Re: [qubes-users] Replacing Dolphin on Whonix-ws

2016-11-17 Thread entr0py
Sec Tester:
> I Really dislike Dolphin. Thumbnail previews don't even seem to work,
> and it's kinda annoying to use. I'd like to swap it out for something
> lite and simple (like the fedora-23 file browser)
> 
> Just wanted to check that's not going to break anything?
> 
> Looking at the package removal list, I think it probably will...
> 

I see you're still intent on breaking your templates. I think you want to get 
comfortable with `apt-rdepends`.

Try: `apt-rdepends -r dolphin`

Looks like most of those packages are meta-packages but I wouldn't waste time 
trying to figure it out. Just leave it and install nautilus (gnome file 
manager) if that's what you want. thunar (xfce) is also popular.

Before you install, type: `apt-get -s install nautilus` and make sure you want 
to pull in all those gnome/gtk dependencies.

As for Dolphin, I love its customizability. The thumbnails are likely disabled 
as a security precaution. I was about to say that it was restricted by apparmor 
but it looks like there isn't a profile - strange, kind of remember one in the 
past.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fe75f76f-4b7b-1abe-5fe1-0cc6c5014a50%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to rotate VPNs?

2016-11-17 Thread Manuel Amador (Rudd-O)
On 10/29/2016 03:09 AM, Gaiko Kyofusho wrote:
> Is it possible to set up a VpnVM to automatically/randomly switch
> between vpn servers? At the moment I have to manually replace
> openvpn-client.opvn file with another file (with other server info)
> every time I want to change, would be great if I could at least have a
> menu that would give me the choice of which server I use or randomly
> cycle through servers.

Can you file a ticket for a feature request on
https://github.com/Rudd-O/qubes-vpn ?  Thanks.

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Re: ANN: Qubes network server

2016-11-17 Thread Manuel Amador (Rudd-O)
On 11/07/2016 02:29 PM, Max wrote:
>
> This worked first time!
>
> I pinged from the Debian AppVM to a new Fedora AppVM. I checked that the 
> pinging did not work first and then went through the steps to change the 
> Fedora AppVM to connect to the proxy server NetVM, assign a static IP, 
> restart, set the firewall rules and then ping.
>
> In the meantime, could I ask if it is possible to do what I am trying to 
> achieve  by adjusting the iptables? I reported my troubles attempting to do 
> this here: 
> https://groups.google.com/d/msg/qubes-users/Dan7LNLv048/pkT_O2tDAAAJ

It's not clear to me what you are trying to achieve.  Can you describe
it in English with examples?


-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-11-17 Thread Manuel Amador (Rudd-O)
On 11/09/2016 01:38 PM, SEC Tester wrote:
> Hey Rudd-O,
>
> Thanks for your effort and great contribution to the Qubes community. Not 
> sure why Chris was critical, especially without specifically showing evidence 
> of any problems. Maybe just a troll?
>
> I haven't tried your program out yet, I'm keeping it as my backup option, as 
> I'm still hoping to find a way to get my AirVPN GUI to work. I would prefer a 
> GUI over a CLI, especially when I might want to switch servers quickly or 
> look at my stats.
>
> As you seem like such an expert on this, I was hoping you could have a look 
> at my post, and see if you could work out what's going wrong?
>
> https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg
>
> If you have the time that would be Awesome! Cheers.

I don't really know how that VPN software works, honestly.


-- 
Rudd-O
http://rudd-o.com/



[qubes-users] Replacing Dolphin on Whonix-ws

2016-11-17 Thread Sec Tester
I Really dislike Dolphin. Thumbnail previews don't even seem to work, and it's 
kinda annoying to use. I'd like to swap it out for something lite and simple 
(like the fedora-23 file browser)

Just wanted to check that's not going to break anything?

Looking at the package removal list, I think it probably will...



Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-17 Thread Manuel Amador (Rudd-O)
On 11/12/2016 08:58 PM, Chris Laprise wrote:
>
> That was my first reaction, too. But years later, I am so, s glad
> ITL de-emphasized kernel-based security.
>
> If they had kept it as a supported security layer, the
> "security-in-depth" mindset would have dominated most of our
> discussions and attention... essentially eaten our brains like it does
> to everyone else. Seriously, this stuff can be perniciously
> misleading, and the moment that "authoritative" voices in the
> community start looking down their noses at "dinky little 1MB
> hypervisor" compared with their heavy bookshelves full of standard
> admin guides and certifications... that's when the security zombies
> start encroaching.
>
> Therefore, I think it is up to the community to promote the Linux
> extra security measures as a kind of add-on. Enabling it could be a
> good thing IF and only if we can do it with minimal effort and
> distraction. But keep it far away from pre-installed or supported status.

Actually, enabling things like GRSECURITY / PaX / SELinux by default
adds security, so it is better than not enabling it.  The only question
is what sort of usability problems it can carry.  But something that
will prevent, say, Firefox from doing arbitrary shit when owned, that
would be absolutely great.

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Re: Does the Standard Firewall-VM Actaully do anything?

2016-11-17 Thread Manuel Amador (Rudd-O)
On 11/17/2016 04:20 AM, Sec Tester wrote:
> It also raises the question,
>
> Is there any benefit running a VPN-Proxy-VM through sys-firewall?
>
> Or maybe save the overhead and just connect VPN-Proxy-VM directly to sys-Net?
>

Either works.  With the firewall in between, you can limit the outbound
traffic from the VPN VM to strictly VPN traffic and nothing more.

I have explanatory drawings here: https://github.com/Rudd-O/qubes-vpn

-- 
Rudd-O
http://rudd-o.com/



Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-17 Thread john
Setting a boot password in the BIOS should mitigate adequately since 
initrd does not execute until after boot password entry.


On 11/17/2016 12:20 AM, Vít Šesták wrote:

According to the description, it looks likely to affect Qubes.

According to my experience, I remember getting in the shell (from a different 
reason) and it asked for a password. I believe this happened when upgrading to 
3.2 due to a mountpoint issue. This suggests that Qubes is not affected, but I 
haven't tried the exact scenario in Qubes.

The key question, however, is: How does it fit to your threat model? In my 
case, attacker would need a physical access. In such case, she can also boot 
from an USB device and do the same, maybe even more comfortably. I am aware 
that there are some examples (e.g. ATM) where this can be a real issue. Even 
for those cases, I doubt this is a massive threat. Such devices have usually a 
fairly limited keyboard, which can make the vulnerability unusable. (I am 
assuming that attacker cannot attach a custom keyboard.)

Regards,
Vít Šesták 'v6ak'



--

John R. Shannon



Re: [qubes-users] /rw/config/rc.local on debian-8

2016-11-17 Thread Vincent Elliott
The amendment worked like a charm.

Thanks,
Vincent

Vincent "Kim" Elliott
ITC Consultant
Kingston, Jamaica
876-381-0661


On Thu, Nov 17, 2016 at 10:24 AM,  wrote:

> On Thursday, November 17, 2016 at 9:54:09 AM UTC-5, Vincent Elliott wrote:
> > Just adding my 2 cents to this conversation...
> >
> > The file "/rw/config/rc.local" does not consistently execute on Debian-8
> > and I find that the VM has to be restarted (sometimes multiple times) for
> > it to take effect.  The file is executable and all I am trying to do is
> > allow traffic from some other VM(s) as per the instructions in
> > https://www.qubes-os.org/doc/firewall/.
> >
> > How can I ensure that the script executes reliably?
>
> Debian machines sometimes have a problem with loading rc.local a little
> too quickly. Putting "sleep 1" or "sleep 5" before loading your firewall
> rules should make it reliable. (see further http://askubuntu.com/a/556563)
>
> Daniel



[qubes-users] VT-d support in hcl report

2016-11-17 Thread tezeb
Hi everyone,

I was about to add my hcl report to wiki when I noticed that for some
reason it reports IOMMU as enabled, while to my best knowledge it should
not be supported on my system. As googling didn't help me understand
what's going on I hope someone here can shed some light on this.

I have Intel i5-2540 (Sandy Bridge, with VT-d):
http://ark.intel.com/products/50072/Intel-Core-i5-2540M-Processor-3M-Cache-up-to-3_30-GHz
and Intel HM65 chipset:
http://ark.intel.com/products/52808/Intel-BD82HM65-PCH
which does not support VT-d.
According to every resource I was able to find, both (and BIOS) shall
support it in order for VT-d to be enabled, but my hcl report (attached)
states:
IOMMU: "yes",
which is confirmed(somehow) by:
xl info | grep virt_caps
virt_caps: hvm hvm_directio
as well as:
xl dmesg reporting:
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invaldiation enabled
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.
(XEN) I/O virtualisation enabled
...
(XEN) VMX: Supported advanced features:
(XEN)  - APIC MMIO access virtualisation
(XEN)  - APIC TPR shadow
(XEN)  - Extended Page Tables (EPT)
(XEN)  - Virtual-Processor Identifiers (VPID)
(XEN)  - Virtual NMI
(XEN)  - MSR direct-access bitmap
(XEN)  - Unrestricted Guest
(XEN) HVM: VMX enabled

It seems as if at least part of VT-d is enabled so shall I trust Intel
specs or log outputs? Is hcl tool working correctly? Are the enabled
VT-d features enough for running Qubes 4.x?

Best Regards,
tezeb



Qubes-HCL-SAMSUNG_ELECTRONICS_CO___LTD_-400B4B_400B5B_200B4B_200B5B-20161117-162307.yml
Description: application/yaml
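
A way to cross-check the indicators quoted in this post, as an added example that is not part of the original message or of the Qubes HCL tool: it parses `xl dmesg` text and the `virt_caps` line and reports each VT-d feature's state plus whether the two hypervisor-level indicators agree. The sample input is constructed from the lines quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the post or of the Qubes HCL tool: summarise
# what Xen itself logs about the IOMMU. Function names are hypothetical.

# Sample input constructed from the `xl dmesg` lines quoted in the post.
sample_dmesg() {
    cat <<'EOF'
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d iommu 1 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invaldiation enabled
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.
(XEN) I/O virtualisation enabled
(XEN) HVM: VMX enabled
EOF
}

# stdin: `xl dmesg` text. stdout: one "feature=state" line per
# "(XEN) Intel VT-d <feature> [not] enabled" message.
vtd_features() {
    awk '
        /^\(XEN\) Intel VT-d .* enabled\.?[ \t]*$/ {
            line = $0
            sub(/^\(XEN\) Intel VT-d /, "", line)
            sub(/\.?[ \t]*$/, "", line)
            if (line ~ / not enabled$/) {
                sub(/ not enabled$/, "", line); state = "not-enabled"
            } else {
                sub(/ enabled$/, "", line); state = "enabled"
            }
            print line "=" state
        }'
}

# $1: `xl dmesg` text, $2: the virt_caps line from `xl info`.
# Prints "iommu=<active|inactive|conflicting> intremap=<state>".
# "active" requires both hypervisor indicators to agree: the
# "I/O virtualisation enabled" message and the hvm_directio capability.
iommu_verdict() {
    dmesg_text=$1
    virt_caps=$2
    io_virt=no
    case $dmesg_text in
        *"(XEN) I/O virtualisation enabled"*) io_virt=yes ;;
    esac
    directio=no
    case " ${virt_caps#*:} " in
        *" hvm_directio "*) directio=yes ;;
    esac
    intremap=$(printf '%s\n' "$dmesg_text" | vtd_features |
               sed -n 's/^Interrupt Remapping=//p')
    case $io_virt$directio in
        yesyes) iommu=active ;;
        nono)   iommu=inactive ;;
        *)      iommu=conflicting ;;
    esac
    echo "iommu=$iommu intremap=${intremap:-unknown}"
}

# Run on the constructed sample and the virt_caps line quoted in the post.
sample_dmesg | vtd_features
iommu_verdict "$(sample_dmesg)" "virt_caps: hvm hvm_directio"
```

In dom0 the same functions can be fed the live output of `xl dmesg` and `xl info | grep virt_caps`.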


Re: Enigmail and Split GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-17 Thread cubit
17. Nov 2016 15:33 by dmoer...@gmail.com:

> On Wednesday, November 16, 2016 at 10:21:33 PM UTC-5, george wrote:
>> Yes. I get the same issue too. I can read the message, but I can't write, 
>> and I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and Thunderbird. I 
>> can READ messages, but I can't send them, nor verify/encrypt/sign them. I'm 
>> not sure what to do with this...
>
> What template are you using for the gpg VM? 
>

For me both my vault VM and thunderbird VM are sharing the same Debian 8 
template. This template does have gnupg-agent 2.0.26-6+deb8u1 installed


Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-17 Thread Grzesiek Chodzicki
On Sunday, 13 November 2016 21:30:25 UTC+1, Grzesiek Chodzicki wrote:
> On Sunday, 13 November 2016 20:54:06 UTC+1, yaqu wrote:
> > On Sun, 13 Nov 2016 11:23:35 -0800 (PST), Grzesiek Chodzicki
> >  wrote:
> > 
> > > Following error message is printed after running sudo dnf remove
> > > qubes-template-fedora-23: "No match for argument:
> > > qubes-template-fedora-23 Error: No packages marked for removal."
> > 
> > It looks like you do not have this package installed (or you have
> > executed this command in VM instead of dom0).
> > 
> > To get a list of templates installed from rpm in dom0, you can use this
> > command:
> > [user@dom0 ~]$ rpm -qa | grep template
> > 
> > -- 
> > yaqu
> 
> I did execute it in dom0, fedora-23 was installed by default when I installed 
> Qubes on my PC.

Okay, I found a fix. I deleted fedora-23 folder from the templates directory 
and then deleted its entry from qubes.xml. Afterwards I rebuilt the dvm image 
using the qvm-create-default-dvm. All works fine now.



[qubes-users]

2016-11-17 Thread kubes




Re: Enigmail and Split GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-17 Thread dmoerner
On Wednesday, November 16, 2016 at 10:21:33 PM UTC-5, george wrote:
> Yes. I get the same issue too. I can read the message, but I can't write, and 
> I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and Thunderbird. I can 
> READ messages, but I can't send them, nor verify/encrypt/sign them. I'm not 
> sure what to do with this...

Hi,

What template are you using for the gpg VM? 

As far as I can tell, gpg2 always requires access to gpg-agent, even if your 
keys have no passphrase. I realized this was the problem when running "echo 
test | gpg2 -v --clearsign" in a terminal in the gpg VM always failed. 
Switching from a modified fedora23-minimal to a full fedora23 template solved 
the problem for me. If you're also using a debian-8 template for the gpg VM, it 
might be missing the same thing that fedora23-minimal was missing. (Which I 
never figured out because I needed to get enigmail working.)

Best,
Daniel



Re: [qubes-users] /rw/config/rc.local on debian-8

2016-11-17 Thread dmoerner
On Thursday, November 17, 2016 at 9:54:09 AM UTC-5, Vincent Elliott wrote:
> Just adding my 2 cents to this conversation...
> 
> The file "/rw/config/rc.local" does not consistently execute on Debian-8 and 
> I find that the VM has to be restarted (sometimes multiple times) for it to 
> take effect.  The file is executable and all I am trying to do is allow 
> traffic from some other VM(s) as per the instructions in 
> https://www.qubes-os.org/doc/firewall/.
> 
> How can I ensure that the script executes reliably?

Debian machines sometimes have a problem with loading rc.local a little too 
quickly. Putting "sleep 1" or "sleep 5" before loading your firewall rules 
should make it reliable. (see further http://askubuntu.com/a/556563)

Daniel
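
The fix described in this reply, written out as an added example that is not part of the original thread: an rc.local that retries rule insertion instead of relying on one fixed sleep, and checks for an existing rule before inserting. It goes beyond the reply by assuming the early-boot failure is transient; `IPT`, `RETRIES`, `RETRY_DELAY`, the function names and the `$0` guard are assumptions, and the two addresses are the ones from the script posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: a /rw/config/rc.local that retries
# rule insertion instead of relying on one fixed sleep, and stays idempotent.
# IPT, RETRIES, RETRY_DELAY and the function names are assumptions.

IPT=${IPT:-iptables}            # overridable so the logic can be tested
RETRIES=${RETRIES:-10}          # attempts per rule
RETRY_DELAY=${RETRY_DELAY:-1}   # seconds between attempts

# Write to stderr and, when available, to syslog, so that after boot the
# log shows whether rc.local ran and what happened to each rule.
log() {
    echo "rc.local: $*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t rc.local "$*" 2>/dev/null || true
    fi
}

# Accept traffic from one source address, inserting the rule at most once.
#   -w waits for the xtables lock, -C tests whether the rule already exists.
# Returns 0 when the rule is in place, 1 after RETRIES failures, 2 on bad input.
allow_source() {
    src=$1
    case $src in
        ""|*[!0-9.]*) log "refusing malformed address '$src'"; return 2 ;;
    esac
    attempt=0
    while [ "$attempt" -lt "$RETRIES" ]; do
        if "$IPT" -w -C INPUT -s "$src" -j ACCEPT 2>/dev/null ||
           "$IPT" -w -I INPUT -s "$src" -j ACCEPT 2>/dev/null; then
            log "ACCEPT rule for $src in place (attempt $((attempt + 1)))"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    log "gave up adding ACCEPT rule for $src after $RETRIES attempts"
    return 1
}

# Apply the rules only when this file is executed as rc.local; under any
# other name it just defines the functions.
case $0 in
    */rc.local|rc.local)
        allow_source 10.137.2.22   # addresses from the script in this thread
        allow_source 10.137.2.24
        ;;
esac
```

After a reboot, `iptables -S INPUT` shows whether each rule is present exactly once.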



Re: [qubes-users] Trouble upgrading template VMs FC23 -> FC24

2016-11-17 Thread Pawel Debski

seek, and ye shall find

I was also thinking about std Fedora dnf upgrade plugin 
(https://fedoraproject.org/wiki/DNF_system_upgrade), but the Qubes 
instruction better explains the intricacies of Qubes environment.


Many thanks.

Z powazaniem / Best Regards
Mit freundlichen Gruessen / Meilleures salutations
Pawel Debski

On 2016-11-17 16:01, yaqu wrote:

On Thu, 17 Nov 2016 05:16:12 -0800 (PST), Pawel Debski
 wrote:


I have upgraded dom0 as described in
https://www.qubes-os.org/doc/upgrade-to-r3.2/ and then executed:

sudo dnf install --refresh qubes-upgrade-vm
sudo dnf upgrade --refresh
sudo dnf install qubes-mgmt-salt-vm-connector

apparently everything went ok, however the template vm still is in
version FC3:

You have just upgraded your template to Qubes 3.2, not to Fedora 23.


What shall I do to actually upgrade it to FC24?

Now follow this instruction:
https://www.qubes-os.org/doc/fedora-template-upgrade-23/





Re: [qubes-users] Trouble upgrading template VMs FC23 -> FC24

2016-11-17 Thread yaqu
On Thu, 17 Nov 2016 05:16:12 -0800 (PST), Pawel Debski
 wrote:

> I have upgraded dom0 as described in
> https://www.qubes-os.org/doc/upgrade-to-r3.2/ and then executed:
> 
> sudo dnf install --refresh qubes-upgrade-vm
> sudo dnf upgrade --refresh
> sudo dnf install qubes-mgmt-salt-vm-connector
> 
> apparently everything went ok, however the template vm still is in
> version FC3:

You have just upgraded your template to Qubes 3.2, not to Fedora 23.

> 
> What shall I do to actually upgrade it to FC24?

Now follow this instruction:
https://www.qubes-os.org/doc/fedora-template-upgrade-23/

-- 
yaqu



Re: [qubes-users] /rw/config/rc.local on debian-8

2016-11-17 Thread Vincent Elliott
On Monday, 22 August 2016 18:46:12 UTC-5, johny...@sigaint.org  wrote:
> > On 2016-08-22 07:52, johnyju...@sigaint.org wrote:
> >> /rw/config/rc.local doesn't seem to be run on startup in debian-8
> >> (3.2-testing).
> >>
> >> What is supposed to launch this?  systemd, another startup script, or
> >> something dom0-related?
> >>
> >> I added "/rw/config/rc.local" to "/etc/rc.local" and it works, but was
> >> wondering what might be the official way to do this, and if this is a
> >> bug.
> >>
> >> Thanks.
> >>
> >> JJ
> >>
> >
> > Did you make it executable?
> >
> > # chmod +x /rw/config/rc.local
> 
> Yes, I did.
> 
> And it seems to be working.  I must have been confused at some point with
> too many windows open in different VM's.  :)
> 
> Apologies for the mistaken report.
> 
> JJ

Just adding my 2 cents to this conversation...

The file "/rw/config/rc.local" does not consistently execute on Debian-8 and I 
find that the VM has to be restarted (sometimes multiple times) for it to take 
effect.  The file is executable and all I am trying to do is allow traffic from 
some other VM(s) as per the instructions in 
https://www.qubes-os.org/doc/firewall/.

The contents of the file is below:

#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This include overriding some configuration in /etc,
# starting services etc.
#
# You need to make this script executable to have it enabled.

# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups
iptables -I INPUT -s 10.137.2.22 -j ACCEPT
iptables -I INPUT -s 10.137.2.24 -j ACCEPT
/rw/config/rc.local (END)

How can I ensure that the script executes reliably?

Vincent


Re: [qubes-users] Massive performance improvement after disabling power management in the BIOS

2016-11-17 Thread Robert Mittendorf

Am 11/17/2016 um 01:18 PM schrieb kotot...@gmail.com:
> Is there a bug somewhere in the kernel, in Xen or Qubes which prevent them to 
> properly use this BIOS power management system correctly?
>
> Have other users experience something similar?
Thanks for sharing. Maybe power management does only consider dom0
activity ?



[qubes-users] Trouble upgrading template VMs FC23 -> FC24

2016-11-17 Thread Pawel Debski
I have upgraded dom0 as described in 
https://www.qubes-os.org/doc/upgrade-to-r3.2/ and then executed:

sudo dnf install --refresh qubes-upgrade-vm
sudo dnf upgrade --refresh
sudo dnf install qubes-mgmt-salt-vm-connector

apparently everything went ok, however the template vm still is in version FC3:

[user@personal ~]$ ls -l /etc/redh*
lrwxrwxrwx 1 root root 14 Oct 20  2015 /etc/redhat-release -> fedora-release
[user@personal ~]$ cat /etc/redhat-release
Fedora release 23 (Twenty Three)
[user@personal ~]$ 

What shall I do to actually upgrade it to FC24?



[qubes-users] Re: installing nvidia

2016-11-17 Thread neznaika
Can't understand this "how to". I should on the PC with fedora 18 system and 
fedora's repos get something with "pvops.qubes" in the name (because my dom0 
kernel is 4.1.13-9.pvops.qubes.x86_64) ? How is that?



[qubes-users] Re: installing nvidia

2016-11-17 Thread neznaika
I installed fedora 18 and added rpm-fusion repo. Now I have a question - how can 
I get the kernel-devel "matching my Qubes dom0 kernel"?
I have 4.1.13-9.pvops.qubes.x86_64 kernel.

>fedora 18 system
>4.1.13-9.pvops.qubes.x86_64
pick one?!?



[qubes-users] Re: error reporting

2016-11-17 Thread Salmiakki
Copy/Paste between dom0 and other domains is intentionally prohibited.

https://www.qubes-os.org/doc/copy-paste/#copypaste-between-dom0-and-other-domains

Or maybe you want this:

https://www.qubes-os.org/doc/copy-from-dom0/



[qubes-users] Re: installing nvidia

2016-11-17 Thread Salmiakki
On Thursday, November 17, 2016 at 8:27:49 AM UTC+1, nezn...@xy9ce.tk wrote:
> anyone?

Can you tell us what you tried and ask a more specific question? I cannot tell 
what your actual problem is.



[qubes-users] Massive performance improvement after disabling power management in the BIOS

2016-11-17 Thread kototamo
Hello community,

I was wondering why one of my programs was taking ~15 seconds to compile when my 
colleague compiled it within ~3 seconds on his system. I know there is a 
performance price to pay for the virtualisation but nonetheless. I was super 
annoyed and I was vaguely thinking about switching back to another distribution but 
at the same time I was reading about DNS rebinding attacks and I really wanted 
to stay on Qubes.

I had a look at the BIOS settings, in the power management section. There are 
options like "Maximize performance on AC" and also options for when the laptop 
is on battery. I already had the "Maximize performance on AC" on. I disabled 
the whole power management section. Performance is better! 

The program mentioned above now compiles in ~5 seconds. The whole system seems 
more responsive, Firefox and Youtube video (HTML5) also seem better. The only 
drawback is that the laptop is definitely generating more heat (and probably 
consuming more energy) but that's okay because I spend most of the time 
connected to the AC.

Is there a bug somewhere in the kernel, in Xen or Qubes which prevents them from 
properly using this BIOS power management system?

Have other users experienced something similar?


When googling I found this article from VMWare with similar problems / solutions

https://blogs.vmware.com/vsphere/2012/01/having-a-performance-problem-hard-to-resolve-have-you-checked-your-host-bios-lately.html


Best regards,
K.



Re: [qubes-users] Does the Standard Firewall-VM Actaully do anything?

2016-11-17 Thread Franz
On Thu, Nov 17, 2016 at 5:27 AM, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:

> On Wed, Nov 16, 2016 at 07:29:35PM -0800, Sec Tester wrote:
> > So I'm finally getting around to rebuilding the sys-firewall VM on a
> > minimal template. Put it off because I thought there would be a lot of
> > scripting to set up.
> >
> > According to documentation, it doesn't need any extra packages.
> > https://www.qubes-os.org/doc/templates/fedora-minimal/
> >
> > And when creating the VM, there is no specific option for a "firewall
> > VM", only "ProxyVM".
> >
> > * So is it correct to assume the sys-firewall VM is just an empty box
> > routing connections?
>
> Mostly yes.
>
> > * There are no specific scripts/rules/packages of protection?
>
> Just a script(s) applying iptables rules (based on selection in Qubes
> Manager, user scripts etc).
>
> > * Does this actually provide any protection in the sense of a
> > traditional software firewall? How so? Does it stop incoming connections?
> > Or just add a layer of separation between sys-net & app-VMs?
>
> Every Qubes VM (including sys-firewall, and all AppVMs) by default blocks
> incoming connections. But it is mostly a place which is not so easy to
> compromise as sys-net and where you can limit AppVM in a way it can't
> easily disable on its own.
>
> > * It seems sys-firewall is just there for users to create their own
> > custom rules in VM Manager settings? Can you give an example of rules you guys
> > actually use?
>
> For example my banking VM is limited to https only and only to banking
> site. This prevents opening wrong links there by mistake and also
> loading some non-https content if the site links to it (it happens they
> load some ads using http...). Similar for my mail VM(s) - only have
> access to mail server so even if I accidentally click on some link in
> a message, it won't load there.
>
>
my bitcoinVM only connects to Electrum servers

>
> On Wed, Nov 16, 2016 at 08:20:43PM -0800, Sec Tester wrote:
> > It also raises the question,
> >
> > Is there any benefit running a VPN-Proxy-VM through sys-firewall?
> >
> > Or maybe save the overhead and just connect VPN-Proxy-VM directly to
> > sys-Net?
>
> I'd connect directly to sys-net. And depending on exact case, connect
> sys-firewall to that VPN-Proxy-VM.
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

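
The per-VM restrictions described in the message above (a banking VM limited to HTTPS to one site, a mail VM limited to its mail server) amount to a default-deny forwarding policy with a short allowlist. The following is an added example, not part of the thread and not Qubes' own firewall script: a shell function that turns such an allowlist into an `iptables-restore` ruleset for a firewall VM's FORWARD chain. The VM addresses, destination addresses and the policy-line format are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the script Qubes ships in sys-firewall.
# Policy format (an assumption of this example): "vm_ip dest_ip proto port".
# All addresses are constructed; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the bank and the mail server.
SAMPLE_POLICY='10.137.2.10 192.0.2.80 tcp 443
10.137.2.11 198.51.100.25 tcp 993
10.137.2.11 198.51.100.25 tcp 587'

# Print an iptables-restore ruleset for the allowlist passed as $1.
# Nothing is printed unless every policy line validates, so a typo can
# never yield a half-built ruleset.
gen_forward_rules() {
    rules=''
    while read -r vm dst proto port; do
        [ -n "$vm" ] || continue                      # skip blank lines
        case $vm$dst in
            *[!0-9./]*) echo "bad address: $vm $dst" >&2; return 1 ;;
        esac
        case $proto in
            tcp|udp) ;;
            *) echo "bad proto: $proto" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        # Only new outbound connections from this VM to this one service.
        rules="$rules-A FORWARD -s $vm -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done <<EOF
$1
EOF
    # Chain policy DROP: whatever is not allowlisted below is not forwarded.
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    # Return traffic for connections a VM was allowed to open.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$rules"
    printf '%s\n' 'COMMIT'
}

# The sample policy has no DNS entry, so name lookups from these VMs are
# dropped too; resolving names would need its own allowlist line.
gen_forward_rules "$SAMPLE_POLICY"
```

Because the rules live in the firewall VM rather than in the AppVM, a compromised AppVM cannot remove them by changing its own configuration.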


[qubes-users] Re: Android file transfer

2016-11-17 Thread Salmiakki
>  I can map the phone device but then mounting with simple-mtpfs in dom0 
> gives me a blank directory.

Just out of curiosity, where did you get this simple-mtpfs?



[qubes-users] Re: Android file transfer

2016-11-17 Thread Salmiakki
Connecting USB devices to Dom0 is discouraged for security reasons.

I use a VM with an attached USB controller and it works without a problem. The 
only thing I have to do is switch the phone to file transfer mode instead of 
charging, otherwise I get an empty folder as well.
