[qubes-devel] Re: [GSoC] Qubes-MIME-Handlers Weekly Progress Report #3

2017-06-28 Thread Andrew Morgan
On 06/22/2017 12:21 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Jun 22, 2017 at 02:49:28AM -0700, Andrew Morgan wrote:
>> On 06/22/2017 02:08 AM, Marek Marczykowski-Górecki wrote:
>>> On Thu, Jun 22, 2017 at 01:50:56AM -0700, Andrew Morgan wrote:
>>>> That may be useful to users who want to keep certain files in their
>>>> ~/Downloads folder without having to open them in a DispVM every time.
>>>
>>> IMO the user should move the file out of Downloads first to have this
>>> effect.
>>>
> 
>> Fair enough, I suppose we could simply prevent a user from marking a
>> file as trusted if it's in an untrusted directory? What if the user
>> manually removed the xattrs? Our daemon may have to do more work to make
>> sure all files in untrusted folders are always untrusted...
> 
> IMO daemon should restore untrusted xattr in that case (it's just one
> another INOTIFY flag). But see the other thread.
> 
> 

Additionally, qvm-file-trust is written in python3, while the unittest
files are written in python2. Do you foresee this as a problem? Should I
convert to py2?

Thanks,
Andrew Morgan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/oj1qmn%24e2o%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.



[qubes-devel] Re: [GSoC] Qubes-MIME-Handlers Weekly Progress Report #3

2017-06-28 Thread Andrew Morgan
On 06/22/2017 12:21 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Jun 22, 2017 at 02:49:28AM -0700, Andrew Morgan wrote:
>> On 06/22/2017 02:08 AM, Marek Marczykowski-Górecki wrote:
>>> On Thu, Jun 22, 2017 at 01:50:56AM -0700, Andrew Morgan wrote:
>>>> That may be useful to users who want to keep certain files in their
>>>> ~/Downloads folder without having to open them in a DispVM every time.
>>>
>>> IMO the user should move the file out of Downloads first to have this
>>> effect.
>>>
> 
>> Fair enough, I suppose we could simply prevent a user from marking a
>> file as trusted if it's in an untrusted directory? What if the user
>> manually removed the xattrs? Our daemon may have to do more work to make
>> sure all files in untrusted folders are always untrusted...
> 
> IMO daemon should restore untrusted xattr in that case (it's just one
> another INOTIFY flag). But see the other thread.
> 
> 

Hey Marek,

I'm starting to write some unit tests for qvm-file-trust. I found a page
in the documentation on unit tests
(https://www.qubes-os.org/doc/automated-tests/), and from what I can see
all the tests are in qubes-core-admin.

The tests in the repo seem pretty high level, more at the VM level. For
testing the cli tool, should I create a new file or integrate into one
of the existing ones?

Also I noticed that most of the files seem to be gone in the master
branch as opposed to release3.2. Is it a good idea to base on release3.2
or will those files be permanently gone in R4?

Thanks, and apologies for the slight delay in the latest weekly update,
had some major sunburn from the beach that slowed down my productivity a
bit :) Should be out tomorrow.

Andrew Morgan



Re: [qubes-devel] Re: [qubes-users] Re: Request for feedback: 4.9 Kernel

2017-06-28 Thread Chris Laprise

On 06/15/2017 04:51 PM, Zrubi wrote:
> On 06/15/2017 10:02 PM, Reg Tiangha wrote:
>> On 06/15/2017 01:53 PM, Zrubi wrote:
>>> Maybe it is a known issue, but: online netvm change on a
>>> disposable VM is also broken on the latest 4.9 VM kernel. (Qubes
>>> Manager shows it is changed, but not working in practice)
>>
>> I've *never* ever had this work for me (although it might have
>> worked once in R3.0 or something old like that); I've always had to
>> shut down the Disp VM first, alter the dvm template, and then start
>> up a new one in order to change NetVMs.
>
> well this is such a basic feature I would go crazy if that would not
> work...
>
> I'm using this feature from the beginning. And it was always working
> in general. I remember for some broken kernel releases. But this
> feature should work in general. As it is working with my setup, in
> case of kernel VM 4.4 - but not in case of VM kernel 4.9

I noticed this, too. So reverting a dispVM's template back to 4.4 should 
fix it?


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Outback Dingo
On Jun 28, 2017 20:16, "Marek Marczykowski-Górecki" <
marma...@invisiblethingslab.com> wrote:

> On Wed, Jun 28, 2017 at 07:58:24PM -0400, Outback Dingo wrote:
> > successful... now lets see what it does  -rw-r--r--  2 dingo dingo
> > 1265631232 Jun 28 19:57 Qubes-DVD-x86_64-20170628.iso
>
> Hmm, it's a bit small. Should be about 3GB. I guess templates are not
> included. Have you built them? Check
> qubes-src/linux-template-builder/rpm/noarch - if it's empty, execute
> "make template", then "make iso" again.


I configured it for only F25 templates it's installing now also during the
install I noticed it only gave me a gui option for xfce not kde I'll know
more in 10 mins


> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Marek Marczykowski-Górecki
On Wed, Jun 28, 2017 at 07:58:24PM -0400, Outback Dingo wrote:
> successful... now lets see what it does  -rw-r--r--  2 dingo dingo
> 1265631232 Jun 28 19:57 Qubes-DVD-x86_64-20170628.iso

Hmm, it's a bit small. Should be about 3GB. I guess templates are not
included. Have you built them? Check
qubes-src/linux-template-builder/rpm/noarch - if it's empty, execute
"make template", then "make iso" again.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Outback Dingo
successful... now lets see what it does  -rw-r--r--  2 dingo dingo
1265631232 Jun 28 19:57 Qubes-DVD-x86_64-20170628.iso

On Wed, Jun 28, 2017 at 7:24 PM, Marek Marczykowski-Górecki
<marma...@invisiblethingslab.com> wrote:
> On Thu, Jun 29, 2017 at 01:04:12AM +0200, Wojtek Porczyk wrote:
>> On Thu, Jun 29, 2017 at 12:07:04AM +0200, Marek Marczykowski-Górecki wrote:
>> > On Wed, Jun 28, 2017 at 11:41:38PM +0200, Wojtek Porczyk wrote:
>> > > On Wed, Jun 28, 2017 at 04:40:53PM -0400, Outback Dingo wrote:
>> > > > Does Anyone have a recent build iso of Qubes 4.0 I can try, Ive tried
>> > > > building it unsuccessfully drama in another thread. I just want to
>> > > > verify my networking issues are resolved.
>> > >
>> > > I don't think it exists. The one I'm currently working off has non-installable
>> > > templates (rpms from R3.2 can't be used on R4.0 because of some problems with
>> > > post-installation, so I run the internal tools more or less manually) and
>> > > there is no Manager.
>> >
>> > Wojtek, I've already uploaded qubes-template-fedora-25 to templates-itl
>> > for R4.0. And unless you want to use grub installed there, it works ;)
>>
>> Oooh, and 
>> https://ftp.qubes-os.org/~marmarek/Qubes-DVD-x86_64-20170615.iso{,.asc}
>> could be usable? :P
>
> Depends on definition of "usable". One issue is that the image includes
> wrong template (with R3.2 repository definitions)...
>
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Marek Marczykowski-Górecki
On Thu, Jun 29, 2017 at 01:04:12AM +0200, Wojtek Porczyk wrote:
> On Thu, Jun 29, 2017 at 12:07:04AM +0200, Marek Marczykowski-Górecki wrote:
> > On Wed, Jun 28, 2017 at 11:41:38PM +0200, Wojtek Porczyk wrote:
> > > On Wed, Jun 28, 2017 at 04:40:53PM -0400, Outback Dingo wrote:
> > > > Does Anyone have a recent build iso of Qubes 4.0 I can try, Ive tried
> > > > building it unsuccessfully drama in another thread. I just want to
> > > > verify my networking issues are resolved.
> > > 
> > > I don't think it exists. The one I'm currently working off has non-installable
> > > templates (rpms from R3.2 can't be used on R4.0 because of some problems with
> > > post-installation, so I run the internal tools more or less manually) and
> > > there is no Manager.
> > 
> > Wojtek, I've already uploaded qubes-template-fedora-25 to templates-itl
> > for R4.0. And unless you want to use grub installed there, it works ;)
> 
> Oooh, and 
> https://ftp.qubes-os.org/~marmarek/Qubes-DVD-x86_64-20170615.iso{,.asc}
> could be usable? :P

Depends on definition of "usable". One issue is that the image includes
wrong template (with R3.2 repository definitions)...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Wojtek Porczyk
On Thu, Jun 29, 2017 at 12:07:04AM +0200, Marek Marczykowski-Górecki wrote:
> On Wed, Jun 28, 2017 at 11:41:38PM +0200, Wojtek Porczyk wrote:
> > On Wed, Jun 28, 2017 at 04:40:53PM -0400, Outback Dingo wrote:
> > > Does Anyone have a recent build iso of Qubes 4.0 I can try, Ive tried
> > > building it unsuccessfully drama in another thread. I just want to
> > > verify my networking issues are resolved.
> > 
> > I don't think it exists. The one I'm currently working off has non-installable
> > templates (rpms from R3.2 can't be used on R4.0 because of some problems with
> > post-installation, so I run the internal tools more or less manually) and
> > there is no Manager.
> 
> Wojtek, I've already uploaded qubes-template-fedora-25 to templates-itl
> for R4.0. And unless you want to use grub installed there, it works ;)

Oooh, and 
https://ftp.qubes-os.org/~marmarek/Qubes-DVD-x86_64-20170615.iso{,.asc}
could be usable? :P


-- 
pozdrawiam / best regards   _.-._
Wojtek Porczyk           .-^'   '^-.
Invisible Things Lab     |'-.-^-.-'|
                         |  |   |  |
 I do not fear computers,|  '-.-'  |
 I fear lack of them.    '-._ :  ,-'
    -- Isaac Asimov         `^-^-_>


Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Marek Marczykowski-Górecki
On Wed, Jun 28, 2017 at 11:41:38PM +0200, Wojtek Porczyk wrote:
> On Wed, Jun 28, 2017 at 04:40:53PM -0400, Outback Dingo wrote:
> > Does Anyone have a recent build iso of Qubes 4.0 I can try, Ive tried
> > building it unsuccessfully drama in another thread. I just want to
> > verify my networking issues are resolved.
> 
> I don't think it exists. The one I'm currently working off has non-installable
> templates (rpms from R3.2 can't be used on R4.0 because of some problems with
> post-installation, so I run the internal tools more or less manually) and
> there is no Manager.

Wojtek, I've already uploaded qubes-template-fedora-25 to templates-itl
for R4.0. And unless you want to use grub installed there, it works ;)

> And bugs. Not much, but some annoying.
> 
> Looks like we're going to deliver on Andrew's promise with a slight delay.

As always...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Re: Stack-clash kernel vuln & patches

2017-06-28 Thread Ilpo Järvinen
On Wed, 28 Jun 2017, Reg Tiangha wrote:

> Yeah, that was me screwing up by making a commit but forgetting to
> upload the file. I'm still a git newb so I didn't know how to delete or
> revert properly (if there's a good online guide, please point me to the
> right direction); I didn't know the main branch had already applied the
> fix before I did my version. I almost just want to delete my version and
> re-fork the master one; would that be too extreme, or is there an easier
> way to clean that up?

Your friends in history tweaking are:
  git reset --hard commitid
  git commit --amend

Also the other variants of git reset (mixed & soft) can be useful from 
time to time. I strongly recommend running git status prior to any git 
reset --hard as you'll lose any not yet committed state with that command 
forever.

...And if you've already pushed to github, a forced push is needed to 
replace the previous version with the cleaned up version of the history:
  git push -f

Some care is needed with forced pushes though. If Marek has already merged 
something from you, you should generally not force push anything more 
ancient than what he merged (you cannot edit the history he merged 
unless he also rewrites his repo which would cause troubles for all who 
track those repos).


In addition, if you forget what commitids previously were at HEAD (when 
doing a complex rewrite), git reflog gives you a list of the previous 
hashes. You can always git reset --hard originalcommitid if you were not 
satisfied with the history rewrite.


-- 
 i.
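
The local steps from the message above (amend, status check, hard reset, reflog recovery), replayed as an added example that is not part of the original post. It runs in a throwaway repository; the function name, file names and commit messages are constructed for illustration, and the forced push is left out because it needs a remote.

```shell
#!/bin/sh
# Added example: history clean-up in a scratch repository.
# Nothing here touches an existing clone.

demo_history_cleanup() {
    repo=$(mktemp -d) || return 1
    out=$(
        set -e
        cd "$repo"
        git init -q .
        git config user.name "Example User"            # constructed identity
        git config user.email "user@example.invalid"
        git config commit.gpgsign false

        echo "base" > series.conf
        git add series.conf
        git commit -q -m "base"
        good=$(git rev-parse HEAD)                      # commit id to return to

        # The mistake: a commit that references a file but forgot to add it.
        echo "fix.patch" >> series.conf
        git commit -q -a -m "apply fix"
        echo "patch body" > fix.patch
        git add fix.patch
        # Repair the last commit in place instead of stacking a second one.
        git commit -q --amend --no-edit
        after_amend=$(git rev-list --count HEAD)

        # Check for uncommitted state before the destructive reset.
        test -z "$(git status --porcelain)"
        git reset -q --hard "$good"
        after_reset=$(git rev-list --count HEAD)

        # HEAD@{1} is the second entry "git reflog" lists: where HEAD
        # pointed before the reset, i.e. the amended commit.
        git reset -q --hard 'HEAD@{1}'
        after_recover=$(git rev-list --count HEAD)
        test -f fix.patch

        echo "$after_amend $after_reset $after_recover"
    )
    status=$?
    rm -rf "$repo"
    [ "$status" -eq 0 ] && printf '%s\n' "$out"
    return "$status"
}

# Prints the commit count after the amend, after the reset, and after
# recovering through the reflog.
demo_history_cleanup
```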



Re: [qubes-devel] Qubes 4.0

2017-06-28 Thread Wojtek Porczyk
On Wed, Jun 28, 2017 at 04:40:53PM -0400, Outback Dingo wrote:
> Does Anyone have a recent build iso of Qubes 4.0 I can try, Ive tried
> building it unsuccessfully drama in another thread. I just want to
> verify my networking issues are resolved.

I don't think it exists. The one I'm currently working off has non-installable
templates (rpms from R3.2 can't be used on R4.0 because of some problems with
post-installation, so I run the internal tools more or less manually) and
there is no Manager.

And bugs. Not much, but some annoying.

Looks like we're going to deliver on Andrew's promise with a slight delay.


-- 
pozdrawiam / best regards   _.-._
Wojtek Porczyk           .-^'   '^-.
Invisible Things Lab     |'-.-^-.-'|
                         |  |   |  |
 I do not fear computers,|  '-.-'  |
 I fear lack of them.    '-._ :  ,-'
    -- Isaac Asimov         `^-^-_>


Re: [qubes-devel] Qubes 4.0 built from git fails

2017-06-28 Thread Wojtek Porczyk
On Wed, Jun 28, 2017 at 10:52:33PM +0200, Marek Marczykowski-Górecki wrote:
> On Wed, Jun 28, 2017 at 11:31:48AM -0400, Outback Dingo wrote:
> > still a struggle

It wasn't easy to write, so why should it be easy to compile.

/s


-- 
pozdrawiam / best regards   _.-._
Wojtek Porczyk           .-^'   '^-.
Invisible Things Lab     |'-.-^-.-'|
                         |  |   |  |
 I do not fear computers,|  '-.-'  |
 I fear lack of them.    '-._ :  ,-'
    -- Isaac Asimov         `^-^-_>


[qubes-devel] Re: Stack-clash kernel vuln & patches

2017-06-28 Thread Reg Tiangha
On 06/28/2017 03:14 PM, Marek Marczykowski-Górecki wrote:
> On Wed, Jun 28, 2017 at 02:59:03PM -0600, Reg Tiangha wrote:
>> On 06/28/2017 01:42 PM, Chris Laprise wrote:
>>> Are the latest kernels in testing patched for CVE-2017-1000364?
>>>
>>> Some info...
>>>
>>> https://www.darkreading.com/vulnerabilities---threats/stack-clash-smashed-security-fix-in-linux-/d/d-id/1329193
>>>
>>>
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
>>>
>> The one in testing probably isn't. Those fixes weren't introduced until
>> 4.9.34 (or 4.4.74 and 4.11.7) which were introduced a few days ago. They
>> compile easily enough with all existing Qubes/Xen patches, though so if
>> you have the capability of compiling your own kernel, just incrementing
>> the number in the version file is enough.
> Reg, as you do track kernel changes, would you mind sending pull
> requests when you think it's worth updating kernel in Qubes repo?
> I'm not sure if we want to upload every single stable update, as it will
> probably never get out of testing ;) but for example 4.9.34 would be a
> good idea for the reason above.
>
> And for this, I'd like to have slightly cleaner git history - for
> example you have applied XSA 216 patch twice. After already being
> applied in QubesOS/qubes-linux-kernel repository...
>
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
Yeah, that was me screwing up by making a commit but forgetting to
upload the file. I'm still a git newb so I didn't know how to delete or
revert properly (if there's a good online guide, please point me to the
right direction); I didn't know the main branch had already applied the
fix before I did my version. I almost just want to delete my version and
re-fork the master one; would that be too extreme, or is there an easier
way to clean that up?




[qubes-devel] Re: Stack-clash kernel vuln & patches

2017-06-28 Thread Reg Tiangha
On 06/28/2017 02:59 PM, Reg Tiangha wrote:
> On 06/28/2017 01:42 PM, Chris Laprise wrote:
>> Are the latest kernels in testing patched for CVE-2017-1000364?
>>
>> Some info...
>>
>> https://www.darkreading.com/vulnerabilities---threats/stack-clash-smashed-security-fix-in-linux-/d/d-id/1329193
>>
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
>>
> The one in testing probably isn't. Those fixes weren't introduced until
> 4.9.34 (or 4.4.74 and 4.11.7) which were introduced a few days ago. They
> compile easily enough with all existing Qubes/Xen patches, though so if
> you have the capability of compiling your own kernel, just incrementing
> the number in the version file is enough.
>
>

Well actually, I might be mistaken. There could be some preliminary
fixes in the version that's in current-testing (4.9.33) but more
comprehensive fixes were introduced in the latest round of kernel
updates by upstream (i.e. 4.9.34). In the short term, one can mitigate a
little bit by manually setting RLIMIT_STACK and RLIMIT_AS values of
local users and remote services to low values.

https://arstechnica.com/security/2017/06/12-year-old-security-hole-in-unix-based-oses-isnt-plugged-after-all/
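
One way to apply the short-term mitigation mentioned above to a single service, as an added example that is not part of the original message. The function names and the limit values (1024 KiB stack, 1 GiB address space) are constructed for illustration, not figures from the thread.

```shell
#!/bin/sh
# Added example: start a command with lowered RLIMIT_STACK and RLIMIT_AS
# without changing the limits of the calling shell.

# lower_limit FLAG KIB
# Set the soft and hard limit selected by FLAG (-s = RLIMIT_STACK,
# -v = RLIMIT_AS) to KIB. An unprivileged process cannot raise a hard
# limit, so if the current hard limit is already at or below KIB it is
# left alone.
lower_limit() {
    cur=$(ulimit -H "$1")
    if [ "$cur" = "unlimited" ] || [ "$cur" -gt "$2" ]; then
        ulimit "$1" "$2"
    fi
}

# run_limited STACK_KIB AS_KIB CMD [ARGS...]
# The limits are set inside a subshell, so only CMD and its children
# inherit them. Exit status 125 means a limit could not be applied and
# CMD was not started.
run_limited() {
    stack_kib=$1
    as_kib=$2
    shift 2
    (
        lower_limit -s "$stack_kib" || exit 125
        lower_limit -v "$as_kib" || exit 125
        exec "$@"
    )
}

# Show the limits the child actually sees (constructed values).
run_limited 1024 1048576 sh -c 'echo "stack=$(ulimit -s) KiB as=$(ulimit -v) KiB"'
```

Because the hard limit is lowered as well, the started process cannot raise either value again on its own.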




Re: [qubes-devel] Re: Stack-clash kernel vuln & patches

2017-06-28 Thread Marek Marczykowski-Górecki
On Wed, Jun 28, 2017 at 02:59:03PM -0600, Reg Tiangha wrote:
> On 06/28/2017 01:42 PM, Chris Laprise wrote:
> > Are the latest kernels in testing patched for CVE-2017-1000364?
> >
> > Some info...
> >
> > https://www.darkreading.com/vulnerabilities---threats/stack-clash-smashed-security-fix-in-linux-/d/d-id/1329193
> >
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
> >
> 
> The one in testing probably isn't. Those fixes weren't introduced until
> 4.9.34 (or 4.4.74 and 4.11.7) which were introduced a few days ago. They
> compile easily enough with all existing Qubes/Xen patches, though so if
> you have the capability of compiling your own kernel, just incrementing
> the number in the version file is enough.

Reg, as you do track kernel changes, would you mind sending pull
requests when you think it's worth updating kernel in Qubes repo?
I'm not sure if we want to upload every single stable update, as it will
probably never get out of testing ;) but for example 4.9.34 would be a
good idea for the reason above.

And for this, I'd like to have slightly cleaner git history - for
example you have applied XSA 216 patch twice. After already being
applied in QubesOS/qubes-linux-kernel repository...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0 built from git fails

2017-06-28 Thread Marek Marczykowski-Górecki

On Wed, Jun 28, 2017 at 11:31:48AM -0400, Outback Dingo wrote:
> On Wed, Jun 28, 2017 at 7:03 AM, Marek Marczykowski-Górecki
>  wrote:
> > On Wed, Jun 28, 2017 at 06:53:30AM -0400, Outback Dingo wrote:
> >> -> Installing core RPM packages...
> >> /var/tmp/rpm-tmp.UBUWVQ: line 9: grep: command not found
> >> /var/tmp/rpm-tmp.UBUWVQ: line 16: grep: command not found
> >> Failed to connect to bus: No such file or directory
> >> Failed to set locale, defaulting to C
> >> Package dnf-1.1.10-6.fc25.noarch is already installed, skipping.
> >> Package dnf-plugins-core-0.1.21-5.fc25.noarch is already installed, skipping.
> >> Running in chroot, ignoring request.
> >> groupadd: GID '0' already exists
> >> make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:81: /home/dingo/qubes-builder/chroot-fc25/home/user/.prepared_base] Error 1
> >> make[1]: Leaving directory '/home/dingo/qubes-builder'
> >> make: *** [Makefile:221: vmm-xen-dom0] Error 1
> >> [root@localhost qubes-builder]#
> >
> > Run the build as normal user (it will use sudo where really necessary).
> >
> 
> still a struggle
> -> Building meta-packages (rpm_spec/qubes-vm-meta-packages.spec) for fc25 vm (logfile: build-logs/meta-packages-vm-fc25.log)
> --> Done:
>  qubes-src/meta-packages/pkgs/fc25/noarch/qubes-repo-contrib-4.0.0-1.fc25.noarch.rpm
>  qubes-src/meta-packages/pkgs/fc25/noarch/qubes-vm-dependencies-4.0.0-1.fc25.noarch.rpm
>  qubes-src/meta-packages/pkgs/fc25/noarch/qubes-vm-recommended-4.0.0-1.fc25.noarch.rpm
> ln: failed to access 'pkgs/fc25/noarch/qubes-desktop-linux-common-3.2.0-1.fc25.noarch.rpm': No such file or directory
> ln: failed to access 'pkgs/fc25/noarch/qubes-menus-3.2.0-1.fc25.noarch.rpm': No such file or directory
> make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:166: update-repo-do] Error 1
> make: *** [Makefile:294: template-local-fc25] Error 1

Oh, looks like order in COMPONENTS is wrong. Put desktop-linux-common
before linux-template-builder.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-devel] Qubes 4.0

2017-06-28 Thread Outback Dingo
Does anyone have a recent build ISO of Qubes 4.0 I can try? I've tried
building it unsuccessfully (drama in another thread). I just want to
verify my networking issues are resolved.



Re: [qubes-devel] Re: [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-28 Thread Rusty Bird

Andrew Morgan:
> (For some reason your reply doesn't show up in mailing list, so replying
> with it quoted below)

Ah what is the matter with Google Groups and my e-mail address.

> Heh, I need to stop replying to emails in the wee hours of the
> morning... Thought you just needed a script tested or whatnot.
> 
> That being said, while it is my main work laptop, if all that happened
> was the RAM cracked it wouldn't be too expensive to replace. Anything
> else would be bad though, since I'm doing my own GSoC project on here :P

I probably wouldn't try this with my main system. There could be other
issues, such as condensation.

> What may be tricky is what to do after the DRAM contents have
> been frozen. Does one just plug it in to a running Desktop system and
> execute some software to scan the contents?

For the SCLEAN test, it would all happen inside a single notebook:

1. Boot in AEM mode, without dom0_mem=max:4096
2. Turn off swap space and shut down all VMs
3. Run some small program in dom0 that allocates as much memory as
   possible and fills it with a pattern
4. Cool down RAM modules, unplug disk, and power cycle
5. Boot memory scraper from another disk, and see if the pattern is
   still present - if it is, SCLEAN has been ineffective

> This article states that cold boot attacks against DDR3 systems are
> much less feasible than DDR1/2. Would it even work if we tried?
> 
> https://darkwebnews.com/security-guide/cold-boot-attacks-unencrypted-ram-extraction/

With t=0 seconds between power off and power on (what they call "warm
reset" in the quoted paper [1]), they say it worked even with DDR3
RAM. But it's good to know that transplanting DDR3 RAM turned out to
be pointless! Thanks for the link.

Rusty


1. https://www1.cs.fau.de/filepool/projects/coldboot/fares_coldboot.pdf

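Steps 3 and 5 of the SCLEAN test listed in the message above, as an added example that is not code from the thread or from the Anti Evil Maid project: a filler that writes a recognisable block pattern into memory, and a scanner that counts how many blocks of a raw memory dump still carry it, tolerating a few decayed bits. The 64-byte block, the SEED value, the `fill`/`scan` arguments and the 32-bit tolerance are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BLOCK 64                     /* bytes per pattern block (assumed size) */
#define SEED  0x51434C45414E2121ULL  /* constructed marker, not from the thread */

/* splitmix64 mixer: word j of every block is mix(SEED + j). */
static uint64_t mix(uint64_t x) {
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Step 3: fill len bytes with the repeating block; returns blocks written. */
size_t fill_pattern(uint64_t *buf, size_t len) {
    size_t words = len / BLOCK * (BLOCK / 8);
    for (size_t i = 0; i < words; i++)
        buf[i] = mix(SEED + i % (BLOCK / 8));
    return words / (BLOCK / 8);
}

/* Step 5: count aligned blocks within max_flips bit errors of the pattern. */
size_t scan_pattern(const void *dump, size_t len, unsigned max_flips) {
    const unsigned char *p = dump;
    size_t hits = 0;
    for (size_t off = 0; off + BLOCK <= len; off += BLOCK) {
        unsigned flips = 0;
        for (size_t j = 0; j < BLOCK / 8; j++) {
            uint64_t got;
            memcpy(&got, p + off + j * 8, 8);
            flips += (unsigned)__builtin_popcountll(got ^ mix(SEED + j));
        }
        hits += flips <= max_flips;
    }
    return hits;
}

int main(int argc, char **argv) {
    static unsigned char chunk[1 << 20];
    size_t n, total = 0, hits = 0;
    if (argc == 3 && !strcmp(argv[1], "fill")) {        /* fill <MiB> */
        size_t len = (size_t)strtoull(argv[2], NULL, 10) << 20;
        uint64_t *buf = malloc(len);
        if (!buf) { perror("malloc"); return 1; }
        printf("%zu blocks filled; continue with step 4\n", fill_pattern(buf, len));
        getchar();                                      /* keep pages resident */
        return 0;
    }
    FILE *f = (argc == 3 && !strcmp(argv[1], "scan")) ? fopen(argv[2], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s fill <MiB> | scan <dump>\n", argv[0]); return 2; }
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) { /* scan <raw dump> */
        hits += scan_pattern(chunk, n, 32);
        total += n / BLOCK;
    }
    fclose(f);
    printf("%zu of %zu blocks still hold the pattern\n", hits, total);
    return 0;
}
```

A result of zero surviving blocks is what an effective SCLEAN would produce; any non-zero count means pattern data outlived the power cycle.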


[qubes-devel] Stack-clash kernel vuln & patches

2017-06-28 Thread Chris Laprise

Are the latest kernels in testing patched for CVE-2017-1000364?

Some info...

https://www.darkreading.com/vulnerabilities---threats/stack-clash-smashed-security-fix-in-linux-/d/d-id/1329193

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-devel] Qubes 4.0 built from git fails

2017-06-28 Thread Outback Dingo
On Wed, Jun 28, 2017 at 7:03 AM, Marek Marczykowski-Górecki
 wrote:
> On Wed, Jun 28, 2017 at 06:53:30AM -0400, Outback Dingo wrote:
>> -> Installing core RPM packages...
>> /var/tmp/rpm-tmp.UBUWVQ: line 9: grep: command not found
>> /var/tmp/rpm-tmp.UBUWVQ: line 16: grep: command not found
>> Failed to connect to bus: No such file or directory
>> Failed to set locale, defaulting to C
>> Package dnf-1.1.10-6.fc25.noarch is already installed, skipping.
>> Package dnf-plugins-core-0.1.21-5.fc25.noarch is already installed, skipping.
>> Running in chroot, ignoring request.
>> groupadd: GID '0' already exists
>> make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:81: /home/dingo/qubes-builder/chroot-fc25/home/user/.prepared_base] Error 1
>> make[1]: Leaving directory '/home/dingo/qubes-builder'
>> make: *** [Makefile:221: vmm-xen-dom0] Error 1
>> [root@localhost qubes-builder]#
>
> Run the build as normal user (it will use sudo where really necessary).
>

still a struggle
-> Building meta-packages (rpm_spec/qubes-vm-meta-packages.spec) for fc25 vm (logfile: build-logs/meta-packages-vm-fc25.log)
--> Done:
 qubes-src/meta-packages/pkgs/fc25/noarch/qubes-repo-contrib-4.0.0-1.fc25.noarch.rpm
 qubes-src/meta-packages/pkgs/fc25/noarch/qubes-vm-dependencies-4.0.0-1.fc25.noarch.rpm
 qubes-src/meta-packages/pkgs/fc25/noarch/qubes-vm-recommended-4.0.0-1.fc25.noarch.rpm
ln: failed to access 'pkgs/fc25/noarch/qubes-desktop-linux-common-3.2.0-1.fc25.noarch.rpm': No such file or directory
ln: failed to access 'pkgs/fc25/noarch/qubes-menus-3.2.0-1.fc25.noarch.rpm': No such file or directory
make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:166: update-repo-do] Error 1
make: *** [Makefile:294: template-local-fc25] Error 1



> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Qubes 4.0 built from git fails

2017-06-28 Thread Marek Marczykowski-Górecki

On Wed, Jun 28, 2017 at 06:53:30AM -0400, Outback Dingo wrote:
> -> Installing core RPM packages...
> /var/tmp/rpm-tmp.UBUWVQ: line 9: grep: command not found
> /var/tmp/rpm-tmp.UBUWVQ: line 16: grep: command not found
> Failed to connect to bus: No such file or directory
> Failed to set locale, defaulting to C
> Package dnf-1.1.10-6.fc25.noarch is already installed, skipping.
> Package dnf-plugins-core-0.1.21-5.fc25.noarch is already installed, skipping.
> Running in chroot, ignoring request.
> groupadd: GID '0' already exists
> make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:81: /home/dingo/qubes-builder/chroot-fc25/home/user/.prepared_base] Error 1
> make[1]: Leaving directory '/home/dingo/qubes-builder'
> make: *** [Makefile:221: vmm-xen-dom0] Error 1
> [root@localhost qubes-builder]#

Run the build as normal user (it will use sudo where really necessary).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-devel] Qubes 4.0 built from git fails

2017-06-28 Thread Outback Dingo
-> Installing core RPM packages...
/var/tmp/rpm-tmp.UBUWVQ: line 9: grep: command not found
/var/tmp/rpm-tmp.UBUWVQ: line 16: grep: command not found
Failed to connect to bus: No such file or directory
Failed to set locale, defaulting to C
Package dnf-1.1.10-6.fc25.noarch is already installed, skipping.
Package dnf-plugins-core-0.1.21-5.fc25.noarch is already installed, skipping.
Running in chroot, ignoring request.
groupadd: GID '0' already exists
make[1]: *** [/home/dingo/qubes-builder/qubes-src/builder-fedora/Makefile.fedora:81: /home/dingo/qubes-builder/chroot-fc25/home/user/.prepared_base] Error 1
make[1]: Leaving directory '/home/dingo/qubes-builder'
make: *** [Makefile:221: vmm-xen-dom0] Error 1
[root@localhost qubes-builder]#



[qubes-devel] Re: [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-28 Thread Andrew Morgan
(For some reason your reply doesn't show up in mailing list, so replying
with it quoted below)

On 06/27/2017 02:38 PM, Rusty Bird wrote:
> Andrew Morgan:
>> On 06/26/2017 08:28 AM, Rusty Bird wrote:
>>> Hi Patrik,
>>>
>>>> I've read some more about Intel TXT and tboot... and it seems that cold
>>>> boot attacks could be ruled out as any abrupt shutdown will trigger a
>>>> secure RAM scrub (via BIOS ACM, a different thing from the SINIT ACM
>>>> module). However, I'm not 100% sure whether whole RAM gets wiped or just
>>>> the TXT-related bits -- couldn't find that explicitly stated in neither
>>>> TXT nor tboot docs. :-\
>>>>
>>>> And since the BIOS ACM is a binary blob, the only way to find out will
>>>> be to actually perform a cold boot attack...
>>>
>>> Yes, it would be interesting to test this on e.g. a popular ThinkPad
>>> with 16 GB RAM. There are some bootable memory scrapers [1] if anyone
>>> doesn't know what to do with all their liquid nitrogen...
>
>> I have a Thinkpad T540p with 16GB of RAM. Let me know if you need any
>> testing done :)
>
> Whoa, really? That would be cool! No pun inte-- oh, who am I kidding.
>
> On video, it looks like the T540p has one RAM module sort of on top of
> another, covering half of the lower module. Do you think there's still
> enough vertical space between them to cool down the whole lower
> module? If not, could it fracture from thermal stress? (And how
> annoyed would you be if "something like that" happened...)
>
> Rusty
>

Heh, I need to stop replying to emails in the wee hours of the
morning... Thought you just needed a script tested or whatnot.

That being said, while it is my main work laptop, if all that happened
was the RAM cracked it wouldn't be too expensive to replace. Anything
else would be bad though, since I'm doing my own GSoC project on here :P

What may be tricky is what to do after the DRAM contents have
been frozen. Does one just plug it in to a running Desktop system and
execute some software to scan the contents?

Laptop RAM wouldn't fit in a normal desktop, so I'd need to get an
adapter or use another compatible laptop (may have one).

This article states that cold boot attacks against DDR3 systems are
much less feasible than DDR1/2. Would it even work if we tried?

https://darkwebnews.com/security-guide/cold-boot-attacks-unencrypted-ram-extraction/

Open to ideas :)

Andrew Morgan
