Re: [qubes-users] Qubes - Critique (long)

2019-03-19 Thread John Goold
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 3/18/19 10:40 PM, jrsmi...@gmail.com wrote:
> “The install appeared successful. I was able to add Chromium to an
> appVM. When I started the appVM and launched Chromium from the
> menu... nothing! No window, no error message. I tried a number of
> times (the reason for just re-trying will be mentioned below). ”
> 
> This stood out for me and was not addressed by others, so I’ll ask
> the obvious question. Did you install the software in the appVM as
> you stated or did you install in the template VM the appVM was
> based on?  For most installed software, it needs to be installed in
> the Template VM for it to be there after the appVM is bounced.
> Installing in the appVM causes the install to be lost on the next
> reboot of that appVM since it gets its installed software from the
> Template. I usually clone the distro templates and install my stuff
> there and then create appVMs with my copies. That way I can be sure
> that the distro templates remain upgradable via QM.
> 
In the template. Used the Qubes Manager to "add" Chromium to the
appVM's menu.
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyQ+fEACgkQjWN9/rQY
sRxddgf+N2OOb0ktEzhJzi1PvwYw12Ui6KKyhBucowacBqekRAWoiDYnMNyPlbS0
xnoZrc0gFEo++HXmmduuyrodD66chkntvdBhYmJ/n4bb1XmzOCaInBeLxghvI1xX
rNMRHFMJTBL56syTmK8gRa5yvujMr9JCAig+q7AP4wrZo3xdfUZUIhZnF0wC2XNC
Z2M0+Gotlbm2PBfpuAEGIK49Z9q1n1UuUP9WLVoHkVJoJ+jr/tJ2wLsC+QyfCYKr
dAtHHVgiv0RKNw7bxtq3M8iSE9CnXqqtP830yHuTbVrZ+m+zJMP/rfGFDiEp9ZAK
yZ4rR1Qi0E0jA5hkOs1k3lx4ZqOgLw==
=CWNi
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4014dfa6-fda9-53f6-b043-f79ce8db7d1e%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-18 Thread jrsmiley
“The install appeared successful. I was able to add 
Chromium to an appVM. When I started the appVM and launched Chromium 
from the menu... nothing! No window, no error message. I tried a number 
of times (the reason for just re-trying will be mentioned below). ”

This stood out for me and was not addressed by others, so I’ll ask the obvious 
question. Did you install the software in the appVM as you stated or did you 
install in the template VM the appVM was based on?  For most installed 
software, it needs to be installed in the Template VM for it to be there after 
the appVM is bounced. Installing in the appVM causes the install to be lost on 
the next reboot of that appVM since it gets its installed software from the 
Template. I usually clone the distro templates and install my stuff there and 
then create appVMs with my copies. That way I can be sure that the distro 
templates remain upgradable via QM.  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bf835842-6253-4b3b-83de-d43d3fde6362%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-18 Thread Stuart Perkins



On Fri, 15 Mar 2019 21:31:02 -0500
John Goold  wrote:

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>*A Critique of Qubes*
>
>Before discussing Qubes, I want to give you a bit of background about
>me. I do not want to tell my life-story, I doubt anyone is interested.
>However, I want you to know "where I am coming from" and what I want
>from Qubes. I am keeping in mind that what I want is just that and
>Qubes may not be intended to satisfy, or interest in satisfying my
>wants and needs -- that is, I may simply be part of the wrong
>demographic.
>
>* Retired roughly 2 decades
>* 73 years old
>* Degree in Computer Science
>* Started out programming mainframes in Assembly Language (machine
>  code)
>* Later, large-scale software development (various roles) -- R & D,
>  telecoms and mission-critical apps (those involved in health-care are
>  regulated)
>* Proprietary H/W and OSes, then various Unixes.
>
>I am not paranoid over privacy and security, but I recognize there are
>many individuals who, rightfully, fear for their privacy and anonymity
>- -- their livelihood and even their lives may depend on it.
>
>Wants:
>
>* Reliability -- do not fail on me or, if something goes wrong, fail
>  gracefully.
>* Reasonable security -- more than is provided by the more standard
>  Linux distributions (I am a fan of Linux Mint).
>* Reasonable privacy (I hope that is not an oxymoron); though perhaps
>  it is too late in the game for me (though I have never been a fan of
>  social media, or anything Google)
>* No need to spend large amounts of time tinkering with my basic
>  personal computer setup.
>* Ease of use and administration, including software installation.
>* GUI for virtually everything unless there is a really, really, really
>  good reason to use a CLI. Do not get me wrong, I am comfortable with
>  CLI's, but I do not want to spend my time researching various Linux
>  administration tools. Consider me lazy if you wish.
>* No need to build my own tools to use Qubes (I do some website and
>  server- side development to keep the neurons firing -- I can do all
>  the programming I want in that environment).
>
>Basically, my personal computer(s) is a tool. If I write some software
>on it, that software will be for some other purpose and not to
>complement the OS.
>
>- -
>
>Critique:
>
>I started using Qubes for my main computer about two months ago. I had
>previously experimented with release 3.2 and 4.0 on my HP laptop and
>ran into various problems -- discussed by many users ad nausium in
>qubes-users. I got a nice little desktop computer for Christmas (from
>my wife :-) -- an Intel NUC7i7 (32 GB RAM, 512 GB SSD).
>
>So I started from the beginning. Installing Qubes 4.0.1 was relatively
>straightforward, although it did require researching the use of a USB
>mouse and keyboard.
>
>Basic configuration was no worse than any Linux distribution I have
>played with. Software installation was not as straightforward. I was
>forced into using the CLI (I do have two proprietary programs: VueScan
>and Bcompare). Installing other software can be problematic. I
>installed Chromium. The install appeared successful. I was able to add
>Chromium to an appVM. When I started the appVM and launched Chromium
>from the menu... nothing! No window, no error message. I tried a number
>of times (the reason for just re-trying will be mentioned below).
>
>Issues...
>
>* When launching a program from the Qubes menu, particularly if the
>  target   appVM has to be started, the program often fails to be
>  launched. This happens very frequently with the Text Editor.
>
>  This is annoying as one waits a bit in case one is simply being
>  impatient, or at least I do, so as not to launch two copies of the
>  program by accident.
>
>* When a USB device is attached to an appVM, there is an appropriate
>  notification. When it is detached, there is a notification that the
>  device is being detached, but no notification to indicate that it has
>  been successfully detached  so how long should one wait before
>  unplugging it?
>
>* Ignoring whonix (I do not use it... yet), there are two template VMs
>  in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However,
>  they have not been treated equally, with Debian being the loser. The
>  Qubes documentation indicates that Fedora was favoured for security
>  reasons.
>
>  Since I had been using Linux distributions based, directly or
>  indirectly, on Debian, when I first set up Qubes, I created my appVMs
>  based on Debian. That  was painful as I then had to install a lot of
>  basic software.
>
>  When I re-read the documentation, I realized the security reasons,
>  so I switched all my appVMs (except one!) back to Fedora. It was not
>  painful, but I would have rather have spent the time doing something
>  else.
>
>  The kicker came when Firefox stopped playing Flash content in my
>  untrusted appVM, complaining 

Re: [qubes-users] Qubes - Critique (long)

2019-03-17 Thread jsnow

John Goold:

On 3/16/19 6:35 PM, js...@bitmessage.ch wrote:



[Question] So, what do other Qubes users do to protect their
families in case they die/get killed, get imprisoned, go
missing?


In addition to (very) occasional full backups using default qubes
tools, i also backup important data to an external hard drive with
a luks encrypted partition, so it can be easily accessed outside of
qubes if needed.


But that still needs someone (spouse, child, executor of your estate) to
have access to a key phrase (if that is the right term). What about
bank account numbers, etc. If you use KeePassX 2 or similar, what about
access to it?

Do you have the necessary passwords written down with instructions,
sealed in an envelope and stored in a safety deposit box? Something
else?

We tend to keep more and more financial, legal and medical information
on our personal computers rather than keeping paper copies (I am an old
guy but my wife and I keep everything in electronic form unless
required by law to keep a paper copy -- so I expect the "younger" crowd
probably tends to do so as well).

We keep at least two backups of such data -- copies to our shared file
server and backups to external drives.

One of our children has the master password to our password vaults --
there is a non-negligible possibility that both of us could be badly
hurt (or killed) in the same accident (e.g. plane or car crash).

Anyway, with our emphasis on Qubes and security, I was curious about
this other aspect of people's affairs. Do you have all your important
data locked down in Qubes so *only* you can get at it?

John


I'm the only one who can get into my qubes box. Actually i've been 
thinking about it since you started this thread but i'm not sure of the 
best way to solve that problem of giving someone trusted access to 
important data if needed. i've neglected that so far (i guess i've been 
pretending i'm immortal?)


Anyways, first it has to be someone i really trust, since there really 
isn't a good way to make sure they have access after i die but they 
don't have access before (although maybe something like that could be 
worked out with the safe deposit box you mentioned?)


And second is the problem of preventing access by people other than the 
trusted person. I can write down a passphrase for them and put it in an 
envelope, and tell them don't open it unless i die, but then my 
passphrase is written down and anyone who gains access to the envelope 
can get access to my important data.


And third is the problem that the only people i *really* trust are 
probably going to die before i do, but that's not exactly a technical 
problem..


Anyways, if you have a keepassx database you can just put it on a flash 
drive or some other storage since the database file is encrypted, but 
anyone you want to access it will still have to have a passphrase either 
way.


--
Jackie

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9252e5b0-1458-9aa6-5b2b-af2f6a8fe487%40bitmessage.ch.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread John Goold
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 3/16/19 6:35 PM, js...@bitmessage.ch wrote:
> 
>> [Question] So, what do other Qubes users do to protect their
>> families in case they die/get killed, get imprisoned, go
>> missing?
> 
> In addition to (very) occasional full backups using default qubes
> tools, i also backup important data to an external hard drive with
> a luks encrypted partition, so it can be easily accessed outside of
> qubes if needed.
> 
But that still needs someone (spouse, child, executor of your estate) to
have access to a key phrase (if that is the right term). What about
bank account numbers, etc. If you use KeePassX 2 or similar, what about
access to it?

Do you have the necessary passwords written down with instructions,
sealed in an envelope and stored in a safety deposit box? Something
else?

We tend to keep more and more financial, legal and medical information
on our personal computers rather than keeping paper copies (I am an old
guy but my wife and I keep everything in electronic form unless
required by law to keep a paper copy -- so I expect the "younger" crowd
probably tends to do so as well).

We keep at least two backups of such data -- copies to our shared file
server and backups to external drives.

One of our children has the master password to our password vaults --
there is a non-negligible possibility that both of us could be badly
hurt (or killed) in the same accident (e.g. plane or car crash).

Anyway, with our emphasis on Qubes and security, I was curious about
this other aspect of people's affairs. Do you have all your important
data locked down in Qubes so *only* you can get at it?

John
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyNmBMACgkQjWN9/rQY
sRyUAwgAggvJpp6yKTRGfsM+W3EmkAb/nS/reESCCFbyifgFgqr5b2IWclFzZyAi
Nra9Q3KiuCaj4rS4YduTE0HcEsFKNoj9fY/mkS+EalriIhyw4DWMeoupZ/q4Nun1
7pbLiPKDhJAccLo1ZNEsQQYpgGnUhUMeR3hFhdawgerss9TASt8lInmnfTNrp9ei
uv5l7LOc/sAgy0yEvqYqxJFKIA70xgThK/SWHcqwQx02TX5LCAPXAtM4VFNAw08U
BbL+wNUp8c/FcZ2dELtH2iy2Hyraj11b2UCDh7QXv/Uih6358hqkfIT+PZWpyVJq
DpLe09Ef5FuWltS4HGVqvDJl+4kjKg==
=urg+
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dd6ac889-070c-cc83-6cc7-a5d1733cd78a%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread jsnow

Hi John,

John Goold:

* When launching a program from the Qubes menu, particularly if the
   target   appVM has to be started, the program often fails to be
   launched. This happens very frequently with the Text Editor.

   This is annoying as one waits a bit in case one is simply being
   impatient, or at least I do, so as not to launch two copies of the
   program by accident.


I experience that too on debian (i don't use fedora appvms). As Chris 
said it's a longstanding bug with gnome apps like nautilus and gedit.


Actually i much prefer the nemo window manager, i think it's great and 
much better than nautilus (dolphin works too but i don't like it as 
much). You can install whatever window manager you want in the template 
and use it in your appvms.


By the way does anyone know how to add the qubes specific functions 
(move/copy to vm, open in dispvm) to the context menu in nemo? It would 
be nice to not have to switch to nautilus for those functions (i know i 
can use cli for it too tho).



* Ignoring whonix (I do not use it... yet), there are two template VMs
   in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However,
   they have not been treated equally, with Debian being the loser. The
   Qubes documentation indicates that Fedora was favoured for security
   reasons.


I'm also not sure about this. My understanding is that debian is 
actually better than fedora from a security standpoint because of how 
updates are done (fedora updates being more vulnerable to man in the 
middle attacks).



   At least for some people, it seems Debian is a necessity, but it is
   not given the attention it deserves. At a minimum, a GUI software
   installer should be included in the Qubes distribution which would
   make it much easier for people to install other software they feel
   inclined to use.


I'm not sure about the default debian template in 4.0, but i remember 
the default debian 8 template in 3.2 had a gui package install/update 
tool (labelled "Packages" or "Package Updates" or something like that). 
I remember using it a few times, but i mainly just use cli to install 
software.


If the new debian template doesn't have that by default, as airelemental 
said you can install one.



   Using Linux and now Qubes, I not only do not shutdown the computer
   (i.e. power-off), but I do not logout -- I simply "Lock the Screen"
   and power-off my monitor.


I do the opposite, i reboot every day, and i never had any problems with 
copy and paste between qubes, and i very rarely have other problems like 
crashes. I would at least reboot after installing dom0 updates.



[Question] So, what do other Qubes users do to protect their families
 in case they die/get killed, get imprisoned, go missing?


In addition to (very) occasional full backups using default qubes tools, 
i also backup important data to an external hard drive with a luks 
encrypted partition, so it can be easily accessed outside of qubes if 
needed.


--
Jackie

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fdb49c0-bf55-98b3-8306-af7e4aeb4311%40bitmessage.ch.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread Chris Laprise

On 3/16/19 1:39 PM, Andrew David Wong wrote:

I agree that backups are the best assurance, but this is in no way
Qubes-specific. I'd say the same thing about any operating system.


However, Qubes does require the use of snapshot-capable storage for
reasonable efficiency and this is not yet Linux' strength.



Here's where Chris and I disagree. I've been using Qubes' built-in
backup functionality for many years to great effect. Granted, I
usually run it overnight, so time and system load aren't concerns for
me. It just depends on your needs.


I was probably too vague here. The idea was that, apart from the issue 
of backups, storage integrity on a Linux COW layer (Thin LVM, Btrfs) 
isn't regarded as top-notch. But I think this is more true of Thin LVM 
than Btrfs. Someone wishing to guard against data loss on their 
Qubes+Linux system in the first place (which seems to be an issue for 
John) could be excused for thinking their options are not the best.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bc140a0f-0ba9-79db-321a-42be5f8a8c03%40posteo.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Thank you, John, for sharing your thoughts with us, and thank you,
Chris, for taking the time for a detailed reply. I'll offer what I can
on just a few points.

On 16/03/2019 6.31 AM, Chris Laprise wrote:
> Hi John,
> 
> That's an interesting background and list of wants. I've been using
> Qubes for some time and can try to address a few of your issues.
> 
> [...]
> 
>> 
>> The kicker came when Firefox stopped playing Flash content in my
>>  untrusted appVM, complaining that I needed an up to date
>> version of Flash. I installed the most recent version, but that
>> did not solve the problem. The problem is/ was something to do
>> with Fedora (or the version of Firefox for Fedora or ??).
> 
> I haven't used Flash in a long time so I can't help there. In 
> general its best to find an alternative that doesn't rely on
> Flash, which is becoming a dead format. Typically Flash is replaced
> by HTML5 web apps (and most websites have made this switch 
> automatic).
> 

You might want to try the Google Chrome browser for this. (You may
need to enable its built-in flash functionality if it's disabled by
default.)

> [...]
> 
>> My Bottom Line:
>> 
>> I can live with most of the issues described above. What I
>> cannot live with (and worry about) are stability and reliability 
>> issues.
>> 

I, too, am primarily concerned about stability and reliability (after
security, of course).

> [...]
> 
>> 
>> I need some reasonable assurance that data corruption on disk
>> has a very low probability. I need some reasonable assurance
>> that the operating system (the combination of Xen and dom0) is 
>> stable.
> 

In my experience, the probability of data corruption on disk is no
higher (and perhaps even lower) on Qubes than on other more
conventional operating systems. The only kind of instability I've
experienced infrequently in the past on Qubes were crashes (e.g.,
spontaneous reboots), but I've never had any lost or corrupted data on
disk from such events. I've also experienced plenty of BSODs on
Windows, so I think Qubes is batting pretty well on stability.

> The best assurance is regular backups. I don't know what caused 
> your glitch but I've had vanishingly few on Qubes myself since 
> 2013.
> 

I agree that backups are the best assurance, but this is in no way
Qubes-specific. I'd say the same thing about any operating system.

> However, Qubes does require the use of snapshot-capable storage for
> reasonable efficiency and this is not yet Linux' strength.
> 

Here's where Chris and I disagree. I've been using Qubes' built-in
backup functionality for many years to great effect. Granted, I
usually run it overnight, so time and system load aren't concerns for
me. It just depends on your needs.

> [...]
> 
> I hope this response helps you out some. Right now Qubes appears
> to be in a state that's mostly suitable for "security techies";
> There is certainly room for improvement and your critique has made
> me think that some new issues need to be opened to help address
> the usability issues.
> 

Agreed. I think that many of us have been motivated to become
"security techies" by our desire to use Qubes. This isn't a bad thing
in itself (it's good to learn new skills), but we don't want it to be
a requirement either.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlyNNKgACgkQ203TvDlQ
MDBuaBAAiaf05nx3+JYRaVibrmofz+8/auIs3xdHkEI0pXrAlKEg6+Q98k6lnnrw
SdK+vnGl249aINJI7uJ5swx6zK+rsCR1rXp25lBT6AFpwfTefbXrIcMVcuXGfj8F
XTWiyeb2Tw5ooKfrbYuXGTtrN9O4OQ/q5/r9GY2oSsj3/lf8KiMH7KkxFbgLMSUh
oCrZ2BrmvpqFm90paB4C4nqCfe/2HTDKjcIHSL01H0FfAhhGp0hLymwQtpVy0atr
80OKQc0LDc0i/w6tIhDQfWDVVAThVyEYF15tSUNDi6eE9BvNqijrN0zYs+La5pTS
AS1Cy1DHdO/ksM0U/083LDo592oKvHdME0XggbBwBVamLvp8wcf4qaLqy83XDbuR
1EgWaPoB5Y8xmQptPJd9ZV93do3p0MuYnpzU+JM6a6U02gW1DQA6apFMvPotxYYE
s9djUGQ7b13R+udbfDqVebrnlf5f+OovZJvZgdQI2gKOMBXe9ZfKAMH1zH8tDcyc
i15diwQ5tSjk70Fiiw/knrxtNDVcHnF/bFq1vQirAsSCCLQvS8CMue4zDzBOSvND
5OPCTdW5VXm7ieCoT+K2uHq+bVdqIf8vzBf67bkG+m1RXBnXLZvnSUbkgPWeBD2N
kbvgpBoKUVRoDi5q42EDVuPZ/M0h2sQPqUZZSTsQxETh7JiAg70=
=zU1k
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3014fc66-e2f2-0dd6-1fea-9ae9542d0022%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread airelemental



Mar 16, 2019, 2:31 AM by jrg.desk...@gmail.com:

> Issues...
>
> * When launching a program from the Qubes menu, particularly if the
>  target   appVM has to be started, the program often fails to be
>  launched. This happens very frequently with the Text Editor.
>
Interesting, my experience is limited to mostly debian-based templates and for 
those, the only program that fails to start from the menu is gnome-terminal. 

>  Since I had been using Linux distributions based, directly or
>  indirectly, on Debian, when I first set up Qubes, I created my appVMs
>  based on Debian. That  was painful as I then had to install a lot of
>  basic software.
>
>  When I re-read the documentation, I realized the security reasons,
>  so I switched all my appVMs (except one!) back to Fedora. It was not
>  painful, but I would have rather have spent the time doing something
>  else.
>
>
I've never come across guidance favoring Fedora over Debian in the docs. Can 
you provide a link? 

>  Since Firefox and Flash were working fine on my Linux Mint laptop
>  (which I use "to play with"), I re-based my untrusted appVM on Debian
>  and, lo and behold, Firefox and Flash worked just fine. This, by the
>  way, was when I attempted to use Chromium.
>
This is how I used to get flash working too - chromium + some flash plugin on a 
debian-based appvm. Thankfully flash is dying and I don't need it anymore.

>  At least for some people, it seems Debian is a necessity, but it is
>  not given the attention it deserves. At a minimum, a GUI software
>  installer should be included in the Qubes distribution which would
>  make it much easier for people to install other software they feel
>  inclined to use.
>
I think the policy is that Qubes defers to the distro. So if the distro doesn't 
have a GUI installer, than the template won't, and it sounds like it would be 
out of scope for Qubes to provide a GUI installer.

On the flip side, if the distro has an optional GUI package manager, it should 
work. For example, for debian, have you tried installing synaptic in the 
template?

> * Screenshot only appears to work from Qubes Tools. I can "add"
>  "Screenshot" to appVMVs based on Fedora (but not on Debian). But it
>  does not work -- The dialog comes up but, having chosen to select an
> area, I cannot do so.
>  Subsequent attempts to use Screenshot do not even present a dialog.
>
>  Although I have not seen this documented anywhere (which does not
>  mean it is not), it seems logical -- dom0 owns the screen (monitor),
>  so it makes sense that it handles screenshots. However, that means
>  screenshots are saved in dom0 and have to be moved (or, I suppose,
>  copied) to the desired appVM. It seems a bit awkward. If one is in a
>  program in an appVM and decides a screenshot would be nice, it is
>  probably focussed on that window or a portion of it. Since the OS
>  displaying the window "knows" what it is displaying, it seems logical
>  that some kind of screenshot could be made by that OS, but restricted
>  to its window.
>
It *would* be nice if you could right-click a file in dom0 and send to VM using 
the VM picker. Useful for screenshots and log files, for GUI-inclined users.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/La6VTzm--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread John Goold
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 3/16/19 7:42 AM, Mike Keehan wrote:

> 
> As for Flash, it is a pain.  Our BBC still uses it extensively, so
> I have to manually download it occasionally and copy the library
> file into the appVMs .mozilla directory when necessary.
> 
Hi Mike,

What a coincidence!  I live in Canada, but use the BBC website on a
daily basis for news and interesting articles. It is really the
only reason I need Flash.

Cheers,
John
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEe8Wcf7Po7bts2Rl4jWN9/rQYsRwFAlyNAl0ACgkQjWN9/rQY
sRwJNAf7BWyeG2BfTKJTSFFjTafLrv384+foZ3D1SVEQ587GSaGr8xReuxa8pbaw
Vz4qb0+BnMgr7jQ9audWijZWmhwJGx/IuLmUxbrKfQ2s6RhvvKCeBWox9oWrsT5p
Lh9J8Ek3QCNStSFNPhIqUT3dXLouYeQ3LQCzXbNafV4HTMyvMzmNkkGKZnWmdnIm
45TiHzx1jiRLH30VjgtSgD55QEyGzi6bMPjIK/n9IdQrgmN/evvvF7PSWsQiE3au
C6SyH9RBhfPAzHYY6gopbUcbr2R7sYUugIlu6cA25O0av5vzX+wxxV0ZrwIqvAOq
w5HuvElorhVHTAbEjR22brJZVtnZBA==
=J3rz
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c259349c-4dfd-c777-5fc3-5b22736aef8a%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread Mike Keehan
On Fri, 15 Mar 2019 21:31:02 -0500
John Goold  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> *A Critique of Qubes*
> 
Hi John,

What a nice read, thank you.  I have a very similar background, and age,
so I was very interested to read your story.

I've been using Qubes now for a few years, and love it.  Have had very 
little problem with it; have used and restored using the builtin backup
scheme; and have updated without problem using just the normal,
stable repositories.

The one thing I can suggest that I do differently to you, is that I
power down my laptop, and boot up afresh each day.  Have always done
this during my professional life (wasn't any choice early on as there
was no suspend option), and I can say that I have not experienced any
of the launch issues you described, nor any copy/paste issues between
VMs, not that I do much of that.

As for Flash, it is a pain.  Our BBC still uses it extensively, so I
have to manually download it occasionally and copy the library file
into the appVMs .mozilla directory when necessary.

Anyway, best of luck,

   Mike.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190316124251.274962b1.mike%40keehan.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes - Critique (long)

2019-03-16 Thread Chris Laprise

Hi John,

That's an interesting background and list of wants. I've been using 
Qubes for some time and can try to address a few of your issues.



On 3/15/19 10:31 PM, John Goold wrote:

Issues...

* When launching a program from the Qubes menu, particularly if the
   target   appVM has to be started, the program often fails to be
   launched. This happens very frequently with the Text Editor.

   This is annoying as one waits a bit in case one is simply being
   impatient, or at least I do, so as not to launch two copies of the
   program by accident.


This well-known bug appears to center on programs based on Gtk+ and/or 
Gnome. The only way to consistently avoid it is to install Qt/KDE or 
other non-Gtk+ software in the templates. KDE works well and Debian+KDE 
is what the Whonix templates are based on.


The steps on Debian 9:

$ sudo apt-get remove gnome*
$ sudo apt-get install gnome-icon-theme task-kde-desktop
$ su -c "echo export XDG_CURRENT_DESKTOP=KDE >/etc/profile.d/qkde.sh"


After that, you'll need to adjust the Applications tab in the template's 
Settings, and possibly for some of the VMs that are based on it.


(Also switching dom0 to KDE is an option, and this has solved a raft of 
usability issues for me.)




* When a USB device is attached to an appVM, there is an appropriate
   notification. When it is detached, there is a notification that the
   device is being detached, but no notification to indicate that it has
   been successfully detached  so how long should one wait before
   unplugging it?


There is probably no delay required but a couple of seconds suffices for me.



* Ignoring whonix (I do not use it... yet), there are two template VMs
   in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However,
   they have not been treated equally, with Debian being the loser. The
   Qubes documentation indicates that Fedora was favoured for security
   reasons.


IIRC there is mention that Fedora was chosen for convenience, not 
security. Fedora actually presents a security problem for Qubes and 
there is an open issue for moving Qubes off of it.


The problem with the Debian template is that its not preconfigured with 
an array of familiar apps, and when you do add them some of the default 
file/app associations remain set to unfriendly substitutes (like text 
files being associated to emacs, pictures set to imagemagik or gimp, 
etc.). Switching to KDE has set these associations to reasonable defaults.


Its also doesn't have the full set of kernel firmware packages installed 
but that's easy to remedy.




   Since I had been using Linux distributions based, directly or
   indirectly, on Debian, when I first set up Qubes, I created my appVMs
   based on Debian. That  was painful as I then had to install a lot of
   basic software.

   When I re-read the documentation, I realized the security reasons,
   so I switched all my appVMs (except one!) back to Fedora. It was not
   painful, but I would have rather have spent the time doing something
   else.


I would like to know where it says this about security. Most Qubes users 
consider Debian to be (in general) more secure. The open issue for 
migration away from Fedora is at:


https://github.com/QubesOS/qubes-issues/issues/1919



   The kicker came when Firefox stopped playing Flash content in my
   untrusted appVM, complaining that I needed an up to date version of
   Flash. I installed the most recent version, but that did not solve
   the problem. The problem is/ was something to do with Fedora (or the
   version of Firefox for Fedora or ??).


I haven't used Flash in a long time so I can't help there. In general 
its best to find an alternative that doesn't rely on Flash, which is 
becoming a dead format. Typically Flash is replaced by HTML5 web apps 
(and most websites have made this switch automatic).



* Screenshot only appears to work from Qubes Tools. I can "add"
   "Screenshot" to appVMVs based on Fedora (but not on Debian). But it
   does not work -- The dialog comes up but, having chosen to select an
area, I cannot do so.
   Subsequent attempts to use Screenshot do not even present a dialog.

   Although I have not seen this documented anywhere (which does not
   mean it is not), it seems logical -- dom0 owns the screen (monitor),
   so it makes sense that it handles screenshots. However, that means
   screenshots are saved in dom0 and have to be moved (or, I suppose,
   copied) to the desired appVM. It seems a bit awkward. If one is in a
   program in an appVM and decides a screenshot would be nice, it is
   probably focussed on that window or a portion of it. Since the OS
   displaying the window "knows" what it is displaying, it seems logical
   that some kind of screenshot could be made by that OS, but restricted
   to its window.

   If not, why is it possible to "add" Screenshot to an appVM?


Qubes doesn't limit which apps can be installed in templates. So this is 
considered more of a "sensible