[qubes-users] Yum errors trying to update dom0 on Qubes 4.0

2021-01-14 Thread Miguel Jacq

Hi,

My 'Qubes Updates' notifier told me there were updates available for the 
dom0.

I tried running my usual command: 

qubes-dom0-update --enablerepo=qubes-dom0-security-testing --clean

but I am getting the error below. Any ideas? This is Qubes 4.0, and the 
Debian repository for my TemplateVMs is still working fine, successfully 
fetching some Xen updates on the securitytesting repo.

Thanks!

Log message:

Using sys-firewall as UpdateVM to download updates for Dom0; this may take 
some time...
Cleaning repos: fedora qubes-dom0-current qubes-dom0-security-testing
  : qubes-templates-itl updates
Cleaning up Everything
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in 
yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 288, in user_main
errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 140, in main
result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 436, in doCommands
self._getTs(needTsRemove)
  File "/usr/lib/python2.7/dist-packages/yum/depsolve.py", line 101, in 
_getTs
self._getTsInfo(remove_only)
  File "/usr/lib/python2.7/dist-packages/yum/depsolve.py", line 112, in 
_getTsInfo
pkgSack = self.pkgSack
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 892, in 

pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 673, in 
_getSacks
self.repos.populateSack(which=repos)
  File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 294, in 
populateSack
sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 168, in 
populate
if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 226, in 
_check_db_version
return repo._check_db_version(mdtype)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1268, in 
_check_db_version
repoXML = self.repoXML
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1467, in 

repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1459, in 
_getRepoXML
self._loadRepoXML(text=self)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1449, in 
_loadRepoXML
return self._groupLoadRepoXML(text, self._mdpolicy2mdtypes())
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1424, in 
_groupLoadRepoXML
if self._commonLoadRepoXML(text):
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1242, in 
_commonLoadRepoXML
result = self._getFileRepoXML(local, text)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1020, in 
_getFileRepoXML
size=102400) # setting max size as 100K
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 835, in 
_getFile
result = self.grab.urlgrab(misc.to_utf8(relative), local,
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 531, in 

grab = property(lambda self: self._getgrab())
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 526, in 
_getgrab
self._setupGrab()
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 496, in 
_setupGrab
self._grab = mgclass(self._grabfunc, self.urls,
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 711, in 

urls = property(fget=lambda self: self._geturls(),
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 708, in 
_geturls
self._baseurlSetup()
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 654, in 
_baseurlSetup
mirrorurls.extend(list(self.metalink_data.urls()))
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 751, in 

metalink_data = property(fget=lambda self: self._getMetalink(),
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 738, in 
_getMetalink
self._metalink = metalink.MetaLinkRepoMD(result)
  File "/usr/lib/python2.7/dist-packages/yum/metalink.py", line 209, in 
__init__
max_connections = int(celem.get("maxconnections"))
TypeError: int() argument must be a string or a number, not 'NoneType'
qubes-dom0-current/metalink | 1.8 kB  
00:00 
Traceback (most recent call last):
  File "/usr/bin/yumdownloader", line 327, in 
util = YumDownloader()
  File "/usr/bin/yumdownloader", line 71, in __init__
self.main()
  File "/usr/bin/yumdownloader", line 94, in main
self.doUtilYumSetup(opts)
  File "/usr/bin/yumdownloader", line 296, in doUtilYumSetup
self._getSacks(archlist=archlist)
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 673, in 
_getSacks
self.repos.populateSack(which=repos)
  File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 294, in 
populateSack
sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 168, in 
populate

Re: New Tor Browser behavior (Re: [qubes-users] Upgrading to Fedora 32...)

2020-06-20 Thread miguel . jacq


On Saturday, June 20, 2020 at 4:13:28 PM UTC+10, migue...@gmail.com wrote:
>
>
> https://github.com/QubesOS/qubesos.github.io/blob/be1a8b965c518fd4b5711a9540fccfd9561ca4bb/_includes/head.html#L5
>  
> 
>
> Maybe there's a dynamic variable for injecting the permalink into this 
> tag? 
>
>
I bet you something like this would work (the variable is already used for 
the 'canonical' link tag):

<meta http-equiv="onion-location" content="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion{{ page.url }}" />

:)

mig5

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/52cc13cb-971d-4899-9089-c0396a89aadeo%40googlegroups.com.


Re: New Tor Browser behavior (Re: [qubes-users] Upgrading to Fedora 32...)

2020-06-20 Thread miguel . jacq
Hi,

On Tuesday, June 16, 2020 at 2:00:44 AM UTC+10, Sven Semmler wrote:
>
> On 6/14/20 5:37 PM, Ulrich Windl wrote: 
> > Tor browser 9.5 suggests ".onion available", but when clicking on 
> > it, you end up on a different page.  Is that intended? 
>
> I see the same. If you say yes you get the start page of the Qubes OS 
> website on the .onion URL instead of the page you navigated to. 
>
> But this really is a TorBrowser issue not a Qubes issue. I figure this 
> will annoy a lot more people and it's safe just to wait for the next 
> release. 
>

It's not a Tor Browser error, it looks merely like a misconfiguration (or a 
side-effect of a decision, see below). The Onion-Location is being set in 
the 'meta' tag of the HTML source, but it lacks the request URI on the end.

That's probably because the site is hosted at Github and so there is no 
control over the vhost configuration, so it was done in the meta tag, but 
apparently not as a 'dynamic' link per page, just a static link in a header 
template.

https://github.com/QubesOS/qubesos.github.io/blob/be1a8b965c518fd4b5711a9540fccfd9561ca4bb/_includes/head.html#L5

Maybe there's a dynamic variable for injecting the permalink into this tag? 

mig5 (from OnionShare, etc)
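
An added example (not part of the original post and not the Qubes site's code): a check for the misconfiguration described above. It reads the Onion-Location meta tag and the canonical link from a rendered page and reports whether the onion URL carries the page's request path. The sample pages and the hosts example.org and exampleonionaddress.onion are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HeadLinks(HTMLParser):
    """Collect the Onion-Location meta value and the canonical link href."""

    def __init__(self):
        super().__init__()
        self.onion_location = None
        self.canonical = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "onion-location":
            self.onion_location = a.get("content", "")
        elif tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical = a.get("href", "")


def check_onion_location(html):
    """Return (status, detail) for one rendered page."""
    p = HeadLinks()
    p.feed(html)
    if p.onion_location is None:
        return ("missing", "no Onion-Location meta tag")
    onion = urlsplit(p.onion_location)
    if not (onion.hostname or "").endswith(".onion"):
        return ("invalid", "target is not a .onion host: %r" % p.onion_location)
    if p.canonical is None:
        return ("unknown", "no canonical link to compare against")
    want = urlsplit(p.canonical).path or "/"
    got = onion.path or "/"
    if got != want:
        # Static header template: every page points at the onion start page.
        return ("static", "onion path %r != page path %r" % (got, want))
    return ("ok", "onion path matches page path %r" % want)


# Constructed sample pages (hosts and paths are placeholders).
STATIC_PAGE = """<html><head>
<link rel="canonical" href="https://example.org/doc/example-page/" />
<meta http-equiv="onion-location" content="http://exampleonionaddress.onion" />
</head><body></body></html>"""

PER_PAGE = """<html><head>
<link rel="canonical" href="https://example.org/doc/example-page/" />
<meta http-equiv="onion-location"
      content="http://exampleonionaddress.onion/doc/example-page/" />
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("static", STATIC_PAGE), ("per-page", PER_PAGE)):
        print(name, check_onion_location(page))
```

Run against the start page, a static tag reports "ok", which is why the problem only shows up on inner pages.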



[qubes-users] Split SSH

2017-05-21 Thread miguel . jacq
I haven't seen it discussed yet here, but some users might be interested to 
know that there's a Split SSH agent implementation at 
https://github.com/henn/qubes-app-split-ssh

I am unsure if the developer intends to work further on it. Therefore, users 
may also be interested in several pull requests that are, at time of writing, 
available at https://github.com/henn/qubes-app-split-ssh/pulls:

1) Adds the autostart .desktop file which starts the ssh-agent in the vault
2) Improves the socket permissions in the client AppVM
3) Adds the notification in the UI, like Split GPG, when the agent is accessed
4) Adds the ability to set a 'timeout' so as not to be prompted on every SSH 
request but (say) only if 10 minutes have passed without any SSH requests having 
been made. (similar to Split GPG behavior)

Thanks to the developer for progressing this effort. It's working well for me :)

Cheers



[qubes-users] Re: start application on startup

2017-05-21 Thread miguel . jacq
Hi,

On Sunday, May 21, 2017 at 4:47:19 AM UTC+10, aforete wrote:
> Am I doing something wrong here? is there any other way to start
> applications once a vm starts?

Yes, you can do the following in your AppVM:

1) make the directory /home/user/.config/autostart if it doesn't already exist

2) add a file inside that directory called (e.g) thunderbird.desktop that 
contains the following lines

[Desktop Entry]
Name=thunderbird
Exec=thunderbird
Type=Application

Reboot your AppVM and Thunderbird should start. Rinse and repeat for any other 
app.

The reason this works is that the autostart files are processed *after* the 
user's X session has started up.

Cheers



[qubes-users] Re: Thinkpad T450s - After upgrade to 3.2, can't boot into new 4.4 kernel

2017-03-26 Thread miguel . jacq
On Monday, March 27, 2017 at 1:51:34 PM UTC+11, migue...@gmail.com wrote:
> Thanks!

Forgot to add - yes, my BIOS settings are as per the bottom section 
'Instructions for getting your Lenovo 450 laptop working with Qubes/Linux' of 
https://www.qubes-os.org/doc/thinkpad-troubleshooting/, though I suspect those 
instructions are mainly for install attempts, not normal boots (and it didn't 
help my attempted fresh install of 3.2 in any case)

Cheers



[qubes-users] Thinkpad T450s - After upgrade to 3.2, can't boot into new 4.4 kernel

2017-03-26 Thread miguel . jacq
Hi,

On the weekend I upgraded my Qubes 3.1 to 3.2, on my Thinkpad T450s.

(I had attempted a fresh install with the 3.2 ISO, but found that I could not 
actually get the installer going, likely due to UEFI issues as per the docs 
[1]. However 'use rEFInd' per the docs meant absolutely nothing to me, I wasn't 
sure whether that implies I'm to install rEFInd on the dom0 or what, in order 
to access the grub menu? Docs could maybe be a bit less vague here, but that's 
another story).

After experiencing issues trying to do a manual upgrade with a Debian UpdateVM 
(yes I followed the instructions per [2], but I still had some undocumented 
perl dependency issue that I couldn't resolve), I was able to complete the 3.2 
upgrade manually with a Fedora UpdateVM, without any issue. Hooray!

The only problem is that I can't seem to boot into the 4.4 kernel - at boot-up, 
if I select the 4.4 kernel (the default), it just goes into a reboot cycle.

I am guessing this is still UEFI related somehow, but I see no messages to the 
screen (cursor just blinks after the Qubes boot menu and then reboots).

I am able to boot into the 4.1 kernels that I still have in the boot menu, left 
over from my 3.1 installation. Phew! Everything else looks fine with the 
upgrade.

I tried the steps in the last section of the UEFI troubleshooting docs 'Boot 
device not recognized after installing' but it didn't help.

Does anyone have any tips on how to troubleshoot the 4.4 issue e.g what to do 
to get more debug info as to why it goes into a reboot cycle? 

Is this something I can fix while booted into the 4.1 kernel, or will I have to 
look at this rEFInd thing to attempt the other UEFI troubleshooting steps?

Thanks!


[1] https://www.qubes-os.org/doc/uefi-troubleshooting/
[2] https://www.qubes-os.org/doc/upgrade-to-r3.2/



[qubes-users] Intrusion detection daemons in VMs

2016-11-03 Thread miguel . jacq
Coming out of a discussion in 
https://groups.google.com/forum/#!topic/qubes-users/hs2yapPlUVA

I am interested, does anyone run intrusion detection tools within their VMs? 

I use OSSEC [1] extensively elsewhere (on servers), but not sure it would work 
so well in agent-server model in Qubes. 

'local' mode would work, but I would still want to get notifications of 
events/attacks, even from vaulted VMs that can't send email.

Since Qubes design suggests we should expect VM compromise, I think it makes 
sense to have something looking for such a compromise rather than just 
periodically rebuild my VMs (as I currently do).

Anyone else looked into a nice solution?

[1] http://ossec.github.io





Re: [qubes-users] Re: No Kernel update since dirtycow (copy-on-write) exploit?

2016-11-03 Thread miguel . jacq
On Friday, November 4, 2016 at 9:27:24 AM UTC+11, Marek Marczykowski-Górecki 
wrote:
> 
> In Qubes VM, it's nothing more than "sudo -s" which you have for free
> already. Basically, the idea is that someone get code execution in the
> VM, there is nothing worse in that VM. Getting root gives you nothing
> more - all the user data is in /home/user, accessible from normal user.
> For lengthier explanation, see /etc/sudoers.d/qubes[1] in the VM.
> 
> Anyway there is updated kernel package in current-testing repository.

Thanks Marek

It does raise something else I've been thinking about: since the user home dir 
is persistent across VM reboots, seems quite likely to store malware there so 
that it's persistent. So in a way /home/user becomes even more interesting 
target to someone who wants to attack Qubes..

Perhaps should be a separate topic, but does anyone run intrusion detection 
tools within their VMs? I use OSSEC extensively but not sure it would work so 
well in agent-server model in Qubes, perhaps 'local' mode is best.. but would 
still want to get notifications, even from vaulted VMs that can't send email.

Actually I think I'll make that separate topic :)



[qubes-users] Re: No Kernel update since dirtycow (copy-on-write) exploit?

2016-11-03 Thread miguel . jacq
On Saturday, October 29, 2016 at 5:27:11 AM UTC+11, dede wrote:
> Qubes still use 4.4.14-11.
> 
> So it's still vulnerable, right?
> 
> Even qubes not like a normal linux distribution I would sleep better if 
> we get an update.

I'd second this, and I'm surprised not more people are talking about it.

I know that QubesOS design means we should plan for any VM compromise, and I 
even make a routine of rebuilding my more important network-facing VMs just in 
case. 

But even still, it would be nice to have a bit of 'defense in depth' - this 
Dirty Cow vuln is so trivial to exploit, no reason to make it easier. Is it a big 
problem to patch the kernel in 3.1/3.2 ? Happy to test a fix in securitytesting 
repo.

Mig



[qubes-users] Re: qubes-template-debian-7 missing?

2016-10-19 Thread miguel . jacq
Looks indeed like it is missing from 
http://yum.qubes-os.org/r3.1/templates-itl/rpm/ but is present in 3.0 at 
http://yum.qubes-os.org/r3.0/templates-itl/rpm/

Docs probably need updating if this was deliberate. A shame as Debian 7 still 
gets 'long term support' security updates so would still be good to keep around 
for a while longer.



[qubes-users] qubes-template-debian-7 missing?

2016-10-19 Thread miguel . jacq
Hi,

I'm trying to install the Debian 7 (Wheezy) template on Qubes 3.1.

Per https://www.qubes-os.org/doc/templates/debian I run:

sudo qubes-dom0-update qubes-template-debian-7

The result I get is

No Match for argument qubes-template-debian7
Nothing to download


Has the template disappeared?

My /etc/yum.repos.d/qubes-templates.repo shows both [qubes-templates-itl] and 
[qubes-templates-community] as being enabled.

Thanks

Mig
