Re: [qubes-users] Re: Qubes 4 boot ISO

[799]

Hello,

Drew White <drew.qu...@gmail.com> schrieb am Sa., 5. Mai 2018, 03:09:

> ()
> I don't use UEFI because I want to remain in control of my PC, not let
> Microsoft and others have control.
>

I had a discussion with a colleague and he couldn't tell what is the real
benefit running UEFI vs. legacy boot.
As far as you run one Linux OS use disk encryption and use LVM to split
your hard drive in different sections, why should I use UEFI which seems to
add more trouble but no benefits.

On the other hand:
I haven't understand how others have control when we use UEFI.

>From what I have read one of the "improvements" is:

(...) The biggest benefit of UEFI is its security over BIOS. UEFI can allow
only authentic drivers and services to load at boot time, making sure that
no malware can be loaded at computer startup. (...)

On the other side there has been evidence that UEFI will not protect you
from attacks:

(...) UEFI rootkits—malicious code that’s meant to hide other malware and
its activities—are perfect for cyberespionage or surveillance operations.
The 2015 data leak from Italian surveillance software maker Hacking Team
revealed that the company was offering a UEFI rootkit to its law
enforcement and government customers.

Documents leaked recently by WikiLeaks about the U.S. CIA’s
cybercapabilities revealed that the agency purportedly has UEFI “implants”
for Mac computers
<http://www.pcworld.com/article/3184435/security/wikileaks-documents-show-cias-mac-and-iphone-compromises.html>.
(...)
As such I have more trust in Legacy Bios more precise Coreboot.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2stPyO%3DgZFsAM2sP0Q%2BVBJUTfFjt%2BU7O_OHQ%3D_Th2geEg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Move Firefox Bookmarks between AppVMs - Help with Script

[799]

Hello Ivan,

sorry for top-posting, but as everything you mentioned is super interesting
and very helpful ... Thank you!

The auto export bookmarks feature is nice, didn't know that and if
places.sqlite also includes the browser history I will not use the "copy
places.sqlite file"-approach, because one reason why I am using a
disposable AppVM is exactly because I don't want to have my history seen.

So the only task is to qvm-copy the latest auto-bookmarks export file into
the right location on the dispvm.
There is one problem (maybe):
I need to check if a firefox profile folder exists in the disposable VM.
Not sure if this is the case as each disposable VM is a "fresh" one.

Thanks again for your scripting tips - this is why I love the Qubes
Community :-)

[799]


Ivan Mitev <i...@maa.bz> schrieb am Mo., 7. Mai 2018, 07:28:

> Hi,
>
> On 05/05/2018 11:44 PM, [799] wrote:
> > Hello,
> >
> > following a recent discussion in the qubes-community github repository,
> Ivan has written an interesting script for handling links and disposable
> VMs.
> > This has inspired me to look how to move firefox bookmarks to other
> AppVMs.
> > While disposable VMs are great, sometimes it is handy to have bookmarks
> available in an AppVM.
> >
> > I was able to import bookmarks into other Appvms by transfering the
> places.sqlite file which holds the bookmarks.
>
> Interestingly I investigated this a few weeks ago; an alternative to
> copying the sqlite file (or using sql commands as suggested by rudd-o)
> is to automatically import/export bookmarks as an html file. See:
>
> https://support.mozilla.org/en-US/questions/928809#answer-338913
>
> you shouldn't need to delete the sqlite file in the target VM if you set
> this:
>
> http://kb.mozillazine.org/Browser.places.importBookmarksHTML
>
> The bookmark format looks straightforward so it should be possible to
> merge two html files with basic commands (sed/grep/awk/...) before
> importing. But you might be better off using buku
> (https://github.com/jarun/Buku) to import bookmarks, and then export
> them ; it's quite powerful...
>
>
>
> > In the target AppVM which has the bookmarks:
> > qvm-copy-to-vm 
> /home/user/.mozilla/firefox/*.default/places.sqlite
> >
> > then in the destination VM you only need to move the file from
> QubesIncoming to the profile path.
> > While this works, I like to add some error checking and I would also
> like to kill a running firefox in the destination AppVM.
> >
> > I was able to kill firefox running:
> >
> >kill `ps -A | grep firefox | gawk '{ print $1 }'`
>
> you could also use `pkill firefox`
>
> >
> > no I tried to run further command based on the fact if firefox is
> running or not.
> > I thereof tried to do something like this:
> >
> > if [`ps -A | grep firefox | gawk '{ print $1 }'` \> 0]; then
> >echo "Run this when PID is > 0 and thereof Firefox is running"
> > else
> >echo "Run this when firefox is not running"
> > fi
>
> The problem when using 'grep' is that 'ps' may output the 'grep' line
> itself so even if the process doesn't exist you'll get a match; eg.
>
> $ ps aux | grep nosuchprocess
>
> user  6837  [..] grep --color=auto nosuchprocess
>
> (although 'ps -A' doesn't seem to have this behavior)
>
> to avoid that, a trick is to use a regex like that:
>
> if ps -A | grep -q [f]irefox; then ...
>
> alternatives:
>
> if pgrep firefox > /dev/null; then ...
> if [ -n "$(pgrep firefox)" ]; then ...
> if [ -n "$(pidof firefox)" ]; then ...
>
> and as a side note you can use a short 'if' construct like that if you
> have only short commands:
>
> [ -n "$(pgrep firefox)" ] && echo running || echo not running
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tUzwfmdKgeOsqogXvDU2%2Bhz2beykhNEGgQEnCGRsJ%3Drg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

[799]

Hello John,

john <yreb...@riseup.net> schrieb am Di., 15. Mai 2018, 07:23:

> On 05/14/18 14:58, Ángel wrote:
> > (...)
> > Luckily, with Qubes it is easy to set a firewall rule so that your email
> > AppVM can only contact with your email server.
> > NB that some of these leaks are dns-based, so ideally you would not
> > allow it to perform any dns query, either.
> >
> >
> can you give an example to the steps to   make such a fw rule,   if it's
> that simple  please ?
>

You need to find out your Email-Server IPs:

https://github.com/one7two99/my-qubes/blob/master/docs/mail-firewall.md

Then you can use iptables in the Email AppVM to block all traffic as
default rule.
Then only adding the traffic to the allowed IPs and ports.

I can send you my firewall script to allow email for outlook.com and Gmail.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vqaXoC%2BEy8s_40wsOn8a%3D6M_vz%3Dr115-aBxcS_kURGNA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Q4.0 Whonix Torbrowser no sound, says to install pulseaudio ...

[[799]]

Hello mossy,

On 04/13 01:39, mossy wrote:
> john:
> > Q4.0 Whonix Torbrowser no sound, says to install pulseaudio ...
> 
> This issue (and others) are resolved in whonix 14, now in testing -- you
> can upgrade here:
> 
> https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14
> 
> Although it will be less work/risk if you can wait until the templates
> are ready.  If you attempt the upgrade, be sure to backup your Whonix
> appVMs and templateVMs first!


Questions:

1) If I understand you correctly sound will work in whoonix 14?
Do you or someone else knows when whoonix 14 will be evailable via the Qubes 
Repositories?

2) Has someone installed pulseaudio in the whoonix-ws template in Qubes 4 and 
did this solve the no-sound-topic.

3) Why is there no sound in whoonix in the default Qubes Installation?

kind regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180427221118.7eqbtn4bl6ep7ykq%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Using AIDE (Intrusion Detection) and Lynis (auditing) in Qubes App/TemplateVMs

[[799]]

Hint: might be slightly off-topic (except Question 1)

Hello,

I am currently "harding" my Email-AppVM by adding additional firewall rules 
and using this opportunity to "play" with some tools like
- rkhunter
- clamav
- lynis
- AIDE
- ...

I am unsure if this is really needed in Qubes, but for me it is also about 
learning more about those tools.

I have some questions regarding which might be answered by the 
security-professionals here.

1) If I choose to install an IDS like AIDE, should it be installed in the
   Template or AppVM ? As AppVM can't change critical system files, the
   Template VM might the better solution?


2) AIDE specific, but I couldn't solve it after googling for a while:
   everytime I run AIDE I get the following warning:

   [user@my-privmail bin]$ sudo aide --check
   DBG: md_enable: algorithm 7 not available

   It seems that this means that some algorithm is missing, but I don't know how
   to install it afterwards or disable the use of it.
   In an older topic I found the hint that it might be related to HAVAL which
   is a hashing algorithm.
   https://openindiana.org/pipermail/oi-dev/2013-July/002519.html
   But looking into my AIDE config file it seems that I am not using haval at 
all.

   Any ideas?


3) I run lynis and got some suggestion for improvements
   Running it on my customized fedora-26-min template (added some apps for 
email)
   I got the following result:

  Lynis security scan details:
  Hardening index : 73 [##  ]

   Question: is someone using lynis on Qubes and can give some feedback about 
this?

regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180428102948.6ugvnmfcuwptgyi5%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Minecraft/OpenGL in Qubes

[799]

Hello,

for a POC I tried to run Minecraft on top of a Debian 9 AppVM but run into
problems as the AppVM doesn't have OpenGL.

As I am using a Lenovo W540 which has dual graphic (Intel + dedicated GPU)
can I pass the dedicated graphic card into the AppVM and use it to get
OpenGL?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vpRLjxJjhYn-j7kaJHwL94DKPcWpPRrK80uRGr3oN8jA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Insert/Inject keyboard hits to a Qube from Dom0

[799]

Hello Jonny,

<cr33dc0...@gmail.com> schrieb am Fr., 11. Mai 2018, 15:18:

> Am Freitag, 11. Mai 2018 13:52:23 UTC+2 schrieb cr33d...@gmail.com:
> > Hey Everyone!,
> >
> > currently working on several automation processes using bash scripts
> executed in dom0 to do certain actions.
> >
> > To execute an specific command, normally we are using s.th. like:
> >
> > qvm-run  [VMname] 
> >
> > E.g.: qvm-run personal "cp /home/user/Desktop/test.txt
> /home/user/Documents/test.txt
> >
> > Now my situation:
> >
> > When connecting to an ftp-server via: ftp , i had to enter an
> username and password.
> >
> > How to execute this using qvm-run? I suggest to write a little script
> like:
> >
> > #!/bin/bash
> >
> > qvm-run personal "ftp " | qvm-run personal "user /n" |qvm-run
> personal "pw \n"
> >
> > Unfortunately this one does not work since last two aren't commands.
> However, is it possible to insert such keyboard entries in an VM's console
> to get this work?
> >
> > Thanks,
> > Jonny
>
> Hey All, an alternative is to write an executable bash script in the qube
> that to the ftp stuff, bind it to PATH and execute it with qvm-run.
>
> But, if there is an alternative, not to use a script located on that vm
> and do all remotely, i would be pleased to hear your ideas :)
>

if possible I would try to look for a way to replace ftp by something that
is more secure like sftp/scp.
Then you can drop the login/password part and use certificates to
authenticate.
If you really want to use login/password I would use split-gpg so that you
can keep the password on an offline "vault-vm" and the password will be
decrypted and used in the AppVM.

Question if you keep using ftp
Would it be ok, if you enter login and password in dom0 ?
Are you always connecting to the same ftp server from the AppVM?
And are you always executing the same ftp command ?
Or do you need a more flexible approach like:

don0script 

If you are more specific what you want to accomplish I can write you a
draft.

Regards

[799]

>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2ub5BhfkiiZYPR%3Dkzqar7Ldfq%2BxfSFgnCZrvA6FqZfixA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Move Firefox Bookmarks between AppVMs - Help with Script

[[799]]

Hello,

following a recent discussion in the qubes-community github repository, Ivan 
has written an interesting script for handling links and disposable VMs.
This has inspired me to look how to move firefox bookmarks to other AppVMs.
While disposable VMs are great, sometimes it is handy to have bookmarks 
available in an AppVM.

I was able to import bookmarks into other Appvms by transfering the 
places.sqlite file which holds the bookmarks.

In the target AppVM which has the bookmarks:
qvm-copy-to-vm  
/home/user/.mozilla/firefox/*.default/places.sqlite

then in the destination VM you only need to move the file from QubesIncoming to 
the profile path.
While this works, I like to add some error checking and I would also like to 
kill a running firefox in the destination AppVM.

I was able to kill firefox running:

   kill `ps -A | grep firefox | gawk '{ print $1 }'`

no I tried to run further command based on the fact if firefox is running or 
not.
I thereof tried to do something like this:

if [`ps -A | grep firefox | gawk '{ print $1 }'` \> 0]; then
   echo "Run this when PID is > 0 and thereof Firefox is running"
else
   echo "Run this when firefox is not running"
fi

Unfortunately this doesn't work. Can somone point me into the right direction?
What is the right approach to run certain commands based on the fact that a 
program is running or not?

Sorry for this off-topic question but playing with Qubes gives so much options 
for building own scripts and I am still a beginner here.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2018050520.o22gzlllsub4kdgj%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Move Firefox Bookmarks between AppVMs - Help with Script

[799]

Hello rudd-o,

Manuel Amador (Rudd-O) <rud...@rudd-o.com> schrieb am So., 6. Mai 2018,
03:44:

> On 2018-05-05 20:44, [799] wrote:

> () I thereof tried to do something

> like this:
> >
> > if [`ps -A | grep firefox | gawk '{ print $1 }'` \> 0]; then
> >echo "Run this when PID is > 0 and thereof Firefox is running"
> > else
> >echo "Run this when firefox is not running"
> > fi
> >
> > Unfortunately this doesn't work. Can somone point me into the right
> direction?
>

This is still not solved, I like to know how to make this work, also
because I might need this for other purposes.

You are probably better off writing something that will sync two
> different .sqlite files by using SQL operations on both.  SQLite files
> are safe to be accessed by two different programs at the same time, and
> therefore you may not need to kill Firefox.
>

You are right, but this is something that is currently beyond my skillet as
I need to learn python and sqlite.
There is an interesting tutorial which might be helpful, but it will take
some time for me ...
http://www.sqlitetutorial.net/

As an additional task I need to understand how the sqlite database is
setup/working in order to merge bookmarks from two different places.sqlite
files.
I think the easiest way would look like:

1) dump data from sqlite (even while Firefox is running
2) copy dumpfile to destination VM
3) import dump and overwrite the existing entries in the places.sqlite

If I has the dump export/import part I can take care of the rest.
The idea is that I can start a disposable VM and then "push" the firefox
bookmarks of another VM into this disposable VM.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vTp5GkFPu9fS05QLwpfTzsMnit24UpneoTbR_2aYzgZg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Insert/Inject keyboard hits to a Qube from Dom0

[799]

Hello Jo

<cr33dc0...@gmail.com> schrieb am Do., 17. Mai 2018, 15:22:

> Am Donnerstag, 17. Mai 2018 07:28:19 UTC+2 schrieb [ 799 ]:
> > (...)
> > my solution to run more complicated command in an AppVM:
> >
> > 1) "build" a script in dom0
> > 2) qvm-copy the script to the AppVM
> > 3) use qvm-run from dom0 to launch the script
> > 4) remove the script from the AppVM
> >
> > if you need I can look for an example in my script-collection.
>
> Yes please - I would appreciate. That might help me out.
>


An example can be found in my qvm-screenshot-to-clipboard-script.
It takes a screenshot from dom0 and copy it to the clipboard of an appvm

In the script I am setting up a simple "helper file" from dom0 which gets
moved to the AppVM and then executed there.

If you have further questions do not hesitate to contact me.


https://github.com/one7two99/my-qubes/blob/master/home/bin/qvm-screenshot-to-clipboard.sh

- - - 8< - - -

#!/bin/bash
# qvm-screenshot-to-clipboard
# Creates a dom0 screenshot and copy it to the Clipboard of an AppVM

# Define Variables
MyAppVM=$1
MyScreenshot=qvm-screenshot-to-clipboard.png

# Take screenshot in dom0 by selecting an area and adding border+shadow
gnome-screenshot --area --include-border --border-effect=shadow
--file=/tmp/$MyScreenshot

# Copy screenhot to AppVM
qvm-move-to-vm $MyAppVM /tmp/$MyScreenshot

# Create a helper-Script in the AppVM to copy screenshot file to clipboard
echo "xclip -selection clipboard -l 1 -t image/png
/home/user/QubesIncoming/dom0/$MyScreenshot" > /tmp/file2clipboard.sh
chmod +x /tmp/file2clipboard.sh
qvm-move-to-vm $MyAppVM /tmp/file2clipboard.sh

# Send notification for 5sec when Screenshot has been pasted into (!) AppVM
notify-send --urgency low --icon image --expire-time=5000
"qvm-screenshot-to-clipboard" "Screenshot available in $MyAppVM's clipboard"

# Run the helper script in the AppVM
qvm-run $MyAppVM /home/user/QubesIncoming/dom0/file2clipboard.sh

### The last command will remain active until the pasting has been done in
the AppVM

# Send notification for 5sec after Screenshot has been pasted from (!) AppVM
notify-send --urgency low --icon image --expire-time=5000
"qvm-screenshot-to-clipboard" "Screenshot pasted from $MyAppVM's clipboard"

# Remove helper script and screenshot file in AppVM
qvm-run $MyAppVM "rm -f /home/user/QubesIncoming/dom0/file2clipboard.sh
/home/user/QubesIncoming/dom0/$MyScreenshot"
 Desktop version

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tOj%2BeLoS_4d7fbxA0iOK7rRM6Svt8V1G2XL%3D5JHAjOUw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

[799]

Hello,

On 15 May 2018 at 09:24, Eivind K. Dovik <he...@eivinddovik.com> wrote:

> On Mon, 14 May 2018, john wrote:
>
> On 05/14/18 14:58, Ángel wrote:
>>
>>>   [...]
>>>
>>
>> can you give an example to the steps to   make such a fw rule,   if it's
>> that simple  please ?
>>
>>
> Through Qubes VM Manager, I've added the following firewall rule:
>
> - Deny network access except ...
> - IP address of my email server
> This works fine.


I prefer adding my rules to my AppVM. This is how do it:

1st you can check the connections which are request by running this command
in your Email AppVM.

watch -n 1 'sudo netstat -tap'

It will show you if your email app connects to a server

But as most mail providers use more than one IP for load balancing you need
to add more IPs (see my posting a few hours ago in this thread how do find
the IPs your mail provider is using).

This are the rules I am currently applying to my Email AppVM.
You can put them into a script which loads on AppVM startup or copy & paste
them into a terminal.
You need use sudo for the commands or switch to root via sudo -i (if you
have sudo installed).
If you don't have sudo you can request a root terminal via qvm-run --auto
--user root  gnome-terminal

- - - - 8< - - - - snip - - - - 8< - - - -

#show default policy
iptables -L -v | grep policy

# delete all rules
iptables -t filter -F

# change default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow DNS to gateway 10.137.1.1 (this is the sys-firewall)
iptables -A OUTPUT -p udp -d 10.139.1.1 --dport 53 -m conntrack --ctstate
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp -s 10.139.1.1 --sport 53 -m conntrack --ctstate
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.139.1.1 --dport 53 -m conntrack --ctstate
NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 10.139.1.1 --sport 53 -m conntrack --ctstate
ESTABLISHED -j ACCEPT

# Allow outgoing ping/echo (only for troubleshooting / can be removed
afterwards)
iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m state --state
ESTABLISHED,RELATED -j ACCEPT

### allow IMAP (valid for germany, use other IPs you're from somewhere else)
# Gmail IMAP
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 64.233.160.0/19 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 64.233.160.0/19 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.0.0/16 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 173.194.0.0/16 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 66.102.0.0/20 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 66.102.0.0/20 --sport 993 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
# Outlook IMAP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 993 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 993 -m conntrack --ctstate
ESTABLISHED,RELATED -j ACCEPT

### allow SMTP
#Gmail SMTP
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 587 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 587 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 587 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 587 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 587 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 587 -m conntrack
--ctstate ESTABLISHED,RELATED -j ACCEPT
#Outlook SMTP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 587 -m conntrack
--ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 587 -m conntrack --ctstate
ESTABLISHED,RELATED -j ACCEPT

# allow everything for localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

- - - - 8< - - - -

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users&q

Re: [qubes-users] [Bug?] whonix-ws clock out of synch after suspend (R4.0)

[799]

Hello,

On 05/15 10:57, Dimitri wrote:
> Hi,
> I noticed that the clock in whonix-ws based VMs is not synchronized after
sleep mode. If I have my computer in sleep mode for 2h then the VMs clock
is 2h in the past.
> To me this looks like a bug.
> Large clock skews can potentially harm anonymity.

I have the same problem.

I have set the time manually using the following command in sys-whonix and
my anon-whonix AppVM:

   user@host:~$ sudo date +%T -s "22:18:00"


which sets the time to my current local time (germany).

Strangely I still get an error message when running whonixcheck.
Why is there a message "NTP synchronized: no" ?

Shouldn't the time always be synchronized as we're running virtual machines?


user@host:~$ whonixcheck
[INFO] [whonixcheck] sys-whonix | Whonix-Gateway | whonix-gw Template-Based
ProxyVM | Tue May 15 22:29:23 UTC 2018
dmesg: read kernel buffer failed: Operation not permitted
[INFO] [whonixcheck] Connected to Tor.
[ERROR] [whonixcheck] Systemd Clock Check Result:
Unexpected results by timedatectl.
timedatectl_output_pretty:
  Local time: Tue 2018-05-15 22:29:25 UTC
  Universal time: Tue 2018-05-15 22:29:25 UTC
RTC time: n/a
   Time zone: Etc/UTC (UTC, +)
 NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
  DST active: n/a
It is generally recommended to keep the default as per Whonix Design. [1]
If you did not change timezone related settings, please report this Whonix
bug.
If you know what you are doing and changed this on purpose, feel free to
disable this check. [2]

[1] https://www.whonix.org/wiki/Dev/Design-Shared#timezone
[2] Create a file /etc/whonix.d/50_whonixcheck_user and add:
whonixcheck_skip_functions+=" check_systemd_clock "


[799]



On 15 May 2018 at 19:57, Dimitri <sudodcf...@gmail.com> wrote:

> Hi,
> I noticed that the clock in whonix-ws based VMs is not synchronized after
> sleep mode. If I have my computer in sleep mode for 2h then the VMs clock
> is 2h in the past.
>
> To me this looks like a bug.
>
> Large clock skews can potentially harm anonymity.
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/1a102f3c-da72-4987-b688-edde6f9ebe75%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vQb0ywD_V3HsvYppG6-c-jxL6pQLfZULmBxQgN0Zz3Lw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Teamviewer 13 won't start (QubesOS 3.2)

[799]

Hello,

Others call me jean <nom...@trash-mail.com> schrieb am Fr., 25. Mai 2018,
14:32:

> [...]
> Since Fedora 26 and Teamviewer 13 I can't open teamviewer anymore:
>
> [user@fedora-28-dvm ~]$ teamviewer
>
> Init...
> CheckCPU: SSE2 support: yes
> Checking setup...
> Launching TeamViewer ...
> Launching TeamViewer GUI ...
> [user@fedora-28-dvm ~]$
>
> -> no GUI
>
> This issue sounds like the same problem, but I don't know how I can get
> the solution:
> https://github.com/QubesOS/qubes-issues/issues/3664


What display resolution are you running and what about other applications
in the same AppVM?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vT2anrB4u%2B7iQaDP34yrcYJ6WqU9Vs5M-___foR8KsJg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Insert/Inject keyboard hits to a Qube from Dom0

[[799]]

On 05/13 04:40, cr33dc0...@gmail.com wrote:

> what i try to accomplish is a process executed on dom0 that downloads an data 
> package from the server onto AppVM1 - then forward it over to another AppVM - 
> then execute (read) it. Currently i have scripted the transfer between dom1 
> and 2 and the download from the server with a script inside dom1. However, i 
> want to try to initiate & control the download from dom0 that the script does 
> not have to be placed in the AppVM.
> 
> - it would be ok to enter login data from dom0 (that login information would 
> be stored on dom0)
> - in that case i will always connect to the same ftp server
> - i will always execute the same ftp command differ by data-name:
>   - like: ftp get /path/to/fileX.txt
> - would not need to be that flexible - here what i have got for dom1:
> #--#
> #!/bin/bash
> 
> HOST='x.x.x.x'
> USER='AppVM1'
> PASSWD=''
> 
> FILE=$1
> ftp -n -v $HOST < ascii
> user $USER $ PASSWD
> prompt
> ls
> lcd /path/to/
> get $FILE
> bye
> EOT
> #--#
> 
> This can be just 'triggered' by dom0 using qvm-run.

my solution to run more complicated command in an AppVM:

1) "build" a script in dom0
2) qvm-copy the script to the AppVM
3) use qvm-run from dom0 to launch the script
4) remove the script from the AppVM

if you need I can look for an example in my script-collection.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180517052809.g3ybx4iufwjvnp2r%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] [Bug?] whonix-ws clock out of synch after suspend (R4.0)

[[799]]

Hello,

On 05/15 10:57, Dimitri wrote:
> Hi,
> I noticed that the clock in whonix-ws based VMs is not synchronized after 
> sleep mode. If I have my computer in sleep mode for 2h then the VMs clock is 
> 2h in the past.
> To me this looks like a bug. 
> Large clock skews can potentially harm anonymity.

I have the same problem.

I have set the time manually using the following command in sys-whonix and my 
anon-whonix AppVM:

   user@host:~$ sudo date +%T -s "22:18:00"


which sets the time to my current local time (germany).

Strangely I still get an error message when running whonixcheck.
Why is there a message "NTP synchronized: no" ?

Shouldn't the time always be synchronized as we're running virtual machines?


user@host:~$ whonixcheck
[INFO] [whonixcheck] sys-whonix | Whonix-Gateway | whonix-gw Template-Based 
ProxyVM | Tue May 15 22:29:23 UTC 2018
dmesg: read kernel buffer failed: Operation not permitted
[INFO] [whonixcheck] Connected to Tor.
[ERROR] [whonixcheck] Systemd Clock Check Result:
Unexpected results by timedatectl.
timedatectl_output_pretty:
  Local time: Tue 2018-05-15 22:29:25 UTC
  Universal time: Tue 2018-05-15 22:29:25 UTC
RTC time: n/a
   Time zone: Etc/UTC (UTC, +)
 NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
  DST active: n/a
It is generally recommended to keep the default as per Whonix Design. [1]
If you did not change timezone related settings, please report this Whonix bug.
If you know what you are doing and changed this on purpose, feel free to
disable this check. [2]

[1] https://www.whonix.org/wiki/Dev/Design-Shared#timezone
[2] Create a file /etc/whonix.d/50_whonixcheck_user and add:
whonixcheck_skip_functions+=" check_systemd_clock "


[799]


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180515203810.tpgltwx3v5sqemhk%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 won't boot via coreboot grub rescue

[[799]]

Hello awokd,

On 05/16 03:08, awokd wrote:
> > On 05/14/2018 06:25 PM, awokd wrote:
> >
> >> On Mon, May 14, 2018 8:58 pm, taii...@gmx.com wrote:
> >>> I try the usual syslinux_configfile but I get an "out of memory" error
> >>> how am I to do this? ideas?
> > [...]
> >
> > I wish to install qubes 4.0 via the coreboot grub payload.
> >
> > So I try to boot qubes 4.0 DVD via the grub coreboot payload which
> > provides one with a grub-rescue console, normally the command
> > "syslinux_configfile (ahci1)/isolinux/isolinux.cfg" or what not will
> > launch the iso as normal but instead I receive an out of memory error
> > and for some reason the grub.cfg included in the isolinux folder doesn't
> > work either.

I don't know which device you're using but I have flashed Coreboot with SeaBIOS 
on my X230 and have also documented how to do so. I was 
also thinking about using GRUB but there were many side effects which someone 
mentioned in a Qubes posting. I think one of them was 
related to updating dom0 and thereof I choose simplicity over security. Using 
SeaBIOS was good enough for me, the only nice thing about 
using Coreboot + Grub is (as far as I understand) that we can run an encrypted 
boot, which might offer a better protection against evil 
maid attacks.

My idea against Evil Maid attacks was to run somthing like AIDE (file 
fingerprinting) on /boot and to verify.
I think this is also the idea of the Anti Evil Maid approach in Qubes.

But to be honest, the risk that someone attacks me via evil maid is not very 
high for me or in other words "reasonable unlikely" :-)

If you get Coreboot+GRUB on qubes fixed I am interesting in hearing how this 
works during daily use.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180516052829.lmjakhb2hamb365w%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

[[799]]

Hello Eivind,

On 05/15 09:24, Eivind K. Dovik wrote:
> [...]
> Through Qubes VM Manager, I've added the following firewall rule:
> 
> - Deny network access except ...
> - IP address of my email server
> 
> This works fine.

please keep in mind that most email providers will use load-balancers for 
incoming requests.
As such you might need to add more than one IP to the firewall.
If you're using the Qubes GUI to add firewall rules:
If you enter a FQDN it will be translated to an IP-address when you enter the 
rule.
As such it might not work next time, if the load balancers route you to another 
IP.

regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180516054302.gxex6eovvbetxp65%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Major Problem: Boot Loop after Upgrading dom0

[799]

Hello,

 schrieb am Mo., 28. Mai 2018, 19:18:

> On Monday, May 28, 2018 at 6:00:05 PM UTC+2, [ 799 ] wrote:,
> >
> > After Upgrading my AppVMs to Fedora 28 yesterday I tried to upgrade dom0.
> > During the update I ran into problems with the kernel upgrade.
> > As the process seem to be stuck I interrupted with STRG + C.
> >
> > Upon next reboot I run into a bootloop after passing Grub menu.
> >
> > Any idea how to proceed?
>
> You should choose in grub menu an older kernel and do the grub2-mkconfig
> command as suggested.
>

Ok, when booting up I see the following menu:
1) Qubes, with Xen Hypervisor
2) advanced Options for Qubes with Xen Hypervisor

Choosing 2) I see another menu:

1) Xen Hypervisor, version 4.8.3
2) Xen Hypervisor, version 4.8.3.config
3) Xen Hypervisor, version 4.8

I have chosen 1 and then I can see different kernels:

I'll try to boot those.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vAxgjCzKaqSzUTytWGK3HM7mwe7tN2gtGQZBt5HK6nyQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Major Problem: Boot Loop after Upgrading dom0

[799]

Hello,

After Upgrading my AppVMs to Fedora 28 yesterday I tried to upgrade dom0.
During the update I ran into problems with the kernel upgrade.
As the process seem to be stuck I interrupted with STRG + C.

Upon next reboot I run into a bootloop after passing Grub menu.

Any idea how to proceed?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tT_JTDDysK2R_orJR_UdK%3D-H%3DAEsdviL_mikvZK3EYHQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Teamviewer 13 won't start (QubesOS 3.2)

[799]

Hello,

On 27 May 2018 at 11:22, Others call me jean <nom...@trash-mail.com> wrote:

> On 05/25/2018 05:52 PM, 799 wrote:
> > Hello,
> >
> > Others call me jean <nom...@trash-mail.com
> > <mailto:nom...@trash-mail.com>> schrieb am Fr.,
> > 25. Mai 2018, 14:32:
> >
> > [...]
> > Since Fedora 26 and Teamviewer 13 I can't open teamviewer anymore:
> >
> > [user@fedora-28-dvm ~]$ teamviewer
> >
> > Init...
> > CheckCPU: SSE2 support: yes
> > Checking setup...
> > Launching TeamViewer ...
> > Launching TeamViewer GUI ...
> > [user@fedora-28-dvm ~]$
> >
> > -> no GUI
> >
> Display resolution: 1920x1080
> I don't run other application in the same VM (only a test vm for
> teamviewer)
>

I tried to install & run teamviewer in a fedora-26 based AppVM under Qubes
4 (as I don't have 3.2).
Teamviewer shows the same problem like you are describing unter Qubes 3.2.
Other applications start normally from the same AppVM and I am running a
non high-dpi-resolution.
As such the problem seems to be within the Teamviewer setup.

I found the following link:
https://community.teamviewer.com/t5/Linux/Teamviewer-13-amp-Debian-Stable-9-2-no-GUI/m-p/26156#M1377

from there:

"TeamViewer relies on session info to be made available to the daemon. The
desktop manager (lightdm) is involved in this. TeamViewer needs this
information to allow connecting to the login screen (lightdm) and then
transfer to the actual user session.We focus on that ability in our
development. However, your scenario is also valid of course. Once we get
the (non-installed) TAR package fixed, you might prefer it however. You
should be able to just start it when needed and it should also work if no
desktop manager exists."
I thereof tried to installed lightdm via sudo yum install lightdm but even
after installing it, I got the same problem.

My suggestion is to switch from Teamviewer to AnyDesk, which is working
without any problems under all OSes:
https://anydesk.com/remote-desktop

Companies who are unable/unwilling to provide cross-platform solution
shouldn't be supported.
I have switched from using Teamviewer to AnyDesk and haven't looked back.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sYu6v%3D8WXEX_OP%2B-9hXMmVrrgeE-Ma57Uj-dygK_BDJQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] fedora-27-minimal: networking support?

[[799]]

Hello Johannes,

On 05/28 12:00, Johannes Graumann wrote:
> The fedora-27-minimal template from the repo does not appear to have
> networking support. What needs to be installed to remedy that? 

I have just migrated all my sys-AppVMs from a fedora-26-minimal to a 
fedora-28-minimal image.
I also had some issues with networking and got it working after installing some 
more packages:

When I build my standard-App-Template for daily use, the AppVM was unable to 
connect to the web.
I had to install the following packages in the template to get networking:

dnf install qubes-core-agent-networking 

I guess the same applies for fedora 27.

regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180527224032.ye33zkmjm2ar3sfl%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Dolphin or Nautilus in a standard Qubes AppVM Template

[799]

<schnurentwick...@gmail.com> schrieb am Mo., 28. Mai 2018, 13:45:

> On Sunday, May 27, 2018 at 10:16:17 PM UTC+2, [ 799 ] wrote:
>
> > The question is now, if I should install Dolphin or Nautilus as the
> default File Manager and which qubes-specific question I should install.
> > What do you suggest under Qubes Dolphin or Nautilus?
>
> For fedora use nautilus. Better Qubes integration.
> In debian use dolphin, because in the past there already were some Qt
> packages installed.
>

Thanks for the hint.

And respectively use Qt Applications in debian and gtk stuff in fedora.
>

Is there a way to check which  application uses GTK and which are using QT?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2u1r0hjczsx_xJQnKWZVF6A7TeVNL6dNURFBDW%3DMdXANQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Dolphin or Nautilus in a standard Qubes AppVM Template

[[799]]

Hello,

I am currently migrating from fedora-26 to fedora-28 which includes replacing 
my templates buy rebuilding from scratch.

I decided to replace my "fat AppVM templates" which have been based on 
fedora-26 before with AppVMs based on the 
fedora-28-minimal template.

The question is now, if I should install Dolphin or Nautilus as the default 
File Manager and which qubes-specific question I should install.
What do you suggest under Qubes Dolphin or Nautilus?


[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180527201319.ik6t2ehakmihh7aj%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Why does sys-firewall needs so much RAM?

[799]

On 27 May 2018 at 16:13, donoban <dono...@riseup.net> wrote:

> [...]
> Also if you want to save more ram with sys-firewal, consider trying:
> https://github.com/talex5/qubes-mirage-firewall


I haven't heard of the "unikernel firewall", thanks.

More explanation found here:
http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

The only thing I am struggling with is to install something so crucial like
a firewall which is not coming from the Qubes Team.
For me as a normal user it is hard to decide if qubes-mirage-firewall is
reasonable secure compared to the default sys-firewall.
As far as I understand it is run a docker image (in dom0?).

is there any official feedback regarding the qubes-mirage-firewall and what
do the "Qubes Pro's" think about it.
If it is better, then why hasn't it be integrated in the Qubes Image?

I will rebuild my sys-firewall from a fedora-26-minimal template and try to
see if I can reduce memory.

Question:
How can I check how much memory really is consumed?

[user@dom0 ~]$ xl list
[...]
sys-firewall shows 1.638 MB


[user@sys-firewall ~]$ free -h
  totalusedfree  shared  buff/cache
available
Mem:   1.4G133M882M2.9M454M
1.1G
Swap:  1.0G  0B1.0G

Does this mean that only 133 MB is currently used by sys-firewall?

Maybe I made the mistake trusting the numbers in dom0: xl list?
[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sR%2BUd%2B8DBmNkFcuJ4bUoiprmM06wykP%3DsBLyuwZqRApw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Why does sys-firewall needs so much RAM?

[799]

Hello,

as I have only 16GB of RAM available I'd like to keep an eye on RAM
consumption.
I am wondering why my sys-firewall always need > 3 GB of RAM.
What is running there that needs so much memory?

My sys-firewall is based on a fedora-minimal package which has some
additional packages installed to work as a firewall AppVM.
memory consumption according to qvm-ls is 3.083 MB after a fresh restart
only having sys-net and sys-usb running.

my sys-usb is showing 284 MB RAM, my sys-net 384 MB

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uuD4wCdYj9Y%2BFqff6e2Ei53BUrkg-zHTDPmryFg%3DFeEQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Help understanding qubes networking

[[799]]

Hello Ivan,

On 04/30 10:19, Ivan Mitev wrote:
> Hi !
> 
> On 04/30/2018 09:48 AM, [799] wrote:
> > [...]
> > I am trying to understand how networking is configured.
> > [...]
> 
> - when the XEN network interface appears, /usr/lib/qubes/setup-ip
>  script is run by udev (see /etc/udev/rules.d/99-qubes-network.rules)

Thanks, this script is located in the AppVM.
 
> - /usr/lib/qubes/setup-ip gets the VM's definitions from dom0 with
> `qubesdb-read /blah` and sets the network accordingly

Looking at the script /usr/lib/qubes/setup-ip I found:

ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)

so the variables are filled from data coming from qubesdb-read.
I opened qubesdb-read but it looks like a binary (?) file.

> you can change a VM's network prefs with `qvm-prefs vmname ip`,
> `qvm-prefs vmname gateway`, ...; I see there's a bunch of `visible_...`
> network prefs, no idea how those works nor nor how they're generated).

So basically it looks like this:

network configuration of AppVM -> qvm-prefs -> stored "somewhere" in dom0
/usr/bin/qubesdb-read (in the AppVM) -> read data from dom0

Where is the data from qvm-prefs stored? Is it really a database?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180501001931.6jk27cvffbpyvwpj%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Music streaming in Firefox 59: QubesOS 4.0 / Fedora 26

[799]

Hello,

<00010age...@gmail.com> schrieb am Mi., 25. Apr. 2018, 21:38:

>
> Thanks, but unfortunately it did not work.
>

I was also interested in multimedia usage when running Qubes.
As I run into some issues using Firefox I ended up building a multimedia
App Template based on Debian.

I wrote a short How-to, if you're interested take a look there:
https://www.qubes-os.org/doc/multimedia/

Is it an issue for you when you're running a Debian based AppVM?

What kind of music service do you want to use?
Maybe U can try if it works in my multimedia AppVM before you spent time
there.

Regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2u2MhRy7po4crO9wnwHSXqq6wC%2BXUorZanZKKABPYC_Ow%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Help understanding qubes networking

[[799]]

Hello,

I'm trying to understand where I can tweak my network configuration in a 
fedora-26-min based AppVM.
As far as I understand networking for eth0 is currently configured by DHCP from 
the sys-firewall AppVM.

I am trying to understand how networking is configured.

Nomally I would expect to find the IP-configuration for eth0 in 
/etc/sysconfig/network-scripts but there is only an ifcfg-lo not an ifcfg-eth0.
Nameservers are set as usual in /etc/resolv.conf.

I assume that there are qubes specific script involved?
Can someone explain?

I would like to know how networking is setup and how I can change my 
configuration (likely on sys-firewall) so that I can decide which AppVM gets 
which IP-address.

I looked at the Qubes OS networking doc located at 
https://www.qubes-os.org/doc/networking/ but it seems that the side is gone.
-> 404 not found

 [799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180430064807.mkb2sy7ruos4nell%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qvm-run: piping to xclip

[[799]]

Hello Quentin,

On 05/03 12:31, quentin.leguenn...@gmail.com wrote:
> I am currently trying to get a script working to copy passwords from a 
> password store VM to different VMs, using qvm-pass.
> I tried something like:
> qvm-run vmname 'qvm-pass gmail | xclip'
> The password is copied to the vm but the command doesn't terminate.
> In fact,
> qvm-run vmname 'echo abc | xclip'
> Doesn't terminate either. Can someone explain what I'm missing here? 

I run into the same issue when writing a script to overcome the problem that 
working with screenshots is very hard in Qubes.
As only dom0 can make screenshots I was looking for a way to send 
dom0-screenshots into the clipboard of an AppVM.
The solution I came up with was a script that needs to be run in dom0, which 
will allow the user to make screenshot and paste the screenshot into the AppVM 
clipboard.

https://github.com/one7two99/my-qubes/blob/master/home/bin/qvm-screenshot-to-clipboard.sh

It has also some information in out how you can send messages to the 
notification area, something I think is important as soon as data is transfered 
between VMs or dom0 and VMs.

I had also a problem that the script will only quit after the content has been 
pasted from the AppVMs clipboard.
I am sure that this is the same in your case.

Try it out and give me a feedback.

Question to others:
How is it possible to overcome this 
"continue-after-clipboard-has-been-pasted"problem?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180503163450.nx3r3vhfutq5eowi%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Remote Control Question

[799]

Hello Stuart,

Stuart Perkins <perkins.stu...@gmail.com> schrieb am Mo., 30. Apr. 2018,
14:58:

>
> >> I'm considering setting up Qubes capable server at my home.  What I
> need, however, is to be able to remotely control it.
> Updates...reboot/stop/start system and app vm's etc.  Is this even possible
> with Qubes?  I currently run a Ubuntu powered old laptop as a "server" and
> have it hosting a couple of VM's with virtualbox.
>

Depending on the hardware you can completely remote administrate the server
using Intel AMT.
It allows you to remotely control the hardware even when the device is
switched off but connected to the LAN.
Using AMT you can open up a VNC connection to the server.
AMT will allow you to remotely control and restart a server even it has
crashed into a blue/purple screen.

This technology is the reason that some people are flashing their BIOS
(Coreboot) in order to get rid of this piece of software.
I am using AMT with my corporate Q
laptop which runs Qubes OS.
On my 2nd Laptop a X230 I am running Coreboot to get rid of AMT.

[799]

>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2v2kbPH2PSjwYFL5tpeBUkJZBD-cDyzPnkjAfuNDzK_RQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] screen sharing

[799]

Hello The Flakes,

<thefla...@gmail.com> schrieb am So., 29. Apr. 2018, 02:34:

> What's the best way to allow app/screen sharing in WebEx / GotoMeeting /
> Hangouts etc. ?
>

I had to ask the same question when moving to Qubes OS as part of my job is
heavily based on Collaboration and Screen sharing.
Working for an IT company/Cisco Partner I had the benefit that we can use
some tools for free.
While I like WebEx it is a shame that there is no real solution for Linux
and companies who are not providing cross platform solution should be
"punished" by not using their products ;-)

As such I have looked at other alternatives like TeamViewer and AnyDesk as
both solution can be run for free as an individual user and can be used for
business when paid.

I prefer AnyDesk over TeamViewer as it is super easy to setup and  doesn't
cost much when used for business.

Please consider that most screen sharing apps are closed source and as such
can't be trusted.

Another option is to create a screen sharing "Proxy VM".
You could then run your Screensharing App there and use VNC to make a
connection from there to your AppVM.
This includes to set firewall rules between both VMs to allow VNC.
But you could easily write a script which does all the necessary steps:

Idea:
qvm-screenshare start   

The Script will start the Screensharing AppVM, then launch the
Screensharing Application in this VM.
Additionally it will setup the required firewall rules between both AppVMs

qvm-screenshare stop  

This will remove the firewall rules between both VMs.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tLc7E1YDoEfJaskyrD10pNk_Um8XmBjJ5KzS0ZjTU80A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[[799]]

On 03/07 06:48, Yuraeitha wrote:

> It seems like a good way to do it, I like it. What does others think about 
> it? 

agreed. 

> Does anyone disagree with the idea of making an initial first step with a 
> second repository with an associated 
> Community doc page, as discussed? We can always look at forums and other 
> platforms later on, it's probably best not 
> to do everything at once, especially now when the Qubes staff is busy, it 
> might be best to start where the least 
> work is needed from the Qubes staff. A second repository and assigning 
> volunteer moderator(s) should be straight 
> forward less than 5 minutes task [...]

as you mentioned let's do it this way and if we find out this was a bad idea, 
we can fix it later on.
the alternative could also be just start a new repository on our own accounts.
Honestly I think that only a few users will contribute, but that's fine.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180307185609.h2s4abfp3a3fp4gk%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: off topic - invite codes to 'riseup'

[[799]]

On Wednesday, March 7, 2018 at 8:11:25 PM UTC+1, Tim W wrote:
>
> Compare this to say protonmail its not even remotely close.  As both can be 
> had for free and without all the need for referrals as its 
> targeted toward liberal/social/anticapital political change groups not sure 
> the point?  Elitism?

The problem with Protonmail is, that there is no IMAP support and therof it 
seems impossible to store data offline.
https://protonmail.com/support/knowledge-base/imap-smtp-and-pop3-setup/

There seems to be a workarround with the Protonmail Bridge but it will only 
work for Windows & Mac.

[...] The Bridge release for Linux, which will include a command-line interface 
version, is scheduled for early 2018. [...]

Thereof the best option might be to use email-encryption.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180307202046.seqidmn5ohrhmgnu%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Fwd: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

CC'd to list, as I am still learning neomutt and hitting reply ("r") only
send the mail back to the main address.

-- Forwarded message --
From: [799] <one7tw...@gmail.com>
Date: 7 March 2018 at 01:15
Subject: Re: [qubes-users] For community by community - A way to
preserve/focus everyones work going into Qubes, bottom-up
To: Alex Dubois <bowa...@gmail.com>


Hello,

On 03/06 11:37, Alex Dubois wrote:

> [...]
> A new project is create (by Andrew?) called Qubes-community
> I think 2 is better
> - as we may have as repo a fork of Qubes-doc, but we could have
Qubes-community templates, scripts, ...
> - as it protects Qubes’s main project and operations
> [...]

I agree, but would call it the "qubes-community-doc" and I also like the
idea which was also mentioned by someone else, that we start with a simple
empty repository.
Thereof the risk is lower that someone doesn't know where to publish
changes.
the qubes-doc should be seen as the production area documentation while
qubes-community-doc is something like a preproduction/staging area.

@Andrew/Qubes-Team:
Can you setup the repository from your account?
As mentioned I think it makes sense if you "own" the main repository.

[799]

--
Lenovo W540: Qubes OS 4rc4 + Windows 10 Ent - Dual"bh"t
Lenovo X230: Qubes OS 4rc4 with Coreboot

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2spQpUQbLaMvw%2Bo950sAF5SwFyZO7mOoCXVLz_wrk8JOw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: RC5 still coming out today?

[799]

Hello,

On 7 March 2018 at 01:08, <alexclay...@gmail.com> wrote:

> It's posted: https://www.qubes-os.org/downloads/#qubes-release-4-0-
> rc5-release-candidate
>

great news. I am missing information how to upgrade coming from a Qubes
4rc4.

In the Installation Guide (https://www.qubes-os.org/doc/installation-guide/
) it says:
[...]
Upgrading
For instructions in upgrading an existing installation, please see the
Release Notes of the version to which you want to upgrade.
All of these release notes are available from the main downloads page.
[...]

In the Release Notes (
https://www.qubes-os.org/doc/releases/4.0/release-notes/ ) it says:
[...]
There is no in-place upgrade path from earlier Qubes versions. The only
supported option to upgrade to Qubes R4.0 is to install it from scratch and
use qubes backup and restore tools for migrating of all of the user VMs. We
also provide detailed instruction for this procedure.
[...]

I assume I can upgrade from Qubes 4rc4 just via qubes-dom0-update and then
updating all TemplateVMs?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tNz%2B1aPPuYzUR0ZbgDoNuBOR90DrjysU%2BgM3uuN%3D-Pag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Recommended laptop

[799]

Hello,


Am 07.03.2018 7:28 vorm. schrieb "'我' via qubes-users" <
qubes-users@googlegroups.com>:

Hello.

I installed Qubes3.2 on my MacBook 2009 late. But I could not use WiFi.
So I want to buy a new laptop for qubes4. What laptop is recommended?

How about libreboot T400?
https://minifree.org/product/libreboot-t400/


My suggestion would be get a Thinkpad, which is on both "compatibility
lists" (HCL - Hardware Compatibility List)

1) Coreboot HCL
https://www.coreboot.org/Supported_Motherboards

2) Qubes OS
https://www.qubes-os.org/hcl/

As you haven't provided any information what you want to do on your Laptop
and which form factor and battery runtime is right for you, nobody can give
an advice.
What are your requirements?

As always in live it's about finding the right trade-off.

I have two Laptops, one 12" with Core i5 and 16GB RAM, working WWAN and a
very long battery runtime and a 15" with Core i7 / 32 GB RAM and a
3K-Display.
Using the 12" much more and haven't run into any performance issues.
Only recommendation: if possible grab 16 GB RAM, feels right.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vXQLCV-Hj82%3DKskTQ14QNGK3OinU%2BcbXpv_6b93WTGiQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Recommended laptop

[799]

Am 07.03.2018 8:21 vorm. schrieb "'awokd' via qubes-users" <
qubes-users@googlegroups.com>:


> If you aren't concerned about owner control, check
> https://www.qubes-os.org/hcl/ for other laptops reported to work with 4.0.

Should add that if you go with a G505s, please be prepared to flash it
with Coreboot yourself. It will need an external SPI programmer.


If using Coreboot instead of Libreboot aren't their better options than the
G505s which seems to be a consumer device.

As the question "what should I buy?" seems to be common, is this in the
FAQ? Maybe also with some more details regarding Stock ROM vs. Coreboot vs
Coreboot + ME_cleaner vs. Libreboot?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vx7WC3jxM2zbC6-0nQgEO_co8dx3343JF3zKpYAHZuEg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] repo qubes-dom0-current-testing broke copy between AppVM

[799]

Hello Glen,

Am 07.03.2018 5:11 vorm. schrieb "Glen H" <glen.he...@gmail.com>:

Hi,

I wanted to update from 4 RC4 to RC5.

so I ran:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

But that seems to have broken copy to another AppVM (from Nautilus).
Perhaps I need to update the templates too but I'm not sure if I should be
syncing up to "qubes-dom0-current-testing" or "qubes-dom0-current", please
clarify (I want to be on RC5).


You need to upgrade both, if the problem still exist it may be a bug.
Andrew wrote yesterday what the procedure looks like:

(...) Current users of Qubes 4.0-rc4 can upgrade in-place by downloading
the latest updates from the testing repositories in both
[dom0][dom0-testing] and [TemplateVMs][domU-testing] (...)


For FYI, is there anyway to downgrade back to "qubes-dom0-current" (or
whatever state I was in before I updated)?


I highly suggest to make a backup before running any upgrades.
With today harddrive capacity there is now reason not having a regular
backup

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uwkQgduXsMYFebatu4D-9hwgQc74ggAr6PnB-RqT-w0Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

Hello Yuraeutha,

On 03/07 08:59, Yuraeitha wrote:

> [...]
> If I interpreted this correctly, my understanding is that it's preferred
that a community like this to have an inviting
> GUI platform, so that it can easier gain traction and build up users, and
include more people? i.e. github is not desired
> for the central community environment?
>
> Maybe we could beta-run a volunteer run GUI based platform first before
you decide if it should be made official on i.e.
> recognized on the Qubes website with a link? testing the waters a bit by
dipping the toe in, before taking a full dive.
> [...]

I won't agree, as content is the most important thing.
Content first -> presentation later.

Let's just start with using GitHub and evolve from there.
What do you think?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uEWmnEAhKuezusMgUwQuGxNVbSPs7_Ks-o%3DRZQn%2BDOxA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Offtopic Amazon Echo // Re: [qubes-users] Re: High spec laptop for Qubes OS

[799]

Am 07.03.2018 8:08 nachm. schrieb "Yuraeitha" <yuraei...@gmail.com>:

(...)
So who wants a proprietary, backdoored, error-prone, computer in their
brain in contrast to open source, open hardware, which can be trusted? Even
before all this, some people who didn't care before, are starting to care
now when technology is increasingly getting closer to their lives. Like The
Amazon Echo, which is always listening to its environment, and now it's
happening to TV's and many other gadgets as well. Eventually even toasters
can spy on us.


To be fair:
The problem is not that it is always listening, as this is only be done to
simplify the use as you can say Alexa  without having to wait for
until the the echo is ready.
As soon as it recognized "Alexa" it will use the part afterwards as command.

More details in the FAQ:
https://www.amazon.com/gp/help/customer/display.html?nodeId=201602230

[...] 2. How does Alexa hands-free on my Fire tablet recognize the wake
word?

Alexa on your Fire tablet uses on-device keyword spotting to detect the
wake word, even when your device is in standby mode. When the wake word is
detected, Alexa on your Fire tablet streams audio to the Cloud, including a
fraction of a second of audio before the wake word [...]

What is much worse:
In the default configuration it storing every command you have ever said at
Amazon. With this data you can create a perfect profile and this shouldn't
be enabled by default.
The regarded voice command should be transferred to the voice recognition
server for analysis and the data should then be deleted as there is no
technical reason to store it.
I have doubts that they only do so in order to improve their service by
analyzing the voice data to give more accurate results.
This should be something that is done via opt-in and maybe with a reward:
"thank you for being completely transparent, you'll get a 10eur Amazon
Voucher and a free copy of '1984'".

I agree that it is dangerous to have such a device at home which doesn't
have a hardware kill-switch for the microphone.
But much worse is what they're already got doing without hiding it from
their users.
I was shocked when a friend showed me his Amazon echo and then said:
"Here look at the list about every command I have used so far, isn't this
cool?"

The danger is clearly the user who even agrees and likes this kind of
"feature" and the usability of those products is so easy, that everything
with adds more security feels complex.

That's a main motivation for me willing to contribute documentation so that
Qubes is easy to use do use, for those who are interested in privacy but
are not technical experts / Linux powerusers.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2synoy3Wvsi2WCDqoLQ6f-d9duQcvyi0D4G6GBM_PH_ZQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] R4.0 testing: Widget shows spinners / Kill for running VMs

[799]

Hello,

Am 08.03.2018 2:01 vorm. schrieb "Chris Laprise" <tas...@posteo.net>:

Having just upgraded dom0 with qubes*testing, I noticed that nearly all of
my running VMs are being displayed by the 'Q' widget as if they were in a
pre-started or pre-halted state.


Wouldn't it makes sense to create one GitHub page for each new release,
where users can provide a quick feedback when there testing the new release.
I know it is also possible to raise an issue but it takes more time and is
not that convenient for users to look at and the list of open topics could
be placed on the Qubes Website, so that a user has a single go-to-place to
find out if he wants to take the chance testing out the new release.

I am currently reading all posts to make a decision, should I upgrade yet?
Having a bullet point list on a GitHub page would be nice, maybe later
referencing to the issue-tracker and deleted as soon the problem is fixed?
Could also be maintained by the community with a disclaimer (Warning:
blaba..)

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uRBm5LxP9s5dwxmitXkzYFjHujugqUk95H%3DF3nTZSCdg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Qubes and Email/PIM (Was: Re: [qubes-users] Re: Security questions (templates and kde)

[799]

Hello,

Am 06.03.2018 10:04 nachm. schrieb "Steve Coleman"

Because the SMTP infrastructure was not designed with compartmentalization
in mind, and I only get my one email account to work with, this single
"email" VM is highly isolated. It gets its own software locked down
configuration and is firewalled with a default-deny network policy. The
only services that this VM can get to on the network is the required SMTP
services, network authentication, and the necessary  signing key
management.  No internal websites, no external sites, only the email App
runs here. Well, Ok, the calendar too. Anyway, there should be no "phoning
home" from here, other than through per use 2fa outbound email. Should any
rouge malware be received, all attachments are first scanned and "tested"
in a DVM instance before being separated and pushed across to the
appropriate project VM for storage management. All project related
historical emails are then migrated to an off-line but searchable storage
by project. This specialized email VM essentially sorts, filters,
prioritizes, and bins any incoming data/mail for easy processing.


Do you mind writing some more details as I am interested how other people
solve the email problem.
Are you really separating email in different AppVMs?
Even when you said, that the VM can only connect per SMTP I assume that you
are not separating IMAP (incoming) and SMTP (outgoing) into two two VMs and
then moving emails from the incoming mail VM to the offline mail VM?
You have one VM which makes both IMAP and SMTP correct?
Which email/calendar client are you using and how do you move mails to
your  offline email VM?

My setup:
Dedicated Email VM with Davmail installed. Davmail connects per OWA to our
corporate Microsoft Exchange Server and acts as some kind of gateway to
provide local SMTP/IMAP/CardDAV/CalDAV connections.
For emails I am running offlineimap which connects locally to Davmail and
downloads all emails and creates a local maildir-repository.
Contacts and calendar entries are downloaded via vdirsyncer.
All content is now locally available in this Email-AppVM and can now also
be used offline.
Within this VM I have setup:
For plaintext work:
- neomutt - email client
- khal - calendar
- khard - adressbook
- notmuch - fast search

And as GUI email clients (connecting to the Davmail gateway / not using the
maildir-repository)
- Evolution
- Thunderbird

Unfortunately not everything works with the Davmail Gateway:
I can see the exchange Calendar in Thunderbird, but not the calendars of my
colleques. If I open a calendar entry I get an error.
On Evolution calendar is working much better as I can open and view the
details of an calendar entry, I can create and edit calendar entries -
everything is synced per Davmail to our corporate Exchange.
Strangely I can not delete calendar entries in Evolution.

With khal I can also view/edit my  calendar entries in the terminal.
Same for khard with my contacts.

Todo:
1) Check why I can add/edit calendar entries but not delete them

2) optimize handling of attachments that PDFs / Office documents / Weblinks
are always opened in a DVM.
I have been able to do this for Thunderbird but not yet for neomutt and
Evolution.

3) I'd like to integrate email and calendar into emacs org-mode, which I am
more and more using for PIM.

4) lock down EmailAppVM so that it can only access the Microsoft Exchange
Mailserver nothing more.
I would do so by running IPtables within the VM with a default
incoming/outgoing DROP policy only adding what is absolutely necessary to
get mail/contacts/calendar working with the Exchange server

I have also thought about separating email into more AppVMs but the
usability trade-off seems to high without gaining that much security.
As the Email AppVM only is used for email/calendar it should have the same
security level like our Exchange Server. If it gets compromise it doesn't
make a difference what I have setup in Qubes.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2txubQV8-Btuxje%2BFvfT5aq8aLHdxjnBRhVBRkFOLz6bw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes os resolution issue

[799]

Am 09.03.2018 6:56 nachm. schrieb <randallrba...@gmail.com>:

Hi there so I was finally able to get qubes installed to test if it
actually runs on my laptop (Razer stealth 2017) and there's some issue with
the display resolution. My resolution is 3200 x 1800 and that's fine, but
when I log into qubes everything looks extremely small and hard to read.


I'll install Qubes 4rc5 on my Lenovo W540 which has also a 3K resolution ->
2880x1620 Px.

I had the opposite problem before that my fonts in the terminal windows
were to big.

I used the following command to scale down the display fonts:

Fix big font size in AppVM in a HighRes machine:
https://github.com/QubesOS/qubes-issues/issues/1951
qvm-run  'gsettings set org.gnome.desktop.interface scaling-factor 1
&& gsettings set org.gnome.desktop.interface text-scaling-factor 1

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vwR6Kmpx0HRUpO%2Bo0JbyEcaXjczrYjC-ycLPr7cTvQ_w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes os resolution issue

[799]

Hello,

Am 09.03.2018 6:56 nachm. schrieb <randallrba...@gmail.com>:

My resolution is 3200 x 1800 and that's fine, but when I log into qubes
everything looks extremely small and hard to read.


I've installed Qubes 4rc5 and I was able to scale the display resolution
using the normal system preference panel:

1) Qubes Menu > System Tools > Appearance

2) then go to the "Fonts"-Tab

3) DPI
[X] Custom DPI setting: 120
(Default value is 96)

You might of course also try different DPI-settings.

You might need to tweak the scaling in the AppVMs as well, see my last
email.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vc%3Dpp3QWgZbBAYviNQhci1tJo-EaNHGxySqT9v%2BNoWhw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Launching speed of disposable VMs 15-18sec

[799]

Hello,

I am just wondering if there is a way to speed up the start of disposable
VMs.
On my W540 with an Intel Core i7-4900MQ with 4 Cores @ 2.8GHz / 32 GB RAM /
512GB SSD and having only sys-net / sys-firewall running the first boot of
a disposable VM takes 18sec, later starts take 15sec.

There is not much difference compared to my less powerful X230.

Are these normal launch times (~15sec) for a DispVM?
What could be done to accelerate this to get below 10sec?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2s4NwxpHFHp6-P-hjA%3Dj2yCZ1nYd8Qr%3D2v0bfKnQB4J4w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Want to use qubes. Will my pc be compatible?

[799]

Hello,

Am 11.03.2018 10:27 nachm. schrieb "konngammre" <jgau...@s207.org>:

So recently I found out about qubes-whonix and really want to try it out
for myself but, I have a new pc and was wondering if it will work. Also

if I have qubes on one drive and windows one another and the qubes drive is
encrypted does the windows drive compromise security of qubes?


I highly suggest to read or at least take a quick look over the excellent
Qubes documentation at https://www.qubes-os.org/doc/

Specifically:
https://www.qubes-os.org/faq/#is-there-a-list-of-hardware-that-is-compatible-with-qubes-os

... and ...

https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot

Questions from me:

1) what is your level of Linux expertise?

2) which applications are you running inside windows?

You could run Windows as HVM within Qubes to minimize the need to boot up
windows.
This is also a good migration way to find out which apps you need in Qubes
to replace existing windows apps.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2to1e4TpCjGoGOCyLNunaVRzmXN6EoQoTPZ70K5UTyHMw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] How to install qubes-windows-tools under Qubes 4rc5

[799]

Hello,

I'm trying to install windows on my new Qubes 4rc5 installation.
It seems that Qubes.Windows-Tools (QWT) are not available in the Qubes
4-repositories.

qubes-dom0-update --enablerepo=qubes-dom0-current-testing
qubes-windows-tools
[...]
Error: Unable to find a match

After some trial and error I found a way, is there another way to
accomplish easier?
If not I would add this to the docs.

1) Go to the rpm-repository from Qubes 3.2
https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/

2) Download qubes-windows-tools-3.2.2-3.x86_64.rpm in an 

https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm

3) move the rpm file to dom0, run in dom0
qvm-run --pass-io  'cat
/home/user/Download/qubes-windows-tools-3.2.2-3.x86_64.rpm' >
qubes-windows-tools-3.2.2-3.x86_64.rpm

4) Verify rpm package
rpm -K qubes-windows-tools-3.2.2-3.x86_64.rpm
it would be better to verify the signature i the AppVM, but you need to
import the Qubes Signing Key to do so, I was lazy and was fine with moving
the rpm-file to dom0 and verify the signature there.

5) Install rpm-package
rpm -ivh qubes-windows-tools-3.2.2-3.x86_64.rpm

6) the Qubes Windows Tools ISO will be located at
/usr/lib/qubes/qubes-windows-tools.iso
   this will be a link to the latest version installed, thereof to:
   /usr/lib/qubes/ubes-windows-tools-3.2.2.3.iso in this case

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vu0KwjUTcRFeWiV_S%3DR8WRN2B8bL2J%3DxHOCGnu6m93-A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?

[799]

Hello,

Am 12.03.2018 7:40 vorm. schrieb "Yuraeitha" <yuraei...@gmail.com>:

This is getting ridiculousness, another two posts automatically removed
straight after or shortly after posting, it's inhuman speeds, it is
certainly google-bots pretty censorship handy-work non normal
content/language.


Honestly I haven't understand why Qubes Team is hosting it's Mailinglist on
Google.

[...] Google collects and maintains information about your account
activity, including the groups that you join or manage, lists of other
members or invitees in the groups, messages or topics you track, custom
pages you create or edit, ratings you make, and your preferred settings
when using Google Groups [...]

I am sure that there are solutions where a Mailinglist can be hosted and as
others have suggested maybe run a forum.

Maybe https://savannah.gnu.org/ ?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vqmL64MVPVOLkfeJKRNYsi24Do6Dzgs%2BkcnxX3CWdvHw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[[799]]

Hello,

On 03/09 09:01, Yuraeitha wrote:
> On Friday, March 9, 2018 at 5:58:33 PM UTC+1, Ivan Mitev wrote:
> > On 03/09/2018 06:42 PM, Yuraeitha wrote:
> > > I added a repository for Community Discussions, and pinned it at the top. 
> > > Something like this is good for everyone?
> > 
> > https://github.com/Qubes-Community-Collaboration/Community-Discussions/issues/1
> > 
> > :)
> 
> Awesome, I'll go right there and read/reply :)
> I also just made this example, doesn't have to be like this, it's just a 
> layout. https://github.com/orgs/Qubes-Community-Collaboration/teams
> It allows for team discussions too, as well as allow community members to 
> find who specialize in what, so that requests can be made. Thoughts?

I went to the page but couldn't see any public members.
How can someone become a member?
I would like to transfer my "Qubes Projects" over to this place.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180309181220.rjjf6npd2opd4ehc%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

Hello,

Am 09.03.2018 7:18 nachm. schrieb "Yuraeitha" <yuraei...@gmail.com>:


Apologies, we decided to shorten the name a bit, the collaboration is in
the sub-title now instead. It can be found here https://github.com/Qubes-
Community


Ok, I can the site but I don't know where to go from there. Let's say I
would like to share my qvm-screenshot-2-clipboard script, where should I
put it?

Should I create a fork and then create a new directory put the files in etc?
Maybe the first contribution could be to create a "Hello World" example?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sBt3Tg2v55T9fudkO7Z-8s%2BskAmQJn%3DnNY5oA5_3j_GA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4rc5 + win7 HVM :: Can't resize Windows

[799]

Hello,

After a fresh installation of Qubes 4rc5 I provisioned a new win7 HVM from
scratch.
As I had detailed notes from my prior I installation this was mostly copy
and paste and the win7 is running including Qubes Windows Tools + seamless
mode.

The only but annoying problem is, that I can't resize windows as the window
is always running maximized.

Under Qubes 3.2 it was possible to resize Windows in seamless mode, if I
can only run full-size windows there is not much benefit running seamless
mode.
Has something changed from Q3.2 to Q4? Or is it something like a bug with
QWT under Q4?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2spvmnj6SdgE3S4K3UyGm2-D5%2B7Luyg6%3D1J_-kfhN4fzw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Q3.2 backup to AppVM , how to restore if can't boot Qubes ?

[799]

Hello,

Am 13.03.2018 2:17 vorm. schrieb "'awokd' via qubes-users" <
qubes-users@googlegroups.com>:


> Is backing up to a removable USB device then  the suggested best practice

Backing up to some type of removable storage is a good idea in case your
computer gets lost or heavily damaged.


I would go as far, that a "backup" which is stored locally is not (!) a
backup as it will not help you in case of theft or harddrive damage.
A backup to local disk, is just a copy of data.

I have very often seen people loosing data because of a bad backup
implementation, some suggestions:

1) store a copy of the backup to (at least) one external storage

2) keep more than 1 version of your backup. A replication of your
production is not a real backup as accidentally deletes will be transferred
to the backup upon next synchronisation.

3) encrypt your backups

4) if possible, use more than 1 backup medium and store a copy Offsite or
at your friends/parents house

5) IMPORTANT:
Make a recovery test of your backup, this includes restoring a few files
and more important a complete restore. Can it be restored to different
hardware? What are the exact steps etc.
A backup without a recovery test is not a backup.
I have never understand why so many people care about backups and not about
restores ;-)

6) adapt your backup frequency to your data needs. Important data
might/should be backup more often than other data (personal
documents/pictures vs. your movie/mp3 collection)

7) always assume that any external storage will certainly (!) break one
day. It's not a question of if, but when.
It will hit you one day. As pricing for storages goes down / capacity
increases it doesn't make sense to keep your harddrive for ages.

8) think about the threat scenarios you're trying  to be protected against.
Then look at the backup implementation if it will protect you against all
of this.
Example: thread = theft or fire -> a harddrive under your bed or the NAS in
the basement, might not be the best (or only) solution.

9) review your backup schedule at least once a year, maybe when you're
running a recovery test (see 5) above. .. Just to keep reminding you :-)

My suggestions so far.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vJLaBw5ueeNwtnaa-xSVg4qK58JmAh5yoJzttnUPEzYQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Howto: Enable WWAN (LTE Sierra EM7345) in Qubes OS (Howto install ModemManager in Qubes)

[799]

Hello,

On 12 March 2018 at 20:38, akiraloopback via qubes-users <
qubes-users@googlegroups.com> wrote:

> Maybe. No. I just installed sys-usb now, delegating the LTE device to
> sys-net:
> [root@dom0 ~]# qubesctl state.sls qvm.sys-usb
> [user@dom0 ~]$ qvm-usb -a sys-net sys-usb:4-10
>
> Seems to work well.


happy to heat, that you made it work.
For some reason sometimes the exalt USB ID changes (example same device
which was sys-usb:4-10 before is then sys-usb:5-10).
I have thereof written a small helper script which will attach the
WWAN-card based on the name:

#!/bin/bash
# Attaches internal LTE-Card to sys-net
qvm-usb attach sys-net `qvm-usb | grep H5321 | gawk '{ print $1 }'`

You might need to change H5321 in your case so that the string is within
the description of your WWAN card.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2s-L7hkgxeQMQ48Xq-ZypuRDOQJfR%2Bn6%2ByXTXXLj-97qg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] RC5 no more 802.11ac networks

[[799]]

Hello,

On 03/15 07:31, Gulbis Bulbis wrote:

> After upgrading(i did a fresh install) rc4 to rc5 i no longer "see" 5G wifi 
> networks. I reinstalled rc4 and AC networks are working fine so 
> its probably not my Intel 7250 dual band network card. What could be a 
> problem?

running Qubes 4rc5 on my Lenovo W540 and using an Intel Wireless 7260 Card I am 
able to connect and use 5 GHz Wifi networks.
As such it doesn't seem that you problems are not a generic Qubes 4rc5 Wifi 
problem.

regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315194156.z7ruymfc73jv5hha%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] not yet working -> fedora-26-based (minimal) sys-usb with Qubes 4rc5

[799]

Hello,

I'd like to rebuild my sys-net/-firewall/-usb VMs based on a fedora minimal
template instead of a full template.
While sys-net and sys-firewall seem to work with my new template (named:
t-sys) I can't get sys-usb to work.

I followed the info page on the Qubes Doc:
https://www.qubes-os.org/doc/templates/fedora-minimal/


Those are steps I've made

# Install default minimal template in dom0
sudo qubes-dom0-update qubes-template-fedora-26-minimal

# Clone template to keep the original template
qvm-clone fedora-26-minimal t-sys

# Install additional packages
qvm-run --auto --user root t-sys "xterm -hold -e 'dnf -y install
gnome-terminal terminus-fonts less vim-minimal nano dejavu-sans-fontsl sudo
pciutils psmisc gnome-keyring usbutils'"

# Install specific packages for sys-VMs
qvm-run --auto --user root t-sys "xterm -hold -e 'dnf -y install
qubes-core-agent-qrexec qubes-core-agent-systemd
qubes-core-agent-passwordless-root polkit qubes-core-agent-nautilus
qubes-core-agent-networking qubes-core-agent-network-manager
network-manager-applet  notification-daemon  qubes-core-agent-dom0-updates
qubes-usb-proxy  pulseaudio-qubes NetworkManager NetworkManager-wifi
NetworkManager-wwan'"

# Install missing firmware
qvm-run --auto --user root t-sys "xterm -hold -e 'dnf -y install
linux-firmware iwl7260-firmware'"

# Shutdown template VM
qvm-shutdown --wait t-sys

# shutdown everything and change template in your sys-VMs
qvm-kill sys-net && qvm-kill sys-firewall
qvm-shutdown -all
qvm-prefs --set sys-net template t-sys
qvm-prefs --set sys-firewall template t-sys
qvm-prefs --set sys-usb template t-sys


While sys-net and sys-firewall seem to work, the sys-usb-VM seem to miss
something as my mouse will not work, which it is when using the default
fedore-26 template.

What am I missing?
Is there any reason, why the sys-VMs doesn't come based on a fedora-minimal
installation?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sKRDftyY7JMxSXmQAE4VbFV2YKiCuf%2B2jyk%2BPkWSiGcw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: not yet working -> fedora-26-based (minimal) sys-usb with Qubes 4rc5

[799]

Am 10.03.2018 2:09 vorm. schrieb "Yuraeitha" <yuraei...@gmail.com>:


Any chance it could be because of the missing qubes-input-proxy-sender?
It's hiding in the horizontal slider in the doc link you linked, it's very
east to miss it so its understandable.


There is no package 'qubes-input-proxy-sender' for fedora-26 based VMs in
Qubes 4rc5.

There is package 'qubes-usb-proxy' which I installed already before.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vf%3DPfE8ur-JG3rimrGLc74ubn1-U2fMivaGT%3Dv8UQVUQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Launching speed of disposable VMs 15-18sec

[799]

On 10 March 2018 at 01:48, 'MirrorWay' via qubes-users <
qubes-users@googlegroups.com> wrote:

> Unlike regular dispvms, the lifetime of a named dispVMs is not tied to an
> app, you have to shutdown manually. Like regular dispvms, named dispVMs
> forget all changes to private storage after shutdown.
>
> To create a named dispVM called "disp-untrusted" that is based on the
> "untrusted" VM:
> $ qvm-prefs untrusted template_for_dispvms True
> $ qvm-create --class DispVM --template untrusted -l red disp-untrusted
>
> Your new named dispvm doesn't appear in the menu, so you'll need to rely
> on CLI to manipulate it:
> $ qubes-vm-settings disp-untrusted
> $ qvm-run disp-untrusted firefox
> $ qvm-shutdown disp-untrusted
>

but this VM is just one (1) VM that will be reset (including the home
directory) on each reboot, as such I can't start two of those VMs which are
separated from each other (like real disposable VMs)?

$ qvm-prefs untrusted template_for_dispvms True

I can't run this command. It seems something is wrong here

I'm running Qubes 4rc5 and if I enter:

 qubes-prefs --get

I can't see a property template_for_dispvms

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tMr2n9%2B_rOsrAZFLaAEXiX4kMqBScxL5GuLt2MbNuueQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Launching speed of disposable VMs 15-18sec

[799]

On 10 March 2018 at 00:03, Yuraeitha <yuraei...@gmail.com> wrote:

> [...]
> I did a benchmark comparison (not overly accurate, but it might give some
> pointers).
>
> Your CPU 9061 rating. Single Thread Rating: 2084. Margin for error: Low.
> No of Cores: 4 (2 logical cores per physical).
> https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+i7-4900MQ+%40+2.80GHz
> 15 seconds to open dispVM.
>
> My CPU 2820 rating, Single Thread Rating: 1051. Margin for error: Low.
> No of Cores: 2 (2 logical cores per physical).
> https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+M-
> 5Y10c+%40+0.80GHz=2464
> 33,49 seconds to open picture in dispVM.
>
> So I got one real core, and one logical core to run my AppVM's, while you
> essentially have double up, 2 cores, 2 logical (unless you modified default
> Qubes CPU core layout to AppVM's of course).
>
> If you notice the value rating pr. core, yours is rated 2048, while mine
> is rated 1051. That's a roughly double up difference in performance.
>
> What I wonder about, what would happen if you assigned the 3'rd
> physical+logical core to your AppVM usecases, while preserving the last 1
> physical+logical core in dom0? Would it give you 75% performance in AppVM's
> instead of just 50% performance?
>


Start = click on launch DispVM Firefox
Stop = default website starts to load in Firefox


Mode = PVH 4GB RAM, 1vCPUs, Memory Balancing enabled
1st start = 19 seconds
2nd start = 19 seconds

Mode = PVH 4GB RAM, 2vCPUs, Memory Balancing enabled
1st start = 16 seconds
2nd start = 16 seconds

Increase vCPUs:
Mode = PVH, 4GB RAM, 4vCPUs, Memory Balancing enabled
1st start = 15 seconds
2nd start = 16 seconds

Disable Memory Belancing,
Mode = PVH, 4GB RAM, 4vCPUs, Memory Balancing disabled
1st start = 12 seconds
2nd start = 13 seconds

Mode = PVH, 8GB RAM, 6vCPUs, Memory Balancing disabled
1st start = 13 seconds
2nd start = 13 seconds


I did the same tests with Virt-Mode = HVM

Mode = HVM 4GB RAM, 2vCPUs, Memory Balancing enabled
1st start = 22 seconds
2nd start = 21  seconds

Mode = HVM 4GB RAM, 2vCPUs, Memory Balancing disabled
1st start = 17 seconds
2nd start = 18 seconds


Summary:
Adding more RAM or vCPUs doesn't change much, it seems that disabling
memory balance brings a small performance improvement.
Using Virt-Mode PVH seems to deliver the best performance

===
Prebuild -> fast delivery

It is a very interesting idea would to have prebooted disposable VMs
available. which gets activated as soon as I need a disposable VM.
As I have enougfh ressources I don't care if my RAM is eaten up or I loose
a bit CPU performance.
If disposable VM opens within a few seconds, I can change my workflow and
open my documents in a disposable VM.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2u9mCA8jDDL4urQEjRmzv2VHLveweX6S99PfbOAPU8YWA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Launching speed of disposable VMs 15-18sec

[799]

Hello,

Am 10.03.2018 1:10 vorm. schrieb "'MirrorWay' via qubes-users" <
qubes-users@googlegroups.com>:

You can reduce the start time to almost zero by using an already-running,
named DIspVM, see marmarek's post in https://github.com/QubesOS/
qubes-issues/issues/2801.


That sounds very interesting.
I have looked at the link, but didn't figure out what to do, to get faster
DispVM boot up times.
What do I need to do?


You can set a cron job that ensures they shutdown at least once per day.


Why? The DispVM should be shutdown after I close the window.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tAXrTGAT35HzixtYHz5A5SppS0RmirEo6%2BYPj%3Dz2CmGw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How do I create an HVM?

[799]

Hello,


Am 10.03.2018 8:19 vorm. schrieb "sevas" <tafleming2...@gmail.com>:

Been following the docs and I cant get it.

qvm-create --hvm
#No such argument
qvm-create --HVM
#No such argument
qvm-create --class hvm
qvm-create --class=hvm
qvp create --class hardwareVM

you get the picture. I must be missing something. I just want to start an
iso from a VM.


I think it's all in the docs:

https://www.qubes-os.org/doc/hvm/

For example:

qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property
kernel="" --property memory=4096 --property maxmem=4096 --property
debug=True --label green

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t7BQMo-8kMyTeOCpi3o%2BVaKrATaExD%3DBZASFymj8fxow%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: not yet working -> fedora-26-based (minimal) sys-usb with Qubes 4rc5

[799]

Hello,

On 10 March 2018 at 04:08, Yuraeitha <yuraei...@gmail.com> wrote:

> >
> > Any chance it could be because of the missing qubes-input-proxy-sender?
> It's hiding in the horizontal slider in the doc link you linked, it's very
> east to miss it so its understandable.
> > There is no package 'qubes-input-proxy-sender' for fedora-26 based VMs
> in Qubes 4rc5.
> > There is package 'qubes-usb-proxy' which I installed already before.
>
> how odd. I'm not sure why, but I can find it in my fedora-26 template, but
> I don't have any current minimal template to test it on on this particular
> machine. Here is my output;
>

I've checked again, the package is available in the default fedora-26
template but not in a fedora-26-minimal template:
t-sys is a template  which is a clone of the fedora-26-minimal Template

   [user@t-sys ~]$ sudo dnf -y install qubes-input-proxy-sender
   Last metadata expiration check: 0:00:41 ago on Sat Mar 10 21:16:27 2018.
   No match for argument: qubes-input-proxy-sender
   Error: Unable to find a match

I then tried to use the testing-repositories ... and SUCCESS, it worked:

   [user@t-sys ~]$ sudo dnf -y install
--enablerepo=qubes-vm-*-current-testing qubes-input-proxy-sender
   Qubes OS Repository for VM (updates-testing)258 kB/s | 197 kB
00:00
   Last metadata expiration check: 0:00:00 ago on Sat Mar 10 21:19:39 2018.
   Dependencies resolved.


Package   Arch   Version
Repository Size


   Installing:
qubes-input-proxy-sender
  x86_64 1.0.10-1.fc26
qubes-vm-r4.0-current-testing  15 k

   Transaction Summary


   Install  1 Package
   [...]
   Installed:
qubes-input-proxy-sender.x86_64
1.0.10-1.fc26

   Complete!


After installing the package via the testing-repositories, my new
sys-usb-Qube is also working correctly.
Thanks for the feedback - I guess this information is also somewhere in the
Qubes docs - haven't checked it yet, honestly.

maybe it makes sense to provide a script to build the sys-net /
sys-firewall / sys-usb based on a fedora-26-minimal template.
Try to add it to "our" qubes community docs ;-)

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tW3V5G3aRWhT645FVRa%3DbsRY-OzGzWwk7pW6KSD3XWrA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Launching speed of disposable VMs 15-18sec

[799]

Hello,

On 10 March 2018 at 22:52, 'MirrorWay' via qubes-users <
qubes-users@googlegroups.com> wrote:

> You can probably simplify this by basing it on named dispvms.
> That way you don't have to keep an xterm open somewhere, nor do you need
> to extract the dispvm name from Xwindows.
> Just restart the dispvm after you close the app.
>
> For example, assuming disp-untrusted is already running:
> $ qvm-run -p disp-untrusted firefox ; qvm-shutdown disp-untrusted ;
> qvm-start disp-untrusted
> -p above causes the qvm-run to block until you close firefox. Then it
> restarts the named dispvm, which stays running until the next launch
> request.
>
>
I've tested your suggestion, unfortunately this will not work like a normal
disposable VM.
I have downloaded an HTML-page in the disp-untrusted VM and when it gets
closed and started the next time, the file is still there.
This means it doesn't behave like a real disposable VM.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uXQwQi1VktsWrEC03H3ObLXcs7A46SBVHk03%2BT%2BCXQ5w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Launching speed of disposable VMs 15-18sec

[799]

Hello,

On 10 March 2018 at 17:14, Yuraeitha <yuraei...@gmail.com> wrote:

> On Saturday, March 10, 2018 at 8:21:02 AM UTC+1, hopkins...@gmail.com
> wrote:
> > >32 GB RAM.  launch times (~15-19 sec)
> >
> > This was the reason why i left Qubes OS. I cant coupe with hours
> starting vm-s. 3.2 version were faster.


I came up with an idea to accelerate the start of an application in a
Disposable VM to ~2 seconds.
The idea came to my mind when I thought about how we accelerate stateless
virtual desktops for our customers who are running VMware virtual desktop
(Horizon View),
We can build desktops that only exist as long as the user is logged in,
after logout the desktop is destroyed and he gets a complete new desktop
(build from an image) on the next login.
To make it possible that users have a good user experience and don't have
to wait during logon, when their desktop is provisioned we are prebuilding
desktops, so that a certain amount of desktops is always available.
If a new users takes a desktop, the system is automatically reprovisioning
a new one, for the next user.

I took the same idea to accelerate the launch of applications within
disposable VMs.
I have one or more disposable AppVMs available that can be used to launch
an application within it.
If the application ends the DispVM will be killed and for the next
application another disposable AppVM will be provisioned in advance.

The downside is that those started Disposable VMs may use some ressources
but as long as they are not running any calculation, the overhead shouldn't
be to big.
This approach is a workarround not a very smart solution, but it works.

Please don't be to hard judging the current state of the work, as I am
missing some scripting skills to make it do a first alpha version.
But someone with some more skills might be able to fill in the gaps.

This is how it works:

1) Launch a new disposable VM with nothing more than an empty xterm window.
This is only to have something like a container, to start the application in

2) move the xterm window to the last desktop (default Qubes installation
has 4 desktops (=desktop overview pager left of the clock in the menubar)

3) If you need to open a disposable Application, start this application in
the already running disposable VM
add a qvm-kill/qvm-shutdown after the command launch

4) provision a new disposable AppVM in the background which will be used
when the next disposable Application must be started.

This is far away from being perfect but it would be good enough for me,
I've run the commands manually and proved that something like this can
work, but I am missing some more scripting skills.
I hope someone can support me, filling the missing gaps.

=
Quick'n dirty notes, playing arround with the above idea / needs to be
polished.

# Create list of all open windows = Window-List-1
wmctrl -l | gawk '{ print $1 }'

# Show all Running DispVMs = List-DVMs-1
qvm-ls | grep DispVM


# Create a new AppVM and open an xterm window in it
# This will open up a new xterm window in the current window
qvm-run -q -a --service --dispvm=fedora-26-dvm -- qubes.StartApp+xterm &


# Show all Running DispVMs = List-DVMs-2
qvm-ls | grep DispVM


# TODO: commands to get the name of the newly created DispVM
# This DispVM will be called "Newest-DispVM"


# Create a new list of all open windows = Window-List-2
wmctrl -l | gawk '{ print $1 }'


# TODO:
# Commands to find out which is the new window ID from the xterm-window
# The DispVM-window-ID = Window-List-2 - Windows-List-1
# we call this window here DispVM-xterm-Window-ID


# List of all available desktops
# First desktop = 0
wmctrl -d |  gawk '{ print $1 }'
# TODO: Get the greatest number from this list = LastDesktop


# move the new xterm window to the last desktop, so that is it out of the
way
wmctrl -i -r $DispVM-xterm-Window-ID -t $LastDesktop


# If a new DisposableVM is needed, the following steps need to be done:

1) $Current-DispVM = Newest-DispVM

2) Prepare another DispVM in the background (!)
   Create a new DispVM  by opening an xterm session and
   move it to the last desktop (see above)
   This DVM will be the "Newest-DispVM

3) Run the application in Current-DispVM
   and kill the DispVM when the command has been ended
   qvm-run $Current-DispVM  && qvm-kill $Current-DispVM
   this will also kill the xterm window on the last desktop


What do you think?
Can someone can tell me the neccessary command to find out what is the
Windows-ID of the xterm window and the DisposableVM-Name after launching a
new App-VM?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on th

Re: [qubes-users] Re: Launching speed of disposable VMs 15-18sec

[799]

Hello,


On 11 March 2018 at 01:49, 'MirrorWay' via qubes-users <
qubes-users@googlegroups.com> wrote:

>
> This is strange, did you manually restart disp-untrusted?
> Check that `qvm-prefs disp-untrusted class` says DispVM.
>
> > Change your template - base it off a -dvm, and itwill work like a 3.2
> Named dispvms should work with any appvm with template_for_dispvms set,
> though.
>

sorry, but I still can't follow, I have already build a custom dvm, but it
had the -class=AppVM
It seems that there are different disposable VMs now?

I have to read: https://www.qubes-os.org/doc/dispvm/

>From my own Qubes Installation notes (Howto create an iwn disposable VM
template):

# Create a new Disposable App-VM which is based on a custom template
t-fedora-26
qvm-create --template t-fedora-26 --label red --property
template_for_dispvms=True --class=AppVM my-dvm

# TEST: Start an application in this dvm
qvm-run --dispvm=my-dvm xterm

# Fix menu entry from Domain: my-dvm to Disposable: my-dvm
# https://groups.google.com/forum/#!msg/qubes-users/gfBfqTNzUIg/sbPp-pyiCAAJ
# https://github.com/QubesOS/qubes-issues/issues/1339#issuecomment-338813581
qvm-features vmname appmenus-dispvm 1
qvm-sync-appmenus --regenerate-only my-dvm

# Change the Disp-VM from an AppVM (here: my-untrusted)
qvm-prefs --set my-untrusted default_dispvm my-dvm

# Try to start something from this AppVM in a disposable VM
qvm-run --auto my-untrusted 'qvm-open-in-dvm https:/google.de'
# This should start a new dispvm which is based on your dvm-App
# Check the template on which the dispvm is based on in dom0
qvm-ls | grep disp

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t_yjXL-ufuPMyqvrro1oSNxS56cjPth9Tz%2BPsntz%3Dbxw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes Windows Tools (QWT) for Qubes 4,x

[799]

Hello,

I looked at the Qubes Doc and also did a quick google search in the
mailnglist, couldn't find a hint:
Where do I get Qubes Windows Tools from, when I am running Qubes 4rc5.
I tried to install it in dom0 / also via qubes-dom0-current-testing but
there are no QWT packages available.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sjC2mxebj_Mogx0AeHoyvj9MsoJhSgW1HY0ONYkBi9rw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes 4rc5 + win7 HVM :: Can't resize Windows

[[799]]

Hello,

On 03/13 10:06, Alex wrote:
> 
> I'm afraid I'm unable to help with your question. However, if you managed to 
> run windows in seamless mode under Qubes 4rc5, as far as I know, you are 
> further advanced than all the tips and discussions I could find[1][2][3].
> Would you share with us how did you manage to get seamless mode working ?
> The related options in qvm-prefs appear to be gone since Qubes R4.

as I found out, seamless is not working for me.
I thought it was, but it was just because the Windows VM crashed shortly after 
boot.
Therof no windows :-)

Even when I have disabled seamless mode the win7 VM boots up fullscreen.
As mentioned windows can't be resized.
I'm currently following my setup guide in order to check if it is maybe related 
to the highres display resolution on my office laptop.

[799] 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180314172500.br2ukwwtohfuhbrj%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4rc5 :: Howto LVM-snapshots from AppVMs

[[799]]

hello,

I would like to use LVM snapshots in order to simplify administration and 
troubleshooting in QUBES.
As I found it seems that there are lots of logical volumes from a running VM:

For an AppVM:

/dev/qubes_dom0/vm--private
/dev/qubes_dom0/vm--private-snap
/dev/qubes_dom0/vm--volatile
/dev/qubes_dom0/vm--root-snap

Can someone provide guidance how to make use of LVMs snapshot feature to make a 
snapshot and later restore the snapshot?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180314180459.tidlrwcjyh7k2gcx%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[799]

Hello,

On 6 April 2018 at 15:05, Holger Levsen <hol...@layer-acht.org> wrote:

>
> On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote:
> > As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> > including building the pi, flashrom and extracting Blobs.
>
> out of curiosity: does resume work reliably for you? For me it didnt
> with coreboot (and the free VGA bios) but it does with legacy bios...
>

as described in the howto I have extracted the vga.rom from my own
BIOS-files.
I can use resume and the laptop reconnects its network adapters as soon as
it wakes up.
So far no issues at all.

I've run into one problem when I tried to start my AppVMs after flashing
coreboot.

Problem:
Some VMs where unable to boot (sys-net and also some other AppVMs),
Error message:
Get the message PCI device 
does not exist

Solution:
Following the suggestions mentioned here and removing some devices which
doesn't make sense.
https://github.com/QubesOS/qubes-issues/issues/3619

qvm-pci ls 
qvm-pci detach  

I had to open Qubes Settings for the sys-net VM to assign the Wifi Network
controller back to the VM.
It got lost after flasing coreboot.

> The coreboot config I have used is here:
> > https://github.com/Qubes-Community/Contents/blob/
> master/docs/coreboot/x230-configfile
>
> thanks, depending on your answer to the above question I probably
> compare yours with mine ;)
>

Can you share your config file?
I am sure that there is room for improvement in my config.


> > I wrote the how-to as I need to look at several places to get everything
> > together for example how to extract Blobs, how to merge two bios files
> into
> > one etc.
> > It seems to me that if I run Coreboot with grub + encrypted boot, there
> is
> > no need to run anti evil maid, as the boot partition can't be messed
> with.
> > Is this correct?
>
> mostly. The boot partition cannot be messed up but the components of
> your computer can be changed (eg a keyboard controller recording your
> keystrokes) and anti-evil-maid is designed to also detect those attacks.
> However these attacks are also much more sophisticated and require more
> time and are harder to do that just replacing a kernel image on an
> unencrypted boot partition.
>

Ok, I have not yet understand all the pieces of anti evil maid and of
course you are right that replacing my keyboard with a keyboard which has a
keylogger installed will make my system reasonable unsecure.
On the other hand, I don't think that I am a high profile target and if
this would change, I guess there are much easier ways to get the
data/information.
https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques ... :-o

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vRVHWS5XJpzzG7g%2BWbP%2BGjq9DsWDBYYme3hHGN%3DeQLKA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Cloudflare DNS-over-HTTPS in Qubes?

[799]

Hello,


On 5 April 2018 at 22:38, taii...@gmx.com <taii...@gmx.com> wrote:

> Wow people are actually falling for cloudflares "privacy respecting"
> bullshit from a service that uses for example browser fingerprinting on
> every computer that it serves and blacklists sites based on how the CEO
> is feeling that morning. [...]
>

Can your provide some additonal information to cover this?
Regarding the blacklisting you are refering to the "Daily Stormer" case?
Discussed also here;
https://blog.cloudflare.com/why-we-terminated-daily-stormer/

What exactly do you mean by browser fingerprinting?
Are you talking about Browser Integrity Checks?
https://support.cloudflare.com/hc/en-us/articles/200170086-What-does-the-Browser-Integrity-Check-do-

"[...] Cloudflare's Browser Integrity Check (BIC) is similar to Bad
Behavior and looks for common HTTP
 headers abused most commonly by spammers and denies access to your page.
It will also challenge
 visitors that do not have a user agent or a non standard user agent (also
commonly used by abuse
 bots, crawlers or visitors) [...]"

You wrote: "They are a front for an intelligence agency"

In general I'd like to that see claims - no matter which - are based on
evidence or at least facts.
How do you come to this conclusion?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tQmSoYoPfQiF7_zRTFc_Efu9XjibE7rAxWJCKpM7FqUg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[799]

Hello,

G <giu...@anche.no> schrieb am Di., 27. März 2018, 20:10:

>
> since it took a while for me to sum up all piece and a lot of trial and
> error to get the whole setup working i took some notes to help other who
> want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinpkad-coreboot-qubes
> <https://git.lsd.cat/g/thinkad-coreboot-qubes>


Nice how-to, I'm currently writing something similar for my X230.

Would you mind adding your howto to the Qubes Community doc repository,
which we've established to work on howtos and docs until they're easy to be
migrated to the official Qubes Docs.
If you agree, I can also add your notes there, mentioning you as the
original author.

I did it today in a hurry so any feedback, modification or contribution
> is welcome.


I'd like to use grub as payload but without using encrypted boot as I am
afraid to damage my production Qubes environment and loosing time fixing it.

What do I need to do, if I would like to just use Grub and leave my boot
untouched?

As far as I understand the benefit of having Grub as payload is to be able
to encrypt /boot.
Does this mean than include that it makes no sense to run Grub instead of
SeaBIOS without having boot encrypted?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sBicuaNaSyK_J%2BRgibgV-6nacm_MWZ2ERSx-9k7a4MqA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[799]

Am 07.04.2018 12:35 vorm. schrieb "taii...@gmx.com" <taii...@gmx.com>:

On 04/06/2018 05:22 AM, 799 wrote:

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
Assuming you set the write-lock on the flash descriptor and have a
physical anti-tamper sticker on the case screws.


what exactly does it mean "set write-lock on flash descriptor" and where
can I do this.

Regarding Stickers I think it is very easy to replace those for someone who
is willing to sneak silently into my laptop.
What kind of stickers do you suggest?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tOEMd9NborxvQRY9F%2BVGAMeqW35sz6-cMXBJC0nbb4zg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Becoming a Qubes Evangelist :: but ... how to Screencast?

[799]

Hello,

I'd like to demo one of my Qubes Instances to some other non-qubes-users as
they got attractsd talking me about Qubes here and there.

I have now a problem which is basically a result of Qubes being "reasonable
secure":

I would like to make a webcast and show Qubes including AppVMs and
Template-Management, is there any way to make this possible?
As I would use a dedicated machine for this I can love with an unsecure
solution as the laptop will be fresh installed before and afterwards.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tzJep9k%3DOYWhH2vq-zF3tT3JurxO8odbHTXPQ5f6eDJA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] X230 won't boot into Qubes after installing 4.0

[799]

Hello,

<berto0...@gmail.com> schrieb am Mi., 11. Apr. 2018, 07:49:

>
> > Check this here:
> > https://github.com/QubesOS/qubes-issues/issues/2841
>
> We discussed this issue recently on this mailing list. I also tried the
> suggestion from above now, and it did not fix it on my Thinkpad X230. The
> default iommu=no-igfx option works fine though.
>
> However, the suggestion by awokd is working for me. Add the two lines to
> the kernel sections in Xen.cfg as in
> https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu


As the link to the Qubes-docs seems to cover UEFI, I assume you are using
UEFI on your X230?
If so, may I ask why? I am running Qubes 4 on my X230 and had no problems
installing it, but I've installed from one of the Release Candidates and I
have also not used UEFI as I don't see any benefit.
I am using Coreboot with SeaBIOS as Payload and everything works supernice
and like the best Laptop I have ever had.
There is one issue with my sys-usb which I need to resolve but I am unsure
if it is related to 4.0 or Coreboot or just myself.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2v1toQONs9YkD%3DCGLzV-0fJUz%2Bn%3DD08ktA1McThpozt1w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] X230 won't boot into Qubes after installing 4.0

[799]

Hello Taiidan,

taii...@gmx.com <taii...@gmx.com> schrieb am Mi., 11. Apr. 2018, 23:01:

> (...)
> I also suggest buying a *20 series non-chiclet keyboard while you are at
> it, it is a good mod.
>

Is it possible to place the older non-chiclet keyboard in a X230?
If so, do I need to modify my laptop in such a way that I can't go back to
the Chiclet Keyboard (example selling the device)?

Would love to use the older keyboard I had on my X200.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2v3Lt%3D6gXjCg8CrRnLo7Taq6y4XXdsw7JCEoDy5J0U_%3Dg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] WWAN/LTE Card stopped working

[799]

Hello,

I have applied Updates to my Templates and also flashed Coreboot ony X230.
I haven't used my internal WWAN Card for a while as I was using WiFi.
The WWAN Card was working before (default template/Stock ROM) without a
problem, now it doesn't.

I can pass the WWAN per sys-usb to my sys-net and I can see that it it
present there (lsusb).
But I can't use Gnome Network Manager anymore to us it.

I have also tried to pass the whole PCI Controller which includes the WWAN
Card as USB device to take sys-usb out of the equation, but I get the same
result.

Do you have any idea where to start troubleshooting?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sK696_eLL81f%3DT92b9t9LEVmS_0Gk8T%2BGB7Z2fyFBRaA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Shaving N seconds off VM startup

[799]

Hello Chris,

Thanks for the info, very interesting.

Chris Laprise <tas...@posteo.net> schrieb am Fr., 13. Apr. 2018, 19:20:

> I've done some experimenting to get my Debian VMs to boot faster. So far
> I've reduced the start time significantly by disabling these services in
> the template:
> (...).
>

Can you post some more I formation what you have done to measure startup
time?
Additionally I like to know if you can do the same for Fedora based VMs, as
most of the AppVMs from me are Fedora based.

Regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vSpauKrpVMHk7s5z3esJxmHfO1-Hmbf2pZAZxtLWsfWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

[799]

Hello Giulio,

G <giu...@anche.no> schrieb am Di., 27. März 2018, 21:35:

> On 2018-03-27 18:10, G wrote:
> > Hello,
> > since it took a while for me to sum up all piece and a lot of trial
> > and error to get the whole setup working i took some notes to help
> > other who want to try something similar.
> > Please note that everything written there is public domain (so
> > copy-edit-whatever).
> >
> > https://git.lsd.cat/g/thinkad-coreboot-qubes


As mentioned I have also drafted a how-to to setup Coreboot on a X230,
including building the pi, flashrom and extracting Blobs.

My how-to is located in the Qubes Community docs.
While I need to fill in some small gaps how to put the hardware parts
together, all the other stuff is covered including extracting Blobs and
vga.rom.

The how-to is located here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md

The coreboot config I have used is here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

I wrote the how-to as I need to look at several places to get everything
together for example how to extract Blobs, how to merge two bios files into
one etc.
Having everything in one place is nice for a newbie if he owns exactly the
same modell/x230.

I am interested in getting the best out of both worlds (Coreboot + Qubes).
It seems that your approach (using GRUB) offers some benefits vs. using
SeaBIOS as the boot partition can so be encrypted.

Are there issues going this way? For example breaking the future upgrade
ability ?

It seems to me that if I run Coreboot with grub + encrypted boot, there is
no need to run anti evil maid, as the boot partition can't be messed with.

Is this correct?

[799]

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vT%3DcA%2Bm-xHEVXe7iNa7DS%3DAC80a%3DFqmaZ5c%2Bp67ofPGQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Offtopic :: reasonable secure routers?

[799]

Hello,

having a reasonable secure OS and maybe some additional freedom by using
Coreboot is great, but might not be enough.

At least in Germany most home routers are not owned by the users but the
internet providers, even worse it ia often not possible to upgrade the
software as a user.
If I want to improve this situation, what do you think about librecmc (
https://librecmc.org/faq.html), I have come across by accident?

Sorry if this is non-qubes question, but I don't know that much people
carrying about privacy and would like to hear your opinion about it.

"(...)  In the light of recent events, it is more important now more than
ever to fight for the freedom to control the software that runs on a given
device. Users should have the freedom to control their devices, not the
OEMs who originally made the device. Since libreCMC is free software, users
have total control over what the software on their device is doing. This is
important because it means that the community can add new features, review
what the software is doing and make improvements that benefit the community
as a whole. (...)"

Regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2svo8YYKaOUyvUEqCQCcy%2B_ORWxk-P%3Dk9HbHHLi-rm-Bw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Offtopic :: reasonable secure routers?

[799]

Hello Giulio,

Giulio <giu...@anche.no> schrieb am Do., 12. Apr. 2018, 08:04:

> In my opinion the best affordable option is using a PC Engines APU2 with
> OpenBSD https://www.pcengines.ch/apu2.htm (but of couse you can use
> linux/FreeBSD too).
>

Actually this is something I am running already as 2nd device behind the
default router given by my provider.
An Alix Board running pfSense.

[799]

>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tqwHEWv2WXdqSebX32pp_QhyPMJzTe4QXug9uHu9eU%2Bw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Small Templates

[799]

Drew White <drew.qu...@gmail.com> schrieb am Mi., 18. Apr. 2018, 02:10:

> On Tuesday, 17 April 2018 22:22:35 UTC+10, awokd  wrote:
> (...)
> > fedora-minimal is pretty minimal!
>
> it is minimal in what it thinks is minimal, but it is still not nice and
> small, or what I asked about "super small"


You could take a look what is installed on a Qubes fedora-minimal template
using dnf list installed and then remove everything you don't want.

Further reading:
https://docs-old.fedoraproject.org/en-US/Fedora/25/html/System_Administrators_Guide/sec-Listing_Packages.html

Or - in case you have already a running version of your preferred
super-minimal (I think the name "fedora-nano" or "fedora-core" would be
great) - you check which packages are installed there and compare it to the
fedora-minimal template, then you know which packages you need to look at.
Make sure not to remove important qubes packages.

Out of interest:
What do you thing is the benefit of running a minimal fedora minimal?
Is it because of storage/performance capacity or because you think that
this will ensure additional security?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vA3f794QroDDQvpA6jbGJBpCnssW_5QBNrjLN1D71jpA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Cannot pass USB drive to Windows HVM

[799]

Hello,

Drew White <drew.qu...@gmail.com> schrieb am Mi., 18. Apr. 2018, 02:13:

On Tuesday, 17 April 2018 21:41:32 UTC+10, Nico De Musso  wrote:
> (...) when

i attach a usb hard drive from sys-usb to Windows HVM nothing appear on my
> Windows VM.

(...)
>
> I have been complaining about this since Qubes 2.
>

@Qubes Team:
Is this something that will be solved in the near future?
Windows Support is very important to run corporate apps and also when you
work in customer environments.

Maybe opening asking for funding would motivate someone to look for a
solution.
If I can run a full windows HVM including seamless mode USB and maybe even
Sound I can get rid of one addditonal laptop and would be happy to invest
supporting a license.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vvSid6QpNW_44H7kaoxeuYs8ASuq32xNihe2cSCPAJag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] meetup

[799]

Hello,

<mai...@maiski.net> schrieb am Mo., 16. Apr. 2018, 22:24:

> cool!
> no I was not aware! cu!
>
> Quoting Michael Carbone <mich...@qubes-os.org>:
>
> > hey, you may have missed previous emails about it but there is a monthly
> > meeting in Berlin for Qubes users at a local hackerspace. The most
> > recent meet-up was today.
> >
> > You can find out more info here:
> > https://qubesusersberlin.github.io


Ok, you need to improve Public Relations ;-)
Never heard of it before, I am also Berlin based and would attend.

How many users are there? And how many of those are Coreboot Users?

Regards

[799]

>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2txM3SFCnoSG741aQ1xU99ThC_6S_aDPM2wurrbWuGFcQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] IMG sharing

[799]

Hello Drew,

Drew White <drew.qu...@gmail.com> schrieb am Di., 24. Apr. 2018, 07:14:

> Is it possible for every guest to share one virtual drive for cacheing and
> auto mounting to same location for file transfers?
>
> i.e. One file always mounted to each guest and one reads while one writes.
> etc. no need to mount and unmount? And it can be multiple images on
> different locations at once?
>

I haven't understand yet what you are trying to accomplish.
You want a file location ("drive") that is shared between VMs, and you want
that most VMs have read permissions to this location and one can write to
it?

As mentioned by others this kind of breaks the security model of Qubes but
I had a similar use case to work with data stored in a cloud service.

I wanted to separate data editing, local data storage and synchronization
to the cloud service.
The idea was that data is always encrypted in the "storage AppVM". Other
"AppVMs" can access this Storage AppVM using SSHfs.
I am using certificates and tight firewall configuration:
- the AppVM can request connection to the storage VM via ssh, login is done
via certificates.
- after authentication the remote location is mounted via SSHfs
- the data is encrypted with encfs and the decryption keys are only stored
on the AppVM which is accessing the data (not the storage VM)

This setup works quiet well for my usecase as it is less complex than
setting up a Fileserver with NFS to share data between AppVMs.

I know that this may not the best thing for a die hard Qubes user, but it
allows me to setup inter-AppVM data flows if needed for specific use cases.

I have also scripted everything so that the firewall ports will only be
opened when needed.

If you are interested I can upload my scripts/how-to to my GitHub account.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vvTj%3DmF2dcx537LF6u3TKCxAu0-ma_dMbOzsL9D4DMzw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] offlineimap with Split-GPG : get new email via cron doesn't work

[799]

Hello,

I am using neomutt with offlineimap to get my corporate mail into an
Email-AppVM.
The current workflow is:

1) get email running offlineimap -o
2) start neomutt

I'd like to have offlineimap check the mails in the background using cron.
Thereof I have written a small script:

/user/check-mail.sh
#!/usr/bin/bash
# Script will be run by cron
#su user -c "/usr/bin/offlineimap -u quiet -f INBOX,INBOX.Inbox_CC"
/usr/bin/offlineimap -u quiet -f INBOX,INBOX.Inbox_CC
echo Cronjob run at: `date`>> /tmp/cron.log

The last line is only for troubleshooting in order to see, if the cronjob
has been run.

The scripts is working when launched manually. It will open up the SplitGPG
window to grant access to my GPG-key in my vault-VM.
I need to enter the password once and if the next request is within a
300sec window access will be granted to th eGPG without further user
interaction.

I have installed cron and setup a cronjob which should run every 3 min in
order to be below the 300sec time window when Spli-GPG is asking for a
password. I have encrypted the password in my offlineimap-config and it can
only be decrypted using my

[user@my-mail]$ crontab -l
# min  hr   day-of-month month day-of-week
# 0-59 0-23 0-31 1-12  0-7
# Check important mail folders every 3min
*/3 * * * * /home/user/bin/check-mail.sh

unfortunately it seems that this script doesn't work via cron, do you have
any idea what is wrong?
If I look into the logfile the script is writing (/tmp/cron.log) I see that
th ecronjob runs the script but no mails are downloaded.
As mentioned running the script manually will work.
Is cron running the job as "user" or as "root"?

To all offlineimap / mutt users how are you auto-fetching new emails?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tXWNz6Mst3PeUHtcPUj2EzAhH6vs7OUTg0tf8m_8LrAA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] X230 won't boot into Qubes after installing 4.0

[799]

Hello Andreas,

Andreas Rasmussen <journalistandreasrasmus...@gmail.com> schrieb am So., 1.
Apr. 2018, 10:44:

> I tried to install Qubes 4.0 on my Lenovo Thinkpad X230. The install went
> smoothly without having to do any work in the BIOS.
>
> However, upon reboot/startup I get the following error and then a black
> screen. Any clues to how I should continue?
> [...]


Check this here:
https://github.com/QubesOS/qubes-issues/issues/2841

I am unsure if iommu=no-igfx is the right option for the X230.
I would press "e" on boot and edit the grub prompt, let us know how it
works with changing the iommu-setting upon boot.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tPjXojeJ6w9GN_YcA2HWqNBRkU6PA0cSoDawKEY8_n%3DA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] (neo)mutt/mailhandling best Practises in Qubes

[799]

Hello,

I have moved most of my email workflow in Qubes to a dedicated Email-AppVM.
It has DavMail and Thunderbird + neomutt installed to access our Corporate
Exchange Server.

(Thunderbird is only used when I need to paste screenshots into an email,
for example for troubleshooting/howtos etc)

I'd like to know how other users have configured their mailcap-file in
(neo)mutt to handle file attachments.
Currently I am opening HTML attachments/mails in a disposable VM which
fires up qutebrowser and I tried to handle docx/xlsx/PPT/pdf attachments
the same way.
Can someone share their mailcap-file file to get an impression what should
be in there?

Another topic:
I'd also like to use a dedicated Key Combination to open a file in my
work-appVM.

The workflow I came up with:

1) Check Mail with neomutt (plain text power)
2) open attachments in disposable VMs
3) if I need to work on an attachments, after checking it, open it in my
Work-AppVM (which is separated from my workmail-AppVM)

Does this makes sense from a security perspective or is it overcomplicated
and I should merge mail and document editing into one VM (browsing the web
is always done on another Work-Internet-AppVM).

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vFpMdHv076y%2BgeUMdJGie3vx5-9JG6n_utrgaN_qn7cQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Best works-out-of-the-box dual-head gfx card?

[799]

Stumpy <stu...@posteo.co> schrieb am Do., 29. März 2018, 03:01:

>
> On 09.03.2018 00:57, taii...@gmx.com wrote:
> > [...]
> > The reason things break and you need to re-compile every time you
> > update your kernel with a new nvidia card in your system is because
> > they make an effort to slow down the nouveau project and in the case
> > of their brand new cards entirely block it via hardware code signing
> > enforcement and not even providing any firmware blobs.

[...]
>

Honestly, I think this should be mentioned somewhere within the Qubes Docs,
maybe a dedicated section "Not recommended Hardware" or something like
"Hardware tries to keep you unsecure".

The only way to stop those brands is to speak about it.

We are also having issues with Nvidia in our bigger desktop virtualization
projects as customers need to buy not only the server based graphic card
but also licensing and subscription...

"Nvidia, you're fired!"

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vjJPeLgHH0BgHFK%2BbPTiayP7A%2B0P3xvqN%3DhMy_mndRfQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How do I load firmware-atheros into Qubes 4.0 R5?

[799]

Hello,

taii...@gmx.com <taii...@gmx.com> schrieb am Do., 29. März 2018, 20:36:

> I believe in this case you should be contacting your vendor for
> technical support - you certainly paid more than enough to deserve some.

[...]
> "We are doing the best we can"
> Wrong.
> There are companies that are releasing real libre firmware computers,
> brand new and fast, fully open source and owner controlled (but purism
> doesn't want you to know that)

[...]
>

While some of your point might be true, I don't understand why Purism gets
so much bashing.
Every User who buys a Purism laptop has still a better device and at least
paid attention to the topic privacy than others who buy regular
cheap/standard laptops.
And every user who got a Purism device and joins this community is a good
thing of others are so much better, they should just improve their
marketing ;-)
... and yes buying a cheaper refurbished device and installing Coreboot or
libreboot might be possible, this is nothing every user can do, maybe they
just want a slightly more secure device than a default windows laptop and
if Purism is the reason why a user is running Linux instead of Windows/Mac
this is a good thing.

If you blame Purism, than you should also be fair and request that a user
inspects the Mainboard of a refurbished laptop to make sure that the device
is not tampered with.

Also consider that some users just want a modell that looks sexier than the
Lenovo G505.

Maybe users buy a Purism laptop and next time they buy something even more
free ... That's still great.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sLu3Wb%3DEf8w%3DpvXKhiEa2LsA5d-3Ru4PH0%3DahUuTULOg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Remove original Template-VM, keeping the package for reinstallation

[799]

Hello,

I am cloning the default templates before applying any changes in order to
start from scratch in case of problems

Thereof I have now several templates and it feels crowded.

Question:
How can I remove the default template VMs from Qubes but keeping the
installation package, so that I can reinstall if I would like to start with
a fresh template VM?


[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t9-tmtZqv9Z_TC2Pw2FnrZtvXdP6ZR0Fv3y5e6%3DZ2Hdg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Quebes and whonix

[799]

Hello Black Beard,

Black Beard <franziska.schle...@gmail.com> schrieb am Mo., 2. Apr. 2018,
22:14:

I want use win10, too. Lets say , i want install Quebes full on my laptop,
> but needs my Win10, too. How can i realized this project without a Usb
> Stick?


The question is why you need to run Windows and why it has to be windows 10?
Usually you don't _want_ to run Windows but to complete special tasks and
to do so, you might _need_ to run windows.

The answer in my case to my two questions above:

Why windows?
1) I need to run our ERP Client application
2) I need to run Remote Desktop Manager from Devolutions to access our
central Credential and Session repository

Why windows 10?
Because windows 10 is the only OS which is supported by internal IT.

The solution in my case was to install a windows 7 VM with a VPN Client to
run ERP and Remote Desktop Manager.
The downside is that the OS has to be managed by me not our internal IT dep.

Additional I have setup VMwarw Horizon View on a Fedora 26 based AppVM to
connect to my "corporate Windows 10 virtual Desktop".

I was running a dual boot setup before, but have migrated to a Qubes only
setup.
Using a Dualboot setup has the disadvantages that you don't benefit from
all the benefits Qubes offers while you work with windows and the longer
you work with windows, the less likely it is to "force" yourself  to
migrate to Qubes.
The main benefit I had forcing myself to use Qubes as only OS was to look
and find a solution to get a workings solution to connect to our corporate
Microsoft Exchange via Linux.

You can try to run Windows 10 as a virtualized stand alone VM in Qubes.
Dualboot is not something I would recommend under normal circumstances.

Another idea could be to run Windows from a USB stick. Using a 128GB USB3
Modell this works fair enough

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uTbzb6dPWCDmduzWzTXTKjopLX7y_aXMWDh9B8Ryx3EQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

[799]

Sorry, last Email send in advance while writing...

Hello Rusty,

Rusty Bird <rustyb...@net-c.com> schrieb am Sa., 17. März 2018, 23:18:

SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n
> etc/pci-optionrom-exec
>

When do I need to run this? After building my Coreboot ROM?
Can't this option be included in the Coreboot or SeaBIOS menuconfig?


That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.
>

I am already using the console setting in my grub installation.
Can I still boot from a USB stick which has graphical boot enabled?


You might also enjoy HEADS.
> https://github.com/osresearch/heads


Thanks, looks very interesting, but as far as I understand I don't need
Seabios when I am running Heads?
Is somebody already using heads? From the website it seems that it is not
that easy to install and maybe still under development?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sJovy_hWYNBEcdng0ZJvOO1bJHb8cJYPhrk86TM7NP1Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

[799]

Hello Rusty,

Rusty Bird  schrieb am Sa., 17. März 2018, 23:18:

>
> SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n
> etc/pci-optionrom-exec
>

When do I need to run this?
After I

>
> That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.
>
> IMO it actually looks better - no blindingly bright blue light at
> night, and fewer font changes during startup. I've been meaning
> (forever) to open a pull request to make this the default...
>
> You might also enjoy HEADS[3].
>
> Rusty
>
>
> 1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
> 2. https://image.ibb.co/mbnsCx/grub_console.png
> 3. https://github.com/osresearch/heads
> -BEGIN PGP SIGNATURE-
>
> iQJ7BAEBCgBmBQJarZQ6XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
> ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
> NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfSKUP+NrPMBRzFqbxr7ciUg/Qnh9m
> 5ykQ4unpLU9CfiAotMDo7xJdjEZA7lwTeloVtsPL1GeVPTpYuFbkX2rxjSUQAb7H
> JSWUxTZOU2YjNjQfOz+W/Wnb0uHK9G8a5h2Pf9v8lEW5/Z3iGeTeOiSSjSc6OJjw
> Nn9ycrr2m6PvcM14OZ5DqnISdKKogUZBz+9TemhPVgSogA1RpsB9GRHgUcDermgs
> D7T62f2Bs79suOMwRDM/IZ6f4MNvsSF1pFSN+xE3JOpivx+xfAgBlc///vsz7dM2
> 05hqyVLoeCs6qHwe2PtbBlHfLdfPVoaC/kwQRDV8Obj9hP4/CFnQkRDyvN1dnwDi
> lV27YYcuWE0lgfsuRW9PwAySzyxEa4OYyDNDEJYW20lB8eTYsusDJAxxiM0X+Ba9
> pxf1FQwRoX7C4yjHU1tWb97cTPOMif07O8a5AFod9FPAwmUcwdPC/X/H3eU2CsaP
> UP5NEK81Wx1avWdTIBuvrbuPZe5Dj0dwTk0Z5TC5hbKUMYxczDLuFnh/1TnViSRo
> 4pOUNfXx4Blg4elUrTXASOnPQnZA5X2snVhkQrmqi3nAyRztzTK6x++OqvjlF+q3
> T8YiSg66Ssi3iXUFiZlEerCfzpe0Wc+kyvVXh9sM0NhwBs6hErLpmSlLD3785Bxr
> P5Lc8JEJpNcnac70K0c=
> =L0qD
> -END PGP SIGNATURE-
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2s_uDpfYWQvQ2DgwpWR4GUeeKjHZLsu61Mo1UXKhc9NBg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

[799]

Hello,

I had Coreboot running on my X230 with Qubes 3.2 + Windows Dualboot and
reflashed to stock room before installing Qubes 4.
Now I want to reinstall Coreboot without using Dualboot, thereof I have
more options regarding 2nd payload.

Question:
What is the best configuration to run Coreboot and Qubes?
Seabios or Grub and are there any special options which might make sense?

Some information has been provided in
https://groups.google.com/forum/m/#!topic/qubes-users/I6kt6362PR0
But I'd like to see a special page in the documentation and would be
willing to contribute or create to such a page.

Should I use Seabios or Grub?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2ts6-Jtyb84udOoEh_43YaLzBm3h8KcztP_931LmAuwjg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] desktop recommendations?

[[799]]

Hello Ted,

On 03/22/2018 05:07 PM, Ted Brenner wrote:
> Hi all,
> 
> My current desktop is getting old so I'm looking for an upgrade.
> [...]

for what reason are you looking for a desktop? Because of high perfomance or to 
use several harddrives/ssds?
Buying a laptop has lots of advantages compared to a desktop and with a docking 
station you get a very flexible desktop replacement.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180322214151.g2ssv6je4vgjxng3%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VLC won't play DVDs even after installing libdvdcss

[799]

Hello,

Kyle Breneman <tomeconque...@gmail.com> schrieb am Di., 20. März 2018,
19:58:

> I'm running Qubes 3.2 and Fedora 26.  I've installed VLC Media Player as
> well as libdvdcss, but I still *cannot* get commercial DVDs to play on my
> laptop.
>

It seems you're trying to play DVDs from your sys-firewall VM, why?

I have created a multimedia AppVM based on Debian and I was able to play
DVDs.
Maybe you take a look at the how-to, which I put together trying to get
multimedia working.

https://www.qubes-os.org/doc/multimedia/

If you run into any problems, do not hesitate to contact me, so that we can
improve the documentation.

[799]

>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uuU_LHzcpQ3xKn-T4hEng2oeKOG3-%2BK11ci8qOOKGCQQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: AW: Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

Hello Taiidan,

Am 04.03.2018 9:48 nachm. schrieb "taii...@gmx.com" <taii...@gmx.com>:

I will not be participating in any website or wiki of this type if people
with zero qualifications are allowed to provide "advice".


What does "zero qualification" means and what does "advice" stands for?
It's not about advicing (advice to me means: I know something better then
someone else or at least I feel knowledgeable enough to tell other people
what they should do).

There are quite a lot of people on this list giving literally dangerous
advice or telling people not to bother with increasing their security with
libre software/hardware because of vague theoretical backdoors...


If so, those users should be given constructive feedback and guidance. Keep
in mind that those "users" are still more likely to listen than the
"average" user, who has no interest in privacy at all.

I believe the minimum of qualifications should be having at least one owner
controlled motherboard with coreboot/libreboot/OpenPOWER firmware.


I don't see how qualification is "certified" by running Coreboot/Libreboot?
I am running coreboot does this qualifies me? Keep also in mind that there
might be users who need to run recent hardware or hardware that are not on
the Coreboot Hardware Compatibility List (HCL).

As a starter rule I would also say that people who have gmail/microsoft
accounts should not be allowed to comment at all because they probably have
no idea what they are doing[1].


Writing from my Googlemail address which is only there for Qubes+Coreboot
Mailinglist because Protonmail doesn't offer IMAP:
Not using Google doesn't make someone superior, and even if you are right
that there are reasons not (!) to use Google for personal E-Mails:
If you don't allow them to comment,there is no possibility for a discussion
and convincing them to try something different.
And if so, then Qubes should not run this Google group/Mailinglist ;-)

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tU0q%2BOeikDJ2OSw%2BO7X8P5g6m7n6R09ujwh6nOpQ_h7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: AW: Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

Hello Alex,


2018-03-04 11:49 GMT+01:00 Alex Dubois <bowa...@gmail.com>:

>
> I had some thought.
> - Qubes team probably don't have the time to spread too thin, and would
> prefer for us to help them on there Qubes repo
> - Some people invest time in documenting, but it takes time for Qubes team
> to validate the pull request, and sometime they may prefer to not accept
> the PR.
>

It is important to communicate why a pull request has not been approved.
This communication takes some time and also fixing the issues

I think one of these 2 options would be a first good step in the right
> direction:
> - Qubes team provides a fork of qubes-doc in another project on which
> community members accept PR that can then be accepted as PR upstream on the
> official qubes-doc, qubes team only manage the access right for the PR (?)
> - Someone is happy to put the effort to do option 1 and manage it (which
> should be limited to access right to that repo to trusted comminutity
> members to accept PR), as long as Qubes team agree with the approach
>

I agree that this will be the easiest option and allows us to start
collecting scripts.
I am unsure if we really need to fork the whole qubes-doc as this might
lead to confusion where to work when improving the existing documentation.

Can't we just create a new "community" repo where Pull request get reviewed
by us but finally approved by more experienced Power Users (this group can
include Qubes OS Team, but also experienced community members selected by
the Qubes Team/David)?

I have one concern with such proposal. A number of community proposal are
> sometimes not very secure (to be gentle). So ideally a layer of meta-data
> is added (maybe on a single index page), with the rating of the doc page.
>

Agree, it might feel frustrating in the beginning of you start contributing
docs and then find out that the "nice idea" that you had leads to several
security risks or is just not yet ready to be released.
But: this is exactly the point what I like about Qubes. That I can rely
that it's not that easy to do something stupid which compromises security.
As such writing docs or scripts always include a learning curve which is a
good thing.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uhd7eaW4%3DOPvQThfJK15PrTyy4nEOLEzXxdV4NT9%3DCXw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: AW: Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[799]

Hello Alex,

05.03.2018 8:28 "Alex Dubois" wrote:

I think it is important to keep it as a fork for few reasons:

- most importantly we focus on helping the Qubes team
- if not it would be hard to clean-up what is in Qubes-doc, in the
community repo, and if the Qubes-doc get improved directly, it won’t be
ported to community, leading to not up to date info


Valid points, I agree.

However I think my suggestion is only to be taken with Qubes team
validation.
And if they feel it is not the best way and prefer the mailing lists and
existing infrastructure it is important to respect that and get back in
line.


I love the work of the Qubes Team, don't get to me wrong, but I don't
understand why and how they could block the community effort to create a
fork?
Some of use have already forked the docs and are currently developing their
own improved scripts.
Doing so in a collaborative and centralized way would be much better.
But - I would like to see of course - that Qubes Team is also supporting
this idea and knows about it.
One reason was also to indicate clearly which part of the documentation is
official and thereof reasonable secure and which is unofficial and maybe
less secure.
I definitely like the idea of an index page / rating system.

too much resources discussing this, but rather contribute directly


Let's go, I am ready to start.
@David (in his role of the community manager):
What do you think?

I feel that a pair/trio need to be “responsible” per area or subject. With
a person helped by one or two for the overall.


Yes, but we have already some interested people here, I think we only need
to discuss the approvement process and how and if of those ideas/scripts
might be placed more visible (maybe as a link) somewhere on the Qubes
website which is the main area for new users (?).
At least a link to it, with maybe a disclaimer:

"Take a look what is happening in the Qubes Community.

DISCLAIMER: the content there should be treated as work in progress and has
not been reviewed by the Qubes OS Team and maybe thereof less "reasonable
secure" or maybe even opening attack vectors to your Qubes installation.
Even more if you implement a script which you haven't reviewed (and
understood) and which has not been marked as meeting the Qubes OS quality
standards.
WARNING:
If you implement changes in dom0 or the sys-VMs (sys-net, sys-firewall,
sys-usb) this might result in a total loss of security"

For example in the Qubes-doc, there are pages to put dns, http-proxy or vpn
in line (I.e. sys-firewall). This is a bad practice as the attack surface
of one protocol is exposing the entier Qubes system.
A better way is to have these hosted on app-vm and have sys-firewall
intercepting and routing the traffic.
Even having sys-firewall doing the download rather than a dispvm is
increasing the attack surface (not sure if still the case)


This is a good example, is there a disclaimer or security rating on the
qubes-doc pages?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uq%3DMfrp-ZRzRULeTFHtEa%3DQyTxGw2h4r87kwJ6-6k6zQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[[799]]

On 03/04 03:48, sevas wrote:
> A forum is a must. It doesnt have to be official. But it needs to happen.  
> It needs to have a section for 
> -Questions & -Community Tutorials
> at the very least. 

the only problem with a forum is, that it produced overhead in order to
keep the forum software secure and up-to-date.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180305004121.d3z22jiiuxunssua%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] WordPress on Qubes

[799]

Am 05.03.2018 1:34 nachm. schrieb "'awokd' via qubes-users" <
qubes-users@googlegroups.com>:

On Sun, March 4, 2018 3:46 pm, brandonmaytha...@gmail.com wrote:
> One thing I have never been able to figure

out though is how to run WordPress to
> develop multiple sites.
> I am familiar with Vagrant but it requires Virtualbox


Don't have experience with Wordpress in particular, but in general you
could:
1. Create new standalone VM based on debian-9 (or your favorite) template
2. Set up web server on it
3. Set up Wordpress on it
4. Follow
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes


I don't know what Vagrant is doing for you. If you give me a few hints what
"setting up a development WordPress" looks like, I am pretty sure that we
can script a solution that will do the provisioning for you.

Are you only asking for setting up new AppVMs with a webserver/WordPress in
it which might be reachable from another AppVM or do you need additional
tweaking within the WordPress installation?

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2u33UiCq0%3D5YY6JyoxcdzgPKsXrsJUkHN4_5abGzH%3DgFw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.