Re: [qubes-users] Qubes - Critique (long)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 3/18/19 10:40 PM, jrsmi...@gmail.com wrote: > “The install appeared successful. I was able to add Chromium to an > appVM. When I started the appVM and launched Chromium from the > menu... nothing! No window, no error message. I tried a number of > times (the reason for just re-trying will be mentioned below). ” > > This stood out for me and was not addressed by others, so I’ll ask > the obvious question. Did you install the software in the appVM as > you stated or did you install in the template VM the appVM was > based on? For most installed software, it needs to be installed in > the Template VM for it to be there after the appVM is bounced. > Installing in the appVM causes the install to be lost on the next > reboot of that appVM since it gets its installed software from the > Template. I usually clone the distro templates and install my stuff > there and then create appVMs with my copies. That way I can be sure > that the distro templates remain upgradable via QM. > In the template. Used the Qubes Manager to "add" Chromium to the appVM's menu. -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyQ+fEACgkQjWN9/rQY sRxddgf+N2OOb0ktEzhJzi1PvwYw12Ui6KKyhBucowacBqekRAWoiDYnMNyPlbS0 xnoZrc0gFEo++HXmmduuyrodD66chkntvdBhYmJ/n4bb1XmzOCaInBeLxghvI1xX rNMRHFMJTBL56syTmK8gRa5yvujMr9JCAig+q7AP4wrZo3xdfUZUIhZnF0wC2XNC Z2M0+Gotlbm2PBfpuAEGIK49Z9q1n1UuUP9WLVoHkVJoJ+jr/tJ2wLsC+QyfCYKr dAtHHVgiv0RKNw7bxtq3M8iSE9CnXqqtP830yHuTbVrZ+m+zJMP/rfGFDiEp9ZAK yZ4rR1Qi0E0jA5hkOs1k3lx4ZqOgLw== =CWNi -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4014dfa6-fda9-53f6-b043-f79ce8db7d1e%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
“The install appeared successful. I was able to add Chromium to an appVM. When I started the appVM and launched Chromium from the menu... nothing! No window, no error message. I tried a number of times (the reason for just re-trying will be mentioned below). ” This stood out for me and was not addressed by others, so I’ll ask the obvious question. Did you install the software in the appVM as you stated or did you install in the template VM the appVM was based on? For most installed software, it needs to be installed in the Template VM for it to be there after the appVM is bounced. Installing in the appVM causes the install to be lost on the next reboot of that appVM since it gets its installed software from the Template. I usually clone the distro templates and install my stuff there and then create appVMs with my copies. That way I can be sure that the distro templates remain upgradable via QM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bf835842-6253-4b3b-83de-d43d3fde6362%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
On Fri, 15 Mar 2019 21:31:02 -0500 John Goold wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA256 > >*A Critique of Qubes* > >Before discussing Qubes, I want to give you a bit of background about >me. I do not want to tell my life-story, I doubt anyone is interested. >However, I want you to know "where I am coming from" and what I want >from Qubes. I am keeping in mind that what I want is just that and >Qubes may not be intended to satisfy, or interest in satisfying my >wants and needs -- that is, I may simply be part of the wrong >demographic. > >* Retired roughly 2 decades >* 73 years old >* Degree in Computer Science >* Started out programming mainframes in Assembly Language (machine > code) >* Later, large-scale software development (various roles) -- R & D, > telecoms and mission-critical apps (those involved in health-care are > regulated) >* Proprietary H/W and OSes, then various Unixes. > >I am not paranoid over privacy and security, but I recognize there are >many individuals who, rightfully, fear for their privacy and anonymity >- -- their livelihood and even their lives may depend on it. > >Wants: > >* Reliability -- do not fail on me or, if something goes wrong, fail > gracefully. >* Reasonable security -- more than is provided by the more standard > Linux distributions (I am a fan of Linux Mint). >* Reasonable privacy (I hope that is not an oxymoron); though perhaps > it is too late in the game for me (though I have never been a fan of > social media, or anything Google) >* No need to spend large amounts of time tinkering with my basic > personal computer setup. >* Ease of use and administration, including software installation. >* GUI for virtually everything unless there is a really, really, really > good reason to use a CLI. Do not get me wrong, I am comfortable with > CLI's, but I do not want to spend my time researching various Linux > administration tools. Consider me lazy if you wish. >* No need to build my own tools to use Qubes (I do some website and > server- side development to keep the neurons firing -- I can do all > the programming I want in that environment). > >Basically, my personal computer(s) is a tool. If I write some software >on it, that software will be for some other purpose and not to >complement the OS. > >- - > >Critique: > >I started using Qubes for my main computer about two months ago. I had >previously experimented with release 3.2 and 4.0 on my HP laptop and >ran into various problems -- discussed by many users ad nausium in >qubes-users. I got a nice little desktop computer for Christmas (from >my wife :-) -- an Intel NUC7i7 (32 GB RAM, 512 GB SSD). > >So I started from the beginning. Installing Qubes 4.0.1 was relatively >straightforward, although it did require researching the use of a USB >mouse and keyboard. > >Basic configuration was no worse than any Linux distribution I have >played with. Software installation was not as straightforward. I was >forced into using the CLI (I do have two proprietary programs: VueScan >and Bcompare). Installing other software can be problematic. I >installed Chromium. The install appeared successful. I was able to add >Chromium to an appVM. When I started the appVM and launched Chromium >from the menu... nothing! No window, no error message. I tried a number >of times (the reason for just re-trying will be mentioned below). > >Issues... > >* When launching a program from the Qubes menu, particularly if the > target appVM has to be started, the program often fails to be > launched. This happens very frequently with the Text Editor. > > This is annoying as one waits a bit in case one is simply being > impatient, or at least I do, so as not to launch two copies of the > program by accident. > >* When a USB device is attached to an appVM, there is an appropriate > notification. When it is detached, there is a notification that the > device is being detached, but no notification to indicate that it has > been successfully detached so how long should one wait before > unplugging it? > >* Ignoring whonix (I do not use it... yet), there are two template VMs > in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However, > they have not been treated equally, with Debian being the loser. The > Qubes documentation indicates that Fedora was favoured for security > reasons. > > Since I had been using Linux distributions based, directly or > indirectly, on Debian, when I first set up Qubes, I created my appVMs > based on Debian. That was painful as I then had to install a lot of > basic software. > > When I re-read the documentation, I realized the security reasons, > so I switched all my appVMs (except one!) back to Fedora. It was not > painful, but I would have rather have spent the time doing something > else. > > The kicker came when Firefox stopped playing Flash content in my > untrusted appVM, complaining that
Re: [qubes-users] Qubes - Critique (long)
John Goold: On 3/16/19 6:35 PM, js...@bitmessage.ch wrote: [Question] So, what do other Qubes users do to protect their families in case they die/get killed, get imprisoned, go missing? In addition to (very) occasional full backups using default qubes tools, i also backup important data to an external hard drive with a luks encrypted partition, so it can be easily accessed outside of qubes if needed. But that still needs someone (spouse, child, executor of your estate) to have access to a key phrase (if that is the right term). What about bank account numbers, etc. If you use KeePassX 2 or similar, what about access to it? Do you have the necessary passwords written down with instructions, sealed in an envelope and stored in a safety deposit box? Something else? We tend to keep more and more financial, legal and medical information on our personal computers rather than keeping paper copies (I am an old guy but my wife and I keep everything in electronic form unless required by law to keep a paper copy -- so I expect the "younger" crowd probably tends to do so as well). We keep at least two backups of such data -- copies to our shared file server and backups to external drives. One of our children has the master password to our password vaults -- there is a non-negligible possibility that both of us could be badly hurt (or killed) in the same accident (e.g. plane or car crash). Anyway, with our emphasis on Qubes and security, I was curious about this other aspect of people's affairs. Do you have all your important data locked down in Qubes so *only* you can get at it? John I'm the only one who can get into my qubes box. Actually i've been thinking about it since you started this thread but i'm not sure of the best way to solve that problem of giving someone trusted access to important data if needed. i've neglected that so far (i guess i've been pretending i'm immortal?) Anyways, first it has to be someone i really trust, since there really isn't a good way to make sure they have access after i die but they don't have access before (although maybe something like that could be worked out with the safe deposit box you mentioned?) And second is the problem of preventing access by people other than the trusted person. I can write down a passphrase for them and put it in an envelope, and tell them don't open it unless i die, but then my passphrase is written down and anyone who gains access to the envelope can get access to my important data. And third is the problem that the only people i *really* trust are probably going to die before i do, but that's not exactly a technical problem.. Anyways, if you have a keepassx database you can just put it on a flash drive or some other storage since the database file is encrypted, but anyone you want to access it will still have to have a passphrase either way. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9252e5b0-1458-9aa6-5b2b-af2f6a8fe487%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 3/16/19 6:35 PM, js...@bitmessage.ch wrote: > >> [Question] So, what do other Qubes users do to protect their >> families in case they die/get killed, get imprisoned, go >> missing? > > In addition to (very) occasional full backups using default qubes > tools, i also backup important data to an external hard drive with > a luks encrypted partition, so it can be easily accessed outside of > qubes if needed. > But that still needs someone (spouse, child, executor of your estate) to have access to a key phrase (if that is the right term). What about bank account numbers, etc. If you use KeePassX 2 or similar, what about access to it? Do you have the necessary passwords written down with instructions, sealed in an envelope and stored in a safety deposit box? Something else? We tend to keep more and more financial, legal and medical information on our personal computers rather than keeping paper copies (I am an old guy but my wife and I keep everything in electronic form unless required by law to keep a paper copy -- so I expect the "younger" crowd probably tends to do so as well). We keep at least two backups of such data -- copies to our shared file server and backups to external drives. One of our children has the master password to our password vaults -- there is a non-negligible possibility that both of us could be badly hurt (or killed) in the same accident (e.g. plane or car crash). Anyway, with our emphasis on Qubes and security, I was curious about this other aspect of people's affairs. Do you have all your important data locked down in Qubes so *only* you can get at it? John -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyNmBMACgkQjWN9/rQY sRyUAwgAggvJpp6yKTRGfsM+W3EmkAb/nS/reESCCFbyifgFgqr5b2IWclFzZyAi Nra9Q3KiuCaj4rS4YduTE0HcEsFKNoj9fY/mkS+EalriIhyw4DWMeoupZ/q4Nun1 7pbLiPKDhJAccLo1ZNEsQQYpgGnUhUMeR3hFhdawgerss9TASt8lInmnfTNrp9ei uv5l7LOc/sAgy0yEvqYqxJFKIA70xgThK/SWHcqwQx02TX5LCAPXAtM4VFNAw08U BbL+wNUp8c/FcZ2dELtH2iy2Hyraj11b2UCDh7QXv/Uih6358hqkfIT+PZWpyVJq DpLe09Ef5FuWltS4HGVqvDJl+4kjKg== =urg+ -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dd6ac889-070c-cc83-6cc7-a5d1733cd78a%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
Hi John, John Goold: * When launching a program from the Qubes menu, particularly if the target appVM has to be started, the program often fails to be launched. This happens very frequently with the Text Editor. This is annoying as one waits a bit in case one is simply being impatient, or at least I do, so as not to launch two copies of the program by accident. I experience that too on debian (i don't use fedora appvms). As Chris said it's a longstanding bug with gnome apps like nautilus and gedit. Actually i much prefer the nemo window manager, i think it's great and much better than nautilus (dolphin works too but i don't like it as much). You can install whatever window manager you want in the template and use it in your appvms. By the way does anyone know how to add the qubes specific functions (move/copy to vm, open in dispvm) to the context menu in nemo? It would be nice to not have to switch to nautilus for those functions (i know i can use cli for it too tho). * Ignoring whonix (I do not use it... yet), there are two template VMs in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However, they have not been treated equally, with Debian being the loser. The Qubes documentation indicates that Fedora was favoured for security reasons. I'm also not sure about this. My understanding is that debian is actually better than fedora from a security standpoint because of how updates are done (fedora updates being more vulnerable to man in the middle attacks). At least for some people, it seems Debian is a necessity, but it is not given the attention it deserves. At a minimum, a GUI software installer should be included in the Qubes distribution which would make it much easier for people to install other software they feel inclined to use. I'm not sure about the default debian template in 4.0, but i remember the default debian 8 template in 3.2 had a gui package install/update tool (labelled "Packages" or "Package Updates" or something like that). I remember using it a few times, but i mainly just use cli to install software. If the new debian template doesn't have that by default, as airelemental said you can install one. Using Linux and now Qubes, I not only do not shutdown the computer (i.e. power-off), but I do not logout -- I simply "Lock the Screen" and power-off my monitor. I do the opposite, i reboot every day, and i never had any problems with copy and paste between qubes, and i very rarely have other problems like crashes. I would at least reboot after installing dom0 updates. [Question] So, what do other Qubes users do to protect their families in case they die/get killed, get imprisoned, go missing? In addition to (very) occasional full backups using default qubes tools, i also backup important data to an external hard drive with a luks encrypted partition, so it can be easily accessed outside of qubes if needed. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5fdb49c0-bf55-98b3-8306-af7e4aeb4311%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
On 3/16/19 1:39 PM, Andrew David Wong wrote: I agree that backups are the best assurance, but this is in no way Qubes-specific. I'd say the same thing about any operating system. However, Qubes does require the use of snapshot-capable storage for reasonable efficiency and this is not yet Linux' strength. Here's where Chris and I disagree. I've been using Qubes' built-in backup functionality for many years to great effect. Granted, I usually run it overnight, so time and system load aren't concerns for me. It just depends on your needs. I was probably too vague here. The idea was that, apart from the issue of backups, storage integrity on a Linux COW layer (Thin LVM, Btrfs) isn't regarded as top-notch. But I think this is more true of Thin LVM than Btrfs. Someone wishing to guard against data loss on their Qubes+Linux system in the first place (which seems to be an issue for John) could be excused for thinking their options are not the best. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bc140a0f-0ba9-79db-321a-42be5f8a8c03%40posteo.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thank you, John, for sharing your thoughts with us, and thank you, Chris, for taking the time for a detailed reply. I'll offer what I can on just a few points. On 16/03/2019 6.31 AM, Chris Laprise wrote: > Hi John, > > That's an interesting background and list of wants. I've been using > Qubes for some time and can try to address a few of your issues. > > [...] > >> >> The kicker came when Firefox stopped playing Flash content in my >> untrusted appVM, complaining that I needed an up to date >> version of Flash. I installed the most recent version, but that >> did not solve the problem. The problem is/ was something to do >> with Fedora (or the version of Firefox for Fedora or ??). > > I haven't used Flash in a long time so I can't help there. In > general its best to find an alternative that doesn't rely on > Flash, which is becoming a dead format. Typically Flash is replaced > by HTML5 web apps (and most websites have made this switch > automatic). > You might want to try the Google Chrome browser for this. (You may need to enable its built-in flash functionality if it's disabled by default.) > [...] > >> My Bottom Line: >> >> I can live with most of the issues described above. What I >> cannot live with (and worry about) are stability and reliability >> issues. >> I, too, am primarily concerned about stability and reliability (after security, of course). > [...] > >> >> I need some reasonable assurance that data corruption on disk >> has a very low probability. I need some reasonable assurance >> that the operating system (the combination of Xen and dom0) is >> stable. > In my experience, the probability of data corruption on disk is no higher (and perhaps even lower) on Qubes than on other more conventional operating systems. The only kind of instability I've experienced infrequently in the past on Qubes were crashes (e.g., spontaneous reboots), but I've never had any lost or corrupted data on disk from such events. I've also experienced plenty of BSODs on Windows, so I think Qubes is batting pretty well on stability. > The best assurance is regular backups. I don't know what caused > your glitch but I've had vanishingly few on Qubes myself since > 2013. > I agree that backups are the best assurance, but this is in no way Qubes-specific. I'd say the same thing about any operating system. > However, Qubes does require the use of snapshot-capable storage for > reasonable efficiency and this is not yet Linux' strength. > Here's where Chris and I disagree. I've been using Qubes' built-in backup functionality for many years to great effect. Granted, I usually run it overnight, so time and system load aren't concerns for me. It just depends on your needs. > [...] > > I hope this response helps you out some. Right now Qubes appears > to be in a state that's mostly suitable for "security techies"; > There is certainly room for improvement and your critique has made > me think that some new issues need to be opened to help address > the usability issues. > Agreed. I think that many of us have been motivated to become "security techies" by our desire to use Qubes. This isn't a bad thing in itself (it's good to learn new skills), but we don't want it to be a requirement either. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlyNNKgACgkQ203TvDlQ MDBuaBAAiaf05nx3+JYRaVibrmofz+8/auIs3xdHkEI0pXrAlKEg6+Q98k6lnnrw SdK+vnGl249aINJI7uJ5swx6zK+rsCR1rXp25lBT6AFpwfTefbXrIcMVcuXGfj8F XTWiyeb2Tw5ooKfrbYuXGTtrN9O4OQ/q5/r9GY2oSsj3/lf8KiMH7KkxFbgLMSUh oCrZ2BrmvpqFm90paB4C4nqCfe/2HTDKjcIHSL01H0FfAhhGp0hLymwQtpVy0atr 80OKQc0LDc0i/w6tIhDQfWDVVAThVyEYF15tSUNDi6eE9BvNqijrN0zYs+La5pTS AS1Cy1DHdO/ksM0U/083LDo592oKvHdME0XggbBwBVamLvp8wcf4qaLqy83XDbuR 1EgWaPoB5Y8xmQptPJd9ZV93do3p0MuYnpzU+JM6a6U02gW1DQA6apFMvPotxYYE s9djUGQ7b13R+udbfDqVebrnlf5f+OovZJvZgdQI2gKOMBXe9ZfKAMH1zH8tDcyc i15diwQ5tSjk70Fiiw/knrxtNDVcHnF/bFq1vQirAsSCCLQvS8CMue4zDzBOSvND 5OPCTdW5VXm7ieCoT+K2uHq+bVdqIf8vzBf67bkG+m1RXBnXLZvnSUbkgPWeBD2N kbvgpBoKUVRoDi5q42EDVuPZ/M0h2sQPqUZZSTsQxETh7JiAg70= =zU1k -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3014fc66-e2f2-0dd6-1fea-9ae9542d0022%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
Mar 16, 2019, 2:31 AM by jrg.desk...@gmail.com: > Issues... > > * When launching a program from the Qubes menu, particularly if the > target appVM has to be started, the program often fails to be > launched. This happens very frequently with the Text Editor. > Interesting, my experience is limited to mostly debian-based templates and for those, the only program that fails to start from the menu is gnome-terminal. > Since I had been using Linux distributions based, directly or > indirectly, on Debian, when I first set up Qubes, I created my appVMs > based on Debian. That was painful as I then had to install a lot of > basic software. > > When I re-read the documentation, I realized the security reasons, > so I switched all my appVMs (except one!) back to Fedora. It was not > painful, but I would have rather have spent the time doing something > else. > > I've never come across guidance favoring Fedora over Debian in the docs. Can you provide a link? > Since Firefox and Flash were working fine on my Linux Mint laptop > (which I use "to play with"), I re-based my untrusted appVM on Debian > and, lo and behold, Firefox and Flash worked just fine. This, by the > way, was when I attempted to use Chromium. > This is how I used to get flash working too - chromium + some flash plugin on a debian-based appvm. Thankfully flash is dying and I don't need it anymore. > At least for some people, it seems Debian is a necessity, but it is > not given the attention it deserves. At a minimum, a GUI software > installer should be included in the Qubes distribution which would > make it much easier for people to install other software they feel > inclined to use. > I think the policy is that Qubes defers to the distro. So if the distro doesn't have a GUI installer, than the template won't, and it sounds like it would be out of scope for Qubes to provide a GUI installer. On the flip side, if the distro has an optional GUI package manager, it should work. For example, for debian, have you tried installing synaptic in the template? > * Screenshot only appears to work from Qubes Tools. I can "add" > "Screenshot" to appVMVs based on Fedora (but not on Debian). But it > does not work -- The dialog comes up but, having chosen to select an > area, I cannot do so. > Subsequent attempts to use Screenshot do not even present a dialog. > > Although I have not seen this documented anywhere (which does not > mean it is not), it seems logical -- dom0 owns the screen (monitor), > so it makes sense that it handles screenshots. However, that means > screenshots are saved in dom0 and have to be moved (or, I suppose, > copied) to the desired appVM. It seems a bit awkward. If one is in a > program in an appVM and decides a screenshot would be nice, it is > probably focussed on that window or a portion of it. Since the OS > displaying the window "knows" what it is displaying, it seems logical > that some kind of screenshot could be made by that OS, but restricted > to its window. > It *would* be nice if you could right-click a file in dom0 and send to VM using the VM picker. Useful for screenshots and log files, for GUI-inclined users. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/La6VTzm--3-1%40tutanota.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 3/16/19 7:42 AM, Mike Keehan wrote: > > As for Flash, it is a pain. Our BBC still uses it extensively, so > I have to manually download it occasionally and copy the library > file into the appVMs .mozilla directory when necessary. > Hi Mike, What a coincidence! I live in Canada, but use the BBC website on a daily basis for news and interesting articles. It is really the only reason I need Flash. Cheers, John -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyNAl0ACgkQjWN9/rQY sRwJNAf7BWyeG2BfTKJTSFFjTafLrv384+foZ3D1SVEQ587GSaGr8xReuxa8pbaw Vz4qb0+BnMgr7jQ9audWijZWmhwJGx/IuLmUxbrKfQ2s6RhvvKCeBWox9oWrsT5p Lh9J8Ek3QCNStSFNPhIqUT3dXLouYeQ3LQCzXbNafV4HTMyvMzmNkkGKZnWmdnIm 45TiHzx1jiRLH30VjgtSgD55QEyGzi6bMPjIK/n9IdQrgmN/evvvF7PSWsQiE3au C6SyH9RBhfPAzHYY6gopbUcbr2R7sYUugIlu6cA25O0av5vzX+wxxV0ZrwIqvAOq w5HuvElorhVHTAbEjR22brJZVtnZBA== =J3rz -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c259349c-4dfd-c777-5fc3-5b22736aef8a%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
On Fri, 15 Mar 2019 21:31:02 -0500 John Goold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > *A Critique of Qubes* > Hi John, What a nice read, thank you. I have a very similar background, and age, so I was very interested to read your story. I've been using Qubes now for a few years, and love it. Have had very little problem with it; have used and restored using the builtin backup scheme; and have updated without problem using just the normal, stable repositories. The one thing I can suggest that I do differently to you, is that I power down my laptop, and boot up afresh each day. Have always done this during my professional life (wasn't any choice early on as there was no suspend option), and I can say that I have not experienced any of the launch issues you described, nor any copy/paste issues between VMs, not that I do much of that. As for Flash, it is a pain. Our BBC still uses it extensively, so I have to manually download it occasionally and copy the library file into the appVMs .mozilla directory when necessary. Anyway, best of luck, Mike. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190316124251.274962b1.mike%40keehan.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
Hi John, That's an interesting background and list of wants. I've been using Qubes for some time and can try to address a few of your issues. On 3/15/19 10:31 PM, John Goold wrote: Issues... * When launching a program from the Qubes menu, particularly if the target appVM has to be started, the program often fails to be launched. This happens very frequently with the Text Editor. This is annoying as one waits a bit in case one is simply being impatient, or at least I do, so as not to launch two copies of the program by accident. This well-known bug appears to center on programs based on Gtk+ and/or Gnome. The only way to consistently avoid it is to install Qt/KDE or other non-Gtk+ software in the templates. KDE works well and Debian+KDE is what the Whonix templates are based on. The steps on Debian 9: $ sudo apt-get remove gnome* $ sudo apt-get install gnome-icon-theme task-kde-desktop $ su -c "echo export XDG_CURRENT_DESKTOP=KDE >/etc/profile.d/qkde.sh" After that, you'll need to adjust the Applications tab in the template's Settings, and possibly for some of the VMs that are based on it. (Also switching dom0 to KDE is an option, and this has solved a raft of usability issues for me.) * When a USB device is attached to an appVM, there is an appropriate notification. When it is detached, there is a notification that the device is being detached, but no notification to indicate that it has been successfully detached so how long should one wait before unplugging it? There is probably no delay required but a couple of seconds suffices for me. * Ignoring whonix (I do not use it... yet), there are two template VMs in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However, they have not been treated equally, with Debian being the loser. The Qubes documentation indicates that Fedora was favoured for security reasons. IIRC there is mention that Fedora was chosen for convenience, not security. Fedora actually presents a security problem for Qubes and there is an open issue for moving Qubes off of it. The problem with the Debian template is that its not preconfigured with an array of familiar apps, and when you do add them some of the default file/app associations remain set to unfriendly substitutes (like text files being associated to emacs, pictures set to imagemagik or gimp, etc.). Switching to KDE has set these associations to reasonable defaults. Its also doesn't have the full set of kernel firmware packages installed but that's easy to remedy. Since I had been using Linux distributions based, directly or indirectly, on Debian, when I first set up Qubes, I created my appVMs based on Debian. That was painful as I then had to install a lot of basic software. When I re-read the documentation, I realized the security reasons, so I switched all my appVMs (except one!) back to Fedora. It was not painful, but I would have rather have spent the time doing something else. I would like to know where it says this about security. Most Qubes users consider Debian to be (in general) more secure. The open issue for migration away from Fedora is at: https://github.com/QubesOS/qubes-issues/issues/1919 The kicker came when Firefox stopped playing Flash content in my untrusted appVM, complaining that I needed an up to date version of Flash. I installed the most recent version, but that did not solve the problem. The problem is/ was something to do with Fedora (or the version of Firefox for Fedora or ??). I haven't used Flash in a long time so I can't help there. In general its best to find an alternative that doesn't rely on Flash, which is becoming a dead format. Typically Flash is replaced by HTML5 web apps (and most websites have made this switch automatic). * Screenshot only appears to work from Qubes Tools. I can "add" "Screenshot" to appVMVs based on Fedora (but not on Debian). But it does not work -- The dialog comes up but, having chosen to select an area, I cannot do so. Subsequent attempts to use Screenshot do not even present a dialog. Although I have not seen this documented anywhere (which does not mean it is not), it seems logical -- dom0 owns the screen (monitor), so it makes sense that it handles screenshots. However, that means screenshots are saved in dom0 and have to be moved (or, I suppose, copied) to the desired appVM. It seems a bit awkward. If one is in a program in an appVM and decides a screenshot would be nice, it is probably focussed on that window or a portion of it. Since the OS displaying the window "knows" what it is displaying, it seems logical that some kind of screenshot could be made by that OS, but restricted to its window. If not, why is it possible to "add" Screenshot to an appVM? Qubes doesn't limit which apps can be installed in templates. So this is considered more of a "sensible default
[qubes-users] Qubes - Critique (long)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 *A Critique of Qubes* Before discussing Qubes, I want to give you a bit of background about me. I do not want to tell my life-story, I doubt anyone is interested. However, I want you to know "where I am coming from" and what I want from Qubes. I am keeping in mind that what I want is just that and Qubes may not be intended to satisfy, or interest in satisfying my wants and needs -- that is, I may simply be part of the wrong demographic. * Retired roughly 2 decades * 73 years old * Degree in Computer Science * Started out programming mainframes in Assembly Language (machine code) * Later, large-scale software development (various roles) -- R & D, telecoms and mission-critical apps (those involved in health-care are regulated) * Proprietary H/W and OSes, then various Unixes. I am not paranoid over privacy and security, but I recognize there are many individuals who, rightfully, fear for their privacy and anonymity - -- their livelihood and even their lives may depend on it. Wants: * Reliability -- do not fail on me or, if something goes wrong, fail gracefully. * Reasonable security -- more than is provided by the more standard Linux distributions (I am a fan of Linux Mint). * Reasonable privacy (I hope that is not an oxymoron); though perhaps it is too late in the game for me (though I have never been a fan of social media, or anything Google) * No need to spend large amounts of time tinkering with my basic personal computer setup. * Ease of use and administration, including software installation. * GUI for virtually everything unless there is a really, really, really good reason to use a CLI. Do not get me wrong, I am comfortable with CLI's, but I do not want to spend my time researching various Linux administration tools. Consider me lazy if you wish. * No need to build my own tools to use Qubes (I do some website and server- side development to keep the neurons firing -- I can do all the programming I want in that environment). Basically, my personal computer(s) is a tool. If I write some software on it, that software will be for some other purpose and not to complement the OS. - - Critique: I started using Qubes for my main computer about two months ago. I had previously experimented with release 3.2 and 4.0 on my HP laptop and ran into various problems -- discussed by many users ad nausium in qubes-users. I got a nice little desktop computer for Christmas (from my wife :-) -- an Intel NUC7i7 (32 GB RAM, 512 GB SSD). So I started from the beginning. Installing Qubes 4.0.1 was relatively straightforward, although it did require researching the use of a USB mouse and keyboard. Basic configuration was no worse than any Linux distribution I have played with. Software installation was not as straightforward. I was forced into using the CLI (I do have two proprietary programs: VueScan and Bcompare). Installing other software can be problematic. I installed Chromium. The install appeared successful. I was able to add Chromium to an appVM. When I started the appVM and launched Chromium from the menu... nothing! No window, no error message. I tried a number of times (the reason for just re-trying will be mentioned below). Issues... * When launching a program from the Qubes menu, particularly if the target appVM has to be started, the program often fails to be launched. This happens very frequently with the Text Editor. This is annoying as one waits a bit in case one is simply being impatient, or at least I do, so as not to launch two copies of the program by accident. * When a USB device is attached to an appVM, there is an appropriate notification. When it is detached, there is a notification that the device is being detached, but no notification to indicate that it has been successfully detached so how long should one wait before unplugging it? * Ignoring whonix (I do not use it... yet), there are two template VMs in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However, they have not been treated equally, with Debian being the loser. The Qubes documentation indicates that Fedora was favoured for security reasons. Since I had been using Linux distributions based, directly or indirectly, on Debian, when I first set up Qubes, I created my appVMs based on Debian. That was painful as I then had to install a lot of basic software. When I re-read the documentation, I realized the security reasons, so I switched all my appVMs (except one!) back to Fedora. It was not painful, but I would have rather have spent the time doing something else. The kicker came when Firefox stopped playing Flash content in my untrusted appVM, complaining that I needed an up to date version of Flash. I installed the most recent version, but that did not solve the problem. The problem is/ was something to do with Fedora