive a small portion of the revenue
> from any Librem 13 sale that comes with Qubes pre-installed."
> The man that is always behind the curtain.
> Does one have to pay to be included on this list? how much? how come
> real libre computer sellers like gluglug and raptor engineering aren't
> listed on here?
> 
> If you want to be honest there are only two boards in the world period
> that check all the qubes 4.0 boxes, the KCMA-D8 and the KGPE-D16 both of
> which are legitimately libre blob free and also have a user configurable
> TPM CRTM which is very important if you don't want your TPM to be
> predictable.
> 
> Instead of putting in actual effort to make a real libre laptop with a
> few ARM cpus, maybe an AMD FM2 (FM2+ has PSP) or something like that
> they instead are satisfied "making" crappy quanta rebrands, taking
> credit for other peoples work and acting like buying unfused cpus is a
> revolutionary act.
> 
> The simple fact of the matter is that if google can't convince intel to
> hand over the ME code, the FSP code, the VGA BIOS and the signing keys
> for all of those then a small company with a 160K crowdfunding campaign
> won't ever be able to do that, and even if google somehow did the
> impossible it would apply to every intel device and not just theirs thus
> making a purism purchase absolutely pointless.

Our hardware certification process:

https://www.qubes-os.org/hardware-certification/

We have had discussions with ~5-10 manufacturers, including those you
reference, and so far only Purism has followed through with the hardware
certification process for Qubes 3.x.

Note that Librems currently do not meet the requirements for Qubes 4.x
branch:

https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

We would love to have more manufacturers and hardware certified, both
for 3.x and 4.x. There are some (potentially) on the horizon, like:

https://minifree.org/product/libreboot-d16/

Feel free to search this mailing list for past discussions on Purism.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Re: Riseup Services Likely Compromised

2017-02-17 Thread Michael Carbone
Me:
> Michael Carbone:
>> Me:
>>> Qubes users beware. Riseup Services (including email) are likely
>>> compromised by State actors.
>>> For more info and to verify above statement visit
>>> https://riseup.net/canary {here you'll see that the canary statement
>>> hasn't been updated quarterly as promised} and here
>>> https://www.whonix.org/blog/riseup.
>>> Google the topic and you'll see lots of other statements that Riseup is
>>> no longer trusted.
>>> Stay Safe
>>
>> https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/
>>
>> which includes statements from the Riseup team.
>>
>> It sounds like they were served with something boring, but because of
>> how they defined their warrant canary they had to not update it.
>> Removing a warrant canary does not mean compromise, which is one of the
>> weaknesses of poorly defined (and followed) warrant canaries.
>>
> The Intercept may be correct. However they do not publish this tweet
> from Riseup "listen to the hummingbird, whose wings you cannot see,
> listen to the hummingbird, don't listen to me." It doesn't take a rocket
> scientist to interpret this. In any case, I have my doubts about the
> integrity of The Intercept; which is funded by the owner of PAYPAL; that
> well known privacy activist! who in the past has blocked donations to
> Wikileaks et al

and riseup has been ungagged regarding their court order:

https://riseup.net/en/about-us/press/canary-statement

"After exhausting our legal options, Riseup recently chose to comply
with two sealed warrants from the FBI, rather than facing contempt of
court (which would have resulted in jail time for Riseup birds and/or
termination of the Riseup organization). The first concerned the public
contact address for an international DDoS extortion ring. The second
concerned an account using ransomware to extort money from people."

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Re: create new sys-net

2017-02-07 Thread Michael Carbone
haaber:
> On 01/28/2017 07:05 PM, Michael Carbone wrote:
>> haaber:
>>> On 01/27/2017 09:47 PM, taii...@gmx.com wrote:
>>>> On 01/27/2017 10:11 AM, '01v3g4n10' via qubes-users wrote:
>>>>> On Friday, January 27, 2017 at 7:19:10 AM UTC-6, Bernhard wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I still have my system bricked due to a dead sys-net.
>>>>>>
>>>>>> Could somebody help me to generate a new one, please?
>>>>>>
>>>>>> thank you, Bernhard
>>>>> Create a new VM : Name it, click the NetVM button then choose a color
>>>>> and template.
>>>>>
>>>>> Change sys-firewall to your new sys-net vm and use networkmanager or
>>>>> other means to establish connection.
>>>>>
>>>> Don't forget to check the "start on boot" option if you desire that.
>>>>
>>> Thank you that worked! Now my bricked system is only half-bricked :)
>>>
>>> 1) fedora-24 is still in coma: it shows the mysterious  "ERROR: Cannot
>>> execute qrexec-daemon" and stays yellow. I consider (a) renaming it
>>> old-fedora, (b) moving it to the harddrive (to make space on SSD), (c)
>>> symlink it (d) install a fresh fedora-24 template.
>>>  
>>> Does this sound right / the most easy solution to you?
>>>
>>> 2) my new debian based SYS-net can only access ethernet. I installed the
>>> iwl-firmware in the template, and made sure the hardware is accessible
>>> in it. But that does not yet help. Do I have to verify the firmware
>>> in dom0 ?
>>> (wireless = intel 7620)
>>> Thank you, Bernhard
>> Bernhard,
>>
>> Specifying your wireless card (Intel 7620) is necessary for others to
>> help you with hardware troubleshooting, so in the future please lead
>> with such information.
>>
>> This card has issues with older versions of iwlwifi (in other distros
>> like debian, ubuntu, fedora, etc), so you will want to run the newest
>> version of iwlwifi possible, which is most easily done using debian
>> templates.
>>
>> What you are going to want to do is: (1) create a debian-9 template, (2)
>> install firmware-iwlwifi in that template, (3) make sure it is
>> up-to-date, and then (4) base your sys-net on that template.
>>
>> In more detail:
>>
>> 1. follow all steps of:
>> https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
>>
>> 2. [you@debian-9 $] sudo apt install firmware-iwlwifi
>>
>> 3. [you@debian-9 $] sudo apt update && sudo apt upgrade
>>
>> shutdown your debian-9 template.
>>
>> 4. turn off your existing sys-net. change its template to debian-9 in VM
>> Manager > VM Settings. ensure that there is your wireless network
>> controller assigned to it in VM Settings > Devices. (If no network
>> controller exists, go into your BIOS and see if there are any settings
>> associated with your wireless card that you need to enable.) once there
>> is a wireless network controller that exists and is assigned to sys-net,
>> restart your sys-net.
>>
>> Michael
>>
> Hi Michael, I was for a long while in no-internet-land. Once back I gave
> it a try and it worked! Thanks a lot. I have been using debian-8 on the
> same machine since it was early-testing, and the wifi always worked. I
> do not understand that under qubes-debian I need a stretch, but OK,
> "whatever works!" as Woody Allen says :)  Bernhard

glad it worked for you! in the future reply to list so that others who
encounter the same issue will know it worked.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Advantage of connecting through a mobile router in public?

2017-02-01 Thread Michael Carbone
Franz:
> On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise <tas...@openmailbox.org>
> wrote:
> 
>> On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
>>
>>> I keep reading examples where people are using something like mobile
>>> routers between their phone/computer and public wifi spots, example like
>>> the blackholecloud <https://blackholecloud.com/> device or apparently
>>> Mike Perry of the tor project told arstechnica
>>> <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
>>> that "He suggests leaving the
>>> prototype in airplane mode and connecting to the Internet through a second,
>>> less-trusted phone, or a cheap Wi-Fi cell router."
>>>
>>
>> This is pretty dubious advice. What is to stop an attacker from breaking
>> into the mobile router and using that as an attack platform to break into
>> your main device? A few minutes...?

The point of Mike Perry's strategy is to (1) protect against baseband
access/tracking by only using a phone's WiFi and to (2) protect against
the current poor situation of firewalling in Android to *protect against
non-Tor identity leaks*.

It seems pretty orthogonal to what you want to discuss with this thread
- using mobile routers as a firewall for non-phone devices (Qubes)
against active attackers.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Re: create new sys-net

2017-01-28 Thread Michael Carbone
haaber:
> On 01/27/2017 09:47 PM, taii...@gmx.com wrote:
>> On 01/27/2017 10:11 AM, '01v3g4n10' via qubes-users wrote:
>>> On Friday, January 27, 2017 at 7:19:10 AM UTC-6, Bernhard wrote:
>>>> Hello,
>>>>
>>>> I still have my system bricked due to a dead sys-net.
>>>>
>>>> Could somebody help me to generate a new one, please?
>>>>
>>>> thank you, Bernhard
>>> Create a new VM : Name it, click the NetVM button then choose a color
>>> and template.
>>>
>>> Change sys-firewall to your new sys-net vm and use networkmanager or
>>> other means to establish connection.
>>>
>> Don't forget to check the "start on boot" option if you desire that.
>>
> Thank you that worked! Now my bricked system is only half-bricked :)
> 
> 1) fedora-24 is still in coma: it shows the mysterious  "ERROR: Cannot
> execute qrexec-daemon" and stays yellow. I consider (a) renaming it
> old-fedora, (b) moving it to the harddrive (to make space on SSD), (c)
> symlink it (d) install a fresh fedora-24 template.
>  
> Does this sound right / the most easy solution to you?
> 
> 2) my new debian based SYS-net can only access ethernet. I installed the
> iwl-firmware in the template, and made sure the hardware is accessible
> in it. But that does not yet help. Do I have to verify the firmware
> in dom0 ?
> (wireless = intel 7620)
> Thank you, Bernhard

Bernhard,

Specifying your wireless card (Intel 7620) is necessary for others to
help you with hardware troubleshooting, so in the future please lead
with such information.

This card has issues with older versions of iwlwifi (in other distros
like debian, ubuntu, fedora, etc), so you will want to run the newest
version of iwlwifi possible, which is most easily done using debian
templates.

What you are going to want to do is: (1) create a debian-9 template, (2)
install firmware-iwlwifi in that template, (3) make sure it is
up-to-date, and then (4) base your sys-net on that template.

In more detail:

1. follow all steps of:
https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/

2. [you@debian-9 $] sudo apt install firmware-iwlwifi

3. [you@debian-9 $] sudo apt update && sudo apt upgrade

shutdown your debian-9 template.

4. turn off your existing sys-net. change its template to debian-9 in VM
Manager > VM Settings. ensure that there is your wireless network
controller assigned to it in VM Settings > Devices. (If no network
controller exists, go into your BIOS and see if there are any settings
associated with your wireless card that you need to enable.) once there
is a wireless network controller that exists and is assigned to sys-net,
restart your sys-net.

Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Riseup Services Likely Compromised

2016-12-11 Thread Michael Carbone
Me:
> Qubes users beware. Riseup Services (including email) are likely
> compromised by State actors.
> For more info and to verify above statement visit
> https://riseup.net/canary {here you'll see that the canary statement
> hasn't been updated quarterly as promised} and here
> https://www.whonix.org/blog/riseup.
> Google the topic and you'll see lots of other statements that Riseup is
> no longer trusted.
> Stay Safe

https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/

which includes statements from the Riseup team.

It sounds like they were served with something boring, but because of
how they defined their warrant canary they had to not update it.
Removing a warrant canary does not mean compromise, which is one of the
weaknesses of poorly defined (and followed) warrant canaries.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] disable split-gpg notifications?

2016-11-18 Thread Michael Carbone
Marek Marczykowski-Górecki:
> On Fri, Nov 18, 2016 at 02:49:00PM +0000, Michael Carbone wrote:
>> Is there an easy way to disable split-gpg notifications? They are just
>> screen noise, and in XFCE cover the time and systray by default.
> 
> The easy (hacky) way is to comment out notify-send in
> /etc/qubes-rpc/qubes.Gpg.

thanks.

>> From a security perspective without timestamps in the access logs
>> (https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
>> pre-approved email client could just decrypt emails in mass when the
>> user is AFK to avoid notifying the user, so I see little security benefit.
> 
> That's true indeed. I wonder if blocking split-gpg while screenlocker is
> engaged would make sense? Currently confirmation with a 5min timeout
> serves a similar purpose.

I think that's an excellent idea.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4
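
The concern discussed in this thread (a pre-approved client decrypting in bulk while the user is away, and the proposal to block split-gpg while the screen locker is engaged), sketched as an added example that is not Qubes code and not from the original posts. It assumes a hypothetical timestamped request log of the kind asked for in issue 1835 and a hypothetical list of screen-lock intervals; both inputs are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input. The "timestamp client operation" format is
# hypothetical: it assumes per-request timestamps were logged.
SAMPLE_LOG = """\
# timestamp          client     operation
2016-11-18T09:02:11 work-email decrypt
2016-11-18T09:40:53 work-email decrypt
2016-11-18T11:15:07 work-email sign
2016-11-18T12:30:00 work-email decrypt
2016-11-18T12:30:03 work-email decrypt
2016-11-18T12:30:06 work-email decrypt
2016-11-18T12:30:09 work-email decrypt
2016-11-18T12:30:12 work-email decrypt
2016-11-18T12:30:15 work-email decrypt
2016-11-18T12:30:18 work-email decrypt
2016-11-18T12:30:21 work-email decrypt
2016-11-18T14:05:44 work-email decrypt
"""

# Constructed screen-lock intervals (start, end); also hypothetical input.
SAMPLE_LOCKS = [("2016-11-18T12:00:00", "2016-11-18T13:00:00")]


@dataclass(frozen=True)
class Request:
    when: datetime
    client: str      # name of the requesting (pre-approved) qube
    operation: str   # e.g. "decrypt" or "sign"


def parse_log(text):
    """Parse the hypothetical log into Request objects, oldest first."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, client, operation = line.split()
        requests.append(Request(datetime.fromisoformat(stamp), client, operation))
    return sorted(requests, key=lambda r: r.when)


def parse_locks(pairs):
    """Turn (start, end) ISO strings into datetime pairs."""
    return [(datetime.fromisoformat(a), datetime.fromisoformat(b)) for a, b in pairs]


def requests_while_locked(requests, locks):
    """Requests that a 'block while the screen is locked' policy would deny."""
    return [r for r in requests
            if any(start <= r.when < end for start, end in locks)]


def find_bursts(requests, window=timedelta(seconds=60), threshold=5):
    """Return (client, first, last, count) for each run in which one client
    keeps at least `threshold` requests inside a sliding `window`."""
    per_client = defaultdict(list)
    for r in requests:                      # requests are already time-sorted
        per_client[r.client].append(r.when)
    bursts = []
    for client, stamps in per_client.items():
        recent = deque()                    # requests inside the current window
        current = None                      # [first, last, count] being extended
        for t in stamps:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                if current is None:
                    current = [recent[0], t, len(recent)]
                else:
                    current[1] = t
                    current[2] += 1
            elif current is not None:       # the rate dropped: close the burst
                bursts.append((client, *current))
                current = None
        if current is not None:
            bursts.append((client, *current))
    return bursts


def audit(log_text, lock_pairs):
    """Combine both checks into one report."""
    requests = parse_log(log_text)
    locks = parse_locks(lock_pairs)
    return {"while_locked": requests_while_locked(requests, locks),
            "bursts": find_bursts(requests)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, SAMPLE_LOCKS)
    for r in report["while_locked"]:
        print("during screen lock:", r.when.isoformat(), r.client, r.operation)
    for client, first, last, count in report["bursts"]:
        print(f"burst: {client} made {count} requests "
              f"between {first.isoformat()} and {last.isoformat()}")
```

With timestamps, the notification becomes unnecessary for this case: the eight requests made during the lock interval show up both as policy violations and as a single burst.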




[qubes-users] disable split-gpg notifications?

2016-11-18 Thread Michael Carbone
Is there an easy way to disable split-gpg notifications? They are just
screen noise, and in XFCE cover the time and systray by default.

From a security perspective without timestamps in the access logs
(https://github.com/QubesOS/qubes-issues/issues/1835) a malicious
pre-approved email client could just decrypt emails in mass when the
user is AFK to avoid notifying the user, so I see little security benefit.

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




[qubes-users] Qubes at 33c3

2016-11-16 Thread Michael Carbone
Hi all,

For those going to 33c3, some of the Qubes team and related projects
will be there. It will likely be part of the Secure OS/Desktops assembly
as with last year:

https://events.ccc.de/congress/2016/wiki/Projects:Qubes
https://events.ccc.de/congress/2016/wiki/Assembly:Secure_Desktops

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Installing Chrome

2016-09-30 Thread Michael Carbone
Andrew David Wong:
> On 2016-09-29 18:09, Ted Brenner wrote:
>> There are two programs I'd like to install to make Qubes more usable.
>> First, I'd like to install Chrome. Second, I'd like to install Flash
>> (though maybe I won't need that if I'm using Chrome?). I've searched and
>> searched and I know that I just need to authorize the repository in my
>> firewall. But I'm not sure how to do that. Are there instructions for how to
>> install Chrome? Specifics with how to allow the repository in your
>> firewall? I assume something similar would need to be done for Flash?
> 
>> Thanks in advance!
>> Ted
> 
> 
> Try this:
> 
> 1. In your Fedora TemplateVM, edit this file:
> 
>     /etc/yum.repos.d/google-chrome.repo
> 
> 2. Change "enabled=0" to "enabled=1".
> 
> 3. Run this command:
> 
>     $ sudo dnf install google-chrome

FYI if you use the Debian 8 template you can install Chromium (the free
and open source version of Chrome) with:

sudo apt-get install chromium

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] 3.2-rc1, xfce4 volume control

2016-09-04 Thread Michael Carbone
sebastian@gmail.com:
> However the mute is still broken. When you press mute, it mutes both Master & 
> Speaker, when it unmutes it only unmutes property "active-track" which is 
> typically Master OR Speaker.

just want to highlight/confirm the muting issue, I created an issue for it:

https://github.com/QubesOS/qubes-issues/issues/2291

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




[qubes-users] debian template manager (was: Updates Proxy a security Risk?)

2016-08-13 Thread Michael Carbone
Andrew David Wong:
> On 2016-08-12 15:31, johnyju...@sigaint.org wrote:
>> (Is that Debian Template manager a paid position?  :) )
> 
> I think that depends on the current funding situation (CCing Michael).

currently no, though funding is actively being sought for it.

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

*new GPG fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4*
old GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8


