[qubes-users] Qubes - SSH (soon VNC) into Qubes dom0 - Testers Wanted!

2021-03-27 Thread 'Patrick Schleizer' via qubes-users
Encrypted, authenticated SSH or VNC into Qubes dom0 over an
authenticated Tor onion v3 service.

Only available in Qubes R4.1 and above.

User documentation:
 https://www.whonix.org/wiki/Remote_Administration#Qubes_-_SSH_or_VNC_into_Qubes_dom0

Source code:
 https://github.com/QubesOS/qubes-remote-support

Development notes:
 https://www.whonix.org/wiki/Dev/Qubes_Remote_Support

Qubes ticket:
 https://github.com/QubesOS/qubes-issues/issues/6364

Qubes repository upload status:
 https://github.com/QubesOS/updates-status/issues/2353

x2go (VNC) support broken until upstream fix for issue flows to Qubes
R4.1 dom0:
 https://github.com/QubesOS/updates-status/issues/2353

Forum discussion:
https://forums.whonix.org/t/qubes-ssh-soon-vnc-into-qubes-dom0-testers-wanted/11330

Credits:
This has been a shared project between the Qubes and Whonix projects.

- conceptual planning: Patrick Schleizer, Whonix, Marek
Marczykowski-Górecki, Qubes OS, Insurgo
- command line backend utilities, Whonix integration: Patrick Schleizer,
Whonix
- graphical user interface (GUI), Qubes Remote Support GUI: Marta
Marczykowska-Górecka (Qubes OS)

Gratitude is expressed to NLnet for funding this functionality as part
of accessible security project!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/176bd8b8-ade0-3a60-1b12-f168719293a1%40whonix.org.


Re: [qubes-users] Whonix uwtwrapper Error using SSH / torsocks

2021-03-26 Thread 'Patrick Schleizer' via qubes-users
'qubebe' via qubes-users:
> Hi,
> 
> I am new to QubesOS, and now wanted to just ssh into my server.
> But if I want to ssh I get the following error message, I didn't change 
> anything at the standard config (Whonix-ws-15):
> 
> user@host:~$ ssh
> uwtwrapper uwt wrapper ERROR: /usr/bin/ssh.anondist-orig does not exist.
> 
> Could you please help me?
> 


Install ssh.

sudo apt update

sudo apt install openssh-client



Re: [qubes-users] Whonix: configure Torbrowser for use in DispVM

2020-03-19 Thread Patrick Schleizer
Sven Semmler:
> I think torbrowser is a whonix-specific script that somehow detects that
> it's running in a dispvm and then nukes the profile and replaces it with
> a default. Is that true?


No.

https://www.whonix.org/wiki/Qubes/DisposableVM

> I want only the
> default search engine to change and the security to be 'safest' (no
> scripts at all)
> 
> What's the best way to do this?


https://www.whonix.org/wiki/Qubes/DisposableVM#Tor_Browser_in_DVM_Template

https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#DVM_Template_Customization



Re: [qubes-users] Forgot to RTFM and now getting errors in whonix during update?

2020-03-16 Thread Patrick Schleizer
Note:

Bisq package is at that time neither available from packages.debian.org
nor deb.whonix.org. It's a third party package.

Same would happen in Debian. Therefore this isn't a Whonix related issue
either.

Whonix only happens to provide instructions on how to install Bisq
despite some issues which are neither caused by Whonix nor Qubes.

Stumpy:
> I had tried to install bisq on my whonix ws template and for "some
> reason" (which i later found out when i did read the whonix docs) it
> wasnt working.


Please follow the documentation.

> Setting up bisq (1.2.7) ...
> Adding shortcut to the menu
> xdg-desktop-menu: No writable system menu directory found.
> dpkg: error processing package bisq (--configure):
>  installed bisq package post-installation script subprocess returned
> error exit status 3
> Errors were encountered while processing:
>  bisq
> E: Sub-process /usr/bin/dpkg returned an error code (1)


As per documentation.

https://www.whonix.org/wiki/Bisq#xdg-desktop-menu_bug_workaround

sudo mkdir -p /usr/share/desktop-directories

Cheers,
Patrick



Re: [qubes-users] Forgot to RTFM and now getting errors in whonix during update? (and deb template "qubes-core-agent-passwordless-root" error)

2020-03-16 Thread Patrick Schleizer
Issue:

>>> Setting up bisq (1.2.7) ...
>>> Adding shortcut to the menu
>>> xdg-desktop-menu: No writable system menu directory found.
>>> dpkg: error processing package bisq (--configure):
>>>   installed bisq package post-installation script subprocess returned
>>> error exit status 3
>>> Errors were encountered while processing:
>>>   bisq
>>> E: Sub-process /usr/bin/dpkg returned an error code (1)


Totally different issue:

>> Removing qubes-core-agent-passwordless-root (4.0.51-1+deb10u1) ...
>> Removing user user from group sudo
>> gpasswd: user 'user' is not a member of 'sudo'
>> dpkg: error processing package qubes-core-agent-passwordless-root
>> (--remove):
>>   installed qubes-core-agent-passwordless-root package post-removal
>> script subprocess returned error exit status 3
>> Errors were encountered while processing:
>>   qubes-core-agent-passwordless-root
>> E: Sub-process /usr/bin/dpkg returned an error code (1)


Please don't mix a totally different issue into the same mailing list
thread.



[qubes-users] Qubes-Whonix 15 TemplateVMs (4.0.1-202003070901) -- Testers Wanted!

2020-03-10 Thread Patrick Schleizer
https://www.whonix.org/wiki/Qubes/Install/Testing

Or.

https://www.whonix.org/wiki/Qubes/Reinstall/Testing

Let's test these templates!

* https://github.com/QubesOS/updates-status/issues/1674
* https://github.com/QubesOS/updates-status/issues/1675

Alternatively:

In-place release upgrade is possible using Whonix testers repository

https://www.whonix.org/wiki/Project-APT-Repository

Changes:

Contains all enhancements that were recently released.

https://forums.whonix.org/t/whonix-virtualbox-15-0-0-8-9-point-release-vanguards-tcp-isn-leak-protection-extensive-hardening/8994

https://forums.whonix.org/t/whonix-virtualbox-15-0-0-9-4-testers-wanted/9089

Whonix forums discussion:

https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-testers-wanted/9093



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-10-06 Thread Patrick Schleizer
tetrahedra via qubes-users:
> On Fri, Sep 27, 2019 at 01:37:06PM +, Claudia wrote:
>> Isolating apps in the same VM is a different issue, but you're saying
>> traffic from different VMs is appearing to come from the same address?
>>
>> Hmm, that definitely should not be happening. VM isolation is enabled
>> out of the box. Different VMs, whonix or otherwise, should never share
>> circuits. IsolateClientAddr (on by default) in whonix-gw's torrc
>> should isolate streams originating from different addresses/VMs, no
>> matter what OS or apps they're running.
> 
> I don't see that setting in
> /usr/local/etc/torrc.d/40_tor_control_panel.conf or in 50_user.conf ...
> which torrc is that setting supposed to be in?
> 


/usr/share/tor/tor-service-defaults-torrc

https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist

https://www.whonix.org/wiki/Dev/git#grep_Whonix_source_code
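An added example, not part of the original message or of Whonix's own tooling: a Python checker for the situation in this thread, where `IsolateClientAddr` cannot be found in a torrc because Tor enables it by default on every listener and only a `NoIsolateClientAddr` flag turns it off. The sample configuration and its addresses are constructed for illustration.

```python
"""Audit torrc text for listeners that disable per-client stream isolation."""
import sys
from dataclasses import dataclass

# Tor options that open a client-facing listener and accept isolation flags.
LISTENER_OPTIONS = {"socksport", "transport", "dnsport", "natdport", "httptunnelport"}
# Flags Tor applies to every listener unless a "No..." flag disables them.
DEFAULT_ON = ("IsolateClientAddr", "IsolateSOCKSAuth")
# Flags that are off unless written on the listener line.
OPT_IN = ("IsolateClientProtocol", "IsolateDestPort", "IsolateDestAddr")
_KNOWN = {flag.lower(): flag for flag in DEFAULT_ON + OPT_IN}


@dataclass(frozen=True)
class Listener:
    source: str           # file name, used only for reporting
    lineno: int
    option: str           # e.g. "SocksPort"
    address: str          # e.g. "10.0.0.1:9050"
    isolation: frozenset  # isolation flags in effect, defaults included


def parse_listeners(text, source="<torrc>"):
    """Return the enabled listeners in torrc text with their effective flags."""
    listeners = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 2:
            continue
        option = tokens[0].lstrip("+")         # "+SocksPort" appends a listener
        if option.lower() not in LISTENER_OPTIONS or tokens[1] == "0":
            continue                           # not a listener, or port 0 = disabled
        active = set(DEFAULT_ON)
        for token in tokens[2:]:
            low = token.lower()                # Tor matches flags case-insensitively
            if low in _KNOWN:
                active.add(_KNOWN[low])
            elif low.startswith("no") and low[2:] in _KNOWN:
                active.discard(_KNOWN[low[2:]])
        listeners.append(Listener(source, lineno, option, tokens[1], frozenset(active)))
    return listeners


def without_client_isolation(listeners):
    """Listeners on which different client addresses (VMs) may share circuits."""
    return [l for l in listeners if "IsolateClientAddr" not in l.isolation]


# Constructed sample, not the contents of any real Whonix file.
SAMPLE_TORRC = """\
# constructed sample
SocksPort 10.0.0.1:9050
SocksPort 10.0.0.1:9100 IsolateDestAddr IsolateDestPort
TransPort 10.0.0.1:9040 NoIsolateClientAddr
DNSPort 10.0.0.1:5300
SocksPort 0
"""

if __name__ == "__main__":
    # With file arguments, audit those files; otherwise audit the sample.
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    inputs = inputs or [("<sample>", SAMPLE_TORRC)]
    for name, text in inputs:
        for l in parse_listeners(text, name):
            state = "ok" if "IsolateClientAddr" in l.isolation else "NO CLIENT ISOLATION"
            print(f"{l.source}:{l.lineno} {l.option} {l.address} "
                  f"{sorted(l.isolation)} {state}")
```

Run it over every file Tor actually loads (the defaults file named above plus the `torrc.d` snippets), since a listener line in any of them can carry the `No...` flag.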



[qubes-users] Any virtualizer / emulator working in Qubes OS?

2019-09-19 Thread Patrick Schleizer
Is there any virtualizer / emulator working inside Qubes OS AppVMs?



Re: [qubes-users] Whonix Tor Browser Starter safest setting fails

2019-09-19 Thread Patrick Schleizer
'b17b7bdb' via qubes-users:
> - JavaScript is ALLOWED on selected sites.
> To view these sites click on the NoScript Preferences button in the 
> about:addons page and then select the Per-Site Permissions tab.


Whonix source code doesn't write literally googlevideo, netflix,
outlook, etc. anywhere. It does not do anything to give special
treatment to any websites.

By policy, for simplicity, clean implementation and whatnot, the
"inside" of Tor Browser isn't modified by Whonix. This is elaborated here:

 
https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser_Settings.3F

Tor Browser upstream issue. Bug report written just now.

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser

https://trac.torproject.org/projects/tor/ticket/31798

See also:

https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

From noscript FAQ:

Q: What websites are in the default whitelist and

https://noscript.net/faq#qa1_5

Q: What is a trusted site?

https://noscript.net/faq#qa1_11

Whonix forum discussion:

https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160

Cheers,
Patrick



Re: [qubes-users] whonix-15 TB in dvm on Safest has whitelisted sites in NoScript by default

2019-09-19 Thread Patrick Schleizer
Whonix source code doesn't write literally googlevideo, netflix,
outlook, etc. anywhere. It does not do anything to give special
treatment to any websites.

By policy, for simplicity, clean implementation and whatnot, the
"inside" of Tor Browser isn't modified by Whonix. This is elaborated here:

 
https://www.whonix.org/wiki/FAQ#Does_Whonix_Change_Default_Tor_Browser_Settings.3F

Tor Browser upstream issue. Bug report written just now.

wipe all mentions of netflix, paypal, youtube, ... from noscript in Tor
Browser

https://trac.torproject.org/projects/tor/ticket/31798

See also:

https://www.helpnetsecurity.com/2015/07/01/researchers-point-out-the-holes-in-noscripts-default-whitelist/

https://thehackerblog.com/the-noscript-misnomer-why-should-i-trust-vjs-zendcdn-net/

From noscript FAQ:

Q: What websites are in the default whitelist and

https://noscript.net/faq#qa1_5

Q: What is a trusted site?

https://noscript.net/faq#qa1_11

Whonix forum discussion:

https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160

Cheers,
Patrick



Re: [qubes-users] Is Qubes partnered with Whonix and is Whonix just as secure as Qubes if you're only using the computer for web stuff?

2019-09-06 Thread Patrick Schleizer
pixel fairy:

> qubes uses xen, which has a smaller attack surface and much better track 
> record for vm escape vulns. if you cant use that, make sure you keep up to 
> date on virtualbox. if you dont like virtualbox, you might be able to 
> import whonix to libvirt / kvm. 
> https://www.redhat.com/en/blog/importing-vms-kvm-virt-v2v 


https://www.whonix.org/wiki/KVM



Re: [qubes-users] Re: whonix tor browser customization

2019-09-06 Thread Patrick Schleizer
panina:
> On 8/9/19 9:05 AM, Patrick Schleizer wrote:
>>> panina:
>>> Namely, they removed NoScript from the toolbar, so that the
>>> NoScript cannot be used as intended.
>>
>>
>> We did not. Decision by upstream, The Tor Project.
>>
>>
> https://forums.whonix.org/t/workstation-15-dropped-both-noscript-and-https/7733
> 
> Thanks, duly noted. Is there any chance to get them to add a setting for
> this? Or re-think their decision?


It's not up to me at all. The Tor Project is the only point of contact
for this.



[qubes-users] Re: whonix tor browser customization

2019-08-09 Thread Patrick Schleizer
panina:
> Namely, they removed NoScript from the toolbar, so that the
> NoScript cannot be used as intended.


We did not. Decision by upstream, The Tor Project.

https://forums.whonix.org/t/workstation-15-dropped-both-noscript-and-https/7733



Re: [qubes-users] whonix workstation 15 browser dropped both noscript and https

2019-08-08 Thread Patrick Schleizer
drok...@gmail.com:
> What are they doing over there?
> 


Decision by upstream, The Tor Project.

https://forums.whonix.org/t/workstation-15-dropped-both-noscript-and-https/7733



Re: [qubes-users] Error on update on whonix-15 templates

2019-08-08 Thread Patrick Schleizer
> Hi, I made a fresh install of Qubes 4. I followed carefully the
> instructions on the whonix website for fresh installation of the new
> whonix-gw-15 and whonix-ws-15 (with previous complete uninstall of the
> whonix-14 templates and its VMs including DVM).
> 
> I can update any template like fedora-29 and 30 and debian-9 including
> dom0, nicely. When I but try to update whonix-gw-15 or whonix-ws-15
> through the arrow in Qube Manager, I get following error:
> 
> [Dom0] Error on qube update!
> Failed to apply DSA-4371 fix: Error: Error: Could not determine Debian
> release!
> 
> However if I enable in the Global settings to check for updates for
> all qubes automatically, it finds the updates for both whonix-15
> templates, shows it in the upper right corner orange-flower-icon, and
> updates both whonix-15 templates without any error.
> If I then try again to press the update arrow, it returns the same error.
> 
> Can I somehow work around this issue?
> 
> 



https://github.com/QubesOS/qubes-issues/issues/5150

https://github.com/QubesOS/qubes-issues/issues/5057

https://www.whonix.org/wiki/Operating_System_Software_and_Updates



[qubes-users] OpenPGP signed websites

2019-03-12 Thread Patrick Schleizer
qubes-...@tutanota.com:
> Feb 23, 2019, 3:50 AM by patrick-mailingli...@whonix.org:
> 
>> Reminds me, would be good to have OpenPGP signed websites all over the
>> internet. Unfortunately there is no project working towards it.
>>
>> https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website
>>
> 
> Absolutely yes. What is the biggest hindrance to make it more widespread IYHO?

Speculation:

- lack of developer manpower
- lack of problem awareness
- lack of a real world case where such an incident happened which was
then widely popularized



Re: [qubes-users] Valid Concerns Regarding Integrity of Whonix Project

2019-02-22 Thread Patrick Schleizer
Reminds me, would be good to have OpenPGP signed websites all over the
internet. Unfortunately there is no project working towards it.

https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website



Re: [qubes-users] Re: Valid Concerns Regarding Integrity of Whonix Project

2019-02-22 Thread Patrick Schleizer
cooloutac:
> The reason why I say privacy and anonymity are two diff things.  And way 
> apart from security. is For example if I log into a facebook .onion site.  
> Its still my identity.  All that information about you is still being sold to 
> ad agencies.  Governments are still watching it.   The only benefit I can 
> see, is again,   people hiding their location for fear of their life or 
> imprisonment.

Alternative end-to-end encryption without TLS certificate authorities
involved.

> And actually be using it you are using up bandwidth those people could be 
> using, just to feel special.

Citation required.

At no point Tor Project had the position that people should limit
themselves if possible, except for Bittorrent traffic. On the contrary.
They welcome Tor adaption.

See PDF:

Anonymity Loves Company: Usability and the Network Effect

By Roger Dingledine and Nick Mathewson (Tor founders and core developers)

https://freehaven.net/anonbib/cache/usability:weis2006.pdf



Re: [qubes-users] Re: Valid Concerns Regarding Integrity of Whonix Project

2019-02-21 Thread Patrick Schleizer
cooloutac:
> I read that whonix thread.  Still not sure why whonix doesn't have a canary.  
> What could it hurt?  Any aspect of the project could be compromised for any 
> reason.   Thats the same as people saying I have nothing to hide so why 
> worry.  In the other thread Patrick says US laws affect all countries.
> 
> Patrick banned me from the forums too once a long while ago.  I told him I'd 
> never post there again and never did. lol.

"banned" is wrong. Ban referring to a block from posting to Whonix
forum. That was never the case.

Reference:

https://forums.whonix.org/t/forward-and-reverse-dns-dont-match-up/2147



Re: [qubes-users] Valid Concerns Regarding Integrity of Whonix Project

2019-02-15 Thread Patrick Schleizer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* I was advised in private e-mail by @mig5 about this new law before
it took effect beforehand, and @mig5 offered to step aside because of
it. It was my decision to not change anything. Below I will explain
why.

* I might have reacted in a better way by protectively discussing this
subject in public but that is really hard without nonproductive
discussions and without badmouthing @mig5 in unintended ways.

* @mig5 doesn't moderate Whonix's forums. That thread wasn't deleted
by @mig5.

* I've not researched that Australian law. And I like to avoid it. If
I had to bet, I guess their interpretation is reasonable. For
practical purposes explained below it wouldn't matter.

* From a security enthusiast perspective it's a reasonable question.
No one or only a few have the complete picture.

* The issue with one asking this question are the hidden presuppositions.

* The presupposition is that the server location is somehow secure.

** That's not true.

** Assume a regular commercial server host.

** I don't know any people working there.

** I couldn't even find the place without navigation software.

** Just because it's from the Whonix project, doesn't mean server
security magically is a lot better than server security of let's say,
facebook. (And these are even known to have a front- and backdoor.)

* Regarding the server, it's easy to demand better security. Easy to
demand, that I pay for it rather than using a sponsored server, or to
demand other security enhancements. I'd be happy to do all of this,
but then please also provide reliable funding for it.

* We have a wiki page dedicated explaining all the attack vectors that
are related to the risks introduced since we are forced to trust
humans. [1]

* Whonix, same as Qubes, operates already on the assumption that the
infrastructure is compromised.

** The wiki page has a chapter "Should I Trust This Website?". [2] The
short answer is "no".

** Similarly the Qubes project has a chapter "What does it mean to
“distrust the infrastructure”?" [3]

** If a server administrator (such as mig5) were compelled to replace
a Whonix download, the OpenPGP verification of the file (iso, ova or
libvirt image) would fail (when using the project OpenPGP signing key
for OpenPGP signature verification).

** If a server administrator was compelled to also replace the OpenPGP
signature of that file, all the usual rules would apply: users should
verify the validity of the OpenPGP key by looking for it published in
different places, etc. The same advice provided by the Qubes project
for their isos.

** The Whonix server doesn't host the source code. A server
administrator cannot "insert code" into the Whonix project.

** Github is an organization with many Australian engineers. The same
threat applies there - perhaps even more so, in that Australian
engineers could be coerced into modifying git repository data directly
- not just of Whonix, but Qubes too - and be unable to even tell their
boss.

** In such a situation, the threat of coercion or interference is
indeed real. The protection against that, seems to be all the usual
things: cryptography, ‘many eyes’, etc.

** The same argument could be made against developers, server
administrator or similar from USA and perhaps other countries as well?

** UK has Investigatory Powers Act, similar?

** Tor Project might have Australian developers and/or server
administrators, too? The point is that if you go down that road, there
really is no end. Whonix is not special in this regard.

* As bad as that new law might be, I don't see that anything relevant
changed.

** Whatever circumstances do apply to @mig5 now, might have applied to
@mig5 before that new law as well.

** Even without that law directly applying to me, and while I've never
been in any territory of the USA, and while their laws may formally
not apply worldwide, yet USA laws are enforced worldwide. And as a
non-USA citizen even outside of USA, legal defense is even more
difficult than for USA citizen inside USA.

* What I witnessed over time is, that many users assume that security
focused projects are already very mature in all aspects and nothing
much needs to be done. This assumption is wrong.

** We don't have reproducible / deterministic builds; we don't have
automatic verification of deterministic builds; our repositories
aren't using multisig.

** We could use more code reviewers, auditors, unit tests, automated
tests, and whatnot.

** We don't have a volunteer server admin. [6]

** port Whonix package build process to Qubes package build process [7]

** See also our FAQ entry "Is the Linux User Experience Comparable to
Commercial Operating Systems?" [4]

** I'd like to tackle all of these issues.

* I am not really eager to build Whonix packages, Non-Qubes-Whonix
downloads, maintain whonix.org server, hold Whonix signing keys.

** Fun: development, source code, testing, design, answering good
questions

** Not 

Re: [qubes-users] sys-whonix-14 updates issues

2019-01-14 Thread Patrick Schleizer
Mathew:
> Hello,
> 
> Just to know if there is a solution for whonix-gw/whonix-ws updates ?
> Noted that I can update/upgrade sys-whonix-14 without any problems ! I have 
> to do it again after rebooting though.
> 
> $ sudo apt-get-update-plus dist-upgrade
> WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf 
> because no torified Qubes updates proxy found.
> 
> Please make sure Whonix-Gateway (commonly called sys-whonix) is running.
> 
> - If you are using Qubes R3.2: The NetVM of this TemplateVM should be set to 
> Whonix-Gateway (commonly called sys-whonix).
> 
> - If you are using Qubes R4 or higher: Check your _dom0_ 
> /etc/qubes-rpc/policy/qubes.UpdatesProxy settings.
> 
> _At the very top_ of that file.
> 
> Should have the following syntax:
> Name-Of-Whonix-TemplateVM $default 
> allow,target=Whonix-Gateway-TemplateBased-ProxyVM
> 
> Example entry for Whonix-Gateway TemplateVM:
> whonix-gw-14 $default allow,target=sys-whonix
> 
> Example entry for Whonix-Workstation TemplateVM:
> whonix-ws-14 $default allow,target=sys-whonix
> 
> Try running in Whonix-Gateway (commonly called sys-whonix):
> sudo systemctl restart qubes-whonix-torified-updates-proxy-check
> 
> If this warning message is transient, it can be safely ignored.
> 
> Thanks !
> 
> Regards,
> Mathew
> 

What's your /etc/qubes-rpc/policy/qubes.UpdatesProxy settings?
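An added example, not part of the original messages or of Qubes' own code: a simplified Python model of how dom0 picks a rule from `qubes.UpdatesProxy`, showing why the quoted warning insists that the Whonix entries sit at the very top. It assumes Qubes R4.0 policy semantics (the first line whose source and target both match decides, and no match means deny); the VM inventory and both policy texts are constructed.

```python
"""Simplified first-match evaluation of a Qubes R4.0 qrexec policy file."""
from typing import NamedTuple, Optional


class VM(NamedTuple):
    klass: str                    # VM class, e.g. "TemplateVM" or "AppVM"
    tags: frozenset = frozenset()


class Decision(NamedTuple):
    lineno: Optional[int]         # policy line that decided; None = implicit deny
    action: str                   # "allow", "deny" or "ask"
    target: Optional[str]         # VM named by target=..., if any


def spec_matches(spec, value, inventory):
    """Does one policy column (spec) match the caller-supplied value?"""
    if value == "$default":       # caller named no target
        return spec in ("$default", "$anyvm")
    if spec == "$anyvm":
        return True
    vm = inventory.get(value)
    if vm is None:
        return False
    if spec.startswith("$type:"):
        return vm.klass == spec[len("$type:"):]
    if spec.startswith("$tag:"):
        return spec[len("$tag:"):] in vm.tags
    return spec == value          # plain VM name


def resolve(policy_text, source, inventory, target="$default"):
    """Return the Decision of the first matching policy line."""
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(None, 2)
        if len(fields) != 3:
            continue              # blank, comment or malformed line
        src, dst, action_field = fields
        if not (spec_matches(src, source, inventory)
                and spec_matches(dst, target, inventory)):
            continue
        action, *params = [p.strip() for p in action_field.split(",")]
        options = dict(p.split("=", 1) for p in params if "=" in p)
        return Decision(lineno, action, options.get("target"))
    return Decision(None, "deny", None)


# Constructed inventory and policies, for illustration only.
INVENTORY = {
    "whonix-gw-14": VM("TemplateVM"),
    "whonix-ws-14": VM("TemplateVM"),
    "fedora-29": VM("TemplateVM"),
    "work": VM("AppVM"),
}

# Weak ordering: the generic template rule shadows the Whonix entries.
POLICY_GENERIC_FIRST = """\
$type:TemplateVM $default allow,target=sys-net
whonix-gw-14 $default allow,target=sys-whonix
whonix-ws-14 $default allow,target=sys-whonix
$anyvm $anyvm deny
"""

# Corrected ordering: Whonix entries at the very top, as the warning asks.
POLICY_WHONIX_FIRST = """\
whonix-gw-14 $default allow,target=sys-whonix
whonix-ws-14 $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""

if __name__ == "__main__":
    for label, text in (("generic first", POLICY_GENERIC_FIRST),
                        ("whonix first", POLICY_WHONIX_FIRST)):
        for name in INVENTORY:
            print(label, name, resolve(text, name, INVENTORY))
```

With the generic rule first, both Whonix templates resolve to `sys-net`, which is not a torified updates proxy and so produces the warning quoted above.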



Re: [qubes-users] Whonix GW & WS upgrade failed (Help)

2018-12-17 Thread Patrick Schleizer
qubes123...@gmail.com:
> I press upgrade at Whonix GW & WS and get this message, see Screenshot, what 
> should I do? thank you in advance ;)
> 
> https://ibb.co/XbCsJWQ
> 

The problem probably was that Whonix wasn't set up using Qubes salt.
Manual installation of Whonix is unsupported. Please use Qubes salt as
per documentation.

https://www.whonix.org/wiki/Qubes/Install

https://www.whonix.org/wiki/Qubes/Uninstall

https://www.whonix.org/wiki/Qubes/Reinstall

In response I improved that error message, created a new wiki page and
added a link from the error message to it.

https://www.whonix.org/wiki/Qubes/UpdatesProxy



[qubes-users] Qubes-Whonix 14 (4.0.1-201811291216) Point Release for Qubes R4

2018-12-17 Thread Patrick Schleizer
This is a [point release](https://www.whonix.org/wiki/Point_Release).

> A **point release** is not a separate, new version of Whonix. Instead,
> it is a re-release of Whonix which is inclusive of all updates up to a
> certain point.
>
> Installing any version of Whonix 14 and fully updating it leads to a
> system which is identical to installing a Whonix point release.
>
> **If the Whonix installation is
> [updated](https://www.whonix.org/wiki/Update), no further action is
> required.**
>
> Regardless of the current installed version of Whonix, if users wish
> to install (or reinstall) Whonix for any reason, then the point release
> is a convenient and more secure method, since it bundles all Whonix
> updates that are available at that specific time.



Either:

* **A)** [uninstall](https://www.whonix.org/wiki/Qubes/Uninstall) and
[install](https://www.whonix.org/wiki/Qubes/Install) OR;
* **B)** [reinstall](https://www.whonix.org/wiki/Qubes/Reinstall).



* https://github.com/QubesOS/updates-status/issues/817
* https://github.com/QubesOS/updates-status/issues/818

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8cfeb1ef-55d0-63d1-8803-3424faa6becd%40whonix.org.


[qubes-users] seven new Meltdown and Spectre attacks

2018-11-22 Thread Patrick Schleizer
https://www.zdnet.com/article/researchers-discover-seven-new-meltdown-and-spectre-attacks/

**November 14, 2018**

Quote:

> Experiments showed that processors from AMD, ARM, and Intel are affected.

Is Qubes affected?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eb98bfcb-2676-c540-f796-9bfe4dde75fb%40whonix.org.


Re: [qubes-users] salty whonix 14 -- problems.

2018-11-22 Thread Patrick Schleizer
haaber:
> Second, there is no Directory /var/lib/tor/.tor  shall I create it?
> which permissions?

No.

Apply this:

https://www.whonix.org/wiki/Tor#Permissions_Fix

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7083738e-033e-5194-9ce9-bd27d8c62709%40whonix.org.


Re: [qubes-users] updating tor browser in whonix-ws dispvms

2018-11-21 Thread Patrick Schleizer
J.M. Porup:
> Is anyone else using whonix-ws based dispvms?
> 
> Until recently, tor browser received updates via whonix repos. For some
> reason that seems to have stopped.
> 
> The problem is that every time I open a new whonix-ws based dispvm, I'm
> prompted to download a new version of TBB. Doing so a dozen times a day
> or more gets a bit tedious.
> 
> Per Whonix docs, I've tried running update-torbrowser in the templatevm,
> but the command line output tells me not to bother, because the download
> will be in /home and won't propagate to dispvms.
> 
> I've taken a close look at Qubes and Whonix docs, but nothing is jumping
> out at me as a possible solution. Maybe I'm missing something.
> 
> Any ideas?
> 
> thanks
> jmp
> 
> 
> 

A dedicated wiki page on Tor Browser update in Qubes-Whonix was recently
created:

https://www.whonix.org/wiki/Qubes/Tor_Browser

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/159b-57c2-5b80-6499-ea0d3208f13a%40whonix.org.


[qubes-users] Reinstall Qubes-Whonix TemplateVMs documentation revamped

2018-11-20 Thread Patrick Schleizer
https://www.whonix.org/wiki/Qubes/Reinstall

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/848894e9-5e3b-b4cb-327b-0e741aa0caf5%40whonix.org.


Re: [qubes-users] TOR browser updates.

2018-11-20 Thread Patrick Schleizer
William Fisher:
> How do I update the TOR browsers at the Template VM level? I've updated TOR 
> at the APP level but it doesn't stay updated.
> 

A new documentation page was just created, focusing only on updating Tor
Browser in Qubes-Whonix:

https://www.whonix.org/wiki/Qubes/Tor_Browser

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2149b99-9d5d-0ea0-be41-c8cd3388d135%40whonix.org.


Re: [qubes-users] debian-based templates (and whonix) ignore dom0 keyboard language in 4.0.1 but not 4.0

2018-11-19 Thread Patrick Schleizer
ryangr...@tuta.io:
> I'm pretty sure this is a bug (linked below), but am posting here just in 
> case there might be something I am missing:
> https://github.com/QubesOS/updates-status/issues/791 
> 
> I set the language/keymap settings via localectl as recommended, as well as 
> in the VMs themselves, but the debian-9 and whonix VMs default to english 
> qwerty still. Removing those and installing the 4.0 templates in the 4.0.1 
> host demonstrates expected inheritance of settings as it should. I could not 
> even find a way besides a startup script to set keyboard settings in the VMs 
> (even /etc/default/keyboard in the VMs was ignored by the templates). 
> Fedora-29 templates seem to be fine. Any ideas? 
> 
> Thanks!
> Ryan
> 

Every time I start a terminal.

Example:

setxkbmap de

Syntax:

setxkbmap yourkeymap

Likely possible to automate using /rw/config/rc.local, /etc/profile.d/,
/etc/X11/Xsession.d/, systemd or otherwise.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7ad936e7-fd33-86d4-c35b-decdea1f6730%40whonix.org.


Re: [qubes-users] Donation costs

2018-11-19 Thread Patrick Schleizer
Achim Patzner:
>> Crypto payments and cash in mail to trusted qubes people (with secret
>> shoppers to help ensure honesty) are the least terrible option.
> 
> From my point of view on ecology: not. Besides throwing all your money 
> towards China, too or where do you think is most crypto mining being
> done because there currently is no place you're paying less for the
> ecological damage right now. So while China's censorship is not
> threatening me right now, adding unnecessary carbon dioxide to my
> environment is.

I don't think crypto currencies add much carbon dioxide compared to
legacy financial institutions.

How much unnecessary carbon dioxide by all...?

- bank towers (building, electricity, water, maintenance)
- bank employees commuting to banks every work day by cars emitting fumes
- server farms for financial institutions
- cash transports

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2a72de4-e639-cb32-393f-497225550649%40whonix.org.


Re: [qubes-users] Qubes 3.2 whonix 14 connects to tor, but there is no connection

2018-11-18 Thread Patrick Schleizer
aaq via qubes-users:
> lørdag den 17. november 2018 kl. 17.01.02 UTC+1 skrev Patrick Schleizer:
>> Franz:
>>> I successfully updated to whonix 14, when the VM starts a message tells:
>>> "connected to tor" making me happy, But if I ping google I get:
>>>
>>> user@host:~$ ping google.com
>>> PING google.com (216.58.207.206) 56(84) bytes of data.
>>> From 10.137.5.34 (10.137.5.34) icmp_seq=1 Destination Port Unreachable
>>> ping: sendmsg: Operation not permitted
>>>
>>>
>>> what may be wrong?
>>> Best
>>>
>>
>> ping is UDP. And Tor doesn't support UDP.
>>
>> https://www.whonix.org/wiki/Tor#UDP
> 
> Ping is ICMP, not UDP.
> https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
> 

Indeed; however, the basic point still stands - unsupported by Tor.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b664dcf2-a31c-0d19-f36a-49c1f212b17d%40whonix.org.


Re: [qubes-users] whonix upgrade, qubes4

2018-11-17 Thread Patrick Schleizer
b...@damon.com:
> I went thru the steps to remove any existing whonix.  No errors were reported.
> Then I issued the command to re-install whonix-14.
> 
> Whonix does not work.  Whenever I boot up one of the VMs based on the new 
> whonix, I find that qrexec-agent is crashing.
> 
> [   15.903799] qrexec-agent[789]: segfault at 70d5257f6ff8 ip 
> 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000]
> 
> This is similar to whonix-9 template issues some have seen.
> 
> 
> qubesdb-daemon also segfaults in the same manner earlier in the boot.
> 

Please report this to:

https://github.com/QubesOS/qubes-issues/issues

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/534a5c2e-b738-6c60-09e1-a3f4c9658ec7%40whonix.org.


Re: [qubes-users] Whonix upgrade failure

2018-11-17 Thread Patrick Schleizer
Documentation was upgraded meanwhile.

Black Beard:
> 
> Hey Community,
> 
> 
> I tried following the tutorial to upgrade Whonix 13 to 14.
> 
> https://www.whonix.org/wiki/Qubes/Install
> 
> I first tried to uninstall the old version of Whonix with Option B.
> 
> When I tried to install the dummy template with the following command "sudo 
> qubes-dom0-update qubes-template-dummy" I got the error message "unable 
> to find a match".

This won't work.

Dummy template is covered in Qubes-Whonix documentation where needed.

https://www.whonix.org/wiki/Qubes/Install

https://www.whonix.org/wiki/Qubes/Reinstall

https://www.whonix.org/wiki/Qubes/Uninstall

> So I can't create the template and upgrade Whonix.
> 
> Can anybody tell me how to update the Debian 9 template? I found some 
> tutorials but always get an error message.
> 
> Does some pro know how to fix the problem?
> 
> I would be happy about a message.
> 
> regards
> 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ee899d95-5209-e5d9-0968-3d0ec8cdc200%40whonix.org.


Re: [qubes-users] Whonix 14 upgraded - only a couple of mis-steps

2018-11-17 Thread Patrick Schleizer
Dave:
> Success! but not without a few snags...
> 
> Using Qube-Manager to remove templateVM resulted in:
> [Dom0] Error removing Qube! ERROR: Domain is in use: details in system log
> 
> ran QVM-LS; verified Qube state halted
> 
> found reference: https://github.com/QubesOS/qubes-issues/issues/3193
> and followed instructions:
> 
> I wasn't aware of the Default-Disposable-VM setting on the Advanced tab in 
> Qube Manager GUI
> 
> The required commands are:
> qvm-prefs --set whonix-ws-dvm netvm ""
> qvm-prefs --set whonix-ws-dvm default_dispvm ""
> qvm-remove whonix-ws-dvm
> qvm-remove sys-whonix
> 
> Took these actions:
> changed netVM's to "" in appVMs using sys-whonix
> changed templateVM in appVMs using whonix-** to other
> changed global-property-updatevm to another netVM
> 
> Again attempted: sudo qvm-remove whonix-ws
> 
> Now new err msg returned: ERROR: VM installed by package manager: whonix-ws
> but the correct command was: $ sudo dnf remove qubes-template-whonix-**
> 
> REINSTALLATION ran much smoother using 
> "The recommended approach is to use salt (wrapped by the command qubesctl in 
> Qubes), as this one call automatically:" 
> i/a/w https://www.whonix.org/wiki/Qubes/Install
> 
> That ran without a hitch. Then UPDATE the new templates.
> 
> sudo apt-get update (Whonix is Debian based, so dnf doesn't work)
> 
> Now to push on and upgrade Fedora 26 to 28 (starting to get this too, Wolf 
> moon)
> 

Could you please check if Qubes-Whonix wiki documentation is complete
and consider contributing anything missing?

https://www.whonix.org/wiki/Qubes

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8252d508-eaf3-0f05-9ae1-ab67213e83ef%40whonix.org.
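
The "Domain is in use" error quoted in the message above comes from other qubes still referencing the one being removed. The following is an added example, not part of the original post and not Qubes or Whonix project code: a dry-run helper that lists those references and prints the qvm-prefs commands to clear them. It assumes pipe-separated input in the shape of `qvm-ls --raw-data --fields name,template,netvm` with "-" for an unset value; the sample rows and REPLACEMENT-TEMPLATE are constructed placeholders, and default_dispvm and updatevm references are not covered.

```shell
#!/bin/sh
# Dry-run planner: nothing here changes any qube, it only prints commands.

# Constructed sample (assumed format: name|template|netvm, "-" means unset).
SAMPLE_QVM_LS='sys-net|fedora-28|-
sys-firewall|fedora-28|sys-net
sys-whonix|whonix-gw|sys-firewall
anon-whonix|whonix-ws|sys-whonix
whonix-ws-dvm|whonix-ws|sys-whonix
work|fedora-28|sys-firewall
banking|debian-9|sys-whonix
whonix-gw|-|-
whonix-ws|-|-'

# blockers TARGET
# Reads name|template|netvm rows on stdin and prints one line per qube that
# still references TARGET, as "<qube> template" or "<qube> netvm".
blockers() {
    awk -F'|' -v t="$1" '
        $1 == t { next }                      # the target itself is not a blocker
        $2 == t { print $1, "template" }      # qube is based on the target template
        $3 == t { print $1, "netvm" }         # qube routes through the target
    '
}

# safe_to_remove TARGET
# Succeeds only when no row on stdin references TARGET.
safe_to_remove() {
    [ -z "$(blockers "$1")" ]
}

# plan TARGET REPLACEMENT_TEMPLATE
# Prints, without running them, the qvm-prefs commands that detach every
# blocker: netvm is cleared (as in the message above) and template-based
# qubes are pointed at REPLACEMENT_TEMPLATE (a name the operator chooses).
plan() {
    blockers "$1" | while read -r vm prop; do
        case "$prop" in
            netvm)    printf 'qvm-prefs --set %s netvm ""\n' "$vm" ;;
            template) printf 'qvm-prefs --set %s template %s\n' "$vm" "$2" ;;
        esac
    done
}

# Demonstration on the constructed sample.
for target in sys-whonix whonix-ws; do
    echo "# references to $target:"
    printf '%s\n' "$SAMPLE_QVM_LS" | plan "$target" REPLACEMENT-TEMPLATE
done
```

In dom0 the same functions can read live data by piping the real qvm-ls output in place of the sample; review the printed commands before running any of them.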


Re: [qubes-users] pEp in Enigmail-Thunderbird in Whonix-14 Qubes

2018-11-17 Thread Patrick Schleizer
qubes-...@tutanota.com:
> Hi, I learned that in Whonix-14 in Qubes 4.0 there is no default support for 
> pEp in Enigmail-Thunderbird. Is it Qubes specific or Whonix specific? Is 
> there any reason for not supporting pEp in Whonix? 
> 
> In other templates after installing the Enigmail addon the support for pEp 
> jumps up automatically like Enigmail/pEp.
> 
> Thank you!
> 

Whonix uses the same package as Debian. So Debian specific and Whonix
inherits this.

This sort of question has a much higher chance of getting answered
in a timely manner in Whonix forums.

Check this out:

https://www.whonix.org/wiki/Encrypted_Email_with_Thunderbird_and_Enigmail

This may be useful later:

https://www.whonix.org/wiki/E-Mail#Pretty_Easy_Privacy

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39206461-79ca-0d58-99a9-b08de707c2f6%40whonix.org.


Re: [qubes-users] Whonix 14 - Update errors?

2018-11-17 Thread Patrick Schleizer
sm...@tutamail.com:
> ...again I want to thank the Whonix/Qubes team for everything they do!! You 
> are awesome...
> 
> In the spirit of feedback:
> 
> I just tried updating Whonix-ws-14 and started receiving errors? I saw 
> another post with similar 
> issues(https://groups.google.com/forum/#!topic/qubes-users/ppdbaDAavRY), I 
> thought it best to call out the specific issue in the subject so it might 
> help others with this issue:
> 
> The error I get, when using the "Qubes Manager" -> "Whonix-ws-14" -> "Update 
> qube" is:
> 
> 
> Err:20
> tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
> stretch Release
>   Connection failed
> Reading package lists... Done
> 
> 
> E: The repository
> 'tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
> stretch Release' does no longer have a Release file.
> 
> N: Updating from such a repository can't be done securely, and is
> therefore disabled by default.
> 
> N: See apt-secure(8) manpage for repository creation and user
> configuration details. 
> 
> What's strange is that I tried the update again while writing this post and it 
> appeared no updates were needed
> 
> I think I am OK but wanted to share.
>
Probably transient issue.

Documented here:

https://www.whonix.org/wiki/Qubes/Update

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/10dfe82a-22ad-741a-096f-f08779b14e05%40whonix.org.


Re: [qubes-users] Cannot update whonix-gw-14

2018-11-17 Thread Patrick Schleizer
Probably transient issue.

Documented here:

https://www.whonix.org/wiki/Qubes/Update

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/14f93694-d6d5-aa09-8048-01f097f70b97%40whonix.org.


Re: [qubes-users] Re: update broke whonix, can't reinstall

2018-11-17 Thread Patrick Schleizer
Stay tuned!

Basically it's hopefully all been covered in news.

https://www.whonix.org/wiki/Stay_Tuned

Qubes-Whonix documentation:

https://www.whonix.org/wiki/Qubes

https://www.whonix.org/wiki/Qubes/Install

https://www.whonix.org/wiki/Qubes/Reinstall

https://www.whonix.org/wiki/Qubes/Uninstall

Ryan Tate:
> qubes-template-whonix-gw
> qubes-template-whonix-ws

This is now:

qubes-template-whonix-gw-14

qubes-template-whonix-ws-14

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5df1ddc6-a1c8-d4c7-29c0-347cf0e40278%40whonix.org.


Re: [qubes-users] ERROR: Tor Bootstrap Result:

2018-11-17 Thread Patrick Schleizer
William Fisher:
> Turned out to be a clock settings problem. Set the clock to UTC and poof it 
> works!
> 

Host clock or VM clock?

How did you do it?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4920a5b8-31cc-d932-57ea-fd20ad89ace1%40whonix.org.


Re: [qubes-users] Qubes 3.2 whonix 14 connects to tor, but there is no connection

2018-11-17 Thread Patrick Schleizer
Franz:
> I successfully updated to whonix 14, when the VM starts a message tells:
> "connected to tor" making me happy, But if I ping google I get:
> 
> user@host:~$ ping google.com
> PING google.com (216.58.207.206) 56(84) bytes of data.
> From 10.137.5.34 (10.137.5.34) icmp_seq=1 Destination Port Unreachable
> ping: sendmsg: Operation not permitted
> 
> 
> what may be wrong?
> Best
> 

ping is UDP. And Tor doesn't support UDP.

https://www.whonix.org/wiki/Tor#UDP

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d67b1aee-d43f-18b8-f0ae-5138b1d7537e%40whonix.org.


Re: [qubes-users] Qubes 3.2 whonix 14 connects to tor, but there is no connection

2018-11-17 Thread Patrick Schleizer
Franz:
> On Thu, Nov 15, 2018 at 4:47 PM pieter lems  wrote:
> 
>> is sys-net connected to the network?
>>
> 
> yes
> 
> And are you using an ethernet cable to connect to internet,
>>
> 
> no I am connected by wifi
> 

Qubes-Whonix support ending for Qubes 3.2(.1) - upgrade to Qubes R4.0 or
above required.

https://www.qubes-os.org/news/2018/10/05/whonix-support-ending-for-qubes-32/

https://forums.whonix.org/t/qubes-whonix-support-ending-for-qubes-3-2-upgrade-to-qubes-r4-0-or-above-required/6113

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e9fdb0f3-db53-4567-d30b-7bc5ba0a76d4%40whonix.org.


Re: [qubes-users] Tor still doesn't work in the new Qubes 3.2.1

2018-11-17 Thread Patrick Schleizer
Máté Kovács:
> After I installed the new version of qubes, I tried everything today 
> afternoon to make it work but it wasn't successful. Update every software.
> Got these error messages.

If you are talking about Whonix...

Qubes-Whonix support ending for Qubes 3.2(.1) - upgrade to Qubes R4.0 or
above required.

https://www.qubes-os.org/news/2018/10/05/whonix-support-ending-for-qubes-32/

https://forums.whonix.org/t/qubes-whonix-support-ending-for-qubes-3-2-upgrade-to-qubes-r4-0-or-above-required/6113

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b9063436-b6e4-85a4-950f-53a49caae097%40whonix.org.


Re: [qubes-users] Re: please stay tuned on Whonix news

2018-09-09 Thread Patrick Schleizer
John S.Recdep:
> On 08/15/2018 07:23 PM, Patrick Schleizer wrote:
>> It is important to read the latest Whonix news to stay in touch with
>> ongoing developments. This way users benefit from notifications
>> concerning important security vulnerabilities and improved releases
>> which address identified issues, like those affecting the updater or
>> other core elements.
>>
>> Read more:
>> https://www.whonix.org/wiki/Stay_Tuned
>>
> 
> did something happen?

Nothing in particular. However, Whonix 14 release and deprecation notice
was missed by most.

> by "updater"  meaning sudo apt-get update && sudo apt-get dist-upgrade   ?

Yes, enable testers repository and that.

> seemed to be broken the other day, but seems ok
> don't see anything new on vuln issues
> https://forums.whonix.org/c/news
> 
> guess I can check again next month  :)
> 

RSS / e-mail or something would be better. A month is a long time. By
that time, testing may already be over.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f33defaa-026e-1737-de5a-7dead25cd5f6%40whonix.org.


Re: [qubes-users] AppArmor enabled by default in templates

2018-09-09 Thread Patrick Schleizer
Chris Laprise:
> Its good (and interesting) that Whonix have persevered with apparmor.
> Yet even though Torbrowser is based on Firefox, I couldn't for example
> take a Torbrowser apparmor profile and adapt it to Firefox. Again, this
> was some time ago, but at the time it just didn't work correctly.

Why not https://www.whonix.org/wiki/Tor_Browser_without_Tor which would give
better security?

https://forums.whonix.org/t/todo-research-and-document-how-to-use-tor-browser-for-security-not-anonymity-how-to-use-tbb-using-clearnet

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25f617af-e2e3-4d51-5fa3-3f70ab17acc3%40whonix.org.


Re: [qubes-users] Re: Whonix 14 - Updated, just lost Tor Browser for Whonix-dvm??

2018-08-29 Thread Patrick Schleizer
code9n:
> Same issue but when I try to update-torbrowser (or via Tor Browser 
> Downloader) the install fails because ttb's signature has expired.

Separate issue being discussed and answered here:

https://forums.whonix.org/t/update-torbrowser-key-expired/5782

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1635f116-bd79-e53b-494f-0f82d97c2562%40whonix.org.


Re: [qubes-users] Whonix 14 - Updated, just lost Tor Browser for Whonix-dvm??

2018-08-29 Thread Patrick Schleizer
All updates regarding this issue here:

https://forums.whonix.org/t/bug-tor-browser-missing-in-dispvm-tor-browser-missing-in-whonix-ws-14-templatevm/5712/4

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a82326c-dd83-1c70-f8f6-c3b43dc11979%40whonix.org.


Re: [qubes-users] Re: Whonix 14 - Updated, just lost Tor Browser for Whonix-dvm??

2018-08-29 Thread Patrick Schleizer
qubes-...@tutanota.com:
> The dvm should just get the Tor Browser from the whonix-ws-14-dvm same as 
> anon-whonix for example, right?

Yes.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df8846be-ecba-74b2-b913-b88a784dbfd0%40whonix.org.


Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-16 Thread Patrick Schleizer
qubes-...@tutanota.com:
> Hi Patrick, should one switch the Qubes Tor networking backed normally by the 
> sys-whonix to newly created sys-whonix-backup? It make sense to 
> update/upgrade whonix through Tor.
> thx

If you manage to do that, sure.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c03beeec-6dcc-1a22-f952-2d229bb4a735%40whonix.org.


Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-15 Thread Patrick Schleizer
Franz:
> On Tue, Aug 14, 2018 at 1:55 PM, Patrick Schleizer <
> patrick-mailingli...@whonix.org> wrote:
> 
>> Franz:
>>> when I try to uninstall whonix-ws
>>>
>>> sudo dnf remove qubes-template-whonix-ws*
>>>
>>> I get
>>> No match for argument: qubes-template-whonix-ws*
>>> Error: No packages marked for removal
>>>
>>> I followed this guide: https://www.whonix.org/wiki/Qubes/Uninstall
>>>
>>
>>
>> Output of...?
>>
>> dnf list | grep qubes-template-whonix
>>
> 
> 
> No output and no error. I forgot to mention I am using 3.2
> 

Output of...?

qvm-ls | grep whonix

Well, if you didn't have Whonix installed yet/anymore then there is nothing
to uninstall. All ok then.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cf132bc8-e8bb-2e35-f052-6abbce1a196a%40whonix.org.


Re: [qubes-users] Whonix 14 - Updated, just lost Tor Browser for Whonix-dvm??

2018-08-15 Thread Patrick Schleizer
Please contribute here:

https://www.whonix.org/wiki/Qubes/Disposable_VM

sm...@tutamail.com:
> I just transitioned to the new Whonix 14 templates, everything was working 
> great however I just updated both the -gw and -ws templates and lost the Tor 
> Browser(AnonDist) from the whonix-ws-14-dvm after update? When I launch a 
> "whonix-ws-14-dvm" browser I get a pop-up asking: "Tor Browser not 
> installed/Start Tor Browser download?".

Will look into it.

> The problem I am having is:
> 1) The "whonix-ws-14-dvm" starts but no gnome terminal launches?

Doesn't have gnome-terminal. Use:

konsole

> 2) Since whonix doesn't use "Firefox" what would I type to launch the "Tor 
> Browser"? Assuming I eventually get a gnome terminal to launch

torbrowser

> 3) How do I install the Tor Browser safely into either the template or -dvm?

Installed by default.

https://www.whonix.org/wiki/Tor_Browser#In_Qubes-Whonix

> Other notes:
> - I created an AppVM using the updated "whonix-ws-14" template, received a 
> popup that "Tor Browser" is not installed, installed the oldest browser per 
> the recommendation on the pop-up, however after installing another pop-up 
> states: "Signature looks quite old already...check signature looks sane".

https://www.whonix.org/wiki/Tor_Browser#Installation_Confirmation_Notification



[qubes-users] please stay tuned on Whonix news

2018-08-15 Thread Patrick Schleizer
It is important to read the latest Whonix news to stay in touch with
ongoing developments. This way users benefit from notifications
concerning important security vulnerabilities and improved releases
which address identified issues, like those affecting the updater or
other core elements.

Read more:
https://www.whonix.org/wiki/Stay_Tuned



Re: [qubes-users] Guide: Monero wallet/daemon isolation w/qubes+whonix

2018-08-15 Thread Patrick Schleizer
https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html
is missing how to actually use it.

I guess it is simply: run `monero-wallet-cli` or monero gui in
monero-wallet-ws.

0xB44EFD8751077F97:
> Patrick Schleizer:
>> I didn't notice this thread until now.
>>
>> Interesting!
>>
>> Now reference here:
>> https://www.whonix.org/wiki/Monero
>>
>>
>> I am wondering how to save users from as many manual steps as possible.
>>
>>
>> To save users from having to edit /rw/config/rc.local...
>>
>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Could maybe be replaced by file:
>>
>> /etc/anon-ws-disable-stacked-tor.d/40_monero.conf
>>
>> content:
>>
>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>
>> Should work after reboot (or after "sudo systemctl restart
>> anon-ws-disable-stacked-tor").
>>
>> Untested.
>>
>> Reference:
>> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
>>
> 
> Tested, works on Whonix 14/Qubes 4.0.
> 
> Would you consider shipping this as a default Whonix file, or maybe part
> of a package?

In package https://github.com/Whonix/qubes-whonix when using socket
activation, yes.

Similar to:

-
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.socket

-
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.service

File name should not contain "anon-ws-disable-stacked-tor" / "autogen".

File names...?

/lib/systemd/system/qubes-whonix-monerod.socket
/lib/systemd/system/qubes-whonix-monerod.service

Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050"

with:

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

Untested. Does that work?

Would this break monerod for users not using this Monero wallet/daemon
isolation? I mean, does monerod use local port 18081 by default? In that
case we'd need to change that port.

> If not, the user will have to put this on the TemplateVM
> or config bind-dirs; which are both additional steps.
>>
>>
>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>> /etc/qubes-rpc/policy/whonix.monerod
>>
>> To save users from manually creating it, could be dropped here:
>>
>> https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy
>>
>> If you like, create a pull request and see what Marek thinks.
>>
> 
> This would be useful. It's on my radar.
> 
>>
>>
>> /home/user/monerod.service would be better in /rw so only root can write
>> to it. Even better perhaps systemd user services?
>>
>> https://www.brendanlong.com/systemd-user-services-are-amazing.html
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
>>
>>
> 
> Interesting, I didn't know about this. I don't see how moving the file
> from /home/user/ to /home/user/.config/systemd/user is more secure,
> though.

> I think moving it to /rw may be slightly better, but
> passwordless sudo kind of negates that.

Indeed only useful for users of these:

- https://www.qubes-os.org/doc/vm-sudo/
- https://github.com/tasket/Qubes-VM-hardening

Qubes-VM-hardening will be easily available one day probably.

https://github.com/QubesOS/qubes-issues/issues/2748

I guess password protected sudo will get more and more easy in Qubes so
very much worth going for proper access rights.

> The best would be to put it on the TemplateVM in /lib/systemd/system/,
> but, again, this is more steps for the user.
> 
> In regards to monero being in stretch-backports now, I think it might be
> an equal number of steps or more than there is now, and more confusing
> for the user, to add stretch-backports to the TemplateVM's sources and
> install via apt. If it were in stretch this would be no question.
> 

And only monerod is in Debian. monero gui is not.



Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-14 Thread Patrick Schleizer
This is completely untested. Let me know what you think and if this
works for you.

* A backup of all Qubes VMs using the usual Qubes backup mechanism
(independent from below) is advisable anyhow.

* Those who mind about their contents could clone their sys-whonix to
sys-whonix-backup and clone their anon-whonix to anon-whonix-backup.
Those who don't mind about their contents probably don't have this issue
anyhow?

* Then delete anon-whonix and sys-whonix.

* Then proceed as per https://www.whonix.org/wiki/Qubes/Install

* Then delete the newly created sys-whonix / anon-whonix.

* Clone sys-whonix-backup to sys-whonix.

* Clone anon-whonix-backup to anon-whonix.

* Finally delete superfluous sys-whonix-backup / anon-whonix-backup.



Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-14 Thread Patrick Schleizer
Thank you for looking into this!

Chris Laprise:
> It was a bit confusing, but from the wiki Install page I picked out
> these relevant steps for dom0 (Qubes 4.0):
> 
> $ sudo qubes-dom0-update qubes-core-admin-addon-whonix
> $ sudo qubesctl state.sls qvm.anon-whonix
> 
> The second command will start the download and install, although it does
> not give much feedback.

Created 'add salt download progress indicator' #4215
https://github.com/QubesOS/qubes-issues/issues/4215
for it.

> Also, there is no need to clone old whonix-gw in the steps I mentioned
> earlier;

Why not?

> Also, there is no need to clone old whonix-gw in the steps I mentioned
> earlier; only whonix-ws is needed. Once you have your appVMs switched
> over to whonix-ws-14 you can delete the clone.

Why does whonix-ws need to be cloned anyhow if you like to install from
Qubes repository?

whonix-ws should be ignored by salt since the template name changed to
whonix-ws-14?



Re: [qubes-users] Guide: Monero wallet/daemon isolation w/qubes+whonix

2018-08-14 Thread Patrick Schleizer
I didn't notice this thread until now.

Interesting!

Now reference here:
https://www.whonix.org/wiki/Monero


I am wondering how to save users from as many manual steps as possible.


To save users from having to edit /rw/config/rc.local...

> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

Could maybe be replaced by file:

/etc/anon-ws-disable-stacked-tor.d/40_monero.conf

content:

$pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

Should work after reboot (or after "sudo systemctl restart
anon-ws-disable-stacked-tor").

Untested.

Reference:
https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf



/etc/qubes-rpc/policy/user.monerod could maybe become:
/etc/qubes-rpc/policy/whonix.monerod

To save users from manually creating it, could be dropped here:

https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy

If you like, create a pull request and see what Marek thinks.



/home/user/monerod.service would be better in /rw so only root can write
to it. Even better perhaps systemd user services?

https://www.brendanlong.com/systemd-user-services-are-amazing.html

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111



Re: [qubes-users] Re: Whonix 14 installation problem...using 4.0?

2018-08-14 Thread Patrick Schleizer
sm...@tutamail.com:
> Not sure it was happening in the background but waited for 1 1/2 hrs
> with no feedback after the "sudo qubesctl state.sls qvm.anon-whonix"
> command in Dom0.

Created...

add salt download progress indicator #4215
https://github.com/QubesOS/qubes-issues/issues/4215

... for it.

> Regardless I have it running...thanks Whonix/Qubes!
>

Thanks! :)



Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-14 Thread Patrick Schleizer
Andrew David Wong:
> On 2018-08-12 14:26, 'awokd' via qubes-users wrote:
>> On Sun, August 12, 2018 6:16 pm, qubes-...@tutanota.com wrote:
>>> I am planning to move from my Whonix 13 to Whonix 14 on Qubes. My
>>> question is what way it should be easier, based on the Q user
>>> experiences. What would you propose - upgrade or re-install? Are
>>> there any known issues which would call for one or other way?
>
>> Re-install is usually easier.
>
>>> I have few VMs based on the Whonix template with data and
>>> settings on it. Will the contents of these VMs remain, or will
>>> it be destroyed - re-install vs upgrade?
>
>> Contents should remain, just set them to the new Whonix template.
>> Make sure to back up everything first.
>
>
> The installation guide [1] states:
>
> "Re-installation will destroy any existing user data stored in Whonix
> VMs, unless it is backed up first. To avoid this scenario, it is
> possible to upgrade Whonix 13 to 14 instead of following these
> instructions."
>
> This was puzzling to me, too, since TemplateVM upgrades usually don't
> affect user data in TemplateBasedVMs. Could you shed some light on
> this, Patrick?
>
> [1] https://www.whonix.org/wiki/Qubes/Install

I see. Indeed it is not clear from the text alone without jumping over
to the reference and other links.

https://www.whonix.org/wiki/Qubes/Install links to
https://www.whonix.org/wiki/Qubes/Uninstall which suggests to get rid of
Whonix entirely (whonix-gw, whonix-ws TemplateVM, sys-whonix,
anon-whonix) before proceeding. Therefore all data gets lost unless
backup exists. Otherwise reinstall using salt would not be possible and
manual reinstall is too difficult (too much room for user error).

This is due to a hard to solve issue with Qubes salt:

https://github.com/QubesOS/qubes-issues/issues/4177

Help welcome with these salt issues as well as other salt issues (or any
Whonix issue):

https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aopen+label%3A%22C%3A+Whonix%22

Cheers,
Patrick



Re: [qubes-users] Whonix 14 - upgrade or re-install? Whats more smooth, less troublesome?

2018-08-14 Thread Patrick Schleizer
Franz:
> when I try to uninstall whonix-ws
> 
> sudo dnf remove qubes-template-whonix-ws*
> 
> I get
> No match for argument: qubes-template-whonix-ws*
> Error: No packages marked for removal
> 
> I followed this guide: https://www.whonix.org/wiki/Qubes/Uninstall
> 


Output of...?

dnf list | grep qubes-template-whonix



Re: [qubes-users] Stable Template list 06/2018? eg whonix 14

2018-08-07 Thread Patrick Schleizer
How to know when new Whonix versions are out?

https://www.whonix.org/wiki/Stay_Tuned

Also posted subject "Whonix 14 has been Released" on this list yesterday.

Not sure how we can do better.

notify Whonix 14 release on qubes-announce

https://github.com/QubesOS/qubes-issues/issues/4193

799:
> Hello,
> 
>  wrote on Sun., 3 June 2018, 09:47:
> 
>> 2. Jun 2018 23:54 by qubes-users@googlegroups.com:
>>
>> Is there a list of Stable Templates somewhere ,
>>
>>  https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

Was testers-only by that time. By that time, that wiki page indicated
that. Released stable yesterday.

> I assume that we will see a Whonix 14 template in the "official qubes
> repository" soon, correct?
> 
> Or do we really need to manually upgrade from Whonix 13?

https://www.whonix.org/wiki/Qubes/Install



Re: [qubes-users] Whonix ERROR: Systemd Clock Check Result: Unexpected results by timedatectl

2018-08-07 Thread Patrick Schleizer
> Unexpected results by timedatectl

- Please enter error messages into search engines

"Unexpected results by timedatectl"

Then you will often find already existing discussions.

https://github.com/QubesOS/qubes-issues/issues/3469

- Upgrade to Whonix 14 - fixed there.

Cheers,
Patrick



Re: [qubes-users] Delete whonix and install again

2018-08-07 Thread Patrick Schleizer
'Andrzej Andrzej' via qubes-users:
> Very funny :D I've already solved the problem. I did not notice one thing. In 
> qvm-prefs whonix, I need to give False in option installed_by_rpm
> 

Just now reported a bug.

when restoring a VM from backup, don't restore setting installed_by_rpm

https://github.com/QubesOS/qubes-issues/issues/4192



Re: [qubes-users] sys-whonix-14 won't 'bootstrap' hangs @ 25-40% etc

2018-08-07 Thread Patrick Schleizer
none:
> I've noticed that sys-whonix-14 appears to fail after
> suspend and resume. Is this a known issue?

Depends on exact terminology. Suspend or pause?

Does
https://www.whonix.org/wiki/Post_Install_Advice#Network_Time_Syncing
clarify?



Re: [qubes-users] whonix clock sync error on boot

2018-08-07 Thread Patrick Schleizer
cooloutac:
> anyone else getting Unexpected results by timedatectl message from sys-whonix 
> when booting Qubes?
> 
> Tried updating doesn't seem to be going away.
> 

> Unexpected results by timedatectl

- Please enter error messages into search engines

"Unexpected results by timedatectl"

Then you will often find already existing discussions.

https://github.com/QubesOS/qubes-issues/issues/3469

- Upgrade to Whonix 14 - fixed there.

Cheers,
Patrick



Re: [qubes-users] whonix doesnt sync time -> mfa totp oathtool not working?

2018-08-07 Thread Patrick Schleizer
qubes-...@tutanota.com:
> Hi, I experience an issue with the mfa oathtool totp. 
Application similar to google authenticator?

Whonix's sdwdate might not be accurate enough for it.

Can you use that tool offline? Doing such code generation you're much
better off doing this in a non-Whonix offline (vault) VM.
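
Why clock accuracy matters for TOTP, as an added example that is not part of the original message: it implements RFC 6238 TOTP (30 second steps, HMAC-SHA1, 6 digits) and a verifier that tolerates +-1 time step. The key and reference time are the RFC 6238 test values; the verifier window and the clock errors tried are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """The code a client generates when its clock reads unix_time."""
    return hotp(key, int(unix_time) // STEP, digits)


def verify(key: bytes, code: str, server_time: int, window: int = 1, digits: int = 6):
    """Server-side check. Returns the matching step offset, or None if rejected.

    window=1 (an assumption about the verifying service) accepts the previous,
    current and next time step.
    """
    counter = int(server_time) // STEP
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + offset, digits), code):
            return offset
    return None


def skew_report(key: bytes, server_time: int, skews, window: int = 1):
    """Map each client clock error in seconds to the verifier's verdict."""
    return {
        skew: verify(key, totp(key, server_time + skew), server_time, window)
        for skew in skews
    }


# RFC 6238 test key and one of its test times. 1111111109 is 29 s into its
# 30 s step, so even a 1 s fast client clock already lands in the next step.
RFC_KEY = b"12345678901234567890"
SERVER_TIME = 1111111109

if __name__ == "__main__":
    # Constructed clock errors (seconds) for a client whose clock is off.
    report = skew_report(RFC_KEY, SERVER_TIME, [-60, -59, -5, 0, 1, 30, 31, 120])
    for skew, verdict in report.items():
        status = "rejected" if verdict is None else f"accepted (step offset {verdict:+d})"
        print(f"client clock {skew:+4d} s: {status}")
```

How much error is tolerated depends on where the server is inside its current step: here +30 s is accepted and +31 s is not, while on the slow side -59 s passes and -60 s fails.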



Re: [qubes-users] Whonix and problem with Proxy Policy

2018-08-07 Thread Patrick Schleizer
Let salt do it for you.

Refer to:

https://www.whonix.org/wiki/Qubes/Install



Re: [qubes-users] How to change TemplateVM update method from Whonix to just another appvm?

2018-08-07 Thread Patrick Schleizer
Sphere:
> So upon installation of Qubes I have set updating of TemplateVMs through 
> Whonix but now I'm actually stuck with it and I want to change it to updating 
> through just another AppVM.
> 
> Could anyone guide me to what commands I need to use in order to fix this? (I 
> actually wish this was an option in Qubes settings UI as well)
> 

Qubes R4?

modify:

/etc/qubes-rpc/policy/qubes.UpdatesProxy
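
How the order of lines in that file decides which qube proxies a template's updates, as an added example that is not part of the original message or Qubes' own code: a simplified first-match evaluator for R4.0-style policy lines (`source destination action,param=value`). Both policy texts, the VM names and the tags are constructed samples, and only the `$anyvm`, `$default`, `$type:` and `$tag:` tokens are modelled.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    klass: str                      # e.g. "TemplateVM", "AppVM"
    tags: set = field(default_factory=set)


def parse_policy(text):
    """Return (source, dest, action, params) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        source, dest, rest = line.split(None, 2)
        action, *pairs = [part.strip() for part in rest.split(",")]
        rules.append((source, dest, action, dict(p.split("=", 1) for p in pairs)))
    return rules


def source_matches(token, vm):
    if token == "$anyvm":
        return True
    if token.startswith("$type:"):
        return vm.klass == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm.tags
    return token == vm.name


def resolve_updates_proxy(policy_text, vm):
    """Qube that will proxy vm's updates, or None if the call is not allowed.

    The updates proxy call is made without naming a target, which is matched
    by a destination of $default or $anyvm. The first matching line decides.
    """
    for source, dest, action, params in parse_policy(policy_text):
        if source_matches(source, vm) and dest in ("$default", "$anyvm"):
            return params.get("target") if action == "allow" else None
    return None


def audit(policy_text, vms, expected):
    """Return {vm name: (actual, expected)} for every VM routed other than intended."""
    wrong = {}
    for vm in vms:
        actual = resolve_updates_proxy(policy_text, vm)
        if actual != expected[vm.name]:
            wrong[vm.name] = (actual, expected[vm.name])
    return wrong


# Constructed sample: every template updates through sys-whonix.
POLICY_ALL_TOR = """
$type:TemplateVM $default allow,target=sys-whonix
$anyvm $anyvm deny
"""

# Constructed sample: Whonix templates keep sys-whonix, the rest use sys-net.
POLICY_SPLIT = """
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""

# Same lines with the generic template rule moved to the top (misordered).
POLICY_MISORDERED = """
$type:TemplateVM $default allow,target=sys-net
$tag:whonix-updatevm $default allow,target=sys-whonix
$anyvm $anyvm deny
"""

VMS = [
    VM("debian-9", "TemplateVM"),
    VM("whonix-ws-14", "TemplateVM", {"whonix-updatevm"}),
    VM("work", "AppVM"),
]
EXPECTED = {"debian-9": "sys-net", "whonix-ws-14": "sys-whonix", "work": None}

if __name__ == "__main__":
    for label, policy in [("all over Tor", POLICY_ALL_TOR),
                          ("split", POLICY_SPLIT),
                          ("misordered", POLICY_MISORDERED)]:
        print(label, audit(policy, VMS, EXPECTED))
```

The misordered policy is the case to check for after editing the file: because the first matching line wins, a generic `$type:TemplateVM` rule placed above the tag rule also captures the Whonix templates.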



Re: [qubes-users] Confusing whonix check error

2018-08-07 Thread Patrick Schleizer
ray242012:
> Unexpected results by timedatectl

- Please enter error messages into search engines

"Unexpected results by timedatectl"

Then you will often find already existing discussions.

https://github.com/QubesOS/qubes-issues/issues/3469

- Upgrade to Whonix 14 - fixed there.

Cheers,
Patrick



Re: [qubes-users] Whonix 14 has been Released

2018-08-07 Thread Patrick Schleizer
Franz:
> Many thanks, so, following this link, the command
> 
> sudo qubesctl state.sls qvm.anon-whonix
> 
>  should download Whonix 14, correct?
> 
> But the same link tells that this would download templates whonix-gw and
> whonix-ws. But these are the same names of the old templates. So am I
> expected to rename the old templates before calling the above command?
> 

Hi,

thanks!

Please refer to:
https://www.whonix.org/wiki/Qubes/Install

Cheers,
Patrick



[qubes-users] Whonix 14 has been Released

2018-08-07 Thread Patrick Schleizer
After more than two years of development, the Whonix Project is proud
to announce the release of Whonix 14.

Whonix 14 is based on the Debian stretch (Debian 9) distribution which
was released in June 2017. This means users have access to many new
software packages in concert with existing packages such as a modern
branch of GnuPG, and more. [1][2][3]

**Major Changes and New Features**

Whonix 14 contains extensive security and usability improvements, new
features and bug fixes. For a detailed description of these and other
changes, please refer to the official release notes. [4]

* Rebased Whonix on **Debian stretch** (Debian 9).
* Whonix 14 is **64-bit** (amd64) only - 32-bit (i386) images will no
longer be built and made available for download. [5]
* The new **Anon Connection Wizard** [6] feature in Whonix simplifies
connections to the Tor network via a Tor bridge and/or a proxy.
* The Tor pluggable transport **meek_lite** [7] is now supported,
making it much easier to connect to the Tor network in heavily
censored areas, like China. [8]
* **Onioncircuits** are installed by default in Whonix. [9]
* Tails' **onion-grater** program has been implemented to enable
**OnionShare, Ricochet and Zeronet** compatibility with Whonix. [10]
* **Onion sources** are now preferred for Whonix updates/upgrades for
greater security.
* Reduced the size of the default, binary Whonix images by
approximately **35 per cent** using zerofree. [11] [12]
* **Updated Tor** to version 3.3.7 (stable) release to enable full v3
onion functionality for both hosting of onion services and access to
v3 onion addresses in Tor Browser.
* Created the **grub-live package** [13] which can run Whonix as a
**live system** on non-Qubes-Whonix platforms. [14]
* Corrected and hardened various **AppArmor profiles** to ensure the
correct functioning of Tor Browser, obfsproxy and other applications.


**Known Issues**

* Desktop shortcuts are no longer available in non-Qubes-Whonix.
* OnionShare is not installed by default in Whonix 14 as it is not in
the stretch repository. [15] It can still be manually installed by
following the Whonix wiki instructions [16] or building it from source
code. [17]
* Enabling seccomp (Sandbox 1) in /usr/local/etc/torrc.d/50_user.conf
causes the Tor process to crash if a Tor version lower than 0.3.3 is
used. [18] [19]


While there may be other issues that exist in this declared stable
release, every effort has been made to address major known problems.

Please report any other issues to us in the forums, after first
searching for whether it is already known.

  https://www.whonix.org/wiki/Known_Issues

**Download Whonix 14**

Whonix is cross-platform and can be installed on the Windows, macOS,
Linux or Qubes operating systems. Choose your operating system from
the link below and follow the instructions to install it.

  https://www.whonix.org/download/

**Upgrade to Whonix 14**

Current Whonix users (or those with 32-bit hardware) who would prefer
to upgrade their existing Whonix 13 platform should follow the upgrade
instructions below.

  https://whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

**What’s Next?**

Work on Whonix 15 is ongoing and interested users can refer to the
roadmap to see where Whonix is heading. [20]

Developer priorities are currently focused on easing the transition to
the next Debian release due in 2019 (“buster”; Debian 10) and
squashing existing bugs, rather than implementing new features.

We need your help and there are various ways to contribute to Whonix -
donating or investing your time will help the project immensely. Come
and talk with us! [21]

**References**

[1] https://www.debian.org/News/2017/20170617
[2] https://www.debian.org/releases/stable/amd64/release-notes/
[3] https://www.debian.org/releases/stable/i386/release-notes/
[4] https://whonix.org/wiki/Whonix_Release_Notes#Whonix_14
[5] Whonix 13 users with 32-bit systems can however upgrade their
platform by following the available wiki instructions, rather than
download new Whonix-WS and Whonix-GW images.
[6] https://whonix.org/wiki/Anon_Connection_Wizard
[7] https://www.whonix.org/blog/meek_lite-whonix-14
[8] https://github.com/Yawning/obfs4/commit/611205be681322883a4d73dd00fcb13c4352fe53
[9] https://packages.debian.org/stretch/onioncircuits
[10] https://phabricator.whonix.org/T657
[11] https://phabricator.whonix.org/T790
[12] VirtualBox .ova and libvirt qcow2 raw images. The Whonix-Gateway
is reduced from 1.7 GB to 1.1 GB, while the Whonix-Workstation is
reduced from 2 GB to 1.3 GB.
[13] https://whonix.org/wiki/Whonix_Live
[14] grub-live is optional and requires the user to first enable it
manually.
[15] https://packages.debian.org/search?searchon=names&keywords=onionshare
[16] https://whonix.org/wiki/Onionshare
[17] https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux
[18] https://trac.torproject.org/projects/tor/ticket/22605
[19] https://packages.debian.

[qubes-users] port filtering using Qubes firewall?

2018-02-05 Thread Patrick Schleizer
https://www.qubes-os.org/doc/firewall/

Is it possible to use "any" as address?

In other words, is it possible to do simple port filtering? As in block
port XX or allow port YY only?

Cheers,
Patrick



[qubes-users] Qubes R4: DispVM Template vs DispVM initial startup vs startup usability bug?

2017-12-04 Thread Patrick Schleizer
When trying to start a DispVM for the first time, it actually starts the
DispVM template such as whonix-ws-dvm. After shut down, using the very
same shortcut to start the DispVM, it starts an actual DispVM starting
Disp[...]. The user may be confusing the DispVM template for the actual
DispVM since there is no graphical explanation what is happening. Is
that right? If so, shall we open a usability bug?

Cheers,
Patrick



[qubes-users] Qubes R4: How to start the DispVM Template another time for reconfiguration?

2017-12-04 Thread Patrick Schleizer
How to start the DispVM Template (such as whonix-ws-dvm) for a second or
subsequent time?

When I start it the second time, it actually starts a DispVM named
Disp[...].

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/1b346b4c-8b23-8555-3cca-46aecd8498a1%40whonix.org.


Re: [qubes-users] Anything like Split GPG for Keepass?

2017-11-12 Thread Patrick Schleizer
Eric Shelton:
> I am curious how people are making effective use of Keepass in a vault 
> domain.  It seems like with a browser plugin, you might be able to take a 
> Split GPG type of approach, and avoid all of the cutting and pasting across 
> domains.  Any comments or suggestions?
> 
> - Eric
> 


An inter-VM password manager for Qubes OS based on pass (
https://www.passwordstore.org/ )

https://github.com/Rudd-O/qubes-pass

https://groups.google.com/forum/#!topic/qubes-users/amry7Shb94o

(Adding this here since search for "Keepass" "Qubes" leads to this old
thread which claims there is no solution at all.)

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2d12a34d-a034-ba4f-dbd7-b339baf7722d%40whonix.org.


[qubes-users] Anti Evil Maid (AEM) - possible to use text and picture at the same time?

2017-11-08 Thread Patrick Schleizer
Got secret.txt as well as secret.png - now it's only showing the image
at plymouth but no text. Looks like both cannot be combined?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/5d828548-19b1-7422-6c52-2775038e444b%40whonix.org.


[qubes-users] Anti Evil Maid (AEM) - SRK password strength? Sane to use same password as for full disk encryption?

2017-11-08 Thread Patrick Schleizer
How strong should the SRK password strength be? Should it be as strong
as a password for full disk encryption?

Is it sane to use same password as SRK password as well as for full disk
encryption?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/452590b6-339c-b1ae-233b-3260972665d4%40whonix.org.


[qubes-users] Ledger Nano S works for me with Qubes OS R3.2 and R4 - now documented

2017-10-31 Thread Patrick Schleizer
Experimented with this. Documented it. Feel free to test and contribute
to the instructions.

https://www.whonix.org/wiki/Ledger_Hardware_Wallet

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e852ff07-1456-547f-11da-210a93e11203%40riseup.net.


Re: [qubes-users] Ledger Nano S works great with Qubes OS R3.2 [Debian 8 and Fedora 24 AppVMs]

2017-10-27 Thread Patrick Schleizer
Does it still work for you with Qubes R4?

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/8b48660a-f523-33f2-c212-54f7f01ae548%40riseup.net.


[qubes-users] HIDPI - Qubes R4

2017-10-24 Thread Patrick Schleizer
Did anyone manage to get HiDPI working in Qubes R4?


https://groups.google.com/forum/#!msg/qubes-users/GQOLttJeJTg/hubZ7gX8AwAJ

https://github.com/QubesOS/qubes-issues/issues/1951

R.B.:
> Hello,
> 
> For the people who want to use a HIDPI display, or have one on their
> laptop, Here's an easy way to get your vm's up to scale while issue
> #1951 is open ;-)
> 
> Settings that I use on my machine with 3.2rc1:
> gsettings set org.gnome.desktop.interface scaling-factor 2
> gsettings set org.gnome.desktop.interface text-scaling-factor 0.75
> 
> You could run it through qvm-run from dom0 for all your vm's.
> 
> Note that for some reason it won't affect templates. The
> (gnome-)terminal for instance remains the same size and scale.
> 
> For reference: https://github.com/QubesOS/qubes-issues/issues/1951
> 
> Enjoy.
> 
> Regards,
> 
> RB
> 

I tried this in a Qubes R4 AppVM. However it didn't have any effect.

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/50a20835-e96b-c4b6-4869-a954139f34e2%40riseup.net.


Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-19 Thread Patrick Schleizer
Trying to replace

> cd /mnt/var/lib/qubes/servicevms mv sys-usb sys-usb.bak

with qvm-prefs. (That may be even better than using systemctl.)

Please have a look at the following instructions, modified what you
wrote. I hope we could simplify/clarify for novice users and add this to
the Qubes documentation.


You should be able to fix this in grub: something like this -
Interrupt the boot process and change the parameters to remove
rd.qubeshideallusb, and add
rd.break=cleanup.

You'll be prompted to decrypt disks and then drop to shell.
The root filesystem will be mounted ro at /sysroot.

umount /sysroot

mkdir /mnt/disk

mount /dev/mapper/qubes_dom0-root /mnt/disk

chroot /mnt/disk

qvm-prefs -s sys-usb autostart false

exit

sudo umount /mnt/disk

reboot

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/469c182c-e108-954f-5540-7dcc1d80a803%40riseup.net.


Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-19 Thread Patrick Schleizer
Trying to replace

> cd /mnt/var/lib/qubes/servicevms mv sys-usb sys-usb.bak

with systemctl disabling the autostart of the VM. Could that work?

Please have a look at the following instructions, modified what you
wrote. I hope we could simplify/clarify for novice users and add this to
the Qubes documentation.


You should be able to fix this in grub: something like this -
Interrupt the boot process and change the parameters to remove
rd.qubeshideallusb, and add
rd.break=cleanup.

You'll be prompted to decrypt disks and then drop to shell.
The root filesystem will be mounted ro at /sysroot.

umount /sysroot

mkdir /mnt/disk

mount /dev/mapper/qubes_dom0-root /mnt/disk

chroot /mnt/disk

systemctl disable qubes-vm@sys-usb

exit

sudo umount /mnt/disk

reboot

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/3ef756af-308d-83d8-2db4-f51e36f41e4c%40riseup.net.


[qubes-users] iommu=force - security risks?

2017-10-19 Thread Patrick Schleizer
I had to use iommu=force to make a notebook boot Qubes R4. [1]

Does that pose any security risk?

Cheers,
Patrick

[1] (Because 'BIOS did not enable IDB for VT properly. - TUXEDO
InfinityBook Pro 13' [2])

[2] https://groups.google.com/forum/#!topic/qubes-users/gAKEomiulUY

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2aa931c7-9076-dc1f-2c0e-0ba65f37a73c%40riseup.net.


Re: [qubes-users] BIOS did not enable IDB for VT properly. - TUXEDO InfinityBook Pro 13

2017-10-19 Thread Patrick Schleizer
Patrick Schleizer:
> Qubes R4 RC1 with TUXEDO InfinityBook Pro 13 [1]. Xen crashes. Boot aborts.
> 
>> BIOS did not enable IDB for VT properly. crash Xen for security purposes
> 
> Did anyone see this error ever before? Any idea how to fix it?
> 
> Cheers,
> Patrick
> 
> [1]
> https://www.tuxedocomputers.com/Linux-Hardware/Linux-Notebooks/10-14-Zoll/TUXEDO-InfinityBook-Pro-13-matt-Full-HD-IPS-Aluminiumgehaeuse-Intel-Core-i7-U-CPU-bis-32GB-RAM-zwei-HDD/SSD-bis-12h-Akku-Typ-C-Thunderbolt.geek
> 

Could get it to boot using

iommu=force

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/160fea68-ca6e-ad51-c21a-be16826b93ac%40riseup.net.


[qubes-users] BIOS did not enable IDB for VT properly. - TUXEDO InfinityBook Pro 13

2017-10-17 Thread Patrick Schleizer
Qubes R4 RC1 with TUXEDO InfinityBook Pro 13 [1]. Xen crashes. Boot aborts.

> BIOS did not enable IDB for VT properly. crash Xen for security purposes

Did anyone see this error ever before? Any idea how to fix it?

Cheers,
Patrick

[1]
https://www.tuxedocomputers.com/Linux-Hardware/Linux-Notebooks/10-14-Zoll/TUXEDO-InfinityBook-Pro-13-matt-Full-HD-IPS-Aluminiumgehaeuse-Intel-Core-i7-U-CPU-bis-32GB-RAM-zwei-HDD/SSD-bis-12h-Akku-Typ-C-Thunderbolt.geek

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/0f69a6fe-6478-8f58-fe51-8d9f3f4ce5f5%40riseup.net.


[qubes-users] Qubes R4 RC1 GUI backup tool doesn't exist yet?

2017-10-09 Thread Patrick Schleizer
I guess a GUI backup tool doesn't exist as of Qubes R4 RC1 (plus all
stable upgrades)?

The progress in

'Qubes Manager Decomposition for Qubes 4.0'
https://github.com/QubesOS/qubes-issues/issues/2132

is a bit hard to follow in such a lengthy ticket. May I suggest
splitting the remaining tasks into new tasks and close that one?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7bc1cc10-8fa7-36d7-ee5b-2bc90bac242e%40riseup.net.


Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-02 Thread Patrick Schleizer
Yethal:
> On Wednesday, 27 September 2017 at 14:08:56 UTC+2, Patrick Schleizer
> wrote:
>> cooloutac:
>>> On Sunday, September 24, 2017 at 12:23:39 PM UTC-4, cooloutac wrote:
>>>> On Sunday, September 24, 2017 at 12:23:23 PM UTC-4, cooloutac wrote:
>>>>> On Sunday, September 24, 2017 at 9:25:24 AM UTC-4, Patrick Schleizer 
>>>>> wrote:
>>>>>> Quote from https://www.qubes-os.org/doc/usb/
>>>>>>
>>>>>>> Caution: By assigning a USB controller to a USB qube, it will no
>>>>>>> longer be available to dom0. This can make your system unusable if, for
>>>>>>> example, you have only one USB controller, and you are running Qubes off
>>>>>>> of a USB drive.
>>>>>>
>>>>>> How can one recover from such a situation if there is no PS2
>>>>>> keyboard/mice available?
>>>>>>
>>>>>> I guess... Unless there is a better way...? Boot the system using from
>>>>>> an external disk using a USB recovery operating system... Then modify
>>>>>> the local disk (with broken Qubes)... Then do what?
>>>>>>
>>>>>> Cheers,
>>>>>> Patrick
>>>>>
>>>>> ya that. exactly.
>>>>
>>>> that would be the only way I would know of.
>>>
>>> sorry i misunderstood.  you could use the qubes keyboard proxy.  or unhide 
>>> it from dom0.  think they are both explained in the docs there, but don't 
>>> think either are recommended but if you have no choice.
>>>
>>
>> The Qubes documentation explains how to hide/unhide it with the gui. But
>> when the disk is not booted (for recovery booted from USB), the gui
>> cannot be used since it refers to the USB booted and not internal disk
>> supposed to be recovered.
>>
>> To undo it some file on the internal disk needs to be modified. Which
>> files needs what modification?
> 
> Remove rd.qubeshideallusb parameter from grub and then rebuild grub
> 

That requires to chroot into the mounted disk system?

Isn't it difficult to run grub from a chrooted disk without messing up
bootloader of the disk that was booted or messing up which devices grub
is referring to?

> Remove rd.qubeshideallusb parameter from grub [...]

If that's all... Then why not just do this during normal system boot at
grub?

Even if it's not hidden all the time from dom0... Won't the
keyboard/mice USB controller be quickly assigned to sys-usb, detached
from dom0 and still leave an unbootable system?

As I understand the documentation rd.qubeshideallusb is "only" for
improved security. One can render its system unusable even without using
rd.qubeshideallusb.

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/b2f00cd4-2636-e9da-d349-451d619180fe%40riseup.net.


Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-09-27 Thread Patrick Schleizer
cooloutac:
> On Sunday, September 24, 2017 at 12:23:39 PM UTC-4, cooloutac wrote:
>> On Sunday, September 24, 2017 at 12:23:23 PM UTC-4, cooloutac wrote:
>>> On Sunday, September 24, 2017 at 9:25:24 AM UTC-4, Patrick Schleizer wrote:
>>>> Quote from https://www.qubes-os.org/doc/usb/
>>>>
>>>>> Caution: By assigning a USB controller to a USB qube, it will no
>>>>> longer be available to dom0. This can make your system unusable if, for
>>>>> example, you have only one USB controller, and you are running Qubes off
>>>>> of a USB drive.
>>>>
>>>> How can one recover from such a situation if there is no PS2
>>>> keyboard/mice available?
>>>>
>>>> I guess... Unless there is a better way...? Boot the system using from
>>>> an external disk using a USB recovery operating system... Then modify
>>>> the local disk (with broken Qubes)... Then do what?
>>>>
>>>> Cheers,
>>>> Patrick
>>>
>>> ya that. exactly.
>>
>> that would be the only way I would know of.
> 
> sorry i misunderstood.  you could use the qubes keyboard proxy.  or unhide it 
> from dom0.  think they are both explained in the docs there, but don't think 
> either are recommended but if you have no choice.
> 

The Qubes documentation explains how to hide/unhide it with the gui. But
when the disk is not booted (for recovery booted from USB), the gui
cannot be used since it refers to the USB booted and not internal disk
supposed to be recovered.

To undo it some file on the internal disk needs to be modified. Which
files needs what modification?

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/edcf8c23-7748-4931-aff6-16512e22010c%40riseup.net.


[qubes-users] How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-09-24 Thread Patrick Schleizer
Quote from https://www.qubes-os.org/doc/usb/

> Caution: By assigning a USB controller to a USB qube, it will no
> longer be available to dom0. This can make your system unusable if, for
> example, you have only one USB controller, and you are running Qubes off
> of a USB drive.

How can one recover from such a situation if there is no PS2
keyboard/mice available?

I guess... Unless there is a better way...? Boot the system using from
an external disk using a USB recovery operating system... Then modify
the local disk (with broken Qubes)... Then do what?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/60e93375-e4dc-78ce-80e5-2414c263874b%40riseup.net.


Re: [qubes-users] Re: UEFI Troubleshooting workaround does not work

2017-09-17 Thread Patrick Schleizer
Mirosław Wojciechowski:
> On Sunday, 17 September 2017 at 12:35:40 UTC+2, Patrick
> Schleizer wrote:
>> Hi!
>>
>> Got a new notebook. Tried to install Qubes R3.2 as well as Qubes R4 RC1
>> but failed so far.
>>
>> Got this
>>
>> Filepath:
>> ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)/File(/EFI/Boot)/file(Xen.efi)/EndEntire
>>
>> boot loop bug. The workaround
>> https://www.qubes-os.org/doc/uefi-troubleshooting/ does not help. Still
>> a boot loop. Tried installation from USB as well as DVD.
>>
>> And I couldn't find a legacy boot option in the BIOS.
>>
>> For comparison, an Ubuntu dvd booted.
>>
>> Meaning, no Qubes for that notebook?
>>
>> So the only option left nowadays is "when you buy a new notebook, make
>> sure it supports legacy boot"?
>>
>> Cheers,
>> Patrick
> 
> You can try these steps from this post: 
> https://groups.google.com/forum/#!topic/qubes-users/ZFZT7mQNeWY
> 
> Regards
> 

That guide totally does not apply. It starts with "1/ You will need to
install Qubes in UEFI mode, *NOT* BIOS/CSM mode". Doesn't fly - cannot
boot Qubes anyhow.

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/a4de8bc1-14e9-9f34-aeb8-651e358611ef%40riseup.net.


[qubes-users] UEFI Troubleshooting workaround does not work

2017-09-17 Thread Patrick Schleizer
Hi!

Got a new notebook. Tried to install Qubes R3.2 as well as Qubes R4 RC1
but failed so far.

Got this

Filepath:
ACPI(a0341d0,0)/PCI(2,1f)/UnknownMessaging(12)/File(/EFI/Boot)/file(Xen.efi)/EndEntire

boot loop bug. The workaround
https://www.qubes-os.org/doc/uefi-troubleshooting/ does not help. Still
a boot loop. Tried installation from USB as well as DVD.

And I couldn't find a legacy boot option in the BIOS.

For comparison, an Ubuntu dvd booted.

Meaning, no Qubes for that notebook?

So the only option left nowadays is "when you buy a new notebook, make
sure it supports legacy boot"?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c16bf935-728d-66ea-2abf-834a414470b1%40riseup.net.


Re: [qubes-users] [bug] DispVM savefile creation hangs at "Waiting for DVM..."

2017-06-14 Thread Patrick Schleizer
Andrew:
> Hi,
>
> I recently experienced a very frustrating bug, where my Whonix
> disposable VM could not be recreated after a `dist-upgrade` in the
> underlying Whonix workstation template.  The symptoms were, after trying
> to create it with `qvm-create-default-dvm`:
>   -the VM becomes yellow in Qubes Manager and never becomes green
>   -qrexec could not connect
>   -qvm-create-default-dvm hangs at "Waiting for DVM ..."
>   -`xl console` access still worked fine
>   -no DVM savefile created
>
> Following Patrick's advice in
>
> https://forums.whonix.org/t/dvm-fails-to-start-after-whonix-update-dist-upgrade/3109/5
> (a user reporting seemingly the same bug), I found that three systemd
> units failed:
>   -apparmor
>   -qubes-gui-agent
>   -tb-updater-first-boot

qubes-gui-agent bug? Probably should not break under this condition?

> Patrick, is there some way to detect if the tor-browser directory has
> been changed, and only then save a copy?

As a user: you would know if you made changes to
/var/cache/tb-binary/.tb/ / if you started Tor Browser in Qubes TemplateVM.

As a developer at the code level: create a checksum of the folder in
tb-updater after:

tb_run_function tb_patch

(add a new function tb_checksum)

Then delete older folders that have not been modified. (add new function
tb_delete)

Not sure what to do about old versions not previously checksummed.

Or perhaps super simple: Maybe we should not support customizations in
/var/cache/tb-binary/.tb/ at all and delete all old versions without
asking in postinst.

Or a bit nicer: delete all old versions but one or two without asking.

TODO ticket:
https://phabricator.whonix.org/T671

developer discussion:
https://forums.whonix.org/t/7-0a3-tor-browser-series-defunct-in-whonix/3786/17

> Or perhaps it's better to
> explicitly ask what to do on each invocation of the Tor Browser
> Downloader?

No. Usability mess. Also not possible/sane in postinst.

> At the very least, it should detect when there is not
> enough space and give some sort of warning/instructions.


-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2de1a179-cb72-f37f-63a0-06b04accbdf3%40riseup.net.
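
The checksum-then-delete idea from the message above, as an added example that is not tb-updater's code. `tb_checksum` and `tb_delete` are the function names the message proposes; their bodies, the helper names, the `<folder>.sha256` sidecar file and the one-folder-per-version layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the tb_checksum / tb_delete idea; not tb-updater code.
# Assumption: each version lives in its own folder below one base directory,
# and the recorded digest is kept beside the folder as "<folder>.sha256".

# Print a single SHA-256 over the relative path and content of every regular
# file below $1. Ownership, modes and symlink targets are not covered.
tb_tree_digest() (
    cd "$1" || exit 1
    find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum \
        | sha256sum | cut -d' ' -f1
)

# Record the digest right after the folder has been populated (the message
# places this step after "tb_run_function tb_patch").
tb_checksum() (
    dir=${1%/}
    digest=$(tb_tree_digest "$dir") || exit 1
    printf '%s\n' "$digest" > "$dir.sha256"
)

# Succeed only when a recorded digest exists and still matches the folder.
# A folder that was never checksummed is treated as possibly modified and is
# therefore kept: a conservative assumption for the open question about old
# versions that were not previously checksummed.
tb_unmodified() (
    dir=${1%/}
    [ -r "$dir.sha256" ] || exit 1
    recorded=$(cat "$dir.sha256")
    current=$(tb_tree_digest "$dir") || exit 1
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
)

# Delete every version folder below $1 except $2 (the version in use), but
# only when it is provably unmodified. Prints the names it removed.
tb_delete() (
    base=${1%/}
    keep=$2
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        [ "$name" = "$keep" ] && continue
        if tb_unmodified "$dir"; then
            rm -rf -- "${dir:?}" "$dir.sha256"
            printf '%s\n' "$name"
        fi
    done
)

# Constructed demo tree: 9.0 is untouched, 9.5 is customized after it was
# checksummed, 8.5 was never checksummed, 10.0 is the version in use.
tb_demo() (
    base=$(mktemp -d) || exit 1
    for v in 8.5 9.0 9.5 10.0; do
        mkdir -p "$base/$v/Browser"
        printf 'build %s\n' "$v" > "$base/$v/Browser/firefox"
    done
    for v in 9.0 9.5 10.0; do
        tb_checksum "$base/$v"
    done
    printf 'user_pref("x", 1);\n' > "$base/9.5/Browser/user.js"  # customization
    tb_delete "$base" 10.0 | sed 's/^/removed /'
    for v in 8.5 9.0 9.5 10.0; do
        if [ -d "$base/$v" ]; then
            printf 'kept %s\n' "$v"
        fi
    done
    rm -rf -- "${base:?}"
)
```

Calling `tb_demo` shows that only the untouched, checksummed old version is removed; the customized folder and the never-checksummed folder survive.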


Re: [qubes-users] Re: coldkernel status update

2017-04-09 Thread Patrick Schleizer
Reg Tiangha:
> Thanks for all the hard work! WillyPillow just pointed out to me today
> on the qubes-devel mail list that installing busybox and updating
> initramfs in Whonix is all you need to do to get it to boot with
> coldkernel,

busybox will be installed on Whonix 14 by default.

https://github.com/Whonix/anon-meta-packages/commit/92c70963ed34953a81f8e53273453926b738ea18

On the other hand, what about adding busybox as a dependency to the
coldkernel Debian package?

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/587f68f5-a342-b55a-6b39-4d5cd555c255%40riseup.net.


Re: [qubes-users] Re: coldkernel status update

2017-04-09 Thread Patrick Schleizer
Reg Tiangha:
> On 04/08/2017 08:17 PM, Colin Childs wrote:
> Thanks for all the hard work! WillyPillow just pointed out to me today
> on the qubes-devel mail list that installing busybox and updating
> initramfs in Whonix is all you need to do to get it to boot with
> coldkernel,

Source:
https://groups.google.com/forum/#!topic/qubes-devel/lbeVnhxNIP8

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/a4611325-fb4c-df27-81a7-4fe5e312a7b7%40riseup.net.


[qubes-users] grsecurity kernel 4.9.20 not working - Qubes ErrorHandler: BadAccess MIT-SHM

2017-04-07 Thread Patrick Schleizer
Proxying a message from torjunkie at Whonix forums here due to google
group vs Tor spam false positive issues. Source:

https://forums.whonix.org/t/long-wiki-edits-thread/3477/55?

#

Greetings,

I am currently using Qubes 3.2 and have had success to date with
running the 4.8 grsec kernel series (coldkernel) with Debian-8 AppVMs
following the steps / advice outlined on the coldhak blog and github
account.

I have recently tried to apply the 4.9.20 upgraded kernel to the
Debian-8 TemplateVM and hit some problems.

I have followed the advice to install the latest
qubes-kernel-vm-support package from the Qubes testing repository (for
the Debian-8 TemplateVM) and avoided the error messages around "Bad
return status for module build."
[https://github.com/coldhakca/coldkernel/issues/55]
[https://github.com/QubesOS/qubes-issues/issues/2691]

The upgraded kernel successfully builds and the TemplateVM boots.
However, the TemplateVM state light soon shifts from green to yellow.
The qrexec.log and console.log look okay (no obvious error messages),
but the guid.log shows a new cryptic error message I've never seen before:

ErrorHandler: BadAccess (attempt to access private resource denied)
Major opcode: 130 (MIT-SHM)
Minor opcode: 1 (X_ShmAttach)
ResourceID: 0x219
Failed serial number: 49
Current serial number: 50

Any attempts to run applications fail e.g. terminal. So, grsec
groups can't be set, paxtest can't be run, and obviously it's not
functional, so there is no point creating a new AppVM based on it.

Can anyone who has the 4.9 grsec kernel up and running provide any
advice on how to resolve this problem?

Regards

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/54ee6082-ee7e-78f9-55fa-1bcae3c4cdc9%40riseup.net.


Re: [qubes-users] Re: Why doesn't whonix-gw run the latest 0.2.8.x tor?

2017-02-04 Thread Patrick Schleizer
cezg...@gmail.com:
> On Sunday, 29 January 2017 at 12:36:04 UTC+1, Joonas wrote
> My guess is lack of time and funding.
> [...]

Right.

Gave the upgrade low priority and I am pretty conservative when it comes
to stable upgrades. It's not too hard to upload a package to the stable
repository that then would wreck connectivity for most users.

Posted on January 29, 2017:

> Tor was updated to 0.2.9.9-1~d80.jessie+1 in Whonix
> stable-proposed-updates as well as in testers repository.

https://forums.whonix.org/t/tor-0-2-9-9-1-d80-jessie-1-stable-upgrade-testers-wanted

Cheers,
Patrick

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/0e94b7f3-50b7-f5d4-9259-80c9fa75e448%40riseup.net.


Re: [qubes-users] How to switch to xfce in Whonix?

2017-01-19 Thread Patrick Schleizer
6057tx+48r8anehh4c4wazsony08z2dlvc via qubes-users:
> Hello @all,
> 
> I noticed that Whonix (in particular whonix-ws) uses a lot of RAM.
> It seems to me that this is due in part to the fact that it is
> based on KDE. So how can I disable KDE in it and switch to xfce?
> 
> Thanks in advance.

This was answered here:

https://forums.whonix.org/t/how-to-switch-to-xfce-in-whonix-qubes

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/0e9c055c-a2d7-c3c0-f7b2-45d9541c6d32%40riseup.net.


[qubes-users] Qubes-Whonix DisposableVM documentation created

2016-12-15 Thread Patrick Schleizer
https://www.whonix.org/blog/qubes-whonix-dispvm

Before we had just a [stub][1]. Now [Qubes-Whonix][2] [DisposableVMs][3]
are fully [documented][4] thanks to [contributions][5] by the
[community][6]. ([wiki history][7])

**What are DisposableVMs?**

Under the Qubes TemplateVM model, any changes made to a
TemplateBasedVM's root filesystem are lost upon reboot. This is
advantageous for several reasons: it allows centralized (and therefore
faster) updates for all applications (most) inside the root filesystem,
and saves time and disk space.

However, certain directories are designed to persist between reboots in
order to store files and settings. These directories are stored in /rw/
and include /home/user as well as additional directories defined by
"[bind directory][8]" settings.

To ensure that all changes to the filesystem are discarded after a
session, Qubes offers [DisposableVMs][9]. When a DisposableVM is
shut down, the VM is removed from Qubes and all related VM images are
deleted from the host filesystem.

**What is a Whonix-Workstation DisposableVM?**

As the name suggests, this is a [Qubes][10] DisposableVM template based
on the Whonix-Workstation. This allows [Qubes-Whonix][2] users to create
throw-away instances of their Whonix-Workstation.

**Why Should I Consider Using a Whonix-Workstation DisposableVM?**

Whonix-Workstation DisposableVMs:

* Are quickly generated;
* Are disposed of (deleted) when the user has finished browsing and
other activities in a single session; and
* Will not remember any of the user's activities across DisposableVM
sessions, unless customized.

The major benefit of this approach is that the Whonix-Workstation
DisposableVM can be created in order to host a single application,
usually the Tor Browser, mitigating the risk that a compromise of the
browser will affect any of your other VMs.

Critically, a Tor Browser exploit will not affect (poison) later
instances of the Tor Browser running in a subsequent DisposableVM
session, because the DisposableVM is always started in its original state.

**Can I Customize Whonix-Workstation DisposableVMs?**

Yes. For advanced users, the instructions include steps to create a
customized savefile that will remember specific changes, such as
personalized Tor Browser settings. Due to concerns over possible
fingerprinting issues, users should carefully read the wiki warnings
before proceeding on this course of action.

**Can I Easily Add DisposableVM Entries to the Qubes Menu?**

Not yet for Qubes R3.2 XFCE 4, but you can [edit existing DispVM start
menu entries][11] and [desktop shortcuts can be created][12].

**What Else Should I Know?**

Due to a few usability issues affecting anonymity, do not use
Whonix-Workstation DisposableVMs until:

* You understand Whonix-WS DisposableVMs are NOT yet amnesic; and
* Have carefully read and understood the available Qubes-Whonix
DisposableVM documentation.

Alternatively, you may wish to wait for Qubes 4.0 before you start using
Qubes DisposableVMs, due to [significant enhancements][13] planned for
the later release.

_Credits:_
_This blog post [was written][14] by [torjunkie][14]._

[1]: https://www.whonix.org/w/index.php?title=Qubes/Disposable_VM&oldid=24228
[2]: https://www.qubes-os.org/doc/whonix/
[3]: https://www.qubes-os.org/doc/dispvm/
[4]: https://www.whonix.org/wiki/Qubes/Disposable_VM
[5]: https://forums.whonix.org/t/using-whonix-workstation-as-a-disposablevm-dispvm
[6]: https://forums.whonix.org/t/qubes-dispvm-technical-discussion
[7]: https://www.whonix.org/w/index.php?title=Qubes/Disposable_VM&action=history
[8]: https://www.qubes-os.org/doc/bind-dirs/
[9]: https://theinvisiblethings.blogspot.de/2010/06/disposable-vms.html
[10]: https://www.qubes-os.org
[11]: http://Qubes/Disposable_VM#Edit_Qubes_DisposableVM_start_menu
[12]: https://www.whonix.org/wiki/Qubes/Disposable_VM#Adding_desktop_shortcut
[13]: https://github.com/QubesOS/qubes-issues/issues/866#issuecomment-220495485
[14]: https://forums.whonix.org/t/qubes-dispvm-technical-discussion



Re: [qubes-users] Qubes VM snapshots using git / SVN

2016-12-05 Thread Patrick Schleizer
Why I used git:

* I found it simpler and quicker to type to manage the whole
/var/lib/qubes/vm-templates/vm-name including all files using git rather
than manually that folder.



[qubes-users] Qubes VM snapshots using git / SVN

2016-12-05 Thread Patrick Schleizer
Has anyone used git / SVN on huge Qubes templates (in case they break
during upgrades or for development purposes) for snapshot / rollback
purposes and can share some tips (for speeding git up)?

(Since qvm-revert-template-changes works only on templates and can
revert only to the previous state, not any after multiple VM restarts.)

(Previously posted here:)
https://forums.whonix.org/t/qubes-vm-snapshots-using-git-svn



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-28 Thread Patrick Schleizer
Chris Laprise:
> On 11/16/2016 01:26 PM, Andrew wrote:
>> 3n7r0...@gmail.com:
>>> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>>>> On 11/15/2016 04:04 PM, Unman wrote:
>>>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the
>>>>>>>>> following error in Debian 9:
>>>>>>>>>
>>>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>>>> sudo: PAM authentication error: System error
>>>>>>>>>
>>>>>>>>> Also, in the Debian 8 template the instructions don't match, as
>>>>>>>>> there appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>> Where did you get that template? The file is present in the
>>>>>>>> default 3.2, and even in a minimal-no-recommends template for
>>>>>>>> Debian-8.
>>>>>>>>
>>>>>>>> I'll look at the Debian-9 issue now.
>>>>>>>>
>>>>>>> I'm afraid I don't see this issue in a Debian-9 template.
>>>>>>> Can you check your editing?
>>>>>>>
>>>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
>>>>>>> command, and making sure you get the expected output.
>>>>>>> You should see the prompt (from the policy) and then output from
>>>>>>> dom0.
>>>>>>>
>>>>>>> unman
>>>>>>>
>>>>>> Thanks for checking. However, I triple-checked my editing in
>>>>>> Debian 9 and Debian 8 template is 'stock' basically nothing added
>>>>>> to it.
>>>>>>
>>>>>> The qubes.VMAuth request said 'Request refused'. The doc appears
>>>>>> to have a typo for the second command in Step 1. "Adding Dom0
>>>>>> “VMAuth” service" that causes '$anyvm' to disappear from the
>>>>>> output. This line should use single quotes instead.
>>>>>>
>>>>>> Chris
>>>>> You're right about that typo. Once you fixed it what happened?
>>>> It works now for Debian 9, submitted PR to fix the doc. I don't know
>>>> what the issue is with the missing file in Debian 8... The template's
>>>> basic form may not have a necessary package.
>>>>
>>>> Chris
>>> FWIW, the instructions work when applied to Whonix-Debian-8.
>>>
>>> If I may piggyback on this thread with a related issue... The
>>> instructions (pre-typo) worked fine for both Fedora & Whonix VMs. But
>>> while the Fedora VMs would spin up silently, each Whonix VM required
>>> 4 sudo authorizations at each boot. Do you have any idea what that
>>> might be or how I could trace it? I don't have any user scripts /
>>> rc.local configured. The authorization requests sometimes appear
>>> while the VM light is yellow and other times won't appear until it's
>>> green. I'm worried that they might need to be clicked in the proper
>>> order and there's not enough identifying information on the dialogue
>>> to know what I'm authorizing. Would it be possible to pass the name
>>> of the triggering command to the dom0 sudo prompt?
>>>
> 
> The typo causes the string '$anyvm dom0 ask' to be stored as ' dom0 ask'
> because the shell expands $anyvm to nothing.
> 
> So it's definitely a bug, IMHO.
> 
> The Whonix issue sounds like a decision they made to use sudo from a
> user startup script...? I think Patrick may know which ones they are.
> 
> Chris

Probably related issues:
- https://github.com/QubesOS/qubes-doc/pull/176
- https://github.com/QubesOS/qubes-doc/pull/228

Which led to some changes to https://www.qubes-os.org/doc/vm-sudo/
[which was reported to work now] (and the qubes-whonix package).

I may not work much on this issue however due to Qubes project policy,
explained in detail here:
https://github.com/QubesOS/qubes-doc/pull/176#issuecomment-242894132

Btw I almost missed this mail. As of now, best way to get my attention
btw is adding my e-mail address adrela...@riseup.net or adding Whonix to
the subject. Otherwise I cannot monitor / read all on this kinda high
traffic mailing list.

Cheers,
Patrick



Re: [qubes-users] Qubes 4 with Grsec could make a big splash

2016-11-25 Thread Patrick Schleizer
https://github.com/coldhakca/coldkernel/issues/35#issuecomment-262175541

https://www.coldhak.ca


