[qubes-users] NFC and other creative communications with your qubes-os
I have a simple question, around "things that you have" (like sec. tokens, etc). Many "fido tokens" (yubi, nitro, google) allow NFC communication, most computers as well, but i do not find anything in my qubes (maybe the chips acts as USB client and my USB is down by default?) => Is there a solution to that? I am pretty sure I am not the first one to meditate that question ... Another, more creative idea could be to use the build-in fingerprint scanner but feed it artificial "precalculated random fingerprints". They could work as a second password that you have printed put on a plastic card (using standard, "fingerprint forgery" ideas, i.e. via a laser printer in a positive way) and carry it with you; They might even use as one-time-tokens, if you precalulate a bunch of them :) => did someone ever hear of such ideas? thanks, Bernhard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/044ed16e-67cc-4b1c-a4bc-9ab2b4641082%40web.de.
Re: [qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)
Thank you very much for the help. Time for a crash course on qubes-core-admin. On Mon, Apr 15, 2024 at 9:30 AM Rusty Bird wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Rusty Bird: > > Boryeu Mao: > > > An attempt to shutdown `sys-firewall` in `Qube Manager` receive a > warning > > > about running processes in the qube; similarly on command line > > > `qvm-shutdown sys-firewall` fails with an error. Is it possible to > > > designate an appVM to behave similarly so it won't get shutdown > > > accidentally? > > > > Not as a user-facing feature AFAIK. But you could use the qubes.ext > > Python entry point > > > > > https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/__init__.py#L57-L59 > > > > to add another "domain-pre-shutdown" event handler like this one > > (yours could e.g. check if the VM has a certain tag): > > > > > https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L65-L75 > > Sorry, that second link should have been: > > > https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L31-L38 > > Rusty > -BEGIN PGP SIGNATURE- > > iQKTBAEBCAB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmYdQPRfFIAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0 > QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv > Kt9fGw/+JHmmCw+Ly/YXJ5uYJknlH/Z8hpViEwPnIGuuz7dkiHYa53BeKg+ub035 > EOt0Z2ir8NuhHGXdN77A4j1PA6gXypEBme3sxDoP0uHv1Tc3GSAgbR4NzF0qucxy > EQisGL7LAw05raT5vFv8eWsHwfR1OHAupXZKJzHfjX3CBUce51K2N/eyPiuoX4es > m/1lpLmLWJgXAk2MgvwNop4coRiexLuXGWYpeG+64SrDmB0oJhFZ+8rhUig5UZ41 > ImpkZl+cbFIxVL+j0tcWLlaDt8yTIJzR2lw0afOvHZcqNHlNo2OPSm4HiMfrThVP > 9oAAU5fvTLQtnVJ0Qw49/wm6nr2IFuR3J3Zkz4PA0jVzxuXL6OGzjLuJuFlj01Sj > qxK3oU9dsN2cXCkp0k8gq39UAyHZwaeViFnAxKNm/U/ykRlFhLiloTF3ZvJYl7Vv > 1N54BKKY5RjjtVsBgbDfKVcfSR4UwNt6v2PECfp+l7SpJb4XFiCNb9AoU2UoPQjj > icOPXw8r7AAMZdm+ANuMhTivGIi+7HR4MQ4xKRmD1bJ1qhQPGyuq+6loYJQQX+r4 > 1evr5+hCbQjapWN5IA7mRSgzaUEPC0Yrc5Ttirw81dbuCIPyv+B2c8LwQDvcorIR > A5EhArjwq1nY1N1ArMUKVf5+ONcIu7K56fjnMxyZXer3zExcYyA= > =mP8j > -END PGP SIGNATURE- > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAOBBCnbBeizsTM9GfvMTc7S7TBUSzpE2KMs4zcvv_wCQ%2BqX8qA%40mail.gmail.com.
Re: [qubes-users] Re: Qubes 4.2 installation problems due to Salt alone - what to do?
Thank you! The hardware clock had the wrong date. Therefore the error with salt. Hmm, You might find it more useful to join the Qubes Forum, https://forum.qubes-os.org/ I wanted to reply, so you felt someone will help. Perhaps Clarify some things. Seems from your discussion of SALT, you know something of Linux. If the standard install did not finish correctly. I am not thinking whatever is going on with SALT is the problem. But SALT commands might reveal to some what is happening? So, for me in your situation, I would go through the detail of what I assumed was true, but might not be. Can you clarify. Why are you sure the computer in question is compaitble with Qubes? Have you used Qubes on it before? Did you install UEFI or Legacy? I use Legacy, UEFI is a different set of problems. Does your computer have one or two drives? (I have one computer, with two drives, that will only let me install Qubes to one drive, and the other drive must not have anything on it. Other computers don't care. and I did not say it made sense) Are you trying to accomplish a dual boot? (Qubes wants to be alone on the drive. Some folks have gotten dual boot to work. I have not tried) Did you try to install Qubes on a drive that already had -something? (I have discovered that sometimes Qubes does not like to installed over something else. Sometimes does not care.) Can you devote this computer to using Qubes right now? Or is it a computer you use daily with another OS? (helps to limit suggestions to something that is more reasonable for you to try) I think someone more knowledgeable than myself will come by and recognize your symptoms, and you don't have to worry about answering this. But it can't hurt. In a coupla days, If you have not gotten it going, I will come back and add more suggetions. More confusion. but someone might recognize symptoms and make an easier fix. Cheers. On Sunday, April 14, 2024 at 12:58:26 PM UTC-4 Michael Singer wrote: Dear Qubes Community, I am trying to install Qubes 4.2. in vain, not because the hardware is incompatible, but because of Salt problems. I verified the downloaded ISO according to the instructions, burned the ISO with various programs on a USB stick, among others with the DD command: dd if="./Qubes-R4.2.1-x86_64.iso" of="/dev/sda" status="progress" conv="fsync" I have checked the result and it shows that the hash sum of the USB stick under /dev/sda is the same as the downloaded file: sudo dd if=/dev/sda bs=1M count=$(stat -c %s /home/user/QubesIncoming/XXX/Qubes-R4.2.1-x86_64.iso) iflag=count_bytes | sha256sum a942911a3a4975831324a064f70b34c6965c4e9f6c95afbc531f04d55f947376 When I start the computer with the USB stick and test the medium, the following appears first: Fragment sums: 2695f8d1(...) supported iso: no Then, when the test has run 100 percent, the following appears: [FAILED] If I install anyway, I have to cancel the automatic creation of sys-net, sys-usb and personal AppVMs, because otherwise I get an installation error because the installer does not set the PCI devices to disable strict reset. At the end of the setup it still says: "initial config failed", see /var/log/salt/minion The log there says: Specified ext_pillar interface qvm_prefs unavailable And when I try to update dom0, it fails. The reason is noted in the same log file: Unable to detect release version Cannot prepare internal mirror list: SSL peer certificate or SSH remote key was not OK for https://mirrors.fedora(...) Everything otherwise works according to the HCL report, including Suspend, Ethernet, USB, Speaker. Strange thing was that no default-mgmt-dvm seemed to be present and was not started during update attempts. I have already tried the installation with 4.2.0 and 4.2.1, with standard kernel and with the latest kernel. How could I solve the problem? Thank you, Michael Singer -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/04644821-831b-4657-990d-84ab2c56309f%40posteo.de.
[qubes-users] HCL : NitroPC 2 - MSI Z790-P Intel i9 14900K
HCL report NitroPC 2 - MSI Z790-P Intel i9 14900K This is Qubes certified, of course, but here's an HCL report anyway. --- layout: 'hcl' type: 'Desktop' hvm: 'yes' iommu: 'yes' slat: 'yes' tpm: 'unknown' remap: 'yes' brand: | Micro-Star International Co., Ltd. model: | MS-7E06 bios: | Dasharo (coreboot+UEFI) v0.9.1 cpu: | Intel(R) Core(TM) i9-14900K cpu-short: | FIXME chipset: | Intel Corporation Device [8086:a700] (rev 01) chipset-short: | FIXME gpu: | Intel Corporation Raptor Lake-S GT1 [UHD Graphics 770] [8086:a780] (rev 04) (prog-if 00 [VGA controller]) gpu-short: | FIXME network: | Intel Corporation Ethernet Controller I225-V [8086:15f3] (rev 03) memory: | 65376 scsi: | usb: | 1 certified: 'no' versions: - works: 'yes' qubes: | R4.2.1 xen: | 4.17.3 kernel: | 6.6.21-1 remark: | No problems noticed. Qubes certified. Very Fast. credit: | code9n link: | FIXLINK -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/54d6b847-4390-45c1-ac7a-b35347d76713n%40googlegroups.com.
Re: [qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rusty Bird: > Boryeu Mao: > > An attempt to shutdown `sys-firewall` in `Qube Manager` receive a warning > > about running processes in the qube; similarly on command line > > `qvm-shutdown sys-firewall` fails with an error. Is it possible to > > designate an appVM to behave similarly so it won't get shutdown > > accidentally? > > Not as a user-facing feature AFAIK. But you could use the qubes.ext > Python entry point > > https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/__init__.py#L57-L59 > > to add another "domain-pre-shutdown" event handler like this one > (yours could e.g. check if the VM has a certain tag): > > https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L65-L75 Sorry, that second link should have been: https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L31-L38 Rusty -BEGIN PGP SIGNATURE- iQKTBAEBCAB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmYdQPRfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0 QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv Kt9fGw/+JHmmCw+Ly/YXJ5uYJknlH/Z8hpViEwPnIGuuz7dkiHYa53BeKg+ub035 EOt0Z2ir8NuhHGXdN77A4j1PA6gXypEBme3sxDoP0uHv1Tc3GSAgbR4NzF0qucxy EQisGL7LAw05raT5vFv8eWsHwfR1OHAupXZKJzHfjX3CBUce51K2N/eyPiuoX4es m/1lpLmLWJgXAk2MgvwNop4coRiexLuXGWYpeG+64SrDmB0oJhFZ+8rhUig5UZ41 ImpkZl+cbFIxVL+j0tcWLlaDt8yTIJzR2lw0afOvHZcqNHlNo2OPSm4HiMfrThVP 9oAAU5fvTLQtnVJ0Qw49/wm6nr2IFuR3J3Zkz4PA0jVzxuXL6OGzjLuJuFlj01Sj qxK3oU9dsN2cXCkp0k8gq39UAyHZwaeViFnAxKNm/U/ykRlFhLiloTF3ZvJYl7Vv 1N54BKKY5RjjtVsBgbDfKVcfSR4UwNt6v2PECfp+l7SpJb4XFiCNb9AoU2UoPQjj icOPXw8r7AAMZdm+ANuMhTivGIi+7HR4MQ4xKRmD1bJ1qhQPGyuq+6loYJQQX+r4 1evr5+hCbQjapWN5IA7mRSgzaUEPC0Yrc5Ttirw81dbuCIPyv+B2c8LwQDvcorIR A5EhArjwq1nY1N1ArMUKVf5+ONcIu7K56fjnMxyZXer3zExcYyA= =mP8j -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Zh1A9DYFnKTnQt_z%40mutt.
Re: [qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Boryeu Mao: > An attempt to shutdown `sys-firewall` in `Qube Manager` receive a warning > about running processes in the qube; similarly on command line > `qvm-shutdown sys-firewall` fails with an error. Is it possible to > designate an appVM to behave similarly so it won't get shutdown > accidentally? Not as a user-facing feature AFAIK. But you could use the qubes.ext Python entry point https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/__init__.py#L57-L59 to add another "domain-pre-shutdown" event handler like this one (yours could e.g. check if the VM has a certain tag): https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L65-L75 Rusty -BEGIN PGP SIGNATURE- iQKTBAEBCAB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmYdP79fFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0 QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv Kt/s0A//d0ks6I+il3Y/rnG5IINmEUMC8yKdTQM9E/xQQZlqSZOUHh4OSkdZB6ON N/Iv1skUvVRuUxF8kFJ9M88FYH8X+fZsWr9ZQ18xPk+oQuQBarWTgT+TeprGj8CX WSG1dfzyFs/m5DuE4M0xvzV9efIyfA80hRl/5VwLYLscMas2Dkvfcc8yWcdDkoY7 zKcI9jZzkUPfA5gAp92NWH10kYBdWlMYiqRLW22OT+Xe/dkohs/a80B1smKRZf7D K9sF4CXauJxqxV8m+wMO8yma1jBEBoijkPZxf3m/z4SNl+cfcvLRvy+zV41dsTca nkfvP2LflDWCpJFsdK77GQPGvx7ojX09ExAXu56kZJiQAn+rWFcX8edI+E+RQ0Z/ UMZ9a8Juj3s/myNEGr+MrhrdQ5qvUEafCOVBpLJG65xAw0B7eAAqG/vbboucaaVy pQMFcYCyPxMzlMZQz82JHpzGiVscislC8naMYFneM9jsSL2K9D+P99tlHIziKt9w dwUwvbuUOJtaZm94YMIbJkUaSK9BDInx49LAlzA5pAtRX4CMHY2YzYkLEUis2oAe Ynj620eSnEwmPPa4sS97T+dnuO94S32UZrDLzYu7FZn4Rm5Gp6vq5pgbxXqkp8id BdRn5dzQI6l4fijl+6FgfMTSZzVBNr7svjuGY8D0v3OfbywnT9Y= =3CXB -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Zh0_v3dVrNYbjzcT%40mutt.
[qubes-users] Re: Qubes 4.2 installation problems due to Salt alone - what to do?
Hmm, You might find it more useful to join the Qubes Forum, https://forum.qubes-os.org/ I wanted to reply, so you felt someone will help. Perhaps Clarify some things. Seems from your discussion of SALT, you know something of Linux. If the standard install did not finish correctly. I am not thinking whatever is going on with SALT is the problem. But SALT commands might reveal to some what is happening? So, for me in your situation, I would go through the detail of what I assumed was true, but might not be. Can you clarify. Why are you sure the computer in question is compaitble with Qubes? Have you used Qubes on it before? Did you install UEFI or Legacy? I use Legacy, UEFI is a different set of problems. Does your computer have one or two drives? (I have one computer, with two drives, that will only let me install Qubes to one drive, and the other drive must not have anything on it. Other computers don't care. and I did not say it made sense) Are you trying to accomplish a dual boot? (Qubes wants to be alone on the drive. Some folks have gotten dual boot to work. I have not tried) Did you try to install Qubes on a drive that already had -something? (I have discovered that sometimes Qubes does not like to installed over something else. Sometimes does not care.) Can you devote this computer to using Qubes right now? Or is it a computer you use daily with another OS? (helps to limit suggestions to something that is more reasonable for you to try) I think someone more knowledgeable than myself will come by and recognize your symptoms, and you don't have to worry about answering this. But it can't hurt. In a coupla days, If you have not gotten it going, I will come back and add more suggetions. More confusion. but someone might recognize symptoms and make an easier fix. Cheers. On Sunday, April 14, 2024 at 12:58:26 PM UTC-4 Michael Singer wrote: > Dear Qubes Community, > > I am trying to install Qubes 4.2. in vain, not because the hardware is > incompatible, but because of Salt problems. I verified the downloaded ISO > according to the instructions, burned the ISO with various programs on a > USB stick, among others with the DD command: > > > dd if="./Qubes-R4.2.1-x86_64.iso" of="/dev/sda" status="progress" > conv="fsync" > > I have checked the result and it shows that the hash sum of the USB stick > under /dev/sda is the same as the downloaded file: > > > sudo dd if=/dev/sda bs=1M count=$(stat -c %s > /home/user/QubesIncoming/XXX/Qubes-R4.2.1-x86_64.iso) iflag=count_bytes | > sha256sum > > a942911a3a4975831324a064f70b34c6965c4e9f6c95afbc531f04d55f947376 > > When I start the computer with the USB stick and test the medium, the > following appears first: > > > Fragment sums: 2695f8d1(...) > > supported iso: no > > Then, when the test has run 100 percent, the following appears: > > > [FAILED] > > If I install anyway, I have to cancel the automatic creation of sys-net, > sys-usb and personal AppVMs, because otherwise I get an installation error > because the installer does not set the PCI devices to disable strict reset. > At the end of the setup it still says: > > > "initial config failed", see /var/log/salt/minion > > The log there says: > > > Specified ext_pillar interface qvm_prefs unavailable > > And when I try to update dom0, it fails. The reason is noted in the same > log file: > > > Unable to detect release version > > Cannot prepare internal mirror list: SSL peer certificate or SSH remote > key was not OK for https://mirrors.fedora(...) > > Everything otherwise works according to the HCL report, including Suspend, > Ethernet, USB, Speaker. Strange thing was that no default-mgmt-dvm seemed > to be present and was not started during update attempts. > > I have already tried the installation with 4.2.0 and 4.2.1, with standard > kernel and with the latest kernel. > > How could I solve the problem? > > Thank you, > Michael Singer > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/df925c81-1683-4cff-b183-aaeb36ea49ben%40googlegroups.com.
[qubes-users] Installing a managed windows VPS on qubes.
I bought a managed windows VPS that I want to add to QubesOS/whonix(Debian-12). How do I proceed? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAF4vDVCsxbStJgjabRsvRVqnyj4vNx%3DyaDBaOUxzZSGUZjAmFQ%40mail.gmail.com.
[qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)
An attempt to shutdown `sys-firewall` in `Qube Manager` receive a warning about running processes in the qube; similarly on command line `qvm-shutdown sys-firewall` fails with an error. Is it possible to designate an appVM to behave similarly so it won't get shutdown accidentally? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0d4820fc-c6d9-4d2d-97d1-268c8abd5876n%40googlegroups.com.
[qubes-users] Qubes 4.2 installation problems due to Salt alone - what to do?
Dear Qubes Community, I am trying to install Qubes 4.2. in vain, not because the hardware is incompatible, but because of Salt problems. I verified the downloaded ISO according to the instructions, burned the ISO with various programs on a USB stick, among others with the DD command: dd if="./Qubes-R4.2.1-x86_64.iso" of="/dev/sda" status="progress" conv="fsync" I have checked the result and it shows that the hash sum of the USB stick under /dev/sda is the same as the downloaded file: sudo dd if=/dev/sda bs=1M count=$(stat -c %s /home/user/QubesIncoming/XXX/Qubes-R4.2.1-x86_64.iso) iflag=count_bytes | sha256sum a942911a3a4975831324a064f70b34c6965c4e9f6c95afbc531f04d55f947376 When I start the computer with the USB stick and test the medium, the following appears first: Fragment sums: 2695f8d1(...) supported iso: no Then, when the test has run 100 percent, the following appears: [FAILED] If I install anyway, I have to cancel the automatic creation of sys-net, sys-usb and personal AppVMs, because otherwise I get an installation error because the installer does not set the PCI devices to disable strict reset. At the end of the setup it still says: "initial config failed", see /var/log/salt/minion The log there says: Specified ext_pillar interface qvm_prefs unavailable And when I try to update dom0, it fails. The reason is noted in the same log file: Unable to detect release version Cannot prepare internal mirror list: SSL peer certificate or SSH remote key was not OK for https://mirrors.fedora(...) Everything otherwise works according to the HCL report, including Suspend, Ethernet, USB, Speaker. Strange thing was that no default-mgmt-dvm seemed to be present and was not started during update attempts. I have already tried the installation with 4.2.0 and 4.2.1, with standard kernel and with the latest kernel. How could I solve the problem? Thank you, Michael Singer -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ba7c6888-12ce-4ccc-87d5-38b8b80e9569%40posteo.de.
[qubes-users] XSAs released on 2024-04-09
Dear Qubes Community, The [Xen Project](https://xenproject.org/) has released one or more [Xen security advisories (XSAs)](https://xenbits.xen.org/xsa/). The security of Qubes OS *is affected*. ## XSAs that DO affect the security of Qubes OS The following XSAs *do affect* the security of Qubes OS: - [XSA-455](https://xenbits.xen.org/xsa/advisory-455.html) - See [QSB-102](https://www.qubes-os.org/news/2024/04/10/qsb-102/) - [XSA-456](https://xenbits.xen.org/xsa/advisory-456.html) (At the time of publication, this page was missing from the Xen Project website, so we are also including a link to the [email announcement for XSA-456](https://lists.xenproject.org/archives/html/xen-announce/2024-04/msg4.html).) - See [QSB-102](https://www.qubes-os.org/news/2024/04/10/qsb-102/) ## XSAs that DO NOT affect the security of Qubes OS The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary: - [XSA-454](https://xenbits.xen.org/xsa/advisory-454.html) - Denial of service (DoS) only ## About this announcement Qubes OS uses the [Xen hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its [architecture](https://www.qubes-os.org/doc/architecture/). When the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a [Xen security advisory (XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a [Qubes security bulletin (QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only *positive* confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs cannot provide *negative* confirmation that other XSAs do *not* affect the security of Qubes OS. Therefore, we also maintain an [XSA tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/04/10/xsas-released-on-2024-04-09/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/23faf24b-9c58-48ca-a496-3635efa667ac%40qubes-os.org.
[qubes-users] QSB-102: Multiple speculative-execution vulnerabilities: Spectre-BHB, BTC/SRSO (XSA-455, XSA-456)
wFpqe 9Bhifj28JPUhQyY/el/gcMXacxnGulp+XOXHDMCKZ9aL+bWXs0OiI28se/zMWvUt 0uKFDaj/dXkcpOsprG7Jlh/XRqXfH0AkAlmoLznpPdNBZXIImQA/hoFP1Lorab9z XjfUJYkYUwq0+jU2snIJxF5MFxwMbxFHtY0zrlZVraB0MrY1xQKCBg05dUC0eF7N jaTCW1p1pRCm/Ph/qo6jc4AkQNw/70JozO1EXMZfDLYMPYs7mGu5WSRxELKyLGgb nJFwjPPgapNvXQmLTFa067iK89FO2zH6VuLEHbId+vt+slncOuZEXR08XvNt8brd Sm6QsZyy63oTbzGyvpLUutxff3NYkYN0018M13Aigi94RZwUvowLDuFTERh+wmQI OE78851LZg5RxAhkY/fgRtNiLkpEdLAQ8/vq8kFthwUg4FgS+Qv0bGWWVz7Sl5np POMvyN/aaFqI6XGWhQtrjGVoqkHcO1ISuIjxkHw1QhXY1/OkEITGNshn0AB3Zj0M bEqJMBdYMzQaKFl6+ijGSOe3tO/7jeVFyuaA2Sh9u3qC4tnaoIwhthTlHDJTmzgb GEYRGfkSV/ZFCN/j4RzSSMtGdhTeHu957NBxv/WEmpdVIoeTUiE= =6Hyn -END PGP SIGNATURE- ``` *Source*: [qsb-102-2024.txt.sig.marmarek](https://github.com/QubesOS/qubes-secpack/blob/b1891ece2e914f644a9141b1d6f8e8ae07091dab/QSBs/qsb-102-2024.txt.sig.marmarek) ## [Simon Gaiser (aka HW42)](https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)'s PGP signature ``` -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmYVnSEACgkQSsGN4REu FJCefw//T4I2eEkRzhic2ltZxuRDr17B2HreVv0uch/VFAL/P3gNQk64SlE+cgFu 49lPjfcdOOoGuUZnpqcSoBxT3w44BsZDKb1LHlU1qjTVOAMrN3DKmbH94h97Xniv VYng2CDX/rP9MWZ6wEzsrTW+RfHCE6HGBUrHSXoQSfQHb9TMLFS5wnONLorLUWDG uOiT+SiZErbgs5HknzSkR40ip66rS6ijr1lPQEekKbnySZOMC1RnTcD2CNTNA0SJ X2GBh06Izd8dPUPX+P8yyfY7whZrS+JHZA9KlQxbTigzjhkMCsAMgXOYjBbPxszb WPveDNFZrR6qbQ3qkf4PmoxMVgnJlkDT94nwaYA/yVzd1TDbjds3fX6ugzUa71iS Qh0lUThIVRy2i/rXPLVz1z+0rn66o/lvn4MlPISrnEcz3RG1z9dVff3/opbmgvkV b9INOf+f8l5ZtV8Alz3DKeOPqWmFeiIyWU59WN4V8nekusW4Ui3G/g9KPGx3cGHV QjjLatmhqdwb+CuKrV64A2SjxBExTicUklkFNZgKC4gvt+Nz5DBpzd8nIdbZ+UvX zeyL8rXtUvPNTj2KuX341jHEgShvd45K7Ep0yYx/NZFeYYUVywHsbeJIRmm4pn5/ +pqujK+aMXzu6ZUoOBIWK0lb9mhToZ+4iTomi+YdTYg1v+ww7/s= =6Z50 -END PGP SIGNATURE- ``` *Source*: [qsb-102-2024.txt.sig.simon](https://github.com/QubesOS/qubes-secpack/blob/b1891ece2e914f644a9141b1d6f8e8ae07091dab/QSBs/qsb-102-2024.txt.sig.simon) ## What is the purpose of this announcement? The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published. ## What is a Qubes security bulletin (QSB)? A Qubes security bulletin (QSB) is a security announcement issued by the [Qubes security team](https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see [Qubes security bulletins (QSBs)](https://www.qubes-os.org/security/qsb/). ## Why should I care about QSBs? QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by [updating normally](https://www.qubes-os.org/doc/how-to-update/). However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs. ## What are the PGP signatures that accompany QSBs? A [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic [digital signature](https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like [GNU Privacy Guard (GPG)](https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures. ## Why should I care whether a QSB is authentic? A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project. ## How do I verify the PGP signatures on a QSB? The following command-line instructions assume a Linux system with `git` and `gpg` installed. (For Windows and Mac options, see [OpenPGP software](https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).) 1. Obtain the Qubes Master Signing Key (QMSK), e.g.: ```shell_session $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/user/.gnupg' created gpg: keybox '/home/user/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 ``` (For more ways to obtain the QMSK, see [How to import and authenticate the Qubes Master Signing Key]
[qubes-users] Let's close this thread ...
On Thu, 4 Apr 2024, 19:45 Viktor Ransmayr, wrote: > Hello 'Haaber' & Qubes OS community, > > Am Di., 20. Feb. 2024 um 20:12 Uhr schrieb Viktor Ransmayr < > viktor.ransm...@gmail.com>: > >> ... >> Am Di., 20. Feb. 2024 um 11:10 Uhr schrieb 'haaber' via qubes-users < >> qubes-users@googlegroups.com>: >> >>> ... >>> >>> all updates go via tor network (sys-whonix) by default. You could click >>> on the blue qube widget -> sys-wonix -> run terminal and see if sys-whonix >>> has network. But I >>> >> It took much longer due to private reasons - but - I can report that I > was able to fully recover from the backups ! > > What I did different than suggested was that I started with a clean > re-install of Qubes OS 4.1 ... > Let's close this thread ! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAeSrGKe6ErPWJmi%2BbrC_hrvPBTiR-7m%3DjD0AUo6FnSKagPM7A%40mail.gmail.com.
Re: [qubes-users] Need help after a failed in-place upgrade attempt
Hello 'Haaber' & Qubes OS community, Am Di., 20. Feb. 2024 um 20:12 Uhr schrieb Viktor Ransmayr < viktor.ransm...@gmail.com>: > ... > Am Di., 20. Feb. 2024 um 11:10 Uhr schrieb 'haaber' via qubes-users < > qubes-users@googlegroups.com>: > >> ... >> >> all updates go via tor network (sys-whonix) by default. You could click >> on the blue qube widget -> sys-wonix -> run terminal and see if sys-whonix >> has network. But I guess not. Here is why: >> >> https://www.qubes-os.org/doc/firewall/ >> >> I wild-guess that you are in a "half-state" where one part of the system >> expects iptables, another one nftables ... >> >> Did you download / start to download new (debian/fedora) Templates or are >> they the "old" ones? >> >> I did not see any other user jump to your help, and I am not good enough >> to fix that alone for you. So honestly, at your place I would >> >> (1) backup data (again) >> >> (2) extract the list of manually installed packages in each of your >> templates and stock them on your backup drive >> >> ("apt-mark showmanual > manual.packages.list" in a terminal is your >> friend, no root priv needed) >> >> (3) re-install a clean 4.2 >> >> (4) replay your manual installs of packages in your templates: >> >> "cat manual.packages.list | apt-get install " or something of this >> type should work (run as root) >> >> (5) restore your data. >> >> It's a pain and takes half a day, but I fear that it is, at the end of >> the day, faster than any other solution... >> >> good luck! >> > > Thanks a lot ! > > This is exactly the feedback I was hoping for. > > I'll investigate further on my side & will provide an update from my side > before the end of the week ... > It took much longer due to private reasons - but - I can report that I was able to fully recover from the backups ! What I did different than suggested was that I started with a clean re-install of Qubes OS 4.1 ... Now I've started a second attempt of an in-place upgrade - and - are already running into issues again at STAGE 1: Here is the dom0 - log: ### [vr@dom0 ~]$ [vr@dom0 ~]$ sudo qubes-dist-upgrade --update WARNING: /!\ MAKE SURE YOU HAVE MADE A BACKUP OF ALL YOUR VMs AND dom0 DATA /!\ -> Launch upgrade process? [y/N] y ---> Allow shutdown of unnecessary VM (use --keep-running to exclude some): fedora-feedly-vm fedora-qubes-study-vm? [y/N] y ---> (STAGE 1) Do you want to make a dom0 snapshot? [y/N] y WARNING: Sum of all thin volume sizes (<2.83 TiB) exceeds the size of thin pools and the size of whole volume group (<475.34 GiB). Logical volume "Qubes41UpgradeBackup" created. --> If upgrade to 4.2 fails, you can restore your dom0 snapshot with sudo lvconvert --merge qubes_dom0/Qubes41UpgradeBackup. Reboot after restoration. ---> (STAGE 1) Updating dom0... Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time... Qubes OS Repository for Dom02.9 MB/s | 3.0 kB 00:00 Qubes OS Repository for Dom06.7 MB/s | 192 kB 00:00 kernel-latest.x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached kernel-latest-devel.x86_641000:6.7.7-1.qubes.fc32 qubes-dom0-cached kernel-latest-modules.x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached kernel-latest-qubes-vm.x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached qubes-usb-proxy-dom0.noarch 1.2.0-1.fc32 qubes-dom0-cached Qubes OS Repository for Dom02.9 MB/s | 3.0 kB 00:00 Dependencies resolved. PackageArch Version Repository Size Installing: kernel-latest x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached 12 M kernel-latest-develx86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached 15 M kernel-latest-modules x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached 76 M kernel-latest-qubes-vm x86_64 1000:6.7.7-1.qubes.fc32 qubes-dom0-cached 18 M Upgrading: qubes-usb-proxy-dom0 noarch 1.2.0-1.fc32 qubes-dom0-cached 25 k Transaction Summary Install 4 Packages Upgrade 1 Package Total size: 121 M Is this ok [y/N]: y Downloading Packages: Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transacti
[qubes-users] S0ix (s2idle sleep) on 13th gen intel draining battery
Dear all, My 13th gen intel raptor lake Dell laptop only supports one sleep mode: s2idle a.k.a. S0ix, which drains the battery 7%/h -> empty over night. I am not the only one with that problem https://discussion.fedoraproject.org/t/please-improve-the-s0ix-experience-under-linux/79113/2 Installed TLP on dom0, no difference. https://www.phoronix.com/news/Intel-S0ix-Linux-Failure-Hot reports that https://lore.kernel.org/linux-acpi/20220505015814.3727692-1-rui.zh...@intel.com/T/ can help. Any hope that this makes it into the qubes kernel? Maybe some other HW needs to be explicitly configured. Any idea? Peter. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/954ab4c7-8a57-409c-9b79-3a90db7c0151n%40googlegroups.com.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
On 4/2/24 1:20 AM, qubist wrote: > On Mon, 1 Apr 2024 16:33:13 -0700 Andrew David Wong wrote: > >> [...] to the average user [...] > > Targeting abstract entities is confusing. > Feel free to replace that part with "to the vast majority of users," then. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fe28f939-9cf8-4b2d-ae90-016738d29725%40qubes-os.org.
[qubes-users] Per computer model wiki
Hello, Is there any official, user editable documentation, where we can submit configuration tips for specific computer models ? Once the initial HCL report is out, it would be great to link from there to specific instructions for a given model to fix remaining issues when possible. For example the HCL for the *Framework Laptop 13 * Ryzen 7 7840U AMD still states that the touchpad is not working while a fix is available. Thanks. Sébastien -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/43e0a3ea-d782-4304-9d32-0805c35f2652n%40googlegroups.com.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
On Mon, 1 Apr 2024 16:33:13 -0700 Andrew David Wong wrote: > [...] to the average user [...] Targeting abstract entities is confusing. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240402082029.3a4c2a7e%40localhost.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
On 4/1/24 2:38 PM, Demi Marie Obenour wrote: > On Sun, Mar 31, 2024 at 03:45:29PM -0700, Andrew David Wong wrote: >> On 3/27/24 2:57 AM, qubist wrote: >>> On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote: >>> >>>> ## What's new in Qubes OS 4.2.1? >>>> >>>> [...] >>>> >>>> For more information about the changes included [...] >>> >>> It would be much better to have a more detailed (yet concise) >>> changelog. It is highly unlikely that the user will read pages upon >>> pages of issues on a bug tracker, just to find out what is new. >>> >>> My $0.02. :) >>> > >> The concise changelog is already present, in the part you elided. Unlike >> major and minor releases, the primary purpose of patch releases is not to >> deliver new features or enhancements worth showcasing. Rather, the primary >> purpose is to provide a secure and convenient way for users to install (or >> reinstall) the latest stable Qubes release with an up-to-date ISO. > >> Imagine if we had a major or minor release, then we didn't have any further >> releases for a year. Users who wanted to (re)install Qubes would have to use >> a year-old ISO, then immediately catch up on a year's worth of updates, >> which could take quite a long time. Moreover, any bugs that affected the >> installation or initial update processes themselves might be complete >> blockers for some users. A security vulnerability in the update mechanism >> could make that initial update risky. > >> The purpose of these patch releases is mainly just to move up the "starting >> point" so that fresh installations don't have as far to "catch up" before >> they're on par with existing, regularly-updated installations. That's why >> the main summary of changes is just "all the routine updates you would've >> gotten if you had installed 4.2.0 and kept it up to date." Some of these >> routine updates will be of interest to some users while being of no interest >> at all to most other users. There should rarely be any that are of interest >> to *all* users. (Those should usually go in major or minor releases instead.) > > With the obvious exception of security patches. It occurred to me after I sent this that someone would probably point this out. Yes, but we already make a separate announcement for each and every QSB, so it would be somewhat redundant to repeat that in every patch release announcement. I'm not sure why listing the exact QSB patches included in a given patch release would be more useful to the average user than just saying "includes all security patches to date" (which is entailed by "includes all updates to date"). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/01ec459d-876c-46e3-88de-3ef2640a00c4%40qubes-os.org.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Sun, Mar 31, 2024 at 03:45:29PM -0700, Andrew David Wong wrote: > On 3/27/24 2:57 AM, qubist wrote: > > On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote: > > > >> ## What's new in Qubes OS 4.2.1? > >> > >> [...] > >> > >> For more information about the changes included [...] > > > > It would be much better to have a more detailed (yet concise) > > changelog. It is highly unlikely that the user will read pages upon > > pages of issues on a bug tracker, just to find out what is new. > > > > My $0.02. :) > > > > The concise changelog is already present, in the part you elided. Unlike > major and minor releases, the primary purpose of patch releases is not to > deliver new features or enhancements worth showcasing. Rather, the primary > purpose is to provide a secure and convenient way for users to install (or > reinstall) the latest stable Qubes release with an up-to-date ISO. > > Imagine if we had a major or minor release, then we didn't have any further > releases for a year. Users who wanted to (re)install Qubes would have to use > a year-old ISO, then immediately catch up on a year's worth of updates, which > could take quite a long time. Moreover, any bugs that affected the > installation or initial update processes themselves might be complete > blockers for some users. A security vulnerability in the update mechanism > could make that initial update risky. > > The purpose of these patch releases is mainly just to move up the "starting > point" so that fresh installations don't have as far to "catch up" before > they're on par with existing, regularly-updated installations. That's why the > main summary of changes is just "all the routine updates you would've gotten > if you had installed 4.2.0 and kept it up to date." Some of these routine > updates will be of interest to some users while being of no interest at all > to most other users. There should rarely be any that are of interest to *all* > users. (Those should usually go in major or minor releases instead.) With the obvious exception of security patches. - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmYLKVsACgkQsoi1X/+c IsF/+A//UsDrsR/wwgeSJgGgIVkElvB+W4TWMCOsx7NSTjZ4yWXw7e63hOTvVGTo 6tegSUDcfYMUty27KJKSsjc9difhQUuDco/CEvK2DOLDpEKO8IJtHU18+3zrk+0N xweBTXuPD1T/FNbJAH3dKSdSsvXXmcqHW3FW6+q7AsnY3icg6zmdAsnqKVh7dylq b3NwWLva/JOn1sxa214kxJmRkfG53o01jv9QTDviYqmGb0FBJ7P6tXFIp9sEMNlX AqEGHF6Tj0fxQdvml3HlBZT0XZ265e6Th4xVhuA6titwML7HlIZDYu3AZP72u02E NPOOZ29rgrUwTQsNPgDzJe3eAgxEiynOnAiabLSwF4HW8A0yJVgR02Lm46Vr+Npg /LLxrmh4jRurhlpElvwA44nIenKpjprG5wFz48JHhrK+vyktxteyWTdvhE343nZh tQYUEj9hsNscPuiwuNmbxqAhsuNMndhRHAcL/H/r6Sw88NmYj0YiWH7+NtrilVAs Lp9S3oBeSjX+5QaD2abH8KnbjH7VdbynRFK1o3wXwUG/05KkT35RYw7eIojtDbCy QWJpykgJfy50xn97s5Mtm5TvkN5TnE9TQx1UIOia/36IZBwatdPtO/lPZGCpSaDZ 9IF64BucZGcZts2xJnwV0s9VPfPpG9XN4IiB1EZzg6ko0XLrsVA= =HFwF -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZgspXMfjRaMrx_Zo%40itl-email.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
Thanks for explaining. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240401172142.2b375807%40localhost.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
On 3/27/24 2:57 AM, qubist wrote: > On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote: > >> ## What's new in Qubes OS 4.2.1? >> >> [...] >> >> For more information about the changes included [...] > > It would be much better to have a more detailed (yet concise) > changelog. It is highly unlikely that the user will read pages upon > pages of issues on a bug tracker, just to find out what is new. > > My $0.02. :) > The concise changelog is already present, in the part you elided. Unlike major and minor releases, the primary purpose of patch releases is not to deliver new features or enhancements worth showcasing. Rather, the primary purpose is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. Imagine if we had a major or minor release, then we didn't have any further releases for a year. Users who wanted to (re)install Qubes would have to use a year-old ISO, then immediately catch up on a year's worth of updates, which could take quite a long time. Moreover, any bugs that affected the installation or initial update processes themselves might be complete blockers for some users. A security vulnerability in the update mechanism could make that initial update risky. The purpose of these patch releases is mainly just to move up the "starting point" so that fresh installations don't have as far to "catch up" before they're on par with existing, regularly-updated installations. That's why the main summary of changes is just "all the routine updates you would've gotten if you had installed 4.2.0 and kept it up to date." Some of these routine updates will be of interest to some users while being of no interest at all to most other users. There should rarely be any that are of interest to *all* users. (Those should usually go in major or minor releases instead.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1aa33712-c69f-47e6-ba8b-63552559d326%40qubes-os.org.
Re: [qubes-users] sshuttle?
Thanks Tim! In my case (Qubes 4.2) it was nft add rule ip qubes custom-input iifname "vif*" accept On Saturday, March 30, 2024 at 3:00:59 PM UTC+1 Tim Faber wrote: > Hi Peter, > > that does the trick for me (in /rw/config/rc.local on Qubes 4.1): > iptables -I INPUT 2 -i vif+ -j ACCEPT > ip route add local default dev lo table 100 > ip rule add fwmark 1 lookup 100 > > sshuttle --dns -D --method tproxy --exclude REMOTE_SERVER --exclude > 10.0.0.0/8 --disable-ipv6 --listen 0.0.0.0:0 -r REMOTE_SERVER 0/0 > > > All the best > > > On 3/30/24 12:52, Peter Palensky wrote: > > I need a sys-sshuttle qube to encapsulate traffic via sshuttle. Locally > > (from sys-sshuttle) it works, but connected qubes get the previously > > mentioned "no connection to host" message. > > > > Played around with various nft ideas, but no success. > > > > tcpdump on the vif shows requests (e.g. DNS, http, etc.) but they are > > not answered. > > > > How do i redirect incoming traffic from vif to the sshuttle process > > listening on port 12300 as it is happening with local traffic? > > On Wednesday, February 18, 2015 at 9:05:10 PM UTC+1 HW42 wrote: > > > > D. J. Bernstein: > > > Has anyone tried setting up sshuttle under Qubes? > > > > Haven't used it before but I did a quick test. > > > > > After setting up root@netvm to be able to ssh to another machine > > ("ssh > > > speed"), I ran > > > > > > sshuttle -v -r speed 0/0 -x 10/8 > > > > > > and expected that outgoing TCP connections would be transparently > > > proxied via the ssh connection. The sshuttle program reported > > that it > > > was doing > > > > > > iptables -t nat -N sshuttle-12300 > > > iptables -t nat -F sshuttle-12300 > > > iptables -t nat -I OUTPUT 1 -j sshuttle-12300 > > > iptables -t nat -I PREROUTING 1 -j sshuttle-12300 > > > iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 > > <http://127.0.0.0/8> -p tcp > > > iptables -t nat -A sshuttle-12300 -j RETURN --dest 10.0.0.0/8 > > <http://10.0.0.0/8> -p tcp > > > iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 > > <http://0.0.0.0/0> -p tcp --to-ports 12300 -m ttl ! --ttl 42 > > > > > > as I expected, and outgoing TCP connections _from netvm_ were > > proxied as > > > I expected, but outgoing TCP connections from other VMs failed > > with "no > > > route to host". > > > > > > I haven't explored how the Qubes intra-host networking setup works, > > > haven't started debugging with tcpdump, etc.; I'm just hoping that > > > someone else has already looked at this. > > > > sshuttle needs to accept connection from external ips (only > > localhost by > > default) and listen on fixed port: > > sshuttle -v -l 0.0.0.0:123000 -r speed 0/0 -x 10/8 > > > > Allow the redirected packets: > > iptables -I INPUT 1 -i vif+ -p tcp --dport 12300 -j ACCEPT > > > > WARNING: This makes FORWARD firewall rules ineffective. > > > > > > HW42 > > > > > > -- > > You received this message because you are subscribed to the Google > > Groups "qubes-users" group. > > To unsubscribe from this group and stop receiving emails from it, send > > an email to qubes-users...@googlegroups.com > > <mailto:qubes-users...@googlegroups.com>. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/qubes-users/6cc6eba0-a1ac-48de-9146-1b3e3db8948dn%40googlegroups.com > > < > https://groups.google.com/d/msgid/qubes-users/6cc6eba0-a1ac-48de-9146-1b3e3db8948dn%40googlegroups.com?utm_medium=email_source=footer > >. > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7ee4407b-c3c9-4653-b16d-b79213fa7428n%40googlegroups.com.
Re: [qubes-users] sshuttle?
Hi Peter, that does the trick for me (in /rw/config/rc.local on Qubes 4.1): iptables -I INPUT 2 -i vif+ -j ACCEPT ip route add local default dev lo table 100 ip rule add fwmark 1 lookup 100 sshuttle --dns -D --method tproxy --exclude REMOTE_SERVER --exclude 10.0.0.0/8 --disable-ipv6 --listen 0.0.0.0:0 -r REMOTE_SERVER 0/0 All the best On 3/30/24 12:52, Peter Palensky wrote: I need a sys-sshuttle qube to encapsulate traffic via sshuttle. Locally (from sys-sshuttle) it works, but connected qubes get the previously mentioned "no connection to host" message. Played around with various nft ideas, but no success. tcpdump on the vif shows requests (e.g. DNS, http, etc.) but they are not answered. How do i redirect incoming traffic from vif to the sshuttle process listening on port 12300 as it is happening with local traffic? On Wednesday, February 18, 2015 at 9:05:10 PM UTC+1 HW42 wrote: D. J. Bernstein: > Has anyone tried setting up sshuttle under Qubes? Haven't used it before but I did a quick test. > After setting up root@netvm to be able to ssh to another machine ("ssh > speed"), I ran > > sshuttle -v -r speed 0/0 -x 10/8 > > and expected that outgoing TCP connections would be transparently > proxied via the ssh connection. The sshuttle program reported that it > was doing > > iptables -t nat -N sshuttle-12300 > iptables -t nat -F sshuttle-12300 > iptables -t nat -I OUTPUT 1 -j sshuttle-12300 > iptables -t nat -I PREROUTING 1 -j sshuttle-12300 > iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 <http://127.0.0.0/8> -p tcp > iptables -t nat -A sshuttle-12300 -j RETURN --dest 10.0.0.0/8 <http://10.0.0.0/8> -p tcp > iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 <http://0.0.0.0/0> -p tcp --to-ports 12300 -m ttl ! --ttl 42 > > as I expected, and outgoing TCP connections _from netvm_ were proxied as > I expected, but outgoing TCP connections from other VMs failed with "no > route to host". > > I haven't explored how the Qubes intra-host networking setup works, > haven't started debugging with tcpdump, etc.; I'm just hoping that > someone else has already looked at this. sshuttle needs to accept connection from external ips (only localhost by default) and listen on fixed port: sshuttle -v -l 0.0.0.0:123000 -r speed 0/0 -x 10/8 Allow the redirected packets: iptables -I INPUT 1 -i vif+ -p tcp --dport 12300 -j ACCEPT WARNING: This makes FORWARD firewall rules ineffective. HW42 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com <mailto:qubes-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6cc6eba0-a1ac-48de-9146-1b3e3db8948dn%40googlegroups.com <https://groups.google.com/d/msgid/qubes-users/6cc6eba0-a1ac-48de-9146-1b3e3db8948dn%40googlegroups.com?utm_medium=email_source=footer>. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2f43b952-f4ff-4973-84bb-baa981913b32%40posteo.net.
Re: [qubes-users] sshuttle?
I need a sys-sshuttle qube to encapsulate traffic via sshuttle. Locally (from sys-sshuttle) it works, but connected qubes get the previously mentioned "no connection to host" message. Played around with various nft ideas, but no success. tcpdump on the vif shows requests (e.g. DNS, http, etc.) but they are not answered. How do i redirect incoming traffic from vif to the sshuttle process listening on port 12300 as it is happening with local traffic? On Wednesday, February 18, 2015 at 9:05:10 PM UTC+1 HW42 wrote: > D. J. Bernstein: > > Has anyone tried setting up sshuttle under Qubes? > > Haven't used it before but I did a quick test. > > > After setting up root@netvm to be able to ssh to another machine ("ssh > > speed"), I ran > > > > sshuttle -v -r speed 0/0 -x 10/8 > > > > and expected that outgoing TCP connections would be transparently > > proxied via the ssh connection. The sshuttle program reported that it > > was doing > > > > iptables -t nat -N sshuttle-12300 > > iptables -t nat -F sshuttle-12300 > > iptables -t nat -I OUTPUT 1 -j sshuttle-12300 > > iptables -t nat -I PREROUTING 1 -j sshuttle-12300 > > iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp > > iptables -t nat -A sshuttle-12300 -j RETURN --dest 10.0.0.0/8 -p tcp > > iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp > --to-ports 12300 -m ttl ! --ttl 42 > > > > as I expected, and outgoing TCP connections _from netvm_ were proxied as > > I expected, but outgoing TCP connections from other VMs failed with "no > > route to host". > > > > I haven't explored how the Qubes intra-host networking setup works, > > haven't started debugging with tcpdump, etc.; I'm just hoping that > > someone else has already looked at this. > > sshuttle needs to accept connection from external ips (only localhost by > default) and listen on fixed port: > sshuttle -v -l 0.0.0.0:123000 -r speed 0/0 -x 10/8 > > Allow the redirected packets: > iptables -I INPUT 1 -i vif+ -p tcp --dport 12300 -j ACCEPT > > WARNING: This makes FORWARD firewall rules ineffective. > > > HW42 > > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6cc6eba0-a1ac-48de-9146-1b3e3db8948dn%40googlegroups.com.
Re: [qubes-users] Tails VM: network broken since Qubes r4.2 (was online in r4.1)
an you try this command? $ sudo ip neighbour replace to 10.137.0.9 dev eth0 \ lladdr fe:ff:ff:ff:ff:ff nud permanent That adds a permanent neighbour entry. If it changes stuff it means that ARP is broken. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1cfb9530-6c8a-4064-bfdc-1cc0f33a844e%40posteo.de. OpenPGP_signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Tails VM: network broken since Qubes r4.2 (was online in r4.1)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Thu, Mar 28, 2024 at 10:29:15PM +, Stickstoff wrote: > Hello everyone, > > I have a difficult time with my Tails VM in Qubes (which I need for Tails > specific developing and documentation work). > It gets no network connectivity no matter what I try. With "network > connectivity" I mean the Tails VM can't even ping any network VM. > > I set up a Tails VM [1] a while ago on an up-to-date Qubes r4.1 system (so it > should be similar to r4.2?). After assigning the Tails VM a static ip [2], > it was online right away. Now I had to reinstall Qubes on new hardware, and > installed r4.2. I copied the old Tails VM into the r4.2, and it is stuck > offline. > I then created a new Tails VM, exactly the same way I did before with [1] and > [2], it couldn't reach any networking VM neither. > Next, I purged iptable [3], removed all routes [4] except the default route > and shutdown all network devices except eth0 [5]. > Still, there is no ping response even from the networking VM (which does > reply to other VM's pings). > > Finally, I used a regular Debian 12 live image to create another standalone > VM with [1]. It was online right away. > Tails is based on Debian 12 too. > The only meaningful difference between the Tails and the Debian VMs I could > find was that their default routes [6] look a bit different, where I don't > know if this might be related. > > So it does look like a Tails problem after all. But then, why was the same > Tails VM online when hosted by an up-to-date r4.1 Qubes and offline on > a fresh installed r4.2 Qubes? > I found hints online that others experience the same [7] symptoms of non > reachable networking VMs, where r4.1 vs r4.2 was brought up. > > > Does anyone have suggestions what else I might check and try? > I would be very grateful for any help. It would feel archaic and > counterproductive to use another machine for working on Tails.. > > Stickstoff > > > > > > > > > > > [1] Installing a live linux into a standalone Qubes vm: > Create a new standalone qube: HVM, 2GB+ memory. > dom0: sudo sh -c 'qvm-run --pass-io BrowserVM "cat > ~/downloads/tailsimage.img"' > /tmp/tailsimage.img > dom0: sudo dd if=/dev/zero of=root.img bs=1 count=0 seek=8G > # new empty 8GB root.img as sparse file > dom0: sudo dd bs=32M conv=notrunc status=progress if=/tmp/tailsimage.img > of=root.img # copy the image to the start of root.img > Tails: remove "live-media=removable" in grub bootloader (necessary at each > boot of Tails) > > > [2] Setting up networking in Tails: > dom0: qvm-ls -n TailsVM # get the IP that dom0 assigned > to the Tails VM > Tails: set static ip, netmask, gateway and dns > > [3] purge iptable rules, allow everything: > Tails: sudo iptables -F > Tails: sudo iptables -X > Tails: sudo iptables -P INPUT ACCEPT > Tails: sudo iptables -P OUTPUT ACCEPT > Tails: sudo iptables -P FORWARD ACCEPT > > [4] purge routes and add new default route: > Tails: sudo ip route del > Tails: sudo ip route add default via 10.137.0.9 dev eth0 > > [5] shutdown network devices: > sudo ip link set dev down > > [6] > ip route Tails: > default via 10.137.0.9 dev eth0 proto static metric 100 > 10.137.0.0/24 dev eth0 proto kernel scope link src 10.137.0.32 metric 100 > ^ > > ip route Debian: > default via 10.137.0.9 dev enX0 proto static metric 100 > 10.137.0.9 dev enX0 proto kernel scope link src 10.137.0.32 metric 100 > ^^ > > > [7] > https://forum.qubes-os.org/t/tailsos-template/23635/6 Does using the static route you have in Debian, and adding static neighbor entries for the peer, fix the problem? If not, can you try this command? $ sudo ip neighbour replace to 10.137.0.9 dev eth0 \ lladdr fe:ff:ff:ff:ff:ff nud permanent That adds a permanent neighbour entry. If it changes stuff it means that ARP is broken. - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmYF+2YACgkQsoi1X/+c IsFJ8Q/+NTsgrVCFAqn3IHkWbgni8WJxwFHZ0spRiPxCb/B+iBQnS/tk5phId5Wn B8Sfscoq79vTlVZJrK7GoYfTTvgcd60xDj6HsQRy/ymyqhJ3SQtlw7l+xi//acDY 7A38Un+UXwN4QtGLQQ0mCqm8/YjeugqwHQq7sy7jodehjFDJkx021urlqob49xkc 40CFG6sI+PWZYMxzqphyICu2sMX8SnKzyKpPXJzKD3LSkFzukbVU3524EgGTv3Th Rfliq/tljOhaIzZQSNsTiLAi0aPblPQ9PlO0X5gC8rzPF7YPIwYfEDJIEM+41UH6 l0OuhkE21rXOBbXnijmtesTHHYUzIcOUQWIuTdMGjjBYRlQ1igrRzc8WvFXXr7d6 tWYvaHXfIimpcfcM3CE15aMXmoEfjTkoHfnkpscZECzqxK5fKz0bLyIqqeilr92t HLnKtWaiYnFXYcYtxwpWJ4vo4CdMMoJH1DEL6zM3EA3ajQsiN8Bx1T23qvFgj1wQ OjfepcB2xpbOCjXgqUCR8uCPJKTLFxCbxAYduO1xQN9wY
[qubes-users] Tails VM: network broken since Qubes r4.2 (was online in r4.1)
Hello everyone, I have a difficult time with my Tails VM in Qubes (which I need for Tails specific developing and documentation work). It gets no network connectivity no matter what I try. With "network connectivity" I mean the Tails VM can't even ping any network VM. I set up a Tails VM [1] a while ago on an up-to-date Qubes r4.1 system (so it should be similar to r4.2?). After assigning the Tails VM a static ip [2], it was online right away. Now I had to reinstall Qubes on new hardware, and installed r4.2. I copied the old Tails VM into the r4.2, and it is stuck offline. I then created a new Tails VM, exactly the same way I did before with [1] and [2], it couldn't reach any networking VM neither. Next, I purged iptable [3], removed all routes [4] except the default route and shutdown all network devices except eth0 [5]. Still, there is no ping response even from the networking VM (which does reply to other VM's pings). Finally, I used a regular Debian 12 live image to create another standalone VM with [1]. It was online right away. Tails is based on Debian 12 too. The only meaningful difference between the Tails and the Debian VMs I could find was that their default routes [6] look a bit different, where I don't know if this might be related. So it does look like a Tails problem after all. But then, why was the same Tails VM online when hosted by an up-to-date r4.1 Qubes and offline on a fresh installed r4.2 Qubes? I found hints online that others experience the same [7] symptoms of non reachable networking VMs, where r4.1 vs r4.2 was brought up. Does anyone have suggestions what else I might check and try? I would be very grateful for any help. It would feel archaic and counterproductive to use another machine for working on Tails.. Stickstoff [1] Installing a live linux into a standalone Qubes vm: Create a new standalone qube: HVM, 2GB+ memory. dom0: sudo sh -c 'qvm-run --pass-io BrowserVM "cat ~/downloads/tailsimage.img"' > /tmp/tailsimage.img dom0: sudo dd if=/dev/zero of=root.img bs=1 count=0 seek=8G # new empty 8GB root.img as sparse file dom0: sudo dd bs=32M conv=notrunc status=progress if=/tmp/tailsimage.img of=root.img# copy the image to the start of root.img Tails: remove "live-media=removable" in grub bootloader (necessary at each boot of Tails) [2] Setting up networking in Tails: dom0: qvm-ls -n TailsVM # get the IP that dom0 assigned to the Tails VM Tails: set static ip, netmask, gateway and dns [3] purge iptable rules, allow everything: Tails: sudo iptables -F Tails: sudo iptables -X Tails: sudo iptables -P INPUT ACCEPT Tails: sudo iptables -P OUTPUT ACCEPT Tails: sudo iptables -P FORWARD ACCEPT [4] purge routes and add new default route: Tails: sudo ip route del Tails: sudo ip route add default via 10.137.0.9 dev eth0 [5] shutdown network devices: sudo ip link set dev down [6] ip route Tails: default via 10.137.0.9 dev eth0 proto static metric 100 10.137.0.0/24 dev eth0 proto kernel scope link src 10.137.0.32 metric 100 ^ ip route Debian: default via 10.137.0.9 dev enX0 proto static metric 100 10.137.0.9 dev enX0 proto kernel scope link src 10.137.0.32 metric 100 ^^ [7] https://forum.qubes-os.org/t/tailsos-template/23635/6 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b57c3dfb-f3af-46cf-a44d-86b233269910%40posteo.de. OpenPGP_signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Star Labs StarBook certified with intel only?
On 2024-03-26 23:05, 'జిందం వాఐి' via qubes-users wrote: On 2024-03-26 22:18, Andrew David Wong wrote: On 3/25/24 11:25 AM, 'జిందం వాఐి' via qubes-users wrote: As you can see, only Intel processors are listed. I'm not personally aware of any changes since then, but when it comes to Qubes-certified hardware, you should always consult the vendor's website for the latest information. thanks for headsup, i will contact them * contacted vendor * hardware is certified for intel only * my query and vendor reply_ https://support.starlabs.systems/conversations/starbook-qubesos-certification-intel-amd-or-both/perma?token=06aab71bb3930 * hope this helps -- regards, జిందం వాఐి [ jindam, vani ] web_ jindam.neocities.org [matrix]_ @jindam:oikei.net -- regards, జిందం వాఐి [ jindam, vani ] web_ jindam.neocities.org [matrix]_ @jindam:oikei.net -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9c4341b68c14f0f9822a12cab904743e%40disroot.org.
Re: [qubes-users] Qubes OS 4.2.1 has been released!
On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote: > ## What's new in Qubes OS 4.2.1? > > [...] > > For more information about the changes included [...] It would be much better to have a more detailed (yet concise) changelog. It is highly unlikely that the user will read pages upon pages of issues on a bug tracker, just to find out what is new. My $0.02. :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240327095752.29f39474%40localhost.
Re: [qubes-users] Star Labs StarBook certified with intel only?
On 2024-03-26 22:18, Andrew David Wong wrote: On 3/25/24 11:25 AM, 'జిందం వాఐి' via qubes-users wrote: As you can see, only Intel processors are listed. I'm not personally aware of any changes since then, but when it comes to Qubes-certified hardware, you should always consult the vendor's website for the latest information. thanks for headsup, i will contact them -- regards, జిందం వాఐి [ jindam, vani ] web_ jindam.neocities.org [matrix]_ @jindam:oikei.net -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ef689eaffdd99ccdb995f9847ee4db9a%40disroot.org.
Re: [qubes-users] Star Labs StarBook certified with intel only?
On 3/25/24 11:25 AM, 'జిందం వాఐి' via qubes-users wrote: > * i see an option to purchase > laptop for amd also on their > website > * is this certified with only > intel? > As far as I know, that's correct, but you should check with Star Labs to be sure. The original certification announcement listed the certified configuration options at the time: https://www.qubes-os.org/news/2024/01/10/starlabs-starbook-qubes-certified/ As you can see, only Intel processors are listed. I'm not personally aware of any changes since then, but when it comes to Qubes-certified hardware, you should always consult the vendor's website for the latest information. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b434b32-7486-4115-aa4c-48b081960837%40qubes-os.org.
[qubes-users] Qubes OS 4.1 reaches EOL on 2024-06-18
Dear Qubes Community, Qubes OS 4.1 is scheduled to reach end-of-life (EOL) on 2024-06-18, approximately three months from the date of this announcement. ## Recommended actions If you're already using Qubes 4.2, then you don't have to do anything. This announcement doesn't affect you. If you're still using Qubes 4.1, then now is the perfect opportunity to upgrade, since a brand new [Qubes OS 4.2.1 ISO was just released today](https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/)! (This is also the best way to get started with Qubes if you don't have it installed yet.) If you'd prefer not to reinstall, you can instead perform an [in-place upgrade from Qubes 4.1 to 4.2](https://www.qubes-os.org/doc/upgrade/4.2/#in-place-upgrade). Whichever option you choose, we strongly recommend [making a full backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) beforehand and ensuring you're on Qubes 4.2 by 2024-06-18. ## What does end-of-life (EOL) mean? When a Qubes OS release reaches end-of-life (EOL), it is no longer supported. This means that bugs discovered in that release will no longer be fixed, and enhancements will no longer be added. Most importantly, releases that have reached EOL no longer receive security updates, which is why it's critically important to upgrade to a supported release. ## What about patch releases? The Qubes OS Project uses the [semantic versioning](https://semver.org/) standard. Version numbers are written as `..`. When a major or minor release reaches EOL, all of its patch releases also reach EOL. For example, in this case, when we say that "Qubes 4.1" (without specifying a `` number) is approaching EOL, we're specifying a particular minor release, inclusive of all patch releases within it. This means that Qubes 4.1.0, 4.1.1, and 4.1.2 will all reach EOL at the same time (on 2024-06-18), since they are all just patch releases of the same minor release. ## How are EOL dates determined? According to our [support policy](https://www.qubes-os.org/doc/supported-releases/), stable Qubes OS releases are supported for six months after each subsequent [major or minor release](https://www.qubes-os.org/doc/version-scheme/). This means that Qubes 4.1 reaches EOL six months after Qubes 4.2 was released. Since Qubes 4.2.0 was [released on 2023-12-18](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/), Qubes 4.1's EOL date is six months later, on 2024-06-18. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/26/qubes-os-4-1-reaches-eol-on-2024-06-18/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0e20b8fa-8d37-485c-b747-8cf51010e31f%40qubes-os.org.
[qubes-users] Qubes OS 4.2.1 has been released!
/) documentation. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8ccb1335-c9c8-4b5d-946f-e3f22ea98094%40qubes-os.org.
Re: [qubes-users] Configure Network Qubes 4.2
Also, in the future. This might be faster to get responses https://forum.qubes-os.org/ Welcome to our forum. On Mon, Mar 25, 2024 at 6:12 PM Catacombs wrote: > HI, Not exactly sure if this is what you want. > It is an excellent question for a newcomer. > Upper right hand side of screen. Red, > Two red terminals. Click on this. > What do you get? > > On Monday, March 25, 2024 at 11:43:31 AM UTC-4 Bapak Ireng wrote: > >> Sorry, i discuss in the Qubes Communityfaster responses, better >> systemthen google groups >> >> Bapak Ireng schrieb am Montag, 25. März 2024 um 16:32:33 UTC+1: >> >>> i tried sudo /usr/libexec/initial-setup/initial-setup-graphical >>> >>> and the following is the output / result: >>> >>> >>> >>> >>> i tried to sent pictures, but google did not let me sent them. Sh >>> >>> >>> >>> >>> >>> >>> -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/2bc3dbd0-2f6c-4e43-a411-1eac28bbe359n%40googlegroups.com > <https://groups.google.com/d/msgid/qubes-users/2bc3dbd0-2f6c-4e43-a411-1eac28bbe359n%40googlegroups.com?utm_medium=email_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABsyOzHsrwP%3D2%3DaitHVEcwkWLS%2BQSZ9tHA0i%3DkU%3D0TAPFhJJVA%40mail.gmail.com.
Re: [qubes-users] Configure Network Qubes 4.2
I am sorry I was slow to reply. I was having problems today, apparently from the large solar flares we have been having the last several days. Some of it is reflective of a earlier version, but https://www.qubes-os.org/doc/ On Monday, March 25, 2024 at 5:12:23 PM UTC-5 Catacombs wrote: > HI, Not exactly sure if this is what you want. > It is an excellent question for a newcomer. > Upper right hand side of screen. Red, > Two red terminals. Click on this. > What do you get? > > On Monday, March 25, 2024 at 11:43:31 AM UTC-4 Bapak Ireng wrote: > >> Sorry, i discuss in the Qubes Communityfaster responses, better >> systemthen google groups >> >> Bapak Ireng schrieb am Montag, 25. März 2024 um 16:32:33 UTC+1: >> >>> i tried sudo /usr/libexec/initial-setup/initial-setup-graphical >>> >>> and the following is the output / result: >>> >>> >>> >>> >>> i tried to sent pictures, but google did not let me sent them. Sh >>> >>> >>> >>> >>> >>> >>> -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c24bc1d4-6648-430e-8c27-528ba31c73f1n%40googlegroups.com.
[qubes-users] Star Labs StarBook certified with intel only?
* i see an option to purchase laptop for amd also on their website * is this certified with only intel? -- regards, జిందం వాఐి [ jindam, vani ] web_ jindam.neocities.org [matrix]_ @jindam:oikei.net -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ccfaea3acfd69873fb339ebf90d74178%40disroot.org.
Re: [qubes-users] Configure Network Qubes 4.2
HI, Not exactly sure if this is what you want. It is an excellent question for a newcomer. Upper right hand side of screen. Red, Two red terminals. Click on this. What do you get? On Monday, March 25, 2024 at 11:43:31 AM UTC-4 Bapak Ireng wrote: > Sorry, i discuss in the Qubes Communityfaster responses, better > systemthen google groups > > Bapak Ireng schrieb am Montag, 25. März 2024 um 16:32:33 UTC+1: > >> i tried sudo /usr/libexec/initial-setup/initial-setup-graphical >> >> and the following is the output / result: >> >> >> >> >> i tried to sent pictures, but google did not let me sent them. Sh >> >> >> >> >> >> >> -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2bc3dbd0-2f6c-4e43-a411-1eac28bbe359n%40googlegroups.com.
[qubes-users] Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)
0HKVrhR8oOPZMaVTUmr2hqbuFB+d73DBtE L6J0bTCst3TPDRvMSCt2xi3bO1KsjCWtgupJZd3KSHa0UZT4XKQN0S4F+mXvwmF1 b7278Wh62e20yN1+GYqmYuIXBOVuMcthCGPS6FtJwJqUWLVhU4Zx4lNqUeSJn03l x8t5pXUUbLW5ODu0qi+CHIBEarx/GtVuFSc5Tv9GZoS6XTU/HTlc0U43EMRfrGjM nvE84LTY1U4XxpvoyZ4vBdajruO4d1U+p+F+9CbxcidgKUoS5K9Kn8zNF/QO/o+H /OC/kcxm3p4UqrLT2bh+3GhFhPPiGZvHsWwbRxpUFczmghU+X2I9VcEjt3ARFAwV QA2ONCrGs1+PHLKN/SKBJg1Nu2ACj4Sx8kQk11ztjCfM+IqeJnvgDgVuPqkiUvBQ yaEOoNP22ic2gH+rCV79Wb11Yibsc+9ywZ7PaAea6OEM6ZaXqBkyutOpDbNRGQg8 a7AzPB0/iacfWPdqJ7AhXE2u5ii+DeRZdZYjcmm6E0QE89SeBzYOX2BTnTunc/jX MwYjl0edZ7I/b89Vja6fXSEYS6LYdTpRL4ZtswfwwAE8fRqdVo7qmPTTU1XoHZYs jJIM2hxAB+JbEZNPzYL2MtGkkzsb4xMX6LQDEMXEZzjAXIlM5L0= =SBLT -END PGP SIGNATURE- ``` *Source*: <https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.marmarek> ## [Simon Gaiser (aka HW42)](https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)'s PGP signature ``` -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmX3fZEACgkQSsGN4REu FJAHCg/5AYLGAcnMRzZ1JgSJXQLLuQqIXfpNfZWHT4e9u6gkDYcrI4Z4AEzab5Lv YqSeNbtMys1WCxCUXyPUNG+ZNrD9xcCfmaZuC+MNINwRoAcg+V5+B8cCMU9NUB+V IquFrepWJcimsBeAvCPkCV4nk1BABqEu0vsViifwFvS0MWr7VFUkQom5/XkXwmZY uUTrNWSKoJzmzwq3x0yWVNhLmjD2nMg2BKeJUiwpy1wE9Q0w9dLrHEwwewuHP7t1 JAiOFLvEAw55D9Cw8YbOWskIfHWeyhA4a8nrbPVMRTBJAryUgRtDQx6GCcn5uLiM +/vnYu26UigX9eQy2T/O5fs3ti4BF+/D7XO9QnKXVsmAtSTfvP7/nzY8nWL9SzpB 7cBX5AH9QTHa2Rji/EpqSsZawXXs5pMTWbzObkBORObNgkHUMPOhaM+8qZaEhm5h DMZrsCHbOsi38pmrXhuIhzY/j5Sk+wp3Wgvkqq4CXO8n7H+jjPNTrMEfcgYI/C8U U17OvqA/iC/C/z1BRQnhiAp98/fYN6jgNWAGVMBM+XgbrCHExnP/OCH6X5pgTYwY JbwMyFxv9XuQMDFc9zF4AVPHdAAGssU9qZDZlJg/72Az7J4kxHNlT3m9u02ljmgC POHJyjO071i6xlCMMEuYyrgT/1qs5NjocpWaXfYSl45a3DWeHMo= =ZGQ8 -END PGP SIGNATURE- ``` *Source*: <https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.simon> ## What is the purpose of this announcement? The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published. ## What is a Qubes security bulletin (QSB)? A Qubes security bulletin (QSB) is a security announcement issued by the [Qubes security team](https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see [Qubes security bulletins (QSBs)](https://www.qubes-os.org/security/qsb/). ## Why should I care about QSBs? QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by [updating normally](https://www.qubes-os.org/doc/how-to-update/). However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs. ## What are the PGP signatures that accompany QSBs? A [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic [digital signature](https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like [GNU Privacy Guard (GPG)](https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures. ## Why should I care whether a QSB is authentic? A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project. ## How do I verify the PGP signatures on a QSB? The following command-line instructions assume a Linux system with `git` and `gpg` installed. (For Windows and Mac options, see [OpenPGP software](https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).) 1. Obtain the Qubes Master Signing Key (QMSK), e.g.: ```shell_session $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/user/.gnupg' created gpg: keybox '/home/user/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 ``` (For more ways to obtain the QMSK, see [How to import and authenticate the Qubes Master Signing Key](https://www
Re: [qubes-users] Configure Network Qubes 4.2
Sorry, i discuss in the Qubes Communityfaster responses, better systemthen google groups Bapak Ireng schrieb am Montag, 25. März 2024 um 16:32:33 UTC+1: > i tried sudo /usr/libexec/initial-setup/initial-setup-graphical > > and the following is the output / result: > > > > > i tried to sent pictures, but google did not let me sent them. Sh > > > > > > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2f09b820-5a8d-4ba3-804a-142aa513f828n%40googlegroups.com.
Re: [qubes-users] Configure Network Qubes 4.2
i tried sudo /usr/libexec/initial-setup/initial-setup-graphical and the following is the output / result: i tried to sent pictures, but google did not let me sent them. Sh -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/af6316e9-b3a7-461a-9fac-2ff5bd66f324n%40googlegroups.com.
Re: [qubes-users] Configure Network Qubes 4.2
Hi, after successfully installing Qubes 4.2 i am left all alone to configure network (internet) Access. I appreciate it very much if somebody could guide me to the right options. The question is so vague, no one can reasonably answer it. Does sys-net start on boot? Does it have access to the hardware (qubes settings -> devices tab)? Do we talk about ethernet / wireless? If wireless, are the needed drivers in your sys-net linux distri? and so forth -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/358c320a-15dd-4fd4-8486-b1c5c973d5a0%40web.de.
[qubes-users] Configure Network Qubes 4.2
Hi, after successfully installing Qubes 4.2 i am left all alone to configure network (internet) Access. I appreciate it very much if somebody could guide me to the right options. Best regards, Bapak Hitam -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7e187f48-3bc5-4153-9703-fdb84bc38f1bn%40googlegroups.com.
Re: [qubes-users] Re: Qubes 4.2: Attach usb audio device to appvm
It was not fixed... Apparently just an example of how random it is. It was working for an hour or so. Now it is back to mic not working, just sending out that beep beep sound. On Wed, Mar 20, 2024 at 9:16 AM 'Rune Philosof' via qubes-users < qubes-users@googlegroups.com> wrote: > Installing a new template fixed it. > I installed fedora-39 and switched to it. > > The old template had been upgraded in-place several times, back from > fedora-36, I think. > Maybe something is missing in the upgrade from 4.1 to 4.2, or in the > instructions on how to upgrade existing templates to 4.2. > > > On Wednesday, March 20, 2024 at 8:17:25 AM UTC+1 Rune Philosof wrote: > >> Now it is more consistent in how it is not working. >> Audio output is connected properly. >> But microphone is still not working. It does not capture any sound from >> the microphone, but it does repeat a ticking sound. I have attached a 3 >> second recording of the ticking sound. >> >> I have not changed any audio settings. >> I have tested with two different usb soundcards. >> It worked in Qubes 4.1. >> >> I wonder what has changed in the audio setup from Qubes 4.1 to 4.2. >> >> On Thursday, February 29, 2024 at 12:23:30 PM UTC+1 Rune Philosof wrote: >> >>> After upgrading to 4.2 my audio device does not work. >>> >>> I plug in a usb audio device, then attach that usb device to an appvm >>> and try to use it in e.g. meet.google.com. >>> For some reason it only works for the audio microphone or the speaker, >>> not both. >>> Example: >>> 1. I attach the usb device to the appvm. >>> 2. meet.google.com automatically switches to the new microphone, but I >>> cannot hear anything and the speaker list does not show the usb device. >>> 3. I then detach from the appvm and reattach the usb device to the same >>> appvm. >>> 4. meet.google.com does not show the usb device in the list of >>> microphones. but somehow the "default" speaker now outputs through the usb >>> device. >>> >>> In 4.1 it would either work for both mic and speaker or for none. >>> >> -- > You received this message because you are subscribed to a topic in the > Google Groups "qubes-users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/qubes-users/NDRrrYrLkpQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/f66bbd6a-ad20-4c30-a005-32bad82c8282n%40googlegroups.com > <https://groups.google.com/d/msgid/qubes-users/f66bbd6a-ad20-4c30-a005-32bad82c8282n%40googlegroups.com?utm_medium=email_source=footer> > . > -- Med venlig hilsen / Best regards Rune Philosof Software developer +45 28 45 64 08 r...@abtion.com Vesterbrogade 15, 3 1620 København V Sverigesgade 18 5000 Odense C https://abtion.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAL8J5gaHuuvugFkwSEOTc6n2VnfzE0U-1yngaFu3zxqBAn2aZg%40mail.gmail.com.
[qubes-users] Re: HVM standalone: no mouse after suspend-to-ram
Dear group, After I wake Qubes from suspend-to-ram, the mouse doesn't work in Tails any more. this issue resolved itself after reinstalling qubes r4.2 freshly, on another hardware. Maybe because it was a fresh install, maybe because it was directly r4.2 and not upgraded from earlier versions, maybe the difference is the different hardware. I did not, however, change anything in the Tails VM for it to now work. Cheers, Stickstoff On 2024-02-01 13:40, Stickstoff wrote: Dear group, I am having issues with the mouse not coming back after standby. I am running Qubes 4.1.2 (R4.1), kernel 5.15.52-1.fc32.qubes.x86_64 The VM is a HVM standalone, running Tails OS, kernel 6.1.0-13-amd64 (Debian 6.1.55-1). After I wake Qubes from suspend-to-ram, the mouse doesn't work in Tails any more. The mouse still works in Qubes OS and other VMs. The (internal, non-usb) keyboard still works everywhere. I do not have any other standalone VMs installed to compare. In Tails, after waking up I only see two errors: clocksource: timekeeping watchdog on CPU3: Marking clocksource 'tsc' as unstable because the skew is too large and usb 1-1: Failed to suspend device, error -110 where usb 1-1 seems to be the "QEMU USB Tablet" virtual mouse. Reading up, "error -110" seems to be some kind of timeout error. Any ideas on this one? Is it even Qubes or XEN or qemu related, or rather on the Tails side? (Yes, Tails doesn't like to be in VMs. Yes, this comes with its own security implications.) Thank you, Stickstoff -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ffa2654d-8c5e-4518-9b67-d29c67a9a689%40posteo.de. OpenPGP_signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Inconsistency between `qvm-template list` and `qvm-template-gui`
Without seeing the screenshot, I think I know the issue. They are from the same repository. qvm-template lists *all* the template in the repo, whereas qvm-template-gui filters to only show the most recent supported versions. -- I never presume to speak for the Qubes team. When I comment in the mailing lists I speak for myself. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Zfq6MxZ7JMd5HZqM%40thirdeyesecurity.org.
[qubes-users] Re: Qubes 4.2: Attach usb audio device to appvm
Installing a new template fixed it. I installed fedora-39 and switched to it. The old template had been upgraded in-place several times, back from fedora-36, I think. Maybe something is missing in the upgrade from 4.1 to 4.2, or in the instructions on how to upgrade existing templates to 4.2. On Wednesday, March 20, 2024 at 8:17:25 AM UTC+1 Rune Philosof wrote: > Now it is more consistent in how it is not working. > Audio output is connected properly. > But microphone is still not working. It does not capture any sound from > the microphone, but it does repeat a ticking sound. I have attached a 3 > second recording of the ticking sound. > > I have not changed any audio settings. > I have tested with two different usb soundcards. > It worked in Qubes 4.1. > > I wonder what has changed in the audio setup from Qubes 4.1 to 4.2. > > On Thursday, February 29, 2024 at 12:23:30 PM UTC+1 Rune Philosof wrote: > >> After upgrading to 4.2 my audio device does not work. >> >> I plug in a usb audio device, then attach that usb device to an appvm and >> try to use it in e.g. meet.google.com. >> For some reason it only works for the audio microphone or the speaker, >> not both. >> Example: >> 1. I attach the usb device to the appvm. >> 2. meet.google.com automatically switches to the new microphone, but I >> cannot hear anything and the speaker list does not show the usb device. >> 3. I then detach from the appvm and reattach the usb device to the same >> appvm. >> 4. meet.google.com does not show the usb device in the list of >> microphones. but somehow the "default" speaker now outputs through the usb >> device. >> >> In 4.1 it would either work for both mic and speaker or for none. >> > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f66bbd6a-ad20-4c30-a005-32bad82c8282n%40googlegroups.com.
[qubes-users] Where exactly does qubesdb-write write the data?
Hi, Where exactly does qubesdb-write write the data? What RPC policy is necessary for qube A to be able to read/write '/somepath' of qube B? (but *no* other paths) What can this be used for (safely)? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240318165349.46dbf170%40localhost.
[qubes-users] Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)
//github.com/QubesOS/qubes-secpack/blob/ea3a31c4295b91e3f77ee39a15bcabbbd956678b/QSBs/qsb-101-2024.txt.sig.marmarek) on the [original version](https://github.com/QubesOS/qubes-secpack/blob/ea3a31c4295b91e3f77ee39a15bcabbbd956678b/QSBs/qsb-101-2024.txt) of this QSB. For more information, see the [original QSB-101 announcement](https://www.qubes-os.org/news/2024/03/13/qsb-101/). ## [Simon Gaiser (aka HW42)](https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)'s PGP signature ``` -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmX3fZEACgkQSsGN4REu FJAHCg/5AYLGAcnMRzZ1JgSJXQLLuQqIXfpNfZWHT4e9u6gkDYcrI4Z4AEzab5Lv YqSeNbtMys1WCxCUXyPUNG+ZNrD9xcCfmaZuC+MNINwRoAcg+V5+B8cCMU9NUB+V IquFrepWJcimsBeAvCPkCV4nk1BABqEu0vsViifwFvS0MWr7VFUkQom5/XkXwmZY uUTrNWSKoJzmzwq3x0yWVNhLmjD2nMg2BKeJUiwpy1wE9Q0w9dLrHEwwewuHP7t1 JAiOFLvEAw55D9Cw8YbOWskIfHWeyhA4a8nrbPVMRTBJAryUgRtDQx6GCcn5uLiM +/vnYu26UigX9eQy2T/O5fs3ti4BF+/D7XO9QnKXVsmAtSTfvP7/nzY8nWL9SzpB 7cBX5AH9QTHa2Rji/EpqSsZawXXs5pMTWbzObkBORObNgkHUMPOhaM+8qZaEhm5h DMZrsCHbOsi38pmrXhuIhzY/j5Sk+wp3Wgvkqq4CXO8n7H+jjPNTrMEfcgYI/C8U U17OvqA/iC/C/z1BRQnhiAp98/fYN6jgNWAGVMBM+XgbrCHExnP/OCH6X5pgTYwY JbwMyFxv9XuQMDFc9zF4AVPHdAAGssU9qZDZlJg/72Az7J4kxHNlT3m9u02ljmgC POHJyjO071i6xlCMMEuYyrgT/1qs5NjocpWaXfYSl45a3DWeHMo= =ZGQ8 -END PGP SIGNATURE- ``` *Source*: <https://github.com/QubesOS/qubes-secpack/blob/c5693c8a4b81b3afb7cd7e6e44db3bbc36987049/QSBs/qsb-101-2024.txt.sig.simon> ## What is the purpose of this announcement? The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published. ## What is a Qubes security bulletin (QSB)? A Qubes security bulletin (QSB) is a security announcement issued by the [Qubes security team](https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see [Qubes security bulletins (QSBs)](https://www.qubes-os.org/security/qsb/). ## Why should I care about QSBs? QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by [updating normally](https://www.qubes-os.org/doc/how-to-update/). However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs. ## What are the PGP signatures that accompany QSBs? A [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic [digital signature](https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like [GNU Privacy Guard (GPG)](https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures. ## Why should I care whether a QSB is authentic? A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project. ## How do I verify the PGP signatures on a QSB? The following command-line instructions assume a Linux system with `git` and `gpg` installed. (For Windows and Mac options, see [OpenPGP software](https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).) 1. Obtain the Qubes Master Signing Key (QMSK), e.g.: ```shell_session $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/user/.gnupg' created gpg: keybox '/home/user/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 ``` (For more ways to obtain the QMSK, see [How to import and authenticate the Qubes Master Signing Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).) 2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.) ```shell_session $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free soft
[qubes-users] Qubes OS 4.2.1-rc1 is available for testing
se, unless significant bugs are discovered in testing. RCs are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS [supported releases](https://www.qubes-os.org/doc/supported-releases/) and the [version scheme](https://www.qubes-os.org/doc/version-scheme/) in our documentation. ## What is a patch release? The Qubes OS Project uses the [semantic versioning](https://semver.org/) standard. Version numbers are written as `..`. Hence, we refer to releases that increment the third number as "patch releases." A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See [supported releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the [version scheme](https://www.qubes-os.org/doc/version-scheme/) documentation. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/16/qubes-os-4-2-1-rc1-available-for-testing/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cd1c955a-7c9b-4578-be90-796e4af0fb55%40qubes-os.org.
Re: [qubes-users] Qubes OS Summit 2024: September 20-22 in Berlin
Anybody going from USA willing to take me in their luggage hit me up. I bring my own food and oxygen On Wed, Mar 13, 2024 at 3:56 PM Andrew David Wong wrote: > Dear Qubes Community, > > In conjunction with [3mdeb](https://3mdeb.com/), the sixth edition of our > Qubes OS Summit will be held live this year from September 20 to 22 in > Berlin, Germany! For more information about this event, please see: < > https://vpub.dasharo.com/e/16/qubes-os-summit-2024> > > If you would like to submit a proposal, the Call for Participation (CFP) > is open until August 5: <https://cfp.3mdeb.com/qubes-os-summit-2023/cfp> > > > This announcement is also available on the Qubes website: > https://www.qubes-os.org/news/2024/03/13/qubes-os-summit-2024/ > > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/b9b4b9d7-7283-44c0-b1db-fe4264d71f6e%40qubes-os.org > . > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAALhvVbdxNdtmkt43yWvFMR6kHULTs6rJgvno1ZEOV3KcW48qw%40mail.gmail.com.
[qubes-users] Qubes OS Summit 2024: September 20-22 in Berlin
Dear Qubes Community, In conjunction with [3mdeb](https://3mdeb.com/), the sixth edition of our Qubes OS Summit will be held live this year from September 20 to 22 in Berlin, Germany! For more information about this event, please see: <https://vpub.dasharo.com/e/16/qubes-os-summit-2024> If you would like to submit a proposal, the Call for Participation (CFP) is open until August 5: <https://cfp.3mdeb.com/qubes-os-summit-2023/cfp> This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/13/qubes-os-summit-2024/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b9b4b9d7-7283-44c0-b1db-fe4264d71f6e%40qubes-os.org.
[qubes-users] XSAs released on 2024-03-12
Dear Qubes Community, The [Xen Project](https://xenproject.org/) has released one or more [Xen security advisories (XSAs)](https://xenbits.xen.org/xsa/). The security of Qubes OS *is affected*. ## XSAs that DO affect the security of Qubes OS The following XSAs *do affect* the security of Qubes OS: - [XSA-452](https://xenbits.xen.org/xsa/advisory-452.html) - See [QSB-101](https://www.qubes-os.org/news/2024/03/13/qsb-101/) ## XSAs that DO NOT affect the security of Qubes OS The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary: - [XSA-453](https://xenbits.xen.org/xsa/advisory-453.html) - The Qubes security team concurs with the Xen security team's assessment in the "VULNERABLE SYSTEMS" section of XSA-453. ## About this announcement Qubes OS uses the [Xen hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its [architecture](https://www.qubes-os.org/doc/architecture/). When the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a [Xen security advisory (XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a [Qubes security bulletin (QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only *positive* confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs cannot provide *negative* confirmation that other XSAs do *not* affect the security of Qubes OS. Therefore, we also maintain an [XSA tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/13/xsas-released-on-2024-03-12/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/332b7027-9eae-4cb5-9b23-f4456d5f8204%40qubes-os.org.
[qubes-users] QSB-101: Register File Data Sampling (XSA-452)
tUzId3T9WPy9pnazcKnd6zT4HB6J+5bf LNmriCIgQZ1B7yG7312Cadrrq3ktJPVEzUwYwx7I+7j/wQfQvaii0Lr+WM1DZUxH KN+9pNV/SJ0I2gd5ObcX0gf8uchc548A5fIw21Oq1WopXtNEm48= =XY1y -END PGP SIGNATURE- ``` *Source*: <https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-101-2024.txt.sig.simon> ## What is the purpose of this announcement? The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published. ## What is a Qubes security bulletin (QSB)? A Qubes security bulletin (QSB) is a security announcement issued by the [Qubes security team](https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see [Qubes security bulletins (QSBs)](https://www.qubes-os.org/security/qsb/). ## Why should I care about QSBs? QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by [updating normally](https://www.qubes-os.org/doc/how-to-update/). However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs. ## What are the PGP signatures that accompany QSBs? A [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic [digital signature](https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like [GNU Privacy Guard (GPG)](https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures. ## Why should I care whether a QSB is authentic? A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project. ## How do I verify the PGP signatures on a QSB? The following command-line instructions assume a Linux system with `git` and `gpg` installed. (For Windows and Mac options, see [OpenPGP software](https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).) 1. Obtain the Qubes Master Signing Key (QMSK), e.g.: ```shell_session $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/user/.gnupg' created gpg: keybox '/home/user/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 ``` (For more ways to obtain the QMSK, see [How to import and authenticate the Qubes Master Signing Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).) 2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.) ```shell_session $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa4096/DDFA1A3E36879494 created: 2010-04-01 expires: never usage: SC trust: unknown validity: unknown [ unknown] (1). Qubes Master Signing Key gpg> fpr pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 ``` 3. *Important*: At this point, you still don't know whether the key you just imported is the genuine QMSK or a forgery. In order for this entire procedure to provide meaningful security benefits, you *must* authenticate the QMSK out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK fingerprint from *multiple independent sources in several different ways* and check to see whether they match the key you just imported. For more information, see [How to import and authenticate the Qubes Master Signing Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key). *Tip*: After you have authenticated the QMSK out-of-band to your satisfaction, r
[qubes-users] Error updating Whonix Workstation 17
I had updated the Whonix Workstation 17 successfully, but a System Check suggested that there are updates outstanding, so I tried another round: Unfortunately there was an odd error: ... Get:20 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages T-2024-03-12-0211.22-F-2024-02-23-1408.06.pdiff [19.4 kB] Ign:18 https://deb.qubes-os.org/r4.2/vm bookworm InRelease Ign:18 https://deb.qubes-os.org/r4.2/vm bookworm InRelease Err:18 https://deb.qubes-os.org/r4.2/vm bookworm InRelease Something wicked happened resolving 'deb.qubes-os.org:https' (-4 - Non-recoverable failure in name resolution) Fetched 566 kB in 15s (37.2 kB/s) Reading package lists... Done E: Failed to fetch https://deb.qubes-os.org/r4.2/vm/dists/bookworm/InRelease Something wicked happened resolving 'deb.qubes-os.org:https' (-4 - Non-recoverable failure in name resolution) E: Some index files failed to download. They have been ignored, or old ones used instead. zsh: exit 100 upgrade-nonroot When retrying after a while, it worked! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f19e92d-bace-490d-b6d1-24ee586a0f75%40gmail.com.
[qubes-users] Qubes Canary 038
mailing lists, forum, or social media platforms, you should not be concerned about the canary. - *Last-minute signature(s).* If the canary is signed at the last minute but before the deadline, that's okay. (People get busy and procrastinate sometimes.) - *Signatures at different times.* If one signature is earlier or later than the other, but both are present within a reasonable period of time, that's okay. (For example, sometimes one signer is out of town, but we try to plan the deadlines around this.) - *Permitted changes.* If something about a canary changes without violating any of statements in prior canaries, that's okay. (For example, canaries are usually scheduled for the first fourteen days of a given month, but there's no rule that says they have to be.) - *Unusual but planned changes.* If something unusual happens, but it was announced in advance, and the appropriate statements are signed, that's okay (e.g., when Joanna left the security team and Simon joined it). In general, it would not be realistic for an organization to exist that never changed, had zero turnover, and never made mistakes. Therefore, it would be reasonable to expect such events to occur periodically, and it would be unreasonable to regard *every* unusual or unexpected canary-related event as a sign of compromise. For example, if something usual happens with a canary, and we say it was a mistake and correct it, you will have to decide for yourself whether it's more likely that it really was just a mistake or that something is wrong and that this is how we chose to send you a subtle signal about it. This will require you to think carefully about which among many possible scenarios is most likely given the evidence available to you. Since this is fundamentally a matter of judgment, canaries are ultimately a *social* scheme, not a technical one. ## What are the PGP signatures that accompany canaries? A [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic [digital signature](https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the [OpenPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like [GNU Privacy Guard (GPG)](https://en.wikipedia.org/wiki/GNU_Privacy_Guard). The Qubes security team cryptographically signs all canaries so that Qubes users have a reliable way to check whether canaries are genuine. The only way to be certain that a canary is authentic is by verifying its PGP signatures. ## Why should I care whether a canary is authentic? If you fail to notice that a canary is unhealthy or has died, you may continue to trust the Qubes security team even after they have signaled via the canary (or lack thereof) that they been compromised or coerced. Falsified canaries could include manipulated text designed to sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project. ## How do I verify the PGP signatures on a canary? The following command-line instructions assume a Linux system with `git` and `gpg` installed. (For Windows and Mac options, see [OpenPGP software](https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).) 1. Obtain the Qubes Master Signing Key (QMSK), e.g.: ```shell_session $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/user/.gnupg' created gpg: keybox '/home/user/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/user/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg: imported: 1 ``` (For more ways to obtain the QMSK, see [How to import and authenticate the Qubes Master Signing Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).) 2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.) ```shell_session $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub rsa4096/DDFA1A3E36879494 created: 2010-04-01 expires: never usage: SC trust: unknown validity: unknown [ unknown] (1). Qubes Master Signing Key gpg> fpr pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 ``` 3. *Important*: At this point, you still don't know whether the key you just imported is th
Re: [qubes-users] Windows 10 and Qubes OS Dualboot
Hi one7two99, I have Qubes and Linux already installed in different partitions in legacy mode and both work fine. Now I need to install windows 10 (to run Fusion 360 for personal use). I don't want to install it as a qube as my hardware is not very powerful. I don't need Bitlocker. Could you please help? All info I've found is for installing qubes after windows. Thanks Regards Marcelo On Monday 27 January 2020 at 18:38:02 UTC-3 one7two99 wrote: > Hello Maria, > > Yes it is perfectly possible to run Windows 10 and Qubes in a dual boot > environment. > > I have spent several hours when I was researching how to put everything > together but mainly because I wanted to have the following setup: > > - CoreBoot > > - Dualboot with Windows 10 and Qubes > > - Bitlocker Encryption (to be compliant to my corporate standards) > > > As I often spent some time to get everything working like I want it to > be, I keep notes and those might also be a good starting point for you: > > > https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-dualboot-qubes-win-coreboot-bitlocker.md > > If you need further help, do not hesitate to contact, I can also > translate my notes to english, if it will help you. > > > Regarding a Laptop for Qubes I can and will always suggest the Lenovo > Thinkpad X230 with 16 GB RAM and a SSD. It is working perfect with > Qubes, can be Coreboot'ed and you can also plugin a LTE-card which will > also work great with Qubes. > > - one7two99 > > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2f816b64-3140-43b4-bd80-8f7cb71e2d75n%40googlegroups.com.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
On Wed, 6 Mar 2024 14:48:54 -0800 Andrew David Wong wrote: > I rejected it, because although it contains a "Why did you implement > XYZ this way...?" question, the rest of the message implies a "How do > I...?" request for help or support. Well, it was rather "I am trying to modify existing functionality". Anyway, thanks for clarifying. It's a blurry line I guess. :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240307080813.5cec4b2f%40localhost.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Thu, Mar 07, 2024 at 01:52:58AM +0100, Marek Marczykowski-Górecki wrote: > On Wed, Mar 06, 2024 at 06:16:03PM -0500, Demi Marie Obenour wrote: > > On Wed, Mar 06, 2024 at 10:49:11PM +0100, Marek Marczykowski-Górecki wrote: > > > On Wed, Mar 06, 2024 at 06:13:50PM +0100, Ulrich Windl wrote: > > > > Haven't done it for ages, but can't you configure the size using X > > > > resources? > > > > Like this: > > > > Now to set the size of the console itself, you would add this to the > > > > ~/.Xresources file:xterm*geometry: 127x37 > > > > > > It isn't the problem of changing xterm window size. It's a problem of > > > telling the target VM what the size is. You can probably do that > > > manually by calling `stty cols W rows H` inside (after you resize the > > > window), but I don't know how to make automatic. If anybody has some > > > idea, patches welcome. > > > > For PV consoles, I wonder if there should be a side-channel in the > > protocol. > > Maybe? I don't think there is one. BTW I think the same issue applies to > a real serial console too. SSH has such side-channel. And AFAIR telnet > does it in-band via some special bytes. There isn’t one _right now_, hence me proposing that one should be added. I assume that it would be sufficiently simple that if we need to do any conversions in dom0, those conversions could be done securely. - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXpFCwACgkQsoi1X/+c IsHDuxAAn9xSU4nS2iIdbQbOWGyD6QCJUkgriuLdf5MXYXAvzVvJ039jSYlf8/yZ AgRhHNhX5jBhXXV439sAL9Vv+uq6u8KGc1BMfYCzjBrS3HnwNqin8mex+ueF8LT9 l2nUYHr5XrCwclMYgJcD/hSmnx1J1dtKnih58Xz93Wc+GCmBo3tuomUIpFSPXORw O0THhHyWGzmGzNH8w82EdISz9nkiSOcXXuoINRSO+piP2leXzDpnIURq3YlajGa8 7JdflPUkgKP5jSOCS7jNLonN/IuiMYyLRmsh5LNKTUQv97mMXNz4zvFjmaDGc5xm 0MGkYrg2Nsu4FdiEZMzdaucO1U4xKekBFzhWTSy6d8lytvlPDRH4p9UOvQWLJfFl Wy21AoTHzaDBbob+voboBLaAiLbxEfPaAGVA3lzeLSCivexz2LKuXaKiuMJk0icZ Xru/xJ2CerlZ+aldsutVhn9AI84aN4mjpPfy1Ngo7ijTWtxGxHBwYV1bGF5lrbCJ ZUI20I3Q9TFWgiMDxRwRZXyg+vSXIJRVW2kSHlGJP4IWRTuBeIlOM9BoNVuXSLFH 0GnQBAZQoiq+1MvCvZFx2R46h9Ne0ByWaPas7cTQ8t8kNwdPZz255wfzcu1JOBMA t4KJ9MVA2xPxaYM6Y+gOTbhPWXhCzaEAIlZxvw228Yazbxm67BU= =ErqT -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZekUK_wgASUIjqHo%40itl-email.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 06, 2024 at 06:16:03PM -0500, Demi Marie Obenour wrote: > On Wed, Mar 06, 2024 at 10:49:11PM +0100, Marek Marczykowski-Górecki wrote: > > On Wed, Mar 06, 2024 at 06:13:50PM +0100, Ulrich Windl wrote: > > > Haven't done it for ages, but can't you configure the size using X > > > resources? > > > Like this: > > > Now to set the size of the console itself, you would add this to the > > > ~/.Xresources file:xterm*geometry: 127x37 > > > > It isn't the problem of changing xterm window size. It's a problem of > > telling the target VM what the size is. You can probably do that > > manually by calling `stty cols W rows H` inside (after you resize the > > window), but I don't know how to make automatic. If anybody has some > > idea, patches welcome. > > For PV consoles, I wonder if there should be a side-channel in the > protocol. Maybe? I don't think there is one. BTW I think the same issue applies to a real serial console too. SSH has such side-channel. And AFAIR telnet does it in-band via some special bytes. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmXpD+oACgkQ24/THMrX 1yxnhAf/bzFwsUtwDb0Ylu+aSE96wkboLAbWFqPFUAr3fagrTek4N6uACLw4MRdo j6wPGg5G5dvJZlSa6K3UDbjJamQzPazHzk+SN0ROX+AkixlF0eiEMcl3Tg14PZCr 9Xx+lE+MMtCvaWjKO4xWxKY8K4jAMU8foQlQsFftWKgCBBneQGoqjQDYyuALhfCO bU+Nem9hBDg7WCDpLeEc1emtYSLWkBDvTyz3HhmyopfbVxBE5EM6WQSNUSGaeRap ejK/xtfjxspxO3IfT6GWllIoAKdMr3u4xNJEQkqOm/AWIXSOJ/wvJ/boioqKbtQA LxvXhjhvSMYkfO4qtFn7uty6DE4prA== =nyiP -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZekP6uoxgl_WEz3N%40mail-itl.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Wed, Mar 06, 2024 at 10:49:11PM +0100, Marek Marczykowski-Górecki wrote: > On Wed, Mar 06, 2024 at 06:13:50PM +0100, Ulrich Windl wrote: > > Haven't done it for ages, but can't you configure the size using X > > resources? > > Like this: > > Now to set the size of the console itself, you would add this to the > > ~/.Xresources file:xterm*geometry: 127x37 > > It isn't the problem of changing xterm window size. It's a problem of > telling the target VM what the size is. You can probably do that > manually by calling `stty cols W rows H` inside (after you resize the > window), but I don't know how to make automatic. If anybody has some > idea, patches welcome. For PV consoles, I wonder if there should be a side-channel in the protocol. - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXo+TMACgkQsoi1X/+c IsHNShAAn9edCHCMdfv5wO9UzhBcf3uAwK5TdlW0bD3Zy9rDZcmkk8wN8NIHsc0V CQxvoGUYrSYHR4i3y+49rMG3MUUvSIqVMinjNyMskapWZeLqr7KIU+EhA03Vr6lG kS0xkamCNvOP5copx7G9A655c5cpxGOxitGxyC4iP6RhBhiUSWqxmo9m6sPPFwV4 qa/a28KEIC6e8d0FxEDGk6y7QqyA/oXCrLg5BgY9odPOj4W4Y1ABqldpREoITeQZ e3H5rnRJnKd7qcHjz3iz9r0PxG6InFOZPf7+7MfF83zvlTSHYCGVtkiHbBtxjBI1 Q/O0UjWXDpsOV/RSiuTGXld4OG56Q+ZG/RUROS+PuGpQVIfV4Ex4sl/qj2ttDvxp +sUTdiWB76E6PYtxVEZRkYwSTN+Y0F9xw/aUoejNNZk+DGJgOj9p62WrLRTLQU/e 9hAv+8Wd9ew04wJkxNlAMFm/plKpVAb88DJFHSsNGDcC6+RTKFkioqAtli71Yd63 mEReuX+VbBo6kWHEPCDYYjwgf6dmorEvbAKqJUNOvUX2jI3kCavYkgPlH9dgAF7Q tMZ/kupyfy4F/KGzAO76275ZzeyiMhePuKLnXEey31PTs246Z1HRHtUJMABnJulO JJxNPLE1IEuUpCqmO8AZo4yT6PzcY7L9r63QN0D3G6XNMZH0yh0= =HeWx -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Zej5M30rCvKJBnfZ%40itl-email.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
On 3/6/24 10:37 AM, qubist wrote: > On Wed, 6 Mar 2024 18:14:53 +0100 Marek Marczykowski-Górecki wrote: > >> The way that console works does not support sending information about >> window size (changes). > > Do I understand correctly there is no way to change it and it is > impossible, hence not planned? > > >> You must subscribe to qubes-devel mailing list to post there. > > I am subscribed. I was subscribed at the time of posting it, yet it was > explicitly rejected: > > On Tue, 05 Mar 2024 14:26:01 -0800 Google Groups wrote: > >> Google Groups (https://groups.google.com/d/overview) >> >> Unfortunately, your recent post to the qubes-devel >> (https://groups.google.com/d/forum/qubes-devel) group >> was rejected by a group owner or manager. >> >> Message from the group owner or manager: >> Your message to the qubes-devel group has been rejected. For more >> information, please see: >> >> https://www.qubes-os.org/support/ >> >> You may wish to send your message to the qubes-users mailing list >> instead: >> >> https://www.qubes-os.org/support/#qubes-users >> >> Possible reasons your post was rejected include: >>* Your post was more relevant to a different group or conversation. >>* Your post did not conform to the posting guidelines of this >> group. >>* Your post needs more information. >> >> Google Groups allows you to create and participate in online forums >> and email-based groups with a rich community experience. You can also >> use your Group to share documents, pictures, calendars, invitations, >> and other resources. >> >> >> Visit Google Groups Help Center at >> https://support.google.com/groups/answer/46601?hl=en. > I rejected it, because although it contains a "Why did you implement XYZ this way...?" question, the rest of the message implies a "How do I...?" request for help or support. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2a9c8788-b988-4da4-8fef-de839c947c1a%40qubes-os.org.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 06, 2024 at 06:13:50PM +0100, Ulrich Windl wrote: > Haven't done it for ages, but can't you configure the size using X resources? > Like this: > Now to set the size of the console itself, you would add this to the > ~/.Xresources file:xterm*geometry: 127x37 It isn't the problem of changing xterm window size. It's a problem of telling the target VM what the size is. You can probably do that manually by calling `stty cols W rows H` inside (after you resize the window), but I don't know how to make automatic. If anybody has some idea, patches welcome. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmXo5NcACgkQ24/THMrX 1yys0Qf6AmYB8Z7OIahL8zabnZ+RZkGc+YmJNcAnxeayFDBBkbOXjuNqKUSvCJ8w 1sKGOiV03tZzztfxMLqZvf03xjLz8l9807t15fFtjXD/pfJDts35nFcGYsLw9zZz j4KjDbJNZNgxgxS1URKh3X3KNR1lCSEhGjI0z3ZWjTHC0MYebOSOfjoe3vSg1Gj9 xTQy4i+yxZkFJ4kuo1vCIyah/K1oY8UetjwCtvmfYbLf7QbXrqqLgb9YZXAWOjox faSTtl4HNLNf3DBgAJrgKQFygqfb7B825yFwCOTWdBrRnXg7L3OidIDu52lbrZMQ YRaShECp/WzRrHmQQcds2exx9hDcMw== =3kg0 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Zejk154ohmR-bei6%40mail-itl.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
On Wed, 6 Mar 2024 18:14:53 +0100 Marek Marczykowski-Górecki wrote: > The way that console works does not support sending information about > window size (changes). Do I understand correctly there is no way to change it and it is impossible, hence not planned? > You must subscribe to qubes-devel mailing list to post there. I am subscribed. I was subscribed at the time of posting it, yet it was explicitly rejected: On Tue, 05 Mar 2024 14:26:01 -0800 Google Groups wrote: > Google Groups (https://groups.google.com/d/overview) > > Unfortunately, your recent post to the qubes-devel > (https://groups.google.com/d/forum/qubes-devel) group > was rejected by a group owner or manager. > > Message from the group owner or manager: > Your message to the qubes-devel group has been rejected. For more > information, please see: > > https://www.qubes-os.org/support/ > > You may wish to send your message to the qubes-users mailing list > instead: > > https://www.qubes-os.org/support/#qubes-users > > Possible reasons your post was rejected include: >* Your post was more relevant to a different group or conversation. >* Your post did not conform to the posting guidelines of this > group. >* Your post needs more information. > > Google Groups allows you to create and participate in online forums > and email-based groups with a rich community experience. You can also > use your Group to share documents, pictures, calendars, invitations, > and other resources. > > > Visit Google Groups Help Center at > https://support.google.com/groups/answer/46601?hl=en. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240306183705.48152996%40localhost.
Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 06, 2024 at 03:42:23PM -, qubist wrote: > Hello, > > What is the reason for the '80x24' geometry of xterm used by > qvm-console-dispvm through the management_dispvm? > > I tried to remove the option in the policy file in order to utilize the > full available workspace, as well as to change it to a bigger window, > but in both cases it just stops working. That's the standard terminal size that various tools assume in lack of other information. Technically you can use bigger window, but tools like vim or top will still assume it's 80x24. The way that console works does not support sending information about window size (changes). > P.S. I posted that initially in qubes-devel because it fits completely > the "Why did you implement XYZ this way and not the other way?" example > in https://qubes-os.org/support/ but it was rejected. Quite confusing. You must subscribe to qubes-devel mailing list to post there. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmXopI0ACgkQ24/THMrX 1yy46gf9FCrYbcTkY9BYGOVSY9JUSU2d7XAdflrQeL+uQIVljhXTLBA9iN3P3euW lO+1AVNIpEgt+hwwAfd3A75EHt/zbXw6xjdxDZxo/aXqvjFl3OHffT39hViNCr20 HtFNH9DsonCvc08TmGxbPQsIGpQFhdEI8hr26AQ//MnJrfCNUjUIUpcCmmbirAII bZZTHMdIWaa5yD5lWiCtaCdo0tmzxJzHRswGHyJBCQy8wynH3QMwMEXfAdm6bWk/ eInWbarRBRwJX9fuR+xJfyMlJar0YQhFqkNf5LRgReNnC+y9nZjizdWoqxb94mSg C5H5VEzS3BZj0eEVRHK2erIDeodtCQ== =RdnV -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZeikjeH0dPBxAvjj%40mail-itl.
[qubes-users] 80x24 geometry used by qvm-console-dispvm
Haven't done it for ages, but can't you configure the size using X resources? Like this: Now to set the size of the console itself, you would add this to the ~/.Xresources file:xterm*geometry: 127x37 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/179f126d-075b-4261-99d9-bdd465f7e64e%40gmail.com.
[qubes-users] 80x24 geometry used by qvm-console-dispvm
Hello, What is the reason for the '80x24' geometry of xterm used by qvm-console-dispvm through the management_dispvm? I tried to remove the option in the policy file in order to utilize the full available workspace, as well as to change it to a bigger window, but in both cases it just stops working. P.S. I posted that initially in qubes-devel because it fits completely the "Why did you implement XYZ this way and not the other way?" example in https://qubes-os.org/support/ but it was rejected. Quite confusing. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240306154223.450b2348%40localhost.
[qubes-users] Re: HCL - Dell Inspiron 5570 (P75F, P75F001)
My, Dell Inspiron 15 5570 has i5 8250, 12GB DDR RAM , 1TB SATA HDD. I have created a bootable Qubes 4.2.0 with dd command in Ubuntu and trying to boot my Dell Inspiron with it. However it is failing to boot and restarting and falling back to Ubuntu 23.10. Should I try to boot in legacy BIOS mode ? Currently I am trying to boot in UEFI mode with Secure Boot and PTT (TPM) enabled. To boot in Legacy BIOS mode I have to disable Secure Boot and PTT(TPM). Please advice. On Saturday 5 January 2019 at 06:11:11 UTC+5:30 rex mat wrote: > Need mouse to install. Install base system (not usbvm, whonix etc.), add > those later from packages. Ethernet must be active at startup, does not > detect cable plug-in. Slow (8 Gb, rotating hd, i5), but works. > > > Citromail.hu levelezőrendszerből küldve > Lépj be <https://www.citromail.hu/> vagy regisztrálj > <https://auth.citromail.hu/regisztracio/> -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bcb8ca66-1613-4c90-b10e-33b19fddc502n%40googlegroups.com.
Re: [qubes-users] HCL - Beelink SER5 Ryzen 7 5800H AMD Integrated Graphics (RX Vega 8)
Suspend works On Monday, March 4th, 2024 at 2:33 PM, 'bozoslivehere' via qubes-users wrote: > ---layout: > 'hcl' > type: > 'Mini PC' > hvm: > 'yes' > iommu: > 'yes' > slat: > 'yes' > tpm: > '2.0' > remap: > 'yes' > brand: | > AZW > model: | > SER > bios: | > 5800H603 > cpu: | > AMD Ryzen 7 5800H with Radeon Graphics > cpu-short: | > FIXME > chipset: | > Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne Root Complex [1022:1630] > chipset-short: | > FIXME > gpu: | > Advanced Micro Devices, Inc. [AMD/ATI] Cezanne [Radeon Vega Series / Radeon > Vega Mobile Series] [1002:1638] (rev c5) (prog-if 00 [VGA controller]) > gpu-short: | > FIXME > network: | > Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit > Ethernet Controller [10ec:8168] (rev 15) > Intel Corporation Wi-Fi 6 AX200 [8086:2723] (rev 1a) > memory: | > 29618 > scsi: | > > usb: | > 4 > certified: > 'no' > versions: > - works: > 'FIXME:yes|no|partial' > qubes: | > R4.2.0 > xen: | > 4.17.2 > kernel: | > 6.1.62-1 > remark: | > FIXME > credit: | > FIXAUTHOR > link: | > FIXLINK > > > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/gbc92TxqDjODOV7Paes3zsLMjLiaQ1rTcC9qg6bK8k8PKyQ3bxOJLrli4QgnVJ6mOzSAoUHRRgCGgNXlqzVtn0QP_FRvRUY0SWZMPhM78i4%3D%40protonmail.com. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/EGB9Fy7Bx8dUd9xqNv11QMV4_1IZ0NgwuH5bxjWQJcyhD3ANVb1h-sTcc71pImk-bFxiVeEzsc53_bwRYcys2wW79tI-MdkY96T-M4p1YhE%3D%40protonmail.com. publickey - bozoslivehere@protonmail.com - 0x25C30629.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature
[qubes-users] HCL - Beelink SER5 Ryzen 7 5800H AMD Integrated Graphics (RX Vega 8)
---layout: 'hcl' type: 'Mini PC' hvm: 'yes' iommu: 'yes' slat: 'yes' tpm: '2.0' remap: 'yes' brand: | AZW model: | SER bios: | 5800H603 cpu: | AMD Ryzen 7 5800H with Radeon Graphics cpu-short: | FIXME chipset: | Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne Root Complex [1022:1630] chipset-short: | FIXME gpu: | Advanced Micro Devices, Inc. [AMD/ATI] Cezanne [Radeon Vega Series / Radeon Vega Mobile Series] [1002:1638] (rev c5) (prog-if 00 [VGA controller]) gpu-short: | FIXME network: | Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15) Intel Corporation Wi-Fi 6 AX200 [8086:2723] (rev 1a) memory: | 29618 scsi: | usb: | 4 certified: 'no' versions: - works: 'FIXME:yes|no|partial' qubes: | R4.2.0 xen: | 4.17.2 kernel: | 6.1.62-1 remark: | FIXME credit: | FIXAUTHOR link: | FIXLINK -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/gbc92TxqDjODOV7Paes3zsLMjLiaQ1rTcC9qg6bK8k8PKyQ3bxOJLrli4QgnVJ6mOzSAoUHRRgCGgNXlqzVtn0QP_FRvRUY0SWZMPhM78i4%3D%40protonmail.com. Qubes-HCL-AZW-SER-20240302-173628.yml Description: application/yaml publickey - bozoslivehere@protonmail.com - 0x25C30629.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature
[qubes-users] Qubes-certified NovaCustom NV41 Series laptop now available with Heads firmware
Dear Qubes Community, Last year, we [announced](https://www.qubes-os.org/news/2023/05/03/novacustom-nv41-series-qubes-certified/) that the [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) became a [Qubes-certified computer](https://www.qubes-os.org/doc/certified-hardware) for Qubes OS 4. We noted in the announcement that the NV41 Series came with [Dasharo](https://www.dasharo.com/) [coreboot](https://www.coreboot.org/) open-source firmware. We are now pleased to announce that the NV41 Series is also available with [Heads firmware](https://osresearch.net/). When you [configure your NV41 Series](https://novacustom.com/product/nv41-series/), you can now choose either Dasharo coreboot+EDK-II (default) or Dasharo coreboot+Heads for the firmware. Both options are certified for Qubes OS 4. This makes the NV41 Series the first modern Qubes-certified computer available with Heads! Current NV41 Series owners who wish to change from Dasharo coreboot+EDK-II to the Heads firmware version can [buy the Dasharo Entry Subscription](https://novacustom.com/product/dasharo-entry-subscription/) for an easy transition to Heads. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/03/03/novacustom-nv41-series-with-heads-certified/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0a4b53ec-6449-4dec-a084-2c0f67ec1a1a%40qubes-os.org.
Re: [qubes-users] Ethernet socket device not available in Network Connections
[quote] my sys-net is also sys-usb because I used the USB ethernet adapter so I think this is the problem but I don't know how to fix. [/quote] I doubt that this is the problem. Have you assigned the device to sys-net in the "devices" tab of sys-net settings. When sys-net boots up, can you run `sudo journalctl -b ` in sys-net and look for any entries relating to networking devices. It may be that you need specific drivers for the NIC, so knowing what it is would be a help. -- I never presume to speak for the Qubes team. When I comment in the mailing lists I speak for myself. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZeO5oqfRsyO49pVY%40thirdeyesecurity.org.
[qubes-users] Ethernet socket device not available in Network Connections
I was using USB ethernet adapter before, but now I have enabled my laptop's own Gb socket and I would like to use this. The device is listed in lspci: > Ethernet controller: Intel Corporation Ethernet Connection blabla The device is not listed in Network Connections application. The only device there is `vif`. I know this device is working in Ubuntu which I am using before. my sys-net is also sys-usb because I used the USB ethernet adapter so I think this is the problem but I don't know how to fix. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d50f5b93-e244-4423-900d-34469b414478%40magenta.de.
[qubes-users] Where to run undervolt script?
What is the safest way to use undervolt script in Qubes? https://github.com/georgewhewell/undervolt.git This is running on Python. Is it better to use new service qube for this or can I run it in dom0/sys-net/sys-firewall? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/85e151b0-3709-441a-9f13-f17abf07ed1a%40magenta.de.
Re: [qubes-users] Screen sleep doesn't disable backlight
Neil du Preez: On 2024-02-24 16:19, ales...@magenta.de wrote: On Qubes 4,2, when the screen goes to sleep after idle time or when I lock the screen, the screen is black but the backlight is still on. Only when the system goes to Suspend is the backlight turned off. How can I fix this? Hi, I have attached screenshots of xscreensaver and power manager settings that work for me. I discovered them long ago through trial and error, but I don't remember what other combinations worked and didn't. Hope it helps. Yes this helps. Now Lock Screen backlight is off but I didn't try idle sleep yet. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bea24b39-9098-442e-a66c-65286d093038%40magenta.de.
Re: [qubes-users] Qubes 4.2 error: Failed to remove old efi boot entry.
Neil du Preez: On 2024-02-24 16:02, ales...@magenta.de wrote: In my fresh install of 4.2 this error appeared. The following error occurred while installing the boot loader. The system will not be bootable. Would you like to ignore this and continue with installation? Failed to remove old efi boot entry. This is most likely a kernel or firmware bug. But it would be nice to understand why this happens and how to fix it. You might have a setting in your BIOS that prevents boot entries from being removed. I think you are right, there is the option "boot order lock" enabled in the BIOS. I will try to use efibootmanager to fix this after I have disabled this setting. Thank you for the suggestion! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8640d9b9-8b29-484d-90bd-e1f163193749%40magenta.de.
[qubes-users] Qubes 4.2: Attach usb audio device to appvm
After upgrading to 4.2 my audio device does not work. I plug in a usb audio device, then attach that usb device to an appvm and try to use it in e.g. meet.google.com. For some reason it only works for the audio microphone or the speaker, not both. Example: 1. I attach the usb device to the appvm. 2. meet.google.com automatically switches to the new microphone, but I cannot hear anything and the speaker list does not show the usb device. 3. I then detach from the appvm and reattach the usb device to the same appvm. 4. meet.google.com does not show the usb device in the list of microphones. but somehow the "default" speaker now outputs through the usb device. In 4.1 it would either work for both mic and speaker or for none. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bff4746d-a10d-482a-a913-dc82cf5e1ab6n%40googlegroups.com.
[qubes-users] XSAs released on 2024-02-27
Dear Qubes Community, The [Xen Project](https://xenproject.org/) has released one or more [Xen security advisories (XSAs)](https://xenbits.xen.org/xsa/). The security of Qubes OS *is not affected*. ## XSAs that DO affect the security of Qubes OS The following XSAs *do affect* the security of Qubes OS: - (none) ## XSAs that DO NOT affect the security of Qubes OS The following XSAs *do not affect* the security of Qubes OS, and no user action is necessary: - [XSA-451](https://xenbits.xen.org/xsa/advisory-451.html) - Denial of service (DoS) only ## About this announcement Qubes OS uses the [Xen hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its [architecture](https://www.qubes-os.org/doc/architecture/). When the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a [Xen security advisory (XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a [Qubes security bulletin (QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only *positive* confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs cannot provide *negative* confirmation that other XSAs do *not* affect the security of Qubes OS. Therefore, we also maintain an [XSA tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS. This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2024/02/27/xsas-released-on-2024-02-27/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d21b067f-877f-4fb7-8625-8a31c04616a4%40qubes-os.org.
[qubes-users] [Qubes 4.1] issue with thunderbird after recent debian update
Hi, since a recent update, thunderbird throws artefacts on xfce screen (parts of its menu), that spawn virtual screen, survive log off & on again, but disappear if VM is closed. And re-appear when thunderbird is restarted. Very annoying! Am I alone with this type of glitch? Thanks, best, Bernhard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2fd0bfee-864c-4c14-a6d6-7200144fe994%40web.de.
Re: [qubes-users] 4.2 issue with pam_sss.so
https://github.com/QubesOS/qubes-issues/issues/8595 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/de7bbcbf-e17b-4c36-bd4b-07c53b87d81d%40hackingthe.net. OpenPGP_0x08DEA51AE90C3780.asc Description: OpenPGP public key OpenPGP_signature.asc Description: OpenPGP digital signature
Re: [qubes-users] 4.2 issue with pam_sss.so
Install sssd_client package and it goes away. On January 20, 2024 1:26:00 AM GMT+01:00, Ulrich Windl wrote: >Hi! > > >I just noticed these messages (in my upgraded Qubes OS): > >Jan 20 01:22:39 dom0 sudo[25013]: PAM unable to >dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot >open shared object file: No such file or directory >Jan 20 01:22:39 dom0 sudo[25013]: PAM adding faulty module: >/usr/lib64/security/pam_sss.so > >Am I the only one to see them? > >Regards, > >Ulrich > > >-- >You received this message because you are subscribed to the Google Groups >"qubes-users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to qubes-users+unsubscr...@googlegroups.com. >To view this discussion on the web visit >https://groups.google.com/d/msgid/qubes-users/c0dcefc4-dba7-4a3c-9085-262408f33872%40gmail.com. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0206D65D-4C02-414C-A7C4-FD9D9A98653E%40rudd-o.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
I have this you can use: https://github.com/Rudd-O/qvm-open-in-another-vm After building the package and installing it in the template, you can shut off the template, restart the qube where you want to configure link clicks to launch in another qube, and follow these instructions: https://github.com/Rudd-O/qvm-open-in-another-vm?tab=readme-ov-file#how-set-urls-to-open-in-a-separate-vm With that, any link you click on a non-browser app will prompt you to open the link in any qube of you choice. On 23/02/2024 20.57, 'Skyler Ferris' via qubes-users wrote: [quote="Ulrich_Windl1, post:8, topic:24602"] I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO. [/quote] I want to make sure we're on the same page about exactly why the quotes are removed, because it sounds like you're attributing this to `qvm-run-vm`, when in fact it is the bash invocation in the script itself. When bash (as in, the instance of bash spawned by the `#!/bin/bash` at the top of the `run-vm-firefox` script) reads the line `qvm-run-vm '$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is one single argument and the quotations are not a part of that argument". So the script does not send the quotation marks to `qvm-run-vm`. It could quote all arguments automatically and there are good justifications for doing so but it would not be a strict improvement. For example, even with double quotes globbing is disabled and some callers might want to use this feature. [quote="Demi, post:7, topic:24602"] I suggest escaping single quotes in the $1 and adding a "--" before it. This prevents command injection attacks via a malicious URL. So the result might be ```bash #!/bin/bash -- exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'" ``` [/quote] I believe this is a script improvement. The URL is not trusted data and these safeguards do not have an impact on valid inputs. -- Rudd-O https://rudd-o.com/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dd2497e1-b86c-4d88-b782-90dacdb1fcaf%40rudd-o.com. OpenPGP_signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes 4.2 error: Failed to remove old efi boot entry.
On 2024-02-24 16:02, ales...@magenta.de wrote: > In my fresh install of 4.2 this error appeared. > > > The following error occurred while installing the boot loader. The system > will not be bootable. > > Would you like to ignore this and continue with installation? > > Failed to remove old efi boot entry. This is most likely a kernel or > firmware bug. > > I ignored this and I was able to boot 4.2 with rEFInd so I have no problem. > But it would be nice to understand why this happens and how to fix it. You might have a setting in your BIOS that prevents boot entries from being removed. I once had the opposite error where the installer failed to create the entry. Adding an entry manually with efibootmgr didn't work initially either, I had to clear the CMOS before I could add an entry. It also turned out that the efibootmgr command in this section of the docs is outdated: https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty--installation-fails-with-failed-to-set-new-efi-boot-target The .efi file path was different and the "placeholder /mapbs /noexitboot" part wasn't needed in my case. Luckily I had another working Qubes machine where I could dump a working efibootmgr entry and configure the machine accordingly: Boot0001* Qubes OS HD(1,GPT,REDACTED,REDACTED,REDACTED)/File(\EFI\qubes\grubx64.efi) I haven't had time to submit a pull request to update the docs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZdrgrbF5YoPaXaai%40localhost.
[qubes-users] Screen sleep doesn't disable backlight
On Qubes 4,2, when the screen goes to sleep after idle time or when I lock the screen, the screen is black but the backlight is still on. Only when the system goes to Suspend is the backlight turned off. How can I fix this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/53938e0a-e753-4275-ab7b-a18347801e02%40magenta.de.
[qubes-users] Qubes 4.2 error: Failed to remove old efi boot entry.
In my fresh install of 4.2 this error appeared. > The following error occurred while installing the boot loader. The system will not be bootable. > Would you like to ignore this and continue with installation? > Failed to remove old efi boot entry. This is most likely a kernel or firmware bug. I ignored this and I was able to boot 4.2 with rEFInd so I have no problem. But it would be nice to understand why this happens and how to fix it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/796467e2-87b4-48e4-a229-ddebd3e69159%40magenta.de.
[qubes-users] Installation Guide needs to be updated
I followed the Installation Guide when I made my fresh install of 4.2. Some of it is not accurate any more. Actually it has not been accurate since a long time now I think. a) In the section Software: Debian and Whonix are not options there any more. This choice has been moved to later in the install. b) Create Your User Account: this has been moved to later in the install, it is part of the Installation Summary now. c) Initial Setup section: the screenshot is not accurate any more and the description does not make reference to new options. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/de938ca9-7827-44aa-94e5-1e952b88f59a%40magenta.de.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
[quote="Ulrich_Windl1, post:8, topic:24602"] I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO. [/quote] I want to make sure we're on the same page about exactly why the quotes are removed, because it sounds like you're attributing this to `qvm-run-vm`, when in fact it is the bash invocation in the script itself. When bash (as in, the instance of bash spawned by the `#!/bin/bash` at the top of the `run-vm-firefox` script) reads the line `qvm-run-vm '$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is one single argument and the quotations are not a part of that argument". So the script does not send the quotation marks to `qvm-run-vm`. It could quote all arguments automatically and there are good justifications for doing so but it would not be a strict improvement. For example, even with double quotes globbing is disabled and some callers might want to use this feature. [quote="Demi, post:7, topic:24602"] I suggest escaping single quotes in the $1 and adding a "--" before it. This prevents command injection attacks via a malicious URL. So the result might be ```bash #!/bin/bash -- exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'" ``` [/quote] I believe this is a script improvement. The URL is not trusted data and these safeguards do not have an impact on valid inputs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ed25f83c-7ca3-410a-84f0-e42baba56544%40protonmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
Hi! I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO. Kind regards, Ulrich 23.02.2024 03:34:27 'Skyler Ferris' via qubes-users : > qvm-run-vm '$dispvm' /bin/firefox "$1" -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/493871d4-495d-46b2-9334-6cef4b934642%40gmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Feb 23, 2024 at 02:34:27AM +, Qubes OS Users Mailing List wrote: > Just realized I sent this as "reply" instead of "reply all". Sorry for > the spam, Ulrich, but I want to make sure this is visible to others who > might have a similar problem. > > I think the problem is that the URL doesn't end up getting quoted on the > other end. When this is sent: > > [quote="Ulrich_Windl1, post:3, topic:24602"] > #!/bin/bash > qvm-run-vm '$dispvm' /bin/firefox "$1" > [/quote] > > The VM will end up getting the URL value with no quotes, because the > quotes in that script are only for the local bash interpreter, not sent > to `qvm-run-vm`. The whole expression is quoted in the exec line, but > bash will interpret the line so the ampersand causes a background > process to start instead of being incorporated in the URL. > > I'm not sure if this is a problem in `qvm-run-vm`. Some people might > want to take advantage of the shell interpretation. And since the caller > is able to run any arbitrary shell command anyway, problems like leaking > environment variables aren't particularly relevant (they have permission > to see that if they have permission to run arbitrary commands, and > output is returned to the caller by design). > > I would guess that updating the `run-vm-firefox` command to quote the > URL within the double-quotes will fix it. [Also note that the `$` is > deprecated, as described in this > article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols). > > The new symbol is `@`; I have only used in in policy files, but I assume > that it will work here too so long as you are running 4.1 or newer. So > the new file would look like this: > > ```bash > #!/bin/bash > qvm-run-vm '@dispvm' /bin/firefox "'$1'" > ``` I suggest escaping single quotes in the $1 and adding a "--" before it. This prevents command injection attacks via a malicious URL. So the result might be ```bash #!/bin/bash -- exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'" ``` - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXYFjsACgkQsoi1X/+c IsHcAhAApDWk48QftzKO5NKdrpelrUZLJ0whO4VK98wW4aONFGyE2UpyTcfD+Nyu wPmrdFcsyb1s1aR4T+9LRKnRe+cdad5ik7p9eDwbMEl1VKqCE5wZOiYqmOhiQ/XY RRjVNSlHiiuRhbIWGmZDQcZ5H6pOfxud0UwcxGoJ5mjoe8RezEaxQ/Keibx25mKQ uYK9WxNsk0ih7hIcaLeyCMxMwwZJmiDVP4dIfw121xh/IhrZfJ9gGBwKYLUqBl0u esz3igOu91Yz8eFODscUC5rwPoXUgdOOEpmi+I7GH7Mz2ORgg+GXgGOfPf6+gi90 DMcDCbBXR9vcLVC4OlOe6vy/KQ7YxXqJe2V7m5snmYVibDmJshBPB7gop9ZeW3gr 8JpY3/WKPgFaxtPANi+wtrZ2LhJjMiPH3B+2MHZwaHTDADExw+t9F4NqXCTwj8gO qH2z9d6tTJtDDQ+fC47xPwGfhkMHaxiEGysvmFYMfH4rCaWcRrRQpz1u0A4U1YEz wAFbtkoE6SEL7bCchcN0Ey/T4x38MWJw6u3oIRvhwGpn1VOOMnl9bQSU6EHbImy3 Cb3eg94BZIo9wkNOp7VPxiHxav1dgFJXpGy/U2J687wtmgsnImSpRqh8H+lmxsix pWl/ulZRt0EE7Y44Oo7BYJIqtPr5s+8yr8NsxM2QmAZ4nAdCH1E= =CD88 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZdgWO-3Ykm_f4bUE%40itl-email.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
Just realized I sent this as "reply" instead of "reply all". Sorry for the spam, Ulrich, but I want to make sure this is visible to others who might have a similar problem. I think the problem is that the URL doesn't end up getting quoted on the other end. When this is sent: [quote="Ulrich_Windl1, post:3, topic:24602"] #!/bin/bash qvm-run-vm '$dispvm' /bin/firefox "$1" [/quote] The VM will end up getting the URL value with no quotes, because the quotes in that script are only for the local bash interpreter, not sent to `qvm-run-vm`. The whole expression is quoted in the exec line, but bash will interpret the line so the ampersand causes a background process to start instead of being incorporated in the URL. I'm not sure if this is a problem in `qvm-run-vm`. Some people might want to take advantage of the shell interpretation. And since the caller is able to run any arbitrary shell command anyway, problems like leaking environment variables aren't particularly relevant (they have permission to see that if they have permission to run arbitrary commands, and output is returned to the caller by design). I would guess that updating the `run-vm-firefox` command to quote the URL within the double-quotes will fix it. [Also note that the `$` is deprecated, as described in this article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols). The new symbol is `@`; I have only used in in policy files, but I assume that it will work here too so long as you are running 4.1 or newer. So the new file would look like this: ```bash #!/bin/bash qvm-run-vm '@dispvm' /bin/firefox "'$1'" ``` -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9bbcc208-8883-46c9-befe-788ed663553c%40protonmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On Thu, 22 Feb 2024 22:19:21 +0100 Ulrich Windl wrote: >On 2/22/24 22:15, Ulrich Windl wrote: >> On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote: >>> >>> On Thu, 22 Feb 2024 21:25:18 +0100 >>> Ulrich Windl wrote: >>> >>>> Hi! >>>> >>>> >>>> I managed to configure Thunderbird to run any links via a DVM. However >>>> today I realized that URLs with parameters are truncated (Qubes-OS 4.2) >>>> after the first parameter it seem. >>>> >>>> For example I have the URL >>>> ../viewtopic.php?f=21=196913=1023049=1023049 >>>> >>>> When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 >>>> >>>> Unfortunately I have no idea how to debug or fix that. >>>> >>>> >>>> Kind regards, >>>> >>>> Ulrich >>>> >>> Easy work around. Setup your "default browser" to be "open in vm". >>> >> I'm confused: The URL _is_ opened in a VM; the issue is that the URL >> being passed in truncated after the first parameter it seems. >> >> https and https content type is redirected to a "run-vm-firefox" that >> contains: >> >> #!/bin/bash >> qvm-run-vm '$dispvm' /bin/firefox "$1" >> >> I would guess that qvm-run-vm has a quoting problem. >> >> >> I see that qvm-run-vm passes the parameter correctly to >> /usr/lib/qubes/qrun-in-vm. >> >> I don't know python, but these lines seems to have a problem: >> >> cmd = ' '.join(sys.argv[1:]) >> sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'", >> "'\\''")) >> > >Here's my test result: > >$ sh -x /usr/bin/qvm-run-vm @dispvm >"../viewtopic.php?f=21=196913=1023049=1023049" >+ getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm -- >@dispvm ../viewtopic.php?f=21=196913=1023049=1023049 >+ OPTS= -- '@dispvm' '../viewtopic.php?f=21=196913=1023049=1023049' >+ eval set -- -- '@dispvm' >'../viewtopic.php?f=21=196913=1023049=1023049' >+ set -- -- @dispvm ../viewtopic.php?f=21=196913=1023049=1023049 >+ [ 3 -gt 0 ] >+ shift >+ break >+ [ != 1 ] >+ [ 2 -lt 2 ] >+ [ = 1 ] >+ [ != 1 ] >+ VMNAME=@dispvm >+ shift >+ service=qubes.VMShell >+ [ != 1 ] >+ service=qubes.VMShell+WaitForSession >+ exec /usr/lib/qubes/qrexec-client-vm @dispvm >qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm >./viewtopic.php?f=21=196913=1023049=1023049 >bash: line 1: ../viewtopic.php?f=21: No such file or directory > Presuming xfce4... bash-5.2# pwd /home/user/.config bash-5.2# cat mimeapps.list [Default Applications] text/html=qvm-open-in-dvm.desktop x-scheme-handler/http=qvm-open-in-dvm.desktop x-scheme-handler/https=qvm-open-in-dvm.desktop x-scheme-handler/about=qvm-open-in-dvm.desktop x-scheme-handler/unknown=qvm-open-in-dvm.desktop application/pdf=org.gnome.Evince.desktop application/sql=org.gnome.TextEditor.desktop [Added Associations] text/plain=org.gnome.gedit.desktop; application/pdf=gimp.desktop;pdfmod.desktop;org.gnome.Evince.desktop; image/jpeg=gimp.desktop;display-im6.q16.desktop; image/png=gimp.desktop; application/sql=org.gnome.TextEditor.desktop; bash-5.2# -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240222174150.235b3f21%40yahoo.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On 2/22/24 22:15, Ulrich Windl wrote: On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote: On Thu, 22 Feb 2024 21:25:18 +0100 Ulrich Windl wrote: Hi! I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem. For example I have the URL ../viewtopic.php?f=21=196913=1023049=1023049 When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 Unfortunately I have no idea how to debug or fix that. Kind regards, Ulrich Easy work around. Setup your "default browser" to be "open in vm". I'm confused: The URL _is_ opened in a VM; the issue is that the URL being passed in truncated after the first parameter it seems. https and https content type is redirected to a "run-vm-firefox" that contains: #!/bin/bash qvm-run-vm '$dispvm' /bin/firefox "$1" I would guess that qvm-run-vm has a quoting problem. I see that qvm-run-vm passes the parameter correctly to /usr/lib/qubes/qrun-in-vm. I don't know python, but these lines seems to have a problem: cmd = ' '.join(sys.argv[1:]) sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'", "'\\''")) Here's my test result: $ sh -x /usr/bin/qvm-run-vm @dispvm "../viewtopic.php?f=21=196913=1023049=1023049" + getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm -- @dispvm ../viewtopic.php?f=21=196913=1023049=1023049 + OPTS= -- '@dispvm' '../viewtopic.php?f=21=196913=1023049=1023049' + eval set -- -- '@dispvm' '../viewtopic.php?f=21=196913=1023049=1023049' + set -- -- @dispvm ../viewtopic.php?f=21=196913=1023049=1023049 + [ 3 -gt 0 ] + shift + break + [ != 1 ] + [ 2 -lt 2 ] + [ = 1 ] + [ != 1 ] + VMNAME=@dispvm + shift + service=qubes.VMShell + [ != 1 ] + service=qubes.VMShell+WaitForSession + exec /usr/lib/qubes/qrexec-client-vm @dispvm qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm ../viewtopic.php?f=21=196913=1023049=1023049 bash: line 1: ../viewtopic.php?f=21: No such file or directory -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6b230897-f81a-4699-8b1b-081c59ae1688%40gmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote: On Thu, 22 Feb 2024 21:25:18 +0100 Ulrich Windl wrote: Hi! I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem. For example I have the URL ../viewtopic.php?f=21=196913=1023049=1023049 When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 Unfortunately I have no idea how to debug or fix that. Kind regards, Ulrich Easy work around. Setup your "default browser" to be "open in vm". I'm confused: The URL _is_ opened in a VM; the issue is that the URL being passed in truncated after the first parameter it seems. https and https content type is redirected to a "run-vm-firefox" that contains: #!/bin/bash qvm-run-vm '$dispvm' /bin/firefox "$1" I would guess that qvm-run-vm has a quoting problem. I see that qvm-run-vm passes the parameter correctly to /usr/lib/qubes/qrun-in-vm. I don't know python, but these lines seems to have a problem: cmd = ' '.join(sys.argv[1:]) sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'", "'\\''")) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/319d0c4d-8d36-4015-b1cc-d2a28cdc7510%40gmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On Thu, 22 Feb 2024 21:25:18 +0100 Ulrich Windl wrote: >Hi! > > >I managed to configure Thunderbird to run any links via a DVM. However >today I realized that URLs with parameters are truncated (Qubes-OS 4.2) >after the first parameter it seem. > >For example I have the URL >../viewtopic.php?f=21=196913=1023049=1023049 > >When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 > >Unfortunately I have no idea how to debug or fix that. > > >Kind regards, > >Ulrich > Easy work around. Setup your "default browser" to be "open in vm". -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240222155458.67e22852%40yahoo.com.
[qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
Hi! I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem. For example I have the URL .../viewtopic.php?f=21=196913=1023049=1023049 When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 Unfortunately I have no idea how to debug or fix that. Kind regards, Ulrich -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20be73b9-927d-4c90-a46f-dabeb418ce15%40gmail.com.
[qubes-users] Re: help: errors in fedora-39-minimal upgrade
Some useful information at https://github.com/QubesOS/qubes-issues/issues/8806 On Saturday, February 17, 2024 at 9:08:44 PM UTC-8 Boryeu Mao wrote: > I attempted to upgrade the fedora-39-minimal template as follows: > > sudo qubesctl --show-output --skip-dom0 > --targets=fedora-39-minimal-clone-1 state.sls update.qubes-vm > > But the process results in errors (see attached file qubesctl-f39). This > is for R4.2. Please help. Thank you. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7bfaa032-b572-4fb2-be49-53f1ae0e3125n%40googlegroups.com.
[qubes-users] Qubes OS 4.2: no more access to local ports?
I have for years done my development work using dedicated AppVMs that run podman (https://podman.io/) containers based on images from bioconductor (https://bioconductor.org/help/docker/) for project isolation and reproducibility - images are pushed on a per project basis into the registry of the gitlab instance I use. The containers run a server instance of posit's RStudio IDE (https://posit.co/products/open-source/rstudio-server) and are started mapping a local (AppVM) port to the corresponding container port (8787, both). In the AppVM, a browser is then pointed at localhost:8787 to access the IDE and work in the container. After upgrading to QubesOS 4.2 I appear no longer able to operate like that. Containers start just fine, but the browser cannot connect to the IDE. Is this a result of the new firewall engine? How to fix it? How to debug? Thank you for any pointers? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CEFA1A9C-2A3A-4580-98C2-801DEDB93A52%40graumannschaft.org.
[qubes-users] HCL Dell Precision 7730 with Qubes 4.2
HCL: --- layout: 'hcl' type: 'Notebook' hvm: 'yes' iommu: 'yes' slat: 'yes' tpm: '2.0' remap: 'yes' brand: | Dell Inc. model: | Precision 7730 bios: | 1.31.0 cpu: | Intel(R) Xeon(R) E-2176M CPU @ 2.70GHz cpu-short: | FIXME chipset: | Intel Corporation 8th Gen Core Processor Host Bridge/DRAM Registers [8086:3ec4] (rev 07) chipset-short: | FIXME gpu: | Intel Corporation Coffee Lake-S GT2 [UHD Graphics P630] [8086:3e94] (prog-if 00 [VGA controller]) NVIDIA Corporation GP104GLM [Quadro P4200 Mobile] [10de:1bb9] (rev a1) (prog-if 00 [VGA controller]) gpu-short: | FIXME network: | Intel Corporation Ethernet Connection (7) I219-LM [8086:15bb] (rev 10) Intel Corporation Wireless-AC 9260 [8086:2526] (rev 29) memory: | 32522 scsi: | usb: | 1 certified: 'no' versions: - works: 'yes' qubes: | R4.2.0 xen: | 4.17.2 kernel: | 6.1.62-1 remark: | Fussed about using btrfs, default install worked fine. credit: | nrauhauser link: | FIXLINK -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3e7eaa5d-ad68-4b3e-b37b-93f7d415347dn%40googlegroups.com.
[qubes-users] [Q4.2] Minor display resolution issue with KVM
I have more computers than keyboards so I use a KVM. I have this Debian computer that always switches back to 1024x768 whenever the KVM returns control to it. Ever since I updated my Qubes computer to 4.2, it has been doing the same thing. I keep finding myself wondering why everything looks so big then I remember I have to change the resolution back lol. This didn't happen in 4.1, and I'm guessing it could be related to xfce since both systems are running that now. Anyone here know a fix (without changing xfce)? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAALhvVbWX05wakoB2_QpiqbP-DtKpiQ9equaLJveMBBn1%3DoO5w%40mail.gmail.com.
Re: [qubes-users] Need help after a failed in-place upgrade attempt
Hello 'Haaber', Am Di., 20. Feb. 2024 um 11:10 Uhr schrieb 'haaber' via qubes-users < qubes-users@googlegroups.com>: > ... > > all updates go via tor network (sys-whonix) by default. You could click on > the blue qube widget -> sys-wonix -> run terminal and see if sys-whonix has > network. But I guess not. Here is why: > > https://www.qubes-os.org/doc/firewall/ > > I wild-guess that you are in a "half-state" where one part of the system > expects iptables, another one nftables ... > > Did you download / start to download new (debian/fedora) Templates or are > they the "old" ones? > > I did not see any other user jump to your help, and I am not good enough > to fix that alone for you. So honestly, at your place I would > > (1) backup data (again) > > (2) extract the list of manually installed packages in each of your > templates and stock them on your backup drive > > ("apt-mark showmanual > manual.packages.list" in a terminal is your > friend, no root priv needed) > > (3) re-install a clean 4.2 > > (4) replay your manual installs of packages in your templates: > > "cat manual.packages.list | apt-get install " or something of this > type should work (run as root) > > (5) restore your data. > > It's a pain and takes half a day, but I fear that it is, at the end of the > day, faster than any other solution... > > good luck! > Thanks a lot ! This is exactly the feedback I was hoping for. I'll investigate further on my side & will provide an update from my side before the end of the week ... With kind regards, Viktor -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAeSrGLY7D08tXkpExUKgmCYYAQj7_TO1hzAijspG%3D2a2i%3DuAg%40mail.gmail.com.