[qubes-users] Re: Qubes 4 and coreboot

[stevensheffey4]

On Tuesday, February 27, 2018 at 3:42:07 PM UTC-6, qube...@go-bailey.com wrote:
> Do the Qubes devs recommend a specific payload to use with coreboot and 
> Qubes 4?
> 
> For those who are using coreboot with the Qubes 4 release candidates, 
> what payload are you using?
> 
> Have you run into any oddities with said payload detecting the install 
> DVD or USB stick as well as with the subsequent installation?
> 
> I haven't been able to get coreboot with a petitboot payload working 
> well with Qubes 4 thus far so am thinking of trying a different payload.
> 
> Thanks in advance.

I use Coreboot + SeaBIOS with Qubes 4, and it works perfectly on a Thinkpad 
x230.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b724053-3ae1-4d64-8b4d-e9b7e8cd7cf3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 08:23 PM, 'awokd' via qubes-users wrote:

On Thu, March 1, 2018 1:14 am, billol...@gmail.com wrote:



This is not qubes-specific.  It hasn't worked in fedora for a long time,
and I don't think it works in ubuntu/debian either, as long as
NetworkManager is turned on.  In regular fedora, you can use macchanger
if you turn off NetworkManager and manage all your connections yourself,
but that's quite a hassle.


BTW, as an example of Qubes-specifics in this issue, on sleep/wake 
networkVMs don't process the normal array of events and system states 
that bare-metal Linux distros do. At least this was the case for 3.x. 
The result was that advocates of the macchanger script method (which 
relied on such events and related hooks) recommended that users keep a 
watch on the current MAC address and restart sys-net whenever it 
reverted (waking from sleep was the most common/blatant example). They 
didn't care to address the fact that the waking system was already 
broadcasting the original address before the user had a chance to 
restart sys-net (and not to mention the unmitigated headache of 
restarting/reassigning all the dependant VMs).



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/01db7573-f65e-a48d-9a48-431f85177421%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 03:58 PM, Yuraeitha wrote:

On Wednesday, February 28, 2018 at 9:14:30 PM UTC+1, vel...@tutamail.com wrote:

Chris if you could replicate the simplicity in your instruction for a 
"kill-switc-VPN" for the this feature that would be awesome...

This seems like a great feature...I am getting up to speed on the Linux 
commands but I suspect a lot of the laypeople(who likely need the security) 
would appreciate this feature if they could understand the detailed steps, even 
if simple.

Thanks again for all you do

V


https://groups.google.com/forum/#!searchin/qubes-users/vpn$20github%7Csort:date/qubes-users/FUQaRPWXPj8/SMlPfhwuAgAJ


To add to your thoughts V, maybe this could even be implemented it in Qubes 
directly, with a simple turn on/off switch or command? It seems like this would 
be helpful for new users seeking Qubes for privacy concerns. I know Qubes is 
primary focused on security, but it'd be a one step closer to make Qubes easy 
to use for people not into the terminal/how-to guides. It would also make it 
easier when upgrading a new Qubes, for example when Qubes 4.1. and Qubes 5 is 
out, and guides once again face questions as to if they work on a Qubes version 
or not (all over again).

What do you think Chris? is this realistic, feasible in terms of no newly 
introduces downsides, or even desired?


I can't tell if MAC addresses or VPNs are being discussed at this point. 
If the latter, then I've already posted the new code and done 90% of the 
changes needed to make the doc simpler (essentially 3 steps, not 
counting "test the connection" and "restart the VM"). So, we'll see 
when/if the new solution gets integrated.


For MAC addresses, I'd actually recommend making randomization the 
default _at some point_. But right now the exercise is academic because 
firmware and driver vendors haven't addressed the problem of unique 
non-address metadata that NICs are also transmitting.


Even though its academic, I'd rather not see people struggle with 
macchanger when it could still leak the original address, whether or not 
the other metadata is sent.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bbdf93a4-40a1-4304-3352-2d35d0557d9f%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 08:23 PM, 'awokd' via qubes-users wrote:

On Thu, March 1, 2018 1:14 am, billol...@gmail.com wrote:



This is not qubes-specific.  It hasn't worked in fedora for a long time,
and I don't think it works in ubuntu/debian either, as long as
NetworkManager is turned on.  In regular fedora, you can use macchanger
if you turn off NetworkManager and manage all your connections yourself,
but that's quite a hassle.

The thing I don't like about NetworkManager MAC address randomization
compared to macchanger, is that it is connection-specific, not network
device-specific, and I prefer the latter.


Yes, NM does it that way because the main necessity is to prevent users 
being tracked as their machines are moved geographically. (Of course, 
the prevention is theoretical at this point because other metadata has 
not yet been suppressed.)




Might be worth keeping the content around then if all we need to do is add
that note about disabling NetworkManager.


Unfortunately, even when they worked the macchanger scripts still had 
some big issues with the address reverting back to original when certain 
system events occurred. That's why the feature had to be integrated.


There are now three places in Linux where MAC randomization can be 
managed properly: WPA Supplicant (I think for wifi only), NM and 
systemd. NM seems to provide the best overlap between simplicity and 
flexibility. OTOH using macchanger is much more complicated and likely 
to leak your hardware address.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/53524cc5-4dc7-470b-f8ad-eabde7db557a%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

['awokd' via qubes-users]

On Thu, March 1, 2018 1:14 am, billol...@gmail.com wrote:

>
> This is not qubes-specific.  It hasn't worked in fedora for a long time,
> and I don't think it works in ubuntu/debian either, as long as
> NetworkManager is turned on.  In regular fedora, you can use macchanger
> if you turn off NetworkManager and manage all your connections yourself,
> but that's quite a hassle.
>
> The thing I don't like about NetworkManager MAC address randomization
> compared to macchanger, is that it is connection-specific, not network
> device-specific, and I prefer the latter.

Might be worth keeping the content around then if all we need to do is add
that note about disabling NetworkManager.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/490ed2153dcfbef04e0bfc92f1b02e6a.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[billollib]

On Wednesday, February 28, 2018 at 1:34:28 PM UTC-5, Chris Laprise wrote:

> Hi,
> 
> The macchanger section of the doc hasn't worked for a long time (search 
> the mailing list to see issues) and it never did work correctly, IMO.
> 
> > What should i do?
> > 
> 
> You should use the MAC randomization feature integrated into Network 
> Manager, shown at the beginning of the doc.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

This is not qubes-specific.  It hasn't worked in fedora for a long time, and I 
don't think it works in ubuntu/debian either, as long as NetworkManager is 
turned on.  In regular fedora, you can use macchanger if you turn off 
NetworkManager and manage all your connections yourself, but that's quite a 
hassle.

The thing I don't like about NetworkManager MAC address randomization compared 
to macchanger, is that it is connection-specific, not network device-specific, 
and I prefer the latter.

billo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b1332f71-9630-44fd-a316-6f866089f48e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: firewall/proxy VM not working with Qubes 4.0-rc4

[Alex Dubois]

On Wednesday, 28 February 2018 17:41:06 UTC, thorsten...@gmail.com  wrote:
> > Could you try this:
> > qvm-prefs sys-firewall | grep netvm
> > it should say sys-net? Y/N
> 
> yes, result is sys-net
> 
> 
> > Even if it states sys-net, let's try to force it again
> > qvm-prefs sys-firewall -s netvm sys-net
> 
> that command did not work due to wrong syntax, so I did:
> 
> qvm-prefs --set sys-firewall netvm sys-net
> 
> If sys-firewall is shut down, the command works.
> If sys-firewall is running, the command fails with the error:
> "no such preoperty: 'netvm'", in addition if sys-firewall is running while I 
> do this, the eth0 interface is removed from sys-firewall.
> 
> 
> > and try the arp -an in sys-firewall again
> 
> Still the same result:
> ? (10.137.0.5) at  on eth0
> 
> Maybe I should try to look into the script(s) that are running when using 
> "qvm-prefs --set sys-firewall netvm sys-net"?

Yes good idea. I would need to do so too to be able to help now... I'm not 
familiar with this part.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/19ea3dbe-7b8a-4a60-8935-e2f5f50be320%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

AW: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

['[799]' via qubes-users]

Hello Yuraeitha,

 Original-Nachricht 
An 28. Feb. 2018, 21:39, Yuraeitha schrieb:

> It seems from time to time that various
> people have shared a good unofficial script,
> guides and 'how to's', and even code, for
> Qubes related content, on their github page or
> similar. The problem however is that while
> shared, it isn't very visible, and even if they are
> from time to time mentioned in a mail thread,
> it quickly gets buried under many new mails.

I have recognized the same and was wondering already what could be the reason 
that people have written own small projects which I only knew of because 
following this mailing list.
Honestly I started the same, after coming up with the first draft of ma 
qvm-screenshot-to-clipboard script.

The main reason why I didn't upload it (yet) to Qubes docs:

1) it is on a very early stage and while it is working I would feel a bit 
ashamed, as there is no error handling etc.

2) I am unsure if the script is not only working but also "reasonable secure" 
to use

3) I like the quality of the existing Qubes documentation, but it takes some 
time for a newbie user not only to write a good how-to but also include all the 
valuable feedback or keep the discussion ongoing.

Maybe those are the reasons why others like to keep developing their stuff 
outside of the Qubes doc repository. Summarized:

1. Scripts are not yet ready/to basic
2. Unknown impact on security
3. Not enough time to craft a quality "product"

> To solve an issue like this, it'd be helpful to
> have a place where we can keep track of
> everyone's projects which are shared for
> others to use. It may also be worth discussing
> on quality and security, and how we "censor"?
> bad scripts/guides/code.

Yes, please! His could also be a good ressource to browse looking to fine-tune 
Qubes.

> It could be done in many various of different
> ways, which is also why I think it'd make
> sense to open a discussion on the matter, so
> we can find the most preferred method. First
> though, a location might be ideal starting
> place, where to keep everything updated?
> (...)
> A https://www.qubes-os.org/doc/ page listing
> all the unofficial projects. The most simple
> and easy way.

I like the idea having it available at GitHub as we can easily contribute to 
the code and GitHub has all the features to keep discussion ongoing etc.
It is also allows to keep a copy of the latest version of the scripts and 
people don't have to learn another tool when their code is ready to be released.

The bad thing:
If you're not a developer and have never worked with GitHub the learning curve 
might be high.
At least I had to click some time arround to understand what is located where 
and how it is working.

> Generally the main concern is the visibility of
> the effort that the community puts in Qubes,
> from the bottom-up, often goes to waste and
> few people see's it.

The other benefit is, that I learn a lot from reading other person's scripts 
and of course following the discussion.

Maybe some of the ideas there could also be mentioned in a maybe monthly blog 
post, so that new users can see that Qubes is a living project.

I would call this site/place where all the ideas are summarize "Qubes Garden" 
or "Qubes Playground" :-)

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0pr2C-ky5f2cKco20qOf5PtKmsLafq7Xmw0-9qKvG0demT1mbPRyAv1QOkn6w6oYvxjrv-XP_eVgyhuqrbNE8Hac1U2BLhioUJ9M6l5SlkA%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] error opening sys-net & dom0 flashing yellow triangle

[yrebstv]

Today opening sys-net  I get these errors in the terminal , though
sys-net continues  on and  seems OK ,  I suppose by now, it is expected
behavior that sys-net takes a long time and sometimes never shutsdown ??

  File "/usr/bin/qvm-start", line 136, in 
main()
  File "/usr/bin/qvm-start", line 120, in main
xid = vm.start(verbose=options.verbose,
preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
notify_function=tray_notify_generic if options.tray else None)
  File
"/usr/lib64/python2.7/site-packages/qubes/modules/005QubesNetVm.py",
line 143, in start
vm.attach_network(wait=False)
  File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py",
line 1738, in attach_network
self._format_net_dev(self.ip, self.mac, self.netvm.name))
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 530, in
attachDevice
if ret == -1: raise libvirtError ('virDomainAttachDevice() failed',
dom=self)
libvirt.libvirtError: invalid argument: network device with mac
00:16:3e:5e:6c:06 already exists



I cont'd on after  sys-net  started  via CLI  above  but occasionally I
see a dom0 flashing triangle  FWIW, maybe not related to below ??

(XEN) [VT-D]DMAR:[DMA Write] Request device [:04:00.0] fault addr
fff0, iommu reg = 82c0009f4000
(XEN) [VT-D]DMAR: reason 05 - PTE Write access is not set
(XEN) [VT-D]DMAR:[DMA Write] Request device [:04:00.0] fault addr
fff0, iommu reg = 82c0009f4000
(XEN) [VT-D]DMAR: reason 05 - PTE Write access is not set
(XEN) [VT-D]DMAR:[DMA Write] Request device [:04:00.0] fault addr
fff0, iommu reg = 82c0009f4000
(XEN) [VT-D]DMAR: reason 05 - PTE Write access is not set



THIRDLY,
of late qvm-shutdown --all   has been hanging and I must do a hard
reboot , or  do  qvm-shutdown VM1 VM2 VM3  etc ,  which is kind of a
pain ...


I'm not really geeky enough to know if any of these might be related or 
fix themselves,  Lastly,  I am running  the security update repo  , but
don't recall if any of these started before or after installing the
security patch  for  the intel  issues.


any suggestions to do something or nothing appreciated  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/860e350216c381a4ac7502794f7515aa%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL - Dell XPS 8920

[Jascha]

Attached.

Most everything I have tested seems to be working. Only the monitor
seems to have issue going into sleep/power save. When installing
computer has a SSD and Magnetic HD was forced to install to Magnetic HD
since install kept failing with SSD.

-Jascha

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6f5459a6-87b5-14c9-dafd-f53173f0d538%40cryptocartel.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-Dell_Inc_-XPS_8920-20180228-144337.yml
Description: application/yaml


Qubes-HCL-Dell_Inc_-XPS_8920-20180228-144337.cpio.gz
Description: application/gzip

[qubes-users] Cron not working on AppVMS based on Debian 9

[maurice]

Hi,

I'm not able to get the user crontab running, apparently this happens because 
threre's no crond service nor unit files:

systemctl status crond
Unit crond.service could not be found.

Being the only service available the cron mount:

systemctl | grep -i cron
var-spool-cron.mount loaded active mounted /var/spool/cron 

Does anyone knows how to get cron running persistently (i.e. after every 
reboot) so the user can run its cronta job?

Thank you.

John

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b4ea717d3aec55121fff2649dbe671e9%40disroot.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Yuraeitha]

On Wednesday, February 28, 2018 at 9:14:30 PM UTC+1, vel...@tutamail.com wrote:
> Chris if you could replicate the simplicity in your instruction for a 
> "kill-switc-VPN" for the this feature that would be awesome...
> 
> This seems like a great feature...I am getting up to speed on the Linux 
> commands but I suspect a lot of the laypeople(who likely need the security) 
> would appreciate this feature if they could understand the detailed steps, 
> even if simple.
> 
> Thanks again for all you do
> 
> V 
> 
> 
> https://groups.google.com/forum/#!searchin/qubes-users/vpn$20github%7Csort:date/qubes-users/FUQaRPWXPj8/SMlPfhwuAgAJ

To add to your thoughts V, maybe this could even be implemented it in Qubes 
directly, with a simple turn on/off switch or command? It seems like this would 
be helpful for new users seeking Qubes for privacy concerns. I know Qubes is 
primary focused on security, but it'd be a one step closer to make Qubes easy 
to use for people not into the terminal/how-to guides. It would also make it 
easier when upgrading a new Qubes, for example when Qubes 4.1. and Qubes 5 is 
out, and guides once again face questions as to if they work on a Qubes version 
or not (all over again).

What do you think Chris? is this realistic, feasible in terms of no newly 
introduces downsides, or even desired?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/563b393e-e5f9-4e3f-ac41-982a4220b0ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up

[Yuraeitha]

It seems from time to time that various people have shared a good unofficial 
script, guides and 'how to's', and even code, for Qubes related content, on 
their github page or similar. The problem however is that while shared, it 
isn't very visible, and even if they are from time to time mentioned in a mail 
thread, it quickly gets buried under many new mails. It often isn't feasible to 
use the search engine to find these either.

Of course everything could be put into the Qubes doc page. But first, it's 
getting pretty large and cluttered and will probably only grow bigger. Second, 
the Qubes doc page does not show on-going and un-finished work. The strength of 
seeing unfinished projects, is that we can help each others finish and test 
them. Scrutinize them for security issues and reliability issues, before they 
are considered for the Qubes doc page.

To solve an issue like this, it'd be helpful to have a place where we can keep 
track of everyone's projects which are shared for others to use. It may also be 
worth discussing on quality and security, and how we "censor"? bad 
scripts/guides/code. It could be done in many various of different ways, which 
is also why I think it'd make sense to open a discussion on the matter, so we 
can find the most preferred method. First though, a location might be ideal 
starting place, where to keep everything updated?

Initial thoughts
- A https://www.qubes-os.org/doc/ page listing all the unofficial projects. The 
most simple and easy way.

- A decentralized network shared links through wiki pages, linking from one to 
the next. Takes some work to maintain, but could be useful if properly done. 
The weakness is that it is very redundant and requires edits on every wiki page 
containing shared content in order to keep a network based source system up. A 
single maintained overview page would therefore be easier. The strength is that 
it builds up a stronger sense of inter-connected community and inter-awareness 
of each others github pages.

- An off-sight website which can build on unofficial content, keeping the Qubes 
official website clean from unofficial releases. The strength here is that more 
can be done to make answers to redundant questions more visible, and highlight 
unofficial solutions to which many people keep facing. The weakness is that it 
once more segments where Qubes users hangout, which might not be something we 
currently can afford. There are only about 30.000 Qubes users tops? and from 
them we often see the same people posting, and many of the new faces don't 
re-post very often. It would also require a reputation of reliability and 
trust, including carrying out these responsibilities too, on its own. 

Generally the main concern is the visibility of the effort that the community 
puts in Qubes, from the bottom-up, often goes to waste and few people see's it. 

Thoughts? maybe other new solutions or a modified one to one mentioned? I'm 
pretty sure there are many good ideas, opinions and insights out there, lets 
discuss this issue.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5d1fd248-de9c-4d4a-a8a8-c716a5e251a6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[velcro]

Chris if you could replicate the simplicity in your instruction for a 
"kill-switc-VPN" for the this feature that would be awesome...

This seems like a great feature...I am getting up to speed on the Linux 
commands but I suspect a lot of the laypeople(who likely need the security) 
would appreciate this feature if they could understand the detailed steps, even 
if simple.

Thanks again for all you do

V 


https://groups.google.com/forum/#!searchin/qubes-users/vpn$20github%7Csort:date/qubes-users/FUQaRPWXPj8/SMlPfhwuAgAJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/861e424b-3955-4fb4-a6fa-2915ff776105%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 01:49 PM, awokd wrote:

On Wed, February 28, 2018 6:34 pm, Chris Laprise wrote:

On 02/28/2018 11:31 AM, klausdiet...@mail2tor.com wrote:


Hey guys,


i have a big problem with "Anonymizing your MAC Address with macchanger
  and scripts". I used this Tutorial on the Qubes Doc:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/



Hi,


The macchanger section of the doc hasn't worked for a long time (search
the mailing list to see issues) and it never did work correctly, IMO.



Should it be deleted? I can put in a PR, but that won't leave much left on
that doc. Should what's left work on R4.0?




To answer your other question: Yes, the NM instructions work equally 
well under 3.2 and 4.0.


There's not much verbiage but that is often a good thing. I can expand 
it a bit by showing an additional NM config that generates a random MAC 
only once and retains it for each wifi access point.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a79e561-33ae-8c58-3639-0ecc8cff6a41%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 01:49 PM, awokd wrote:

On Wed, February 28, 2018 6:34 pm, Chris Laprise wrote:

On 02/28/2018 11:31 AM, klausdiet...@mail2tor.com wrote:


Hey guys,


i have a big problem with "Anonymizing your MAC Address with macchanger
  and scripts". I used this Tutorial on the Qubes Doc:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/



Hi,


The macchanger section of the doc hasn't worked for a long time (search
the mailing list to see issues) and it never did work correctly, IMO.



Should it be deleted? I can put in a PR, but that won't leave much left on
that doc. Should what's left work on R4.0?



That section has been defunct/abandoned for almost 2 years, so yeah it 
should be deleted. I know initially a lot of work went into it, but then 
interest quickly dropped off probably because the scripted approach 
wasn't practical for that task.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f7cb9dec-4ca1-21fd-d486-de2d6dd980d4%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: qrexec demon fails to load any VM when I attach any device

[Yuraeitha]

On Tuesday, February 27, 2018 at 7:55:09 PM UTC+1, Allen Larocque wrote:
> Thanks for the help.
> 
> The intel audio pci device is indeed listed in the qvm-pci list, and the 
> pulseaudio manager is 'connected', However, under 'devices' there's nothing 
> about the intel device - just 'combined monitor' as the source
> 
> 
> On Tuesday, 27 February 2018 10:09:37 UTC-8, Yuraeitha  wrote:
> > On Tuesday, February 27, 2018 at 6:58:11 PM UTC+1, Allen Larocque wrote:
> > > Thanks Yuraeitha for the thoughtful reply!
> > > 
> > > Hm. It doesn't seem to work in the other templates. I think it is a 
> > > driver issue. I've tried volume etc.; and switching through the 
> > > pulseaudio menus shows only 'simultaneous output' devices (which DO have 
> > > actively fluctuating 'volume bars' when playback is happening!). Under 
> > > 'config' there is 'no sound cards available for configuration'. 
> > > I've been trying some things and let me try to clarify:
> > > 
> > > 'lspci' lists '00:1b:0 Audio device: Intel Corporation 7 Serices/c210 
> > > Series Chipset Family High Definition Audio Controller (rev04)'
> > > I interpret that as the audio card being on the chipset (hence 'plugged 
> > > in' automatically).
> > > 
> > > 'aplay -l' however lists "no soundcards found". So alsa doesn't see it?
> > > 
> > > Alsa is a deeper level than pulseaudio generally, right? So if alsa 
> > > doesn't see it then it makes sense that pulseaudio doesn't either.
> > > 
> > > So: how to get alsa/pulseaudio to see it?
> > > 
> > > Thanks again for the gracious help!
> > > - Allen
> > > 
> > > On Tuesday, 27 February 2018 04:16:15 UTC-8, Yuraeitha  wrote:
> > > > On Tuesday, February 27, 2018 at 10:42:30 AM UTC+1, Allen Larocque 
> > > > wrote:
> > > > > Hi Qubes,
> > > > > First time installer here, trying to get my sound to work. Strangely, 
> > > > > speakers are broken, but headphones work fine.
> > > > > 
> > > > > Anytime I move my sound device from 'available' to 'selected' in a 
> > > > > given VM, the VM won't load and I get the 'qeexec demon' error. Same 
> > > > > thing when I move various other devices over (tested with USB ones). 
> > > > > I should need the audio device moved over in order for it to work in 
> > > > > a given VM, right?
> > > > > 
> > > > > Any thoughts? Running 3.2 on a Zenbook UX31A.
> > > > > 
> > > > > Thanks,
> > > > > Allen
> > > > 
> > > > Also if you moved the soundcard to a direct pass-through, and the 
> > > > soundcard hardware does not support the PCI pass-through feature. Then 
> > > > you need to make a full restart of Qubes OS (fully power down power in 
> > > > order to clean hardware memory). This is due to security reasons. If 
> > > > this is hitting you, then you may want to first undo the pass-through 
> > > > you made of your soundcard, and then make a full restart before trying 
> > > > the above suggestions.
> > 
> > np's :)
> > 
> > Try compare "qvm-pci list" with lspci, it's the same list, but it'll show 
> > you if the Qubes tools register the sound card. Also try look in the Qubes 
> > menu --> Systems Tools --> Pulseaudio Manager. See if the sound server is 
> > connected or disconnected here.
> > 
> > I can't write much more right now as I'm on the road and need to close the 
> > lid and move now, but checking these might get us a little closer with more 
> > information.
> > 
> > I can confirm I see my own soundcards with "aplay -l", so this command 
> > should indeed be working in Qubes it seems?
> > 
> > It sounds like a problem that is out of my league though, but I'll try to 
> > help where I can.

I apologies for the delay. I divided this post into two sections, one if you 
got USB controller in dom0, and the other if you got the USB controller in an 
AppVM. You'll need the link if you got your USB controller anywhere else but 
your dom0. If you got a sys-usb, then your USB controller is likely tied to 
that VM. If you don't have a sys-usb, and you didn't move the USB controller 
yourself, then the USB controller is still likely tied to dom0. The Qubes 
installer can automatically make a sys-usb at first system boot, but it won't 
always do it, for example if the USB controller can't be pass-through or if 
something important is tied to it, like touch devices often are.

Assuming your USB controller is indeed not located in dom0, then I believe your 
issue is actually a split two-part issue. It might be that system sound isn't 
working as you also suggested by being a driver issue, but your second issue is 
that your other soundcard, which is based on USB, won't work because you got 
your USB controller in sys-sub, and if the sound is passed to the sys-usb from 
your USB soundcard, then it can't communicate with your speakers since it's cut 
off from dom0. There is a small adjustment, which I haven't tried my self, that 
can make this work. See the link below for the official method to do this.

https://www.qubes-os.org/doc/external-audio/

I'm not 100% sure, but this 

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

['awokd' via qubes-users]

On Wed, February 28, 2018 6:34 pm, Chris Laprise wrote:
> On 02/28/2018 11:31 AM, klausdiet...@mail2tor.com wrote:
>
>> Hey guys,
>>
>>
>> i have a big problem with "Anonymizing your MAC Address with macchanger
>>  and scripts". I used this Tutorial on the Qubes Doc:
>> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
>>
>
> Hi,
>
>
> The macchanger section of the doc hasn't worked for a long time (search
> the mailing list to see issues) and it never did work correctly, IMO.
>

Should it be deleted? I can put in a PR, but that won't leave much left on
that doc. Should what's left work on R4.0?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/291b23e0548f10b6c2c9a9c025f9ad48.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[Chris Laprise]

On 02/28/2018 11:31 AM, klausdiet...@mail2tor.com wrote:

Hey guys,

i have a big problem with "Anonymizing your MAC Address with macchanger
and scripts". I used this Tutorial on the Qubes Doc:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/


Hi,

The macchanger section of the doc hasn't worked for a long time (search 
the mailing list to see issues) and it never did work correctly, IMO.



What should i do?



You should use the MAC randomization feature integrated into Network 
Manager, shown at the beginning of the doc.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5889aec9-7b15-0537-db74-f4ffbe54f938%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Yuraeitha]

On Wednesday, February 28, 2018 at 7:10:33 PM UTC+1, Braden wrote:
> On Wednesday, February 28, 2018 at 12:50:23 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> > > On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > > from dom0 terminal I am unable to resolve addresses. Same if I were 
> > > > > to try running firefox from dom0. Know this is because of security 
> > > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > > connect to dom0 from a vnc temporarily.
> > > > > 
> > > > There's almost never any need to do this. If you want to install
> > > > packages you can use the update mechanism. Otherwise download files in a
> > > > qube and then copy them in to dom0 and install them there.
> > > > If dom0 is compromised then all your qubes are open.
> > > > 
> > > > But you probably know this already.
> > > > 
> > > > As things stand it's difficult, but not impossible to access dom0. You
> > > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > > service to front to dom0. But really just dont do it: it subverts the
> > > > whole point in using Qubes.
> > > 
> > > btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> > > make changes to VM's from a remote location? Could the solution be to 
> > > upgrade to Qubes 4 and use that instead? I haven't yet went 
> > > discovering/understood the limitations of the Qubes 4 dom0 admin tools, 
> > > but isn't this a perfect match to his goal if he upgrades? Apologies if I 
> > > misunderstood how the dom0 admin features work, I haven't started using 
> > > it my self yet.
> > > 
> > 
> > Yes, it is.
> > OP could read this post
> > https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> My hardware is only 3.2 supported rn as you guessed, suppose I could explore 
> the unique service idea, is there anything similar on *nix

>From a security point of view, Qubes 4 is probably long past the point to 
>surpass the security risk there is to opening up dom0 to networking (if 
>comparing the two situations purely from a security risk point of view). So if 
>you got the time for it, it might be worth it to install Qubes to gain access 
>to the dom0 admin tools. In terms of reliability, well personally I feel Qubes 
>4 is pretty stable, I haven't had any major issues. But they're still working 
>on it, though, I believe it's because they want it to as perfect as possible. 
>It's very different from being ready to release, and to release something near 
>a perfection goal. Well obviously perfection is a dangerous word to use, but 
>it can translated into high quality instead. That's how I perceive it at 
>least. If you got the time, it may be worth upgrading.

Perhaps others may put in a word for how ready they perceive Qubes 4 is for 
productivity and mission critical work. Since it isn't officially released as 
as a final release yet, the more views on this matter, the merrier and more 
accurate it'll be. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be1bf8de-b80e-46ab-b0c0-5e20e89eb281%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Braden]

On Wednesday, February 28, 2018 at 12:50:23 PM UTC-5, Unman wrote:
> On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> > On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > from dom0 terminal I am unable to resolve addresses. Same if I were to 
> > > > try running firefox from dom0. Know this is because of security 
> > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > connect to dom0 from a vnc temporarily.
> > > > 
> > > There's almost never any need to do this. If you want to install
> > > packages you can use the update mechanism. Otherwise download files in a
> > > qube and then copy them in to dom0 and install them there.
> > > If dom0 is compromised then all your qubes are open.
> > > 
> > > But you probably know this already.
> > > 
> > > As things stand it's difficult, but not impossible to access dom0. You
> > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > service to front to dom0. But really just dont do it: it subverts the
> > > whole point in using Qubes.
> > 
> > btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> > make changes to VM's from a remote location? Could the solution be to 
> > upgrade to Qubes 4 and use that instead? I haven't yet went 
> > discovering/understood the limitations of the Qubes 4 dom0 admin tools, but 
> > isn't this a perfect match to his goal if he upgrades? Apologies if I 
> > misunderstood how the dom0 admin features work, I haven't started using it 
> > my self yet.
> > 
> 
> Yes, it is.
> OP could read this post
> https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
My hardware is only 3.2 supported rn as you guessed, suppose I could explore 
the unique service idea, is there anything similar on *nix

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e82e49e9-823a-4b81-8e85-db14b5edb6ef%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Anonymizing your MAC Address with macchanger and scripts

[Yuraeitha]

On Wednesday, February 28, 2018 at 5:55:03 PM UTC+1, klausd...@mail2tor.com 
wrote:
> Hey guys,
> 
> i have a big problem with "Anonymizing your MAC Address with macchanger
> and scripts". I used this Tutorial on the Qubes Doc:
> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
> 
> Everytime it happens the same:
> 
> 1) I create the file macspoof@.service with sudo gedit
> /etc/systemd/system/macspoof@.service
> 
> 
> 2) I copie the text in the newly created gedit file:
> 
> [Unit]
> Description=macchanger on %I
> # Hack since macspoof@%i contains @ which is not allowed yet
> ConditionPathExists=/var/run/qubes-service/macspoof-%i
> Wants=network-pre.target
> Before=network-pre.target
> BindsTo=sys-subsystem-net-devices-%i.device
> After=sys-subsystem-net-devices-%i.device
> 
> [Service]
> ExecStart=/usr/bin/macchanger -e %I
> Type=oneshot
> 
> [Install]
> WantedBy=multi-user.target
> 
> 
> 3) In the Fedora Terminal is says:
> 
> [user@fedora-23 ~]$ sudo gedit /etc/systemd/system/macspoof@.service
> 
> (gedit:1029): Gtk-WARNING **: Calling Inhibit failed:
> GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
> org.gnome.SessionManager was not provided by any .service files
> 
> What should i do?

It could be that you're using fedora 23? It's no longer supported, and maybe 
it's unable of talking with the rest of your Qubes system in a proper way, thus 
perhaps that is why it fails for you. Are you sure you keep dom0/templates 
updated in sync with each others? For example your dom0 may be updated, but 
your fedora-23 template isn't since its no longer maintained.

Fedora 24/25 is no good either, you need to go all the way to fedora-26. Fedora 
27 is out too, but it's not fully supported by Qubes yet. So fedora-26 is what 
you want. You can download and install it with "sudo qubes-dom0-update 
qubes-template-fedora-26" <--- it will take a while, especially if you got a 
slow connection or system. Be sure you got plenty of gigabyte space ready for 
it to install on, it'll take a bit more space to install before it shrinks 
again when finished.

Update the template fully, and try perform your script in the fedora-26 
template instead.

Also be sure you change your sys-net and sys-firewall, and other VM's that run 
on out of date and no longer supported templates. You need to fully change all 
of them away from fedora-23, before you can delete the old fedora-23 as well.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d87520ac-fd1f-4e81-bc31-cccfac16c89e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Yuraeitha]

On Wednesday, February 28, 2018 at 6:51:14 PM UTC+1, Braden wrote:
> On Wednesday, February 28, 2018 at 12:50:17 PM UTC-5, Braden wrote:
> > On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > > Performing some modifications to dom0, but when I run apps like wget 
> > > > from dom0 terminal I am unable to resolve addresses. Same if I were to 
> > > > try running firefox from dom0. Know this is because of security 
> > > > benefits, but how can I enable networking from there. Say I wanted to 
> > > > connect to dom0 from a vnc temporarily.
> > > > 
> > > There's almost never any need to do this. If you want to install
> > > packages you can use the update mechanism. Otherwise download files in a
> > > qube and then copy them in to dom0 and install them there.
> > > If dom0 is compromised then all your qubes are open.
> > > 
> > > But you probably know this already.
> > > 
> > > As things stand it's difficult, but not impossible to access dom0. You
> > > could open a channel to allow vnc to a qube and use socat and an rpc
> > > service to front to dom0. But really just dont do it: it subverts the
> > > whole point in using Qubes.
> > 
> > Fair enough, suppose will copy the package to dom0 and then install my vnc 
> > server there, but would the firewall refuse to allow connections just like 
> > how firefox and wget refuse in dom0?
> 
> Only need VNC client connections working that is

Is VNC capable of something that can't be done with the Qubes 4 dom0/admin 
tools? Just curious, maybe it can be solved.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0f68731-3750-4ad4-bc00-d8b193b770f5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

['awokd' via qubes-users]

On Wed, February 28, 2018 5:53 pm, Unman wrote:

>
> By design dom0 has no networking.
> If you MUST break Qubes , and you cant use the admin features in 4.0
> (see my last post),then you'll have to use some service to pass data in
> and out of dom0 WITHOUT networking.

Another option for remote access might be a TCP/IP based hardware KVM, or
equivalent built in to your computer already like IPMI or DRAC. Obviously,
Qubes can't provide any security beyond a screensaver password from an
attack using those.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a79d274a6d4760d691f20c236232627.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Unman]

On Wed, Feb 28, 2018 at 09:50:17AM -0800, Braden wrote:
> On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > service to front to dom0. But really just dont do it: it subverts the
> > whole point in using Qubes.
> 
> Fair enough, suppose will copy the package to dom0 and then install my vnc 
> server there, but would the firewall refuse to allow connections just like 
> how firefox and wget refuse in dom0?
> 

By design dom0 has no networking.
If you MUST break Qubes , and you cant use the admin features in 4.0
(see my last post),then you'll have to use some service to pass data in
and out of dom0 WITHOUT networking.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180228175308.z6tkj4poeopfxmke%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Braden]

On Wednesday, February 28, 2018 at 12:50:17 PM UTC-5, Braden wrote:
> On Wednesday, February 28, 2018 at 12:38:49 PM UTC-5, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > service to front to dom0. But really just dont do it: it subverts the
> > whole point in using Qubes.
> 
> Fair enough, suppose will copy the package to dom0 and then install my vnc 
> server there, but would the firewall refuse to allow connections just like 
> how firefox and wget refuse in dom0?

Only need VNC client connections working that is

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/75ce23b7-1350-473c-b89c-2ceb75274e7c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Unman]

On Wed, Feb 28, 2018 at 09:48:43AM -0800, Yuraeitha wrote:
> On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> > On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > > Performing some modifications to dom0, but when I run apps like wget from 
> > > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > > running firefox from dom0. Know this is because of security benefits, but 
> > > how can I enable networking from there. Say I wanted to connect to dom0 
> > > from a vnc temporarily.
> > > 
> > There's almost never any need to do this. If you want to install
> > packages you can use the update mechanism. Otherwise download files in a
> > qube and then copy them in to dom0 and install them there.
> > If dom0 is compromised then all your qubes are open.
> > 
> > But you probably know this already.
> > 
> > As things stand it's difficult, but not impossible to access dom0. You
> > could open a channel to allow vnc to a qube and use socat and an rpc
> > service to front to dom0. But really just dont do it: it subverts the
> > whole point in using Qubes.
> 
> btw, isn't it possible that he can use the Qubes 4 dom0 admin features to 
> make changes to VM's from a remote location? Could the solution be to upgrade 
> to Qubes 4 and use that instead? I haven't yet went discovering/understood 
> the limitations of the Qubes 4 dom0 admin tools, but isn't this a perfect 
> match to his goal if he upgrades? Apologies if I misunderstood how the dom0 
> admin features work, I haven't started using it my self yet.
> 

Yes, it is.
OP could read this post
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180228175017.pagkei4aq3xial7h%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Yuraeitha]

On Wednesday, February 28, 2018 at 6:38:49 PM UTC+1, Unman wrote:
> On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> > Performing some modifications to dom0, but when I run apps like wget from 
> > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > running firefox from dom0. Know this is because of security benefits, but 
> > how can I enable networking from there. Say I wanted to connect to dom0 
> > from a vnc temporarily.
> > 
> There's almost never any need to do this. If you want to install
> packages you can use the update mechanism. Otherwise download files in a
> qube and then copy them in to dom0 and install them there.
> If dom0 is compromised then all your qubes are open.
> 
> But you probably know this already.
> 
> As things stand it's difficult, but not impossible to access dom0. You
> could open a channel to allow vnc to a qube and use socat and an rpc
> service to front to dom0. But really just dont do it: it subverts the
> whole point in using Qubes.

btw, isn't it possible that he can use the Qubes 4 dom0 admin features to make 
changes to VM's from a remote location? Could the solution be to upgrade to 
Qubes 4 and use that instead? I haven't yet went discovering/understood the 
limitations of the Qubes 4 dom0 admin tools, but isn't this a perfect match to 
his goal if he upgrades? Apologies if I misunderstood how the dom0 admin 
features work, I haven't started using it my self yet.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ae2f8296-7702-4db2-a327-b73bda521016%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: firewall/proxy VM not working with Qubes 4.0-rc4

[thorsten . schierer]

> Could you try this:
> qvm-prefs sys-firewall | grep netvm
> it should say sys-net? Y/N

yes, result is sys-net


> Even if it states sys-net, let's try to force it again
> qvm-prefs sys-firewall -s netvm sys-net

that command did not work due to wrong syntax, so I did:

qvm-prefs --set sys-firewall netvm sys-net

If sys-firewall is shut down, the command works.
If sys-firewall is running, the command fails with the error:
"no such preoperty: 'netvm'", in addition if sys-firewall is running while I do 
this, the eth0 interface is removed from sys-firewall.


> and try the arp -an in sys-firewall again

Still the same result:
? (10.137.0.5) at  on eth0

Maybe I should try to look into the script(s) that are running when using 
"qvm-prefs --set sys-firewall netvm sys-net"?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/72a9400d-c705-4360-b0c1-b55afe3a496d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 connectivity for maintenance

[Unman]

On Wed, Feb 28, 2018 at 08:52:07AM -0800, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from 
> dom0 terminal I am unable to resolve addresses. Same if I were to try running 
> firefox from dom0. Know this is because of security benefits, but how can I 
> enable networking from there. Say I wanted to connect to dom0 from a vnc 
> temporarily.
> 
There's almost never any need to do this. If you want to install
packages you can use the update mechanism. Otherwise download files in a
qube and then copy them in to dom0 and install them there.
If dom0 is compromised then all your qubes are open.

But you probably know this already.

As things stand it's difficult, but not impossible to access dom0. You
could open a channel to allow vnc to a qube and use socat and an rpc
service to front to dom0. But really just dont do it: it subverts the
whole point in using Qubes.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180228173843.q24zbrs6csjrue7w%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Dom0 connectivity for maintenance

[Braden]

On Wednesday, February 28, 2018 at 12:11:34 PM UTC-5, Yuraeitha wrote:
> On Wednesday, February 28, 2018 at 5:52:07 PM UTC+1, Braden wrote:
> > Performing some modifications to dom0, but when I run apps like wget from 
> > dom0 terminal I am unable to resolve addresses. Same if I were to try 
> > running firefox from dom0. Know this is because of security benefits, but 
> > how can I enable networking from there. Say I wanted to connect to dom0 
> > from a vnc temporarily.
> 
> I also believe you can just add the extra repository to make dom0 
> install/update in a secure way, without attaching the network directly to 
> dom0. But as mentioned above, first, what is it you actually want to do?

Understandable, I'd need to install a VNC into dom0 so I can easily change hvms 
and appvm settings from work, so how should I go about attaching the network. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b2ed9145-6b74-4cbb-9eba-f34548bd9c66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Dom0 connectivity for maintenance

[Yuraeitha]

On Wednesday, February 28, 2018 at 5:52:07 PM UTC+1, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from 
> dom0 terminal I am unable to resolve addresses. Same if I were to try running 
> firefox from dom0. Know this is because of security benefits, but how can I 
> enable networking from there. Say I wanted to connect to dom0 from a vnc 
> temporarily.

I also believe you can just add the extra repository to make dom0 
install/update in a secure way, without attaching the network directly to dom0. 
But as mentioned above, first, what is it you actually want to do?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/98cf3860-685f-4d1b-9562-b11ad62dfebe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Dom0 connectivity for maintenance

[Yuraeitha]

On Wednesday, February 28, 2018 at 5:52:07 PM UTC+1, Braden wrote:
> Performing some modifications to dom0, but when I run apps like wget from 
> dom0 terminal I am unable to resolve addresses. Same if I were to try running 
> firefox from dom0. Know this is because of security benefits, but how can I 
> enable networking from there. Say I wanted to connect to dom0 from a vnc 
> temporarily.

I think this might be possible without too much trouble, but before that, what 
is it you want to install in dom0? Are you sure you can't use existing means or 
do it from an AppVM? 

For example if you need htop or something else in the fedora repositories, you 
can do "sudo qubes-dom0-update htop" which will install htop in dom0. Same with 
everything else in fedora repositories.

What kind of program is it you need to install in dom0? The general notion is 
that its best to not install anything there at all, which becomes a stronger 
and stronger reinforced point at every new Qubes released version, when less 
and less is needed to be done in dom0. 

Does what you want to archive have to be in dom0 to get it working? 
Is it possible you can tell us what you want to archive/install? There might be 
other/better ways to do it. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0560b097-2dc2-41bd-8c0e-104d2c215cda%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Anonymizing your MAC Address with macchanger and scripts

[KlausDieter2]

Hey guys,

i have a big problem with "Anonymizing your MAC Address with macchanger
and scripts". I used this Tutorial on the Qubes Doc:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Everytime it happens the same:

1) I create the file macspoof@.service with sudo gedit
/etc/systemd/system/macspoof@.service


2) I copie the text in the newly created gedit file:

[Unit]
Description=macchanger on %I
# Hack since macspoof@%i contains @ which is not allowed yet
ConditionPathExists=/var/run/qubes-service/macspoof-%i
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target


3) In the Fedora Terminal is says:

[user@fedora-23 ~]$ sudo gedit /etc/systemd/system/macspoof@.service

(gedit:1029): Gtk-WARNING **: Calling Inhibit failed:
GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
org.gnome.SessionManager was not provided by any .service files

What should i do?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/91ed37b131ab893801536fb4e69940ed.squirrel%40_.
For more options, visit https://groups.google.com/d/optout.

Re: Re: Re: AW: Re: [qubes-users] Installing Chrome

[Yuraeitha]

On Tuesday, February 27, 2018 at 11:16:46 PM UTC+1, [799] wrote:
> Hello Yuraeitha,
> 
> Thanks for the clarification, I think we share some common values.
> 
> 
> 
> -- 
> Qubes 4rc3 > Lenovo X230 + Lenovo W540
> 
> Gesendet von ProtonMail mobile
> 
> 
> 
> 
>  Original-Nachricht 
> An 27. Feb. 2018, 02:48, Yuraeitha schrieb:
> 
> 
> 
> > Okay I may have come on a bit strong worded,
> > I apologize that I ended up being rude.
> > Nevertheless I'm not reclaiming my criticism
> > before convinced otherwise. 
> 
> Thanks for the reply, as always in written communication it's sometimes hard 
> to read the intention by just reading the words.
> 
> 
> > I definitely have projects I'm working on, such
> > as QubesTV, QubesNAS, Qubes update script,
> > Qubes screenshot scripts, etc. 
> 
> If possible share it, I am heavily interested in a better screenshot solution 
> and come up with a first prototype to be able to copy a screenshot (made in 
> dom0) into the clipboard of a predefined AppVM.
> (Search for qvm-screenshot-to-clipboard on GitHub)
> Warning: it is a working solution but currently without any error handling, 
> happy to hear feedback from a security view as I am far away from being an 
> expert there.
> 
> > My beef with this is that Qubes is about being
> > open source, decentralization (Qubes Air
> > which was planned almost a decade ago
> > now), retaining control of ones own system,
> > etc. If there are just as good open source
> > solutions, or even nearly just as good ones,
> > then these should be mentioned and
> > included. 
> 
> I totally agree and that is what I am doing  everyday when I talk to my 
> "enterprise" customers when the decide to use windows or VMware just because 
> it is "more of an enterprise solution" (mainly because it costs money :-/).
> Of course I don't agree with this argument.
> Open Source is great, and if I would have known about an open source solution 
> I would have mention this.
> 
> > While sure Qubes is primarily about security
> > and less focused about privacy, but Qubes is
> > also about open source and retaining control
> > of your system.
> 
> Agreed and I think that you can still gain privacy and security benefits when 
> using "closed source" solution with Qubes just by using different Qubes.
> Let me put it this way, if I am really concerned about privacy I would not 
> use Amazon Prime/Netflix at all because you become very transparent when 
> someone knows what you are watching/reading and when.
> 
> > To put this straight, I don't care if users can
> > just choose to do something else, the fact
> > that it's not following the spirit of what Qubes
> > is all about, is what I care about.
> 
> Understand you point, still I think that every person who is using Linux or 
> even better Qubes is a large win as more people learn that there are 
> alternatives.
> Maybe the use Linux and Chrome in the beginning and some day companies see 
> that there is a critical mass, so that it makes sense to develop cross 
> platform solution.
> I don't expect that every company has to go open source, maybe because they 
> want to protect their ownership/development costs. But I would like to use 
> their software on my Operation System of choice.
> So the biggest topic is not that I have to use closed source/proprietary 
> software but that I need to sacrifice lots of features  when working in the 
> classic "enterprise app" environment.
> Example:
> 
> Our ERP System, Our CTI Application (ESTOS), Cisco WebEx/Cisco Jabber/Spark, 
> Microsoft Office/Outlook, our main IT Service Tool (Remote Desktop Manager) 
> are mainly running on top of of Windows, some offer a limited feature set 
> when using web-alternatives, but there are no native Linux Apps, which is 
> shame.
> I am running Qubes OS as primary OS but it is (for my job role) impossible 
> without using Windows or other closed source apps.
> That's also why I really hope to see ongoing Windows AppVM support in Qubes 
> which I honestly think is a major feature being able to run Qubes.
> 
> > (...) I also enjoy discussions trying to reach a
> > common shared ground. That's what
> > discussions are all about to begin with after
> > all. 
> 
> Agreed.
> 
> [799]

I'm glad that we're on good terms again, it's been bothering me a lot since I 
made that mistake. You make a good point that it can be hard to read peoples 
intends in written communication too, with the lack of body language and voice, 
dynamic communication and such, I definitely agree. Although I could have 
written that much better by not making that mistake, so it's still my fault 
even so, I will have to learn from that experience.

I can relate with the Windows issues, I've recently become fully Linux (Qubes) 
by finally becoming fully accustomed when I ditched MS-Office for LibreOffice 
(I couldn't do that for years, but finally made it fully across), which was my 
last nail in the Microsoft coffin. But I still have friends, and the 

[qubes-users] Dom0 connectivity for maintenance

[Braden]

Performing some modifications to dom0, but when I run apps like wget from dom0 
terminal I am unable to resolve addresses. Same if I were to try running 
firefox from dom0. Know this is because of security benefits, but how can I 
enable networking from there. Say I wanted to connect to dom0 from a vnc 
temporarily.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/431b70dd-8c1d-4cb8-aa7e-1c62fe17b6ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Clearing qubes-dom0-cached packages

[Yuraeitha]

On Tuesday, February 27, 2018 at 7:42:54 PM UTC+1, Chris Laprise wrote:
> On 02/27/2018 12:42 PM, Yuraeitha wrote:
> > On Tuesday, February 27, 2018 at 6:08:57 PM UTC+1, awokd wrote:
> >> On Tue, February 27, 2018 5:00 pm, Yuraeitha wrote:
> >>
> >>> I'm working on an update script btw, which might solve issues like these.
> >>
> >> I haven't tested it but I noticed there's a clean action, so you can do:
> >>
> >> sudo qubes-dom0-update --action=clean
> >>
> >> Not exactly sure what it does but it might simplify things if it works.
> > 
> > Yes that is a good trick, but Marek recently told me not to use it though, 
> > from what I understand it's because it causes extra load on the server, 
> > which is bad if too many people does it. So the clean command is probably 
> > really good if only used sparingly once in a while. But maybe it could be 
> > used in the script with some kind of countdown, like for example if it only 
> > cleans once a month? But would that be useful though?
> > 
> > I didn't mention or show the script to Marek, as it was only a few days 
> > afterwords I started working on it. But he did tell me to use --refresh 
> > instead when he saw I used the clean command. I found the --refresh flag in 
> > fedora template, but I couldn't get it to work in dom0. Though I found 
> > --check-only in the qubes-dom0-update manual, presumably it's the same as 
> > --refresh and only updates the metadata? Seemingly debian does it all 
> > automatically already too. uh, too many questions that needs sorted out. I 
> > definitely need these sorted out with a degree of certainty before I give 
> > this script to other people, I don't want to risk messing someone elses 
> > Qubes system up with it, that would suck.
> > 
> > So maybe clean is not needed if metadata are cleaned? I believe the clean 
> > command works very well indeed, but from what I understood from Marek at 
> > the time, it might overdo it.
> > 
> > I'll see if I can upload the script when I get home later today so you can 
> > see it (I'm on the road atm), I'll post a link here so it's easier to 
> > discuss any potential pitfalls in it.
> > 
> 
> FWIW, I'm working on porting my updater to 4.0. The existing version 
> already uses "clean packages" and I may add --refresh (which has worked 
> for me) as well.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Neat! It's good to have better solutions around :)

I just checked yours out by following your github link. Your Qubes updater is 
much more advanced than mine, I won't even pretend I can fully read it. My 
script is essentially just a compile of binary commands, so yours is definitely 
superior.

Since I promised to upload it, I will still do so, though it's now probably 
better suited for learning/educational purposes instead, now when there are 
better options available :) 
https://github.com/Aekez/scripting-qubes/blob/master/check-Qubes-updates-by-metadata.sh

As noted before, despite that the script works, it's still 
experimental/unfinished/untested.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e170e4e9-68ff-4a74-ae64-7d51aa84f72b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Kali-rolling issue: kali-defaults collides with qubes-core-agent

['Max Andersen' via qubes-users]

Hi,

I get an error when installing Kali rolling using the Qubes-guide : 
https://www.qubes-os.org/doc/pentesting/kali/#create-a-kali-linux-rolling-template


The error comes when installing kali-defaults, which seems to collide 
with qubes-core-agent:


user@Kali-Rolling:~$ sudo apt --fix-broken install
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
  kali-defaults
The following NEW packages will be installed:
  kali-defaults
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
1435 not fully installed or removed.
Need to get 0 B/1,545 kB of archives.
After this operation, 2,722 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 304913 files and directories currently installed.)
Preparing to unpack .../kali-defaults_2018.2.0_all.deb ...
Leaving 'diversion of /etc/skel/.bashrc to /etc/skel/.bashrc.original by 
kali-defaults'
Leaving 'diversion of 
/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xsettings.xml to 
/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xsettings.xml.original by 
kali-defaults'

Unpacking kali-defaults (2018.2.0) ...
dpkg: error processing archive 
/var/cache/apt/archives/kali-defaults_2018.2.0_all.deb (--unpack):
 trying to overwrite '/etc/dconf/profile/user', which is also in 
package qubes-core-agent 4.0.20-1+deb9u1

dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/kali-defaults_2018.2.0_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
user@Kali-Rolling:~$

I've tried forcing to no avail. Even trying to uninstall 
qubes-core-agent, but It seems to be demanding more packages to be 
uninstalled, than I might think maybe necessary.


user@Kali-Rolling:~$ sudo apt-get remove qubes-core-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 kali-desktop-common : Depends: kali-defaults but it is not going to be 
installed
 qubes-core-agent-networking : Depends: qubes-core-agent but it is not 
going to be installed
 qubes-gui-agent : Depends: qubes-core-agent (>= 3.0.14) but it is not 
going to be installed
 qubes-input-proxy-sender : Depends: qubes-core-agent (>= 3.0.25) but 
it is not going to be installed
 qubes-vm-dependencies : Depends: qubes-core-agent but it is not going 
to be installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages 
(or specify a solution).

user@Kali-Rolling:~$


Any ideas?

Sincerely

Max

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f8c98e44-918d-baed-0a7f-88d66a39b197%40militant.dk.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4 and coreboot

[qubes-os]

MirrorWay:

Thank you. Very helpful to know.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18f6ccfb-fa69-d952-bb4e-3fc3d319a371%40go-bailey.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: sys-usb / template install yubikey tools ?

[Alex Dubois]

On Wednesday, 28 February 2018 06:37:14 UTC, ThierryIT  wrote:
> Le samedi 24 février 2018 21:49:49 UTC+2, Alex Dubois a écrit :
> > On Wednesday, 21 February 2018 09:01:45 UTC, ThierryIT  wrote:
> > > Le mercredi 14 février 2018 09:49:37 UTC+2, ThierryIT a écrit :
> > > > Le dimanche 11 février 2018 10:08:52 UTC+2, ThierryIT a écrit :
> > > > > Le samedi 10 février 2018 22:58:15 UTC+2, Alex Dubois a écrit :
> > > > > > > On 10 Feb 2018, at 17:46, ThierryIT  wrote:
> > > > > > > 
> > > > > > > Le samedi 10 février 2018 01:44:36 UTC+2, Alex Dubois a écrit :
> > > > > > >> On Saturday, 3 February 2018 22:42:46 UTC, Alex Dubois  wrote:
> > > > > > >>> On Saturday, 3 February 2018 10:12:25 UTC, ThierryIT  wrote:
> > > > > >  Le vendredi 19 janvier 2018 13:19:29 UTC+2, Alex Dubois a 
> > > > > >  écrit :
> > > > > > >> On Friday, 19 January 2018 05:57:16 UTC, ThierryIT  wrote:
> > > > > > >> Not familiar with this ... Will need procediure to follow.
> > > > > > >> 
> > > > > > >> 
> > > > > > >> Le mercredi 17 janvier 2018 23:03:31 UTC+2, Alex Dubois a 
> > > > > > >> écrit :
> > > > > > >>> On Wednesday, 17 January 2018 15:15:45 UTC, ThierryIT  
> > > > > > >>> wrote:
> > > > > >  No, I am still under R3.2
> > > > > >  
> > > > > >  Le mercredi 17 janvier 2018 16:54:58 UTC+2, awokd a écrit :
> > > > > > > On Wed, January 17, 2018 2:09 pm, ThierryIT wrote:
> > > > > > >> "https://github.com/adubois/qubes-app-linux-yubikey;
> > > > > > >> 
> > > > > > >> 
> > > > > > >> Le mercredi 17 janvier 2018 16:05:52 UTC+2, awokd a 
> > > > > > >> écrit :
> > > > > > >> 
> > > > > > >>> On Wed, January 17, 2018 1:09 pm, ThierryIT wrote:
> > > > > > >>> 
> > > > > >  Nobody ?
> > > > > >  
> > > > > >  
> > > > > >  
> > > > > >  Le mercredi 17 janvier 2018 09:23:34 UTC+2, ThierryIT 
> > > > > >  a écrit :
> > > > > >  
> > > > > >  
> > > > > > > Hi,
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > I am going to install a new sys-usb.
> > > > > > > I have before to install all what I need to the 
> > > > > > > template (fedora-26)
> > > > > > > first. When following your procedure:
> > > > > > > 
> > > > > > > 
> > > > > > > ykpers has been installed but: I cannot do the same 
> > > > > > > for
> > > > > > > qubes-yubikey-vm and qubes-yubikey-dom0 :
> > > > > > > 
> > > > > > > no match for argument
> > > > > > > 
> > > > > > > ideas ?
> > > > > > >>> 
> > > > > > >>> Not quite sure what you are trying to do here. What 
> > > > > > >>> procedure? What
> > > > > > >>> command are you entering?
> > > > > > > 
> > > > > > > Are you trying this on Qubes 4.0? Those Yubikey packages 
> > > > > > > might not be in
> > > > > > > the Qubes repo yet.
> > > > > > >>> 
> > > > > > >>> Hi,
> > > > > > >>> 
> > > > > > >>> I have not maintained this for some time. So long that I 
> > > > > > >>> can't remember if the packages had been created/tested, I 
> > > > > > >>> don't think they have.
> > > > > > >>> 
> > > > > > >>> Best is you follow the steps to build it on a new temporary 
> > > > > > >>> VM, don't be afraid it should not be too hard:
> > > > > > >>> - Execute the yum command in "Build dependancies"
> > > > > > >>> - Also install pam-devel
> > > > > > >>> - Follow the steps in preparing the build and build
> > > > > > >>> - Deploy the code in Dom0 and the USB VM.
> > > > > > >>> 
> > > > > > >>> I am about to upgrade to Qubes 4.0 rc4 (when released) so 
> > > > > > >>> won't probably be able to help until this is done.
> > > > > > >>> 
> > > > > > >>> Any help from someone who is used to packaging under Fedora 
> > > > > > >>> would be nice.
> > > > > > >>> 
> > > > > > >>> Alex
> > > > > > > 
> > > > > > > Sure, I'll update the doc and post here. However as I said 
> > > > > > > don't want to touch my Qubes set-up before my upgrade to 4.0 
> > > > > > > rc4. So might be in 2-3weeks
> > > > > >  
> > > > > >  Did you upgrade to Q4R4 ?
> > > > > > >>> 
> > > > > > >>> I'm in the process. Having issues with PCI path-through of my 
> > > > > > >>> second NIC that I need to solve. I have to use PV mode for now 
> > > > > > >>> and not too happy to have too. I'll open another thread if I 
> > > > > > >>> can't find a way...
> > > > > > >> 
> > > > > > >> Hi Thierry,
> > > > > > >> 
> > > > > > >> I have recompiled it OK. This was working on R3.2. You can test 
> > > > > > >> it on R4 but no idea if it will