There's probably a substantial Qubes R4.3 userbase that doesn't have qubes-core-admin-addon-kicksecure installed yet. Anyone who installs the kicksecure-18 template is going to get a deluge of notifications, similar to the issue described in [1]. As a workaround, I documented how to manually install qubes-core-admin-addon-kicksecure, restart qubesd, and then re-sync qvm-features from the kicksecure-18 template by source'ing all the scripts under /etc/qubes/post-install.d. [2]
This is workable, and most users will probably not run into this issue, but is there possibly a way to work around this, so that when a user installs qubes-core-admin-addon-kicksecure for the first time, the appropriate features are automatically set? The only "correct" way I can think of to do this would be to boot every single not-yet-booted template, run all of its post-install.d scripts in the same shell, then shut down the template if it wasn't booted at addon install time. That sounds very painful though, and like something that should be avoided if at all possible. The other option I can think of would be to scan for templates with a name matching the regex "kicksecure-\d+" and adding any necessary features to them, but that risks both false positives and false negatives. I don't think there's any good way around this, but I wanted to ask, in case a solution better than the existing documentation is possible. Thanks for your time :) -- Aaron [1] https://github.com/QubesOS/qubes-issues/issues/7447 [2] https://www.kicksecure.com/wiki/Qubes#Known_Issues -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/20251024181524.705d427f%40kf-m2g5.
pgpuQn2H0alP5.pgp
Description: OpenPGP digital signature
