date:20180315

Templates do not need to connect to anything.

Open a dom0 terminal (xterm/uxterm) and type 'journalctl -f'
then open a fedora-26 terminal and type 'sudo yum update'

then tell us what it says on the dom0 journalctl output.

Type 'sudo vi /etc/qubes-rpc/policy/qubes.UpdatesProxy'
Its going to look like this:

$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

Make sure the last line points to your sys-net.

Go into your sys-net qube settings. (Right click>settings>Services)
Go to the last tab, Services. Type "qubes-updates-proxy" click add.

If the qube is running, open a terminal and type "systemctl restart
qubes-updates-proxy"

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/0aa3941b-3d2c-485d-be68-d8534a0eae34%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?

Dual booting is only secure if you remove the HDD/SSD with the other operating 
system on it. 

having two hard drives is essentially, no more or less secure than having one.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/936a47b8-d3bb-4af1-b921-b594ced5cac2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: How to show boot entries?

On Thursday, March 15, 2018 at 7:08:25 AM UTC+1, coeu...@gmail.com wrote:
> Hello, guys. 
> 
> I want to show boot entries so that I can select certain kernel to boot, and 
> I'm using EFI/qubes/xen.efi as boot binary. Currently, it will directly boot 
> the default kernel. Could anyone give some advices?
> 
> BTW, here is the reason: I have multiple kernels installed and 
> kernel-latest-4.15.6-1 may raise kernel panic errors on Raven Ridge platform, 
> but kernel-4.14.18-1 works just fine.
> 
> Thanks!
> D.F.

Two methods I know of, but there are probably other ways too, i.e. via the EFI 
Shell. 

- Use a secure live boot, access dom0, unlock your encryption, then go here and 
use an editor to edit the file /boot/efi/EFI/qubes/xen.cfg (most straight 
forward between the two approaches here, but be careful you don't make dom0 
less secure with the live boot access).

- Install Grub, and use Grub to boot EFI installs. This way you can have 
multiple EFI kernel boots.


I'm not familiar with the other EFI methods to switch the kernel, you may want 
to wait for more answers to see first. Careful you don't overwrite anything 
important if you choose to install Grub. Be mindful you may need to manually 
adjust Grub as well to make it work. Thereby, the first option is probably the 
most easy of the two. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7b3d2068-088c-4f77-88fb-97c82368c828%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to show boot entries?

2018-03-15 Thread CoeusITE

Thanks, Yuraeitha!

It seems xen.cfg is stored in the EFI partition, and I can modify it within
dom0 or through Fedora Live without decryption. However I don’t know how to
modify it.

I think I should add some parameters in [global] section of xen.cfg, but I
fail to find any tips from Xen’s official documents.
On Thu, Mar 15, 2018 at 18:13 Yuraeitha  wrote:

> On Thursday, March 15, 2018 at 7:08:25 AM UTC+1, coeu...@gmail.com wrote:
> > Hello, guys.
> >
> > I want to show boot entries so that I can select certain kernel to boot,
> and I'm using EFI/qubes/xen.efi as boot binary. Currently, it will directly
> boot the default kernel. Could anyone give some advices?
> >
> > BTW, here is the reason: I have multiple kernels installed and
> kernel-latest-4.15.6-1 may raise kernel panic errors on Raven Ridge
> platform, but kernel-4.14.18-1 works just fine.
> >
> > Thanks!
> > D.F.
>
> Two methods I know of, but there are probably other ways too, i.e. via the
> EFI Shell.
>
> - Use a secure live boot, access dom0, unlock your encryption, then go
> here and use an editor to edit the file /boot/efi/EFI/qubes/xen.cfg (most
> straight forward between the two approaches here, but be careful you don't
> make dom0 less secure with the live boot access).
>
> - Install Grub, and use Grub to boot EFI installs. This way you can have
> multiple EFI kernel boots.
>
>
> I'm not familiar with the other EFI methods to switch the kernel, you may
> want to wait for more answers to see first. Careful you don't overwrite
> anything important if you choose to install Grub. Be mindful you may need
> to manually adjust Grub as well to make it work. Thereby, the first option
> is probably the most easy of the two.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/CZ5vMNL_c7k/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/7b3d2068-088c-4f77-88fb-97c82368c828%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAnMqodf-M8atc5C7U1Nyq-G7Hn6vP_DqUyR-qd9n0jr__tNrA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to show boot entries?

On Thursday, March 15, 2018 at 11:23:59 AM UTC+1, CoeusITE wrote:
> Thanks, Yuraeitha! 
> 
> It seems xen.cfg is stored in the EFI partition, and I can modify it within 
> dom0 or through Fedora Live without decryption. However I don’t know how to 
> modify it. 
> 
> I think I should add some parameters in [global] section of xen.cfg, but I 
> fail to find any tips from Xen’s official documents.
> 
> 
> On Thu, Mar 15, 2018 at 18:13 Yuraeitha  wrote:
> On Thursday, March 15, 2018 at 7:08:25 AM UTC+1, coeu...@gmail.com wrote:
> 
> > Hello, guys.
> 
> >
> 
> > I want to show boot entries so that I can select certain kernel to boot, 
> > and I'm using EFI/qubes/xen.efi as boot binary. Currently, it will directly 
> > boot the default kernel. Could anyone give some advices?
> 
> >
> 
> > BTW, here is the reason: I have multiple kernels installed and 
> > kernel-latest-4.15.6-1 may raise kernel panic errors on Raven Ridge 
> > platform, but kernel-4.14.18-1 works just fine.
> 
> >
> 
> > Thanks!
> 
> > D.F.
> 
> 
> 
> Two methods I know of, but there are probably other ways too, i.e. via the 
> EFI Shell.
> 
> 
> 
> - Use a secure live boot, access dom0, unlock your encryption, then go here 
> and use an editor to edit the file /boot/efi/EFI/qubes/xen.cfg (most straight 
> forward between the two approaches here, but be careful you don't make dom0 
> less secure with the live boot access).
> 
> 
> 
> - Install Grub, and use Grub to boot EFI installs. This way you can have 
> multiple EFI kernel boots.
> 
> 
> 
> 
> 
> I'm not familiar with the other EFI methods to switch the kernel, you may 
> want to wait for more answers to see first. Careful you don't overwrite 
> anything important if you choose to install Grub. Be mindful you may need to 
> manually adjust Grub as well to make it work. Thereby, the first option is 
> probably the most easy of the two.
> 
> 
> 
> --
> 
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> 
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/CZ5vMNL_c7k/unsubscribe.
> 
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users...@googlegroups.com.
> 
> To post to this group, send email to qubes...@googlegroups.com.
> 
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/7b3d2068-088c-4f77-88fb-97c82368c828%40googlegroups.com.
> 
> For more options, visit https://groups.google.com/d/optout.

np's :) 

It's been a while since I modified one as I generally prefer legacyBIOS over 
EFI, but if memory serves, you only need to edit the top lines near the top of 
the file, the kernel preferences. No need to add or delete anything, you just 
need to change the kernel numbers. If you're unsure which kernel numbers you 
got, then you can perform a "ls" command inside the folder where the 
configuration file is located, it'll show the different kernels next to it. The 
top of the file is kind of like a default selector the the below listed kernels 
in the file, which will pick whichever kernel listed below it (should be 3 
kernels by default). 

Btw if you get frequent kernel issues, or expect more of them in the future 
after a failed kernel update, then you can increase the number of kernels the 
Linux (Qubes) system saves, thereby you have more redundancy in the future. 
Just be sure you got enough space on your partition where the boot device is 
located for multiple of kernels and files. 

This can wait till you get it working again btw. You can edit this file in dom0 
/etc/yum.conf and change "installonly_limit=3" i.e. set it to 5 or 7 instead. 
But be really careful if you got a limited drive space, it can cause your 
updates to fail, and result in a half finished update because it didn't have 
enough drive space to finish up. It will tell you when that happens, but you'll 
be unable to re-boot/re-start without fixing it. So take precaution against 
that when increasing the limit :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e7d92fa-7463-48bc-9f72-bb84e3df1db9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to show boot entries?

On Thursday, March 15, 2018 at 11:23:59 AM UTC+1, CoeusITE wrote:
> Thanks, Yuraeitha! 
> 
> It seems xen.cfg is stored in the EFI partition, and I can modify it within 
> dom0 or through Fedora Live without decryption. However I don’t know how to 
> modify it. 
> 
> I think I should add some parameters in [global] section of xen.cfg, but I 
> fail to find any tips from Xen’s official documents.
> 
> 
> On Thu, Mar 15, 2018 at 18:13 Yuraeitha  wrote:
> On Thursday, March 15, 2018 at 7:08:25 AM UTC+1, coeu...@gmail.com wrote:
> 
> > Hello, guys.
> 
> >
> 
> > I want to show boot entries so that I can select certain kernel to boot, 
> > and I'm using EFI/qubes/xen.efi as boot binary. Currently, it will directly 
> > boot the default kernel. Could anyone give some advices?
> 
> >
> 
> > BTW, here is the reason: I have multiple kernels installed and 
> > kernel-latest-4.15.6-1 may raise kernel panic errors on Raven Ridge 
> > platform, but kernel-4.14.18-1 works just fine.
> 
> >
> 
> > Thanks!
> 
> > D.F.
> 
> 
> 
> Two methods I know of, but there are probably other ways too, i.e. via the 
> EFI Shell.
> 
> 
> 
> - Use a secure live boot, access dom0, unlock your encryption, then go here 
> and use an editor to edit the file /boot/efi/EFI/qubes/xen.cfg (most straight 
> forward between the two approaches here, but be careful you don't make dom0 
> less secure with the live boot access).
> 
> 
> 
> - Install Grub, and use Grub to boot EFI installs. This way you can have 
> multiple EFI kernel boots.
> 
> 
> 
> 
> 
> I'm not familiar with the other EFI methods to switch the kernel, you may 
> want to wait for more answers to see first. Careful you don't overwrite 
> anything important if you choose to install Grub. Be mindful you may need to 
> manually adjust Grub as well to make it work. Thereby, the first option is 
> probably the most easy of the two.
> 
> 
> 
> --
> 
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> 
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/CZ5vMNL_c7k/unsubscribe.
> 
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users...@googlegroups.com.
> 
> To post to this group, send email to qubes...@googlegroups.com.
> 
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/7b3d2068-088c-4f77-88fb-97c82368c828%40googlegroups.com.
> 
> For more options, visit https://groups.google.com/d/optout.

don't edit the listed kernels below the preference lines though, only edit the 
kernel preference, near the top of the file. That'll be the one that selects 
which kernel to boot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25ebea71-a495-48ec-873a-543dbeed56b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can a Windows StandaloneVM be made into a TemplateVM?

On Wednesday, March 14, 2018 at 5:56:20 PM UTC+1, inqubator wrote:
> > I copied
> > /var/lib/qubes/appvms/win7/root.img
> > /var/lib/qubes/appvms/win7/private.img
> > to
> > /var/lib/qubes/vm-templates/win7-x64-template/root.img
> > /var/lib/qubes/vm-templates/win7-x64-template/private.img
> > 
> 
> Hi, can I ask how you did that? When I look into the directories you mention 
> (in R4), I don't find these files (but only "icon.png" and "firewall.xml").
> 
> Thanks

It might not be a template, but I'm not sure with RC-4, I didn't look for 
windows in there during RC-4. However, if it isn't acting like a template, then 
it might be placed elsewhere. Try go back a level, /var/lib/qubes/ and instead, 
look in maybe /var/lib/qubes/appvms/ 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7c1871e2-7db8-4995-8dbb-1166d161b981%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can a Windows StandaloneVM be made into a TemplateVM?

On Wednesday, March 14, 2018 at 5:56:20 PM UTC+1, inqubator wrote:
> > I copied
> > /var/lib/qubes/appvms/win7/root.img
> > /var/lib/qubes/appvms/win7/private.img
> > to
> > /var/lib/qubes/vm-templates/win7-x64-template/root.img
> > /var/lib/qubes/vm-templates/win7-x64-template/private.img
> > 
> 
> Hi, can I ask how you did that? When I look into the directories you mention 
> (in R4), I don't find these files (but only "icon.png" and "firewall.xml").
> 
> Thanks

If you didn't do that already of course, you might have as it's an easy 
suggestion.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/839d513f-a70c-4873-8dfc-c9ba29ce5fd7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?

On Thu, March 15, 2018 7:47 am, sevas wrote:
> Dual booting is only secure if you remove the HDD/SSD with the other
> operating system on it.

Well, even then you are giving the non-Qubes OS unrestricted access to
your hardware/firmware so it could potentially open up the system to an
exploit at that level.

> having two hard drives is essentially, no more or less secure than having
> one.

That's true.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/95172d094347bc502617ac1e509e2634.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?

On Thursday, March 15, 2018 at 5:11:17 AM UTC+1, yre...@riseup.net wrote:
> T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from
> an SSD?
> 
> I'm looking at buying an i7 T520 that is listed as working on the HCM
> list on a website, for like $250, I see them cheaper on ebay but , the
> thing has 4GB ram , by adding a DVD tray / caddie for an SSD and an SSD
> and 4GB ram, I add another $140  or so  to the cost   so am
> wondering  if this technically would not have the issue where  dual
> booting is considering insecure, if I'm actually booting from 2 separate
> HDs ;  and/or  if  doing the Qubes 4.0  install  is going to be any
> tricker or easier  with 2 HD,  assuming,  I wasn't planning on  doing
> another  dual boot off  1 HD again 
> 
> 
> thanks

You're right that it's more secure to have two devices, but only very, very 
slightly. Though, it's a good idea to do even so, even if only slightly, if you 
must. I believe the partition table can be more exposed here if using the same 
drive? but I'm not sure. 

- Generally you have to look at the security exploits, i.e. it may be worth 
reading the research and articles The Qubes OS Project has made, and other 
works that is being put forward. But in general, you need to be wary of 
firmware exploits, boot-loader exploits, never access your files from an 
insecure duaæ-boot, and weak or no encryption. Something along those lines. 
Generally firmware exploits/attacks, to my understanding, are more exotic 
today, BUT! that may change one day very quickly, and you can also risk being 
plain unlucky. There is also the consideration that it might not be possible to 
make an accurate picture of how many infected firmware's there are existing in 
the wilds, and/if possible to make research to get an idea, it might take years 
before it's detected on a large scale. So you may want to be wary of firmware 
attacks, they may some day be a threat quicker than you think, i.e. think for 
example A.I.'s that can automatically modify themselves to exploit different 
kinds of firmwares, rather than requiring a human hand to do so (intensive 
labor). 

- Use a strong password, so that your CPU's own calculation power is 
insufficient to be used to crack your encryptions. 

- Never leave anything unencrypted. While you can't protect your firmwares, at 
least you can protect all drives with encryption, except, for the bootloader, 
which is a very big weak spot. If you want to protect yourself here, (except 
you are still vulnurable to firmware attacks), then you need to move your 
boot-loader to a locked medium, preferably one that can't be editied, i.e. a 
CD/DVD. You can leave that CD/DVD in your system though, since what matters is 
that it can't be edited, it's not the fact that it can be read. 

- Also you may want to consider at least 8GB RAM. Even 8gigs can feel limited, 
4gigs will probably feel like a crap experience on Qubes. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e9907a90-3c4a-4549-85a1-14b1dcbb0436%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] tcp/udp server on qubes

On Tue, March 13, 2018 8:46 pm, idanqu...@gmail.com wrote:
> On Tuesday, March 13, 2018 at 3:14:20 AM UTC+2, awokd wrote:
>
>> On Mon, March 12, 2018 10:21 pm, idanqu...@gmail.com wrote:
>>
>>> I'm trying to build a server that uses tcp protocol, and I'm having
>>> trouble figuring the firewall rules that I need to set in order to
>>> connect the server so it would be able to communicate with a specific
>>>  client through the internet.
>>>
>>> I'm aware that there is the guide for networking and firewall:
>>> https://www.qubes-os.org/doc/firewall/
>>>
>>>
>>>
>>> but unfortunately I cant infer it to my use case.
>>
>> Not sure what you mean- Qubes doesn't need any special rules to
>> communicate out. If you want to restrict inbound communications to the
>> single source IP of your client, follow the guide and use that IP in
>> the rule. I think there's an example like that in there.
>
> allow me to elaborate i am trying to route all incoming traffic to a
> single vm there is an example that supposedly does just that however i have
> zero experience in "IP tables" and as such the example, as detailed as it
> is does not explain to me how to achieve the desired result with a
> specific  vm and its corresponding ip for example i have no idea what
> "MY-HTTPS" is meant to reference

"MY-HTTPS" is a label/name- just type it as is.
Depending on how you are doing your inbound NATing, you may need to
restrict the source IP at your outside firewall/router or in this line of
the sys-net configuration: "iptables -A MY-HTTPS -s 192.168.x.0/24 -j
ACCEPT".

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/98eaec46672c594f6c6e9a4be5e08467.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: cant connect to outsidet network after setting static ip

On Wed, March 14, 2018 4:40 pm, idanqu...@gmail.com wrote:
> On Wednesday, March 14, 2018 at 6:23:22 PM UTC+2, shon.b...@gmail.com
> wrote:
>
>> so i have vm that i had network connectivity as part of the guide that
>> is listed below i set a static ip to the vm, after which i cant connect
>> to anything even after statically binding the ip to the previous ip but
>> to no avail iv tried to connect the vm to both sys-firewall and sys-net
>> directly any ping attempt from said vm returns destination host
>> unreachable the other vm's are unaffected and still have network
>> connectivity
>
>
> said guide
> https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20
> up%20your%20first%20server.md

You don't say what version of Qubes you are using, but that guide will
only work with R3.2. If that's what you are using, go to VM Settings for
that VM and look at the Networking section under Basic. Make sure the
IP/subnet/gateway you are using matches the IP/subnet/gateway there.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fc9c701e70e65fb049e2813ff428faa7.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: cant connect to outsidet network after setting static ip

On Wednesday, March 14, 2018 at 5:23:22 PM UTC+1, shon.b...@gmail.com wrote:
> so i have vm that i had network connectivity
> as part of the guide that is listed below
> i set a static ip to the vm, after which i cant connect to anything
> even after statically binding the ip to the previous ip
> but to no avail
> iv tried to connect the vm to both sys-firewall and sys-net directly 
> any ping attempt from said vm returns destination host unreachable 
> the other vm's are unaffected and still have network connectivity

Another solution you can try looking into, is that this could be because you're 
having both the Qubes tools trying to set an automatic IP, in addition to your 
manual adjusted IP, at the same time. I.e. in Windows VM's if you need to use 
manual config, you need to disable the Qubes network tools service first, so it 
doesn't create conflict with the manual adjusted IP. Something similar probably 
needs to be disabled in your other VM; thoough it might help if you mention 
what OS this VM is?

If it's a typical Qubes template, then you can just copy the the template, and 
try uninstall the Qubes tools networking. But only do this in a cloned Qubes 
templates, don't do something like this in any important Qubes templates, 
because this is untested, and if it goes wrong, then you can just simply delete 
the cloned template, rather than have a major headache on your hand.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7552c421-6503-4d9a-b259-d424d1315068%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] tcp/udp server on qubes

2018-03-15 Thread idanqubes

On Thursday, March 15, 2018 at 2:09:22 PM UTC+2, awokd wrote:
> On Tue, March 13, 2018 8:46 pm, idanqu...@gmail.com wrote:
> > On Tuesday, March 13, 2018 at 3:14:20 AM UTC+2, awokd wrote:
> >
> >> On Mon, March 12, 2018 10:21 pm, idanqu...@gmail.com wrote:
> >>
> >>> I'm trying to build a server that uses tcp protocol, and I'm having
> >>> trouble figuring the firewall rules that I need to set in order to
> >>> connect the server so it would be able to communicate with a specific
> >>>  client through the internet.
> >>>
> >>> I'm aware that there is the guide for networking and firewall:
> >>> https://www.qubes-os.org/doc/firewall/
> >>>
> >>>
> >>>
> >>> but unfortunately I cant infer it to my use case.
> >>
> >> Not sure what you mean- Qubes doesn't need any special rules to
> >> communicate out. If you want to restrict inbound communications to the
> >> single source IP of your client, follow the guide and use that IP in
> >> the rule. I think there's an example like that in there.
> >
> > allow me to elaborate i am trying to route all incoming traffic to a
> > single vm there is an example that supposedly does just that however i have
> > zero experience in "IP tables" and as such the example, as detailed as it
> > is does not explain to me how to achieve the desired result with a
> > specific  vm and its corresponding ip for example i have no idea what
> > "MY-HTTPS" is meant to reference
> 
> "MY-HTTPS" is a label/name- just type it as is.
> Depending on how you are doing your inbound NATing, you may need to
> restrict the source IP at your outside firewall/router or in this line of
> the sys-net configuration: "iptables -A MY-HTTPS -s 192.168.x.0/24 -j
> ACCEPT".

i see, thanks to you i think i understand
but i seem to be having at the very first step
after adding both rules in the sys-net terminal 
i still dont see the connection attempt from an external pc
on the rule for the for the prerouting i used CIDR netmask to allow
all possible values for the third-forth part of the sys-net's ip

worth noting that i can connect from the appvm to the net
but not vice versa using the telnet commend 

thank you in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5a6d6a42-e5dd-4ab2-91db-11974304e8e6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] RC5 no more 802.11ac networks

2018-03-15 Thread Gulbis Bulbis

After upgrading(i did a fresh install) rc4 to rc5 i no longer "see" 5G wifi 
networks. I reinstalled rc4 and AC networks are working fine so its probably 
not my Intel 7250 dual band network card. What could be a problem?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bdf10ab3-cf2f-4204-b376-ad229652d2f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

2018-03-15 Thread cooloutac

So I upgraded debian-8 to debian-9 on qubes 3.2   But for some reason it has no 
file manager now.  Even if installing one from terminal and then syncing 
appmenus from dom0.  no file manager appears in list.

Is there a qubes debian 9 template to install to qubes 3.2?  

Thanks, Rich.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87a11398-152a-4cd2-9af9-484cabcaf2fb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, Mar 15, 2018 at 10:13:45AM -0700, cooloutac wrote:
> So I upgraded debian-8 to debian-9 on qubes 3.2   But for some reason it has 
> no file manager now.  Even if installing one from terminal and then syncing 
> appmenus from dom0.  no file manager appears in list.
> 
> Is there a qubes debian 9 template to install to qubes 3.2?  
> 
> Thanks, Rich.
> 
There is a debian-9 template, but you have the choice of which file manager
you want installed. Just apt-get install whatever you want.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315174113.pe676xjptoza2ugk%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?

2018-03-15 Thread yrebstv

well looks like both an argument For and Against buying a drive-cd
caddie

for:
can remove the HDD with win10 on it and just use it when needed

against:
keep a CD with a bootloader on it in the CDROM drive  ( what % of users
of qubes are booting off a bootloader on a CD )


believe it or not,  somehow I'm really not worried at all that someone
is going to gain access to my laptop,  though it being a laptop and
travelling  US-> INT'l  I suppose it's possible 



bigger issue now is what condition to buy a T520 eg "verygood" i7 (which
is listed on HCM , though not the submodel) and installing extra RAM to
12GB  for double  what I might buy

an i5 T520 with 12gb installed already which oddly  seems To  match the
submodel  but not the cpu  type ... 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/735bf088b19cb271889e184feee3eb92%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes canary over due...

2018-03-15 Thread code9n

...but only by a day  (see Qubes canary #14 - 
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-014-2017.txt)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e3fcb65-8058-4d5f-96d0-b852ddff5f40%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes canary over due...

2018-03-15 Thread Marek Marczykowski-Górecki

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Mar 15, 2018 at 11:37:29AM -0700, code9n wrote:
> ...but only by a day  (see Qubes canary #14 - 
> https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-014-2017.txt)

There is new one, in usual place:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-015-2018.txt

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlqkS2QACgkQ24/THMrX
1yw41Qf/ZSLTMsNFJ5h8G9LZIUYNj/3Va+o+n5EeYzEbJlikqrb8YPN34iDgATTa
xoz46n4CAgrCMfx8oQZAaRG0IZfTeB+QkYtZlhJeOfaO7hE9pKV/jF5cFqOGQoyV
Kpj9+jyNOwOSHDMJhyQqwoT0bJ0/j7+EMhEdBy+aJ/xF1mcgrtkiPiQAOgoeT3Hm
aLMs26c9D7wzop+0k+7uZMUIH4nmiVf1MlaGdhNNanwXdG2eI4zj05foRaOa/L5T
pmo/GV18RfugtR8xtU6bFtZeD1aDNE6dazoNIv9qxTovB5pwsJ/FE53Ra+8xEaaa
yOKwLiGvlW3pXke7OyyMbtiR0EF20w==
=9agm
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315190639.GC8712%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can a Windows StandaloneVM be made into a TemplateVM?

2018-03-15 Thread Marek Marczykowski-Górecki

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Mar 14, 2018 at 09:56:20AM -0700, inqubator wrote:
> 
> > I copied
> > /var/lib/qubes/appvms/win7/root.img
> > /var/lib/qubes/appvms/win7/private.img
> > to
> > /var/lib/qubes/vm-templates/win7-x64-template/root.img
> > /var/lib/qubes/vm-templates/win7-x64-template/private.img
> > 
> 
> Hi, can I ask how you did that? When I look into the directories you mention 
> (in R4), I don't find these files (but only "icon.png" and "firewall.xml").

In R4, use: qvm-clone --class TemplateVM

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlqkTAgACgkQ24/THMrX
1ywD8wgAl413SSwuJe6GeBjh4WYUWJUoz42uGdmqA0xEGFaFRe8ZXQ41m0icKla+
nRCg+J+RAiRZPg9RE6PYsXkYTYcRHwO02NAvs5hNTfxmP4u8pzhE39FxJUGXpuyM
z4Zf1kxbGMp/gPSp/rrfU+qI9O8FYUrO1vxpwsoeahFVC/q57QveDpa9Uj6Ab0Oq
7Z4l/bxN+oa2g7aKBeq4mzNC3VHLzy9yh+K1Wf7H8mgWU7wfEM4pOmF7/+Mg7lDe
4JTqhqCAgQ0SLdq+tTF0Be4CAVw7rjNG24vHnFPZU3kP7mMtwNdVHd7AZJPaZXre
lVDeeEPuEN3zDIkMkkg76ulwT1M9oQ==
=22Ml
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315190923.GD8712%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] tcp/udp server on qubes

On Thu, March 15, 2018 1:19 pm, idanqu...@gmail.com wrote:

> i see, thanks to you i think i understand but i seem to be having at the
> very first step after adding both rules in the sys-net terminal i still
> dont see the connection attempt from an external pc on the rule for the
> for the prerouting i used CIDR netmask to allow all possible values for
> the third-forth part of the sys-net's ip

Test connecting to Qubes from another computer on the same network as your
host before trying to get the remote one working.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57c1b79f164d223c9e10e6e6154bef7b.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes canary over due...

2018-03-15 Thread 'Max Andersen' via qubes-users



On 03/15/2018 08:06 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Mar 15, 2018 at 11:37:29AM -0700, code9n wrote:
> > ...but only by a day  (see Qubes canary #14 -
> https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-014-2017.txt)
>
> There is new one, in usual place:
> https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-015-2018.txt

Shouldn't it be news since Canary #14 was announced in the news section?:
https://www.qubes-os.org/news/

And it's also missing here in the overview of canaries:
https://www.qubes-os.org/security/canaries/

But it's here in github, so maybe the other pages, should autoupdate or
something?:
https://github.com/QubesOS/qubes-secpack/tree/master/canaries

Is it only released on github in the future?

Sincerely
Max



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f91f0081-1005-6d02-712f-7e0641f4641f%40militant.dk.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 3.2 Templates Debian 8 Minimal?

On Wed, March 14, 2018 1:24 am, Drew White wrote:
> Is there such a thing for Qubes 3.2?

It's listed in the builder but I've never tried it. I think the standard
template is relatively "minimal" though.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31dd587c032fe3ce1bdd6884f9d0f6f9.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] RC5 no more 802.11ac networks

2018-03-15 Thread [799]

Hello,

On 03/15 07:31, Gulbis Bulbis wrote:

> After upgrading(i did a fresh install) rc4 to rc5 i no longer "see" 5G wifi 
> networks. I reinstalled rc4 and AC networks are working fine so 
> its probably not my Intel 7250 dual band network card. What could be a 
> problem?

running Qubes 4rc5 on my Lenovo W540 and using an Intel Wireless 7260 Card I am 
able to connect and use 5 GHz Wifi networks.
As such it doesn't seem that you problems are not a generic Qubes 4rc5 Wifi 
problem.

regards

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315194156.z7ruymfc73jv5hha%40my-privmail.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

2018-03-15 Thread cooloutac

On Thursday, March 15, 2018 at 1:41:18 PM UTC-4, Unman wrote:
> On Thu, Mar 15, 2018 at 10:13:45AM -0700, cooloutac wrote:
> > So I upgraded debian-8 to debian-9 on qubes 3.2   But for some reason it 
> > has no file manager now.  Even if installing one from terminal and then 
> > syncing appmenus from dom0.  no file manager appears in list.
> > 
> > Is there a qubes debian 9 template to install to qubes 3.2?  
> > 
> > Thanks, Rich.
> > 
> There is a debian-9 template, but you have the choice of which file manager
> you want installed. Just apt-get install whatever you want.

according to qubes-os website debian-9 template is only available for qubes 4.0?

I did try to install nautilus.  then did qvm-sync-appmenus  but still no file 
manager in the app list to add.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2b254ede-816f-4893-8572-92d5a279b754%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, March 15, 2018 7:49 pm, cooloutac wrote:
> On Thursday, March 15, 2018 at 1:41:18 PM UTC-4, Unman wrote:
>

>> There is a debian-9 template, but you have the choice of which file
>> manager you want installed. Just apt-get install whatever you want.
>
> according to qubes-os website debian-9 template is only available for
> qubes 4.0?

That's just the default one, but it's available for R3.2 as well.

> I did try to install nautilus.  then did qvm-sync-appmenus  but still no
> file manager in the app list to add.

Check here (pending doc. update, not approved)
https://github.com/awokd/qubes-doc/blob/patch-4/common-tasks/managing-appvm-shortcuts.md#what-if-my-application-has-not-been-automatically-included-in-the-list-of-available-apps


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/571d56fd3f55cc018f41c6ab30c3e3af.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Missing hard disk free space

2018-03-15 Thread donoban


On 03/14/18 15:36, donoban wrote:

Hi,

I am pretty confused with thin lvm pools and free disk space.

I attached part of lvs output. Is root qubes_dom0-root? 36.96% of data 
means near 77gb? df on dom0 only shows near 6GB...


Is the meta value fine?

I should have near 100gb of free space and I am nearly full :/

Regards.



This was my problem
https://github.com/QubesOS/qubes-issues/issues/3226

All fine after fstrim /

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ca3e7df7-02df-86e7-bb12-fecb88ff4e36%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Missing hard disk free space

2018-03-15 Thread Chris Laprise


On 03/15/2018 04:05 PM, donoban wrote:

On 03/14/18 15:36, donoban wrote:

Hi,

I am pretty confused with thin lvm pools and free disk space.

I attached part of lvs output. Is root qubes_dom0-root? 36.96% of data 
means near 77gb? df on dom0 only shows near 6GB...


Is the meta value fine?

I should have near 100gb of free space and I am nearly full :/

Regards.



This was my problem
https://github.com/QubesOS/qubes-issues/issues/3226

All fine after fstrim /



You may want to add 'discard' option to /etc/fstab so the trim happens 
automatically.


There was a recent fix that switched all the domUs to use discard for /, 
but dom0 was skipped.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/461dd6af-aeca-cad6-6949-4406118ad6db%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, Mar 15, 2018 at 12:49:43PM -0700, cooloutac wrote:
> On Thursday, March 15, 2018 at 1:41:18 PM UTC-4, Unman wrote:
> > On Thu, Mar 15, 2018 at 10:13:45AM -0700, cooloutac wrote:
> > > So I upgraded debian-8 to debian-9 on qubes 3.2   But for some reason it 
> > > has no file manager now.  Even if installing one from terminal and then 
> > > syncing appmenus from dom0.  no file manager appears in list.
> > > 
> > > Is there a qubes debian 9 template to install to qubes 3.2?  
> > > 
> > > Thanks, Rich.
> > > 
> > There is a debian-9 template, but you have the choice of which file manager
> > you want installed. Just apt-get install whatever you want.
> 
> according to qubes-os website debian-9 template is only available for qubes 
> 4.0?
> 
> I did try to install nautilus.  then did qvm-sync-appmenus  but still no file 
> manager in the app list to add.
> 
You're right - there isnt a pre-built Debian-9 for 3.2.(I'm confused
because I roll my own.)
But you can build your own or upgrade an existing.
I'm not quite clear on why file manager doesn't appear in the app list
for you, because I installed it myself following your email and it just
worked.
Let me test again, with a clean debian-8 upgrade, and see if I can
reproduce. (Just to check - do you have an updated dom0 and are you
using Testing repos in dom0?)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315203220.om7a74h7reuoarkg%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, Mar 15, 2018 at 07:58:34PM -, 'awokd' via qubes-users wrote:
> On Thu, March 15, 2018 7:49 pm, cooloutac wrote:
> > On Thursday, March 15, 2018 at 1:41:18 PM UTC-4, Unman wrote:
> >
> 
> >> There is a debian-9 template, but you have the choice of which file
> >> manager you want installed. Just apt-get install whatever you want.
> >
> > according to qubes-os website debian-9 template is only available for
> > qubes 4.0?
> 
> That's just the default one, but it's available for R3.2 as well.

Not from the Qubes repository.

> 
> > I did try to install nautilus.  then did qvm-sync-appmenus  but still no
> > file manager in the app list to add.
> 
> Check here (pending doc. update, not approved)
> https://github.com/awokd/qubes-doc/blob/patch-4/common-tasks/managing-appvm-shortcuts.md#what-if-my-application-has-not-been-automatically-included-in-the-list-of-available-apps
> 
The interesting question is why it works for some people and not for OP.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315203516.ck3u3avwpcycimt3%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Missing hard disk free space

2018-03-15 Thread donoban


On 03/15/18 21:31, Chris Laprise wrote:


You may want to add 'discard' option to /etc/fstab so the trim happens 
automatically.


There was a recent fix that switched all the domUs to use discard for /, 
but dom0 was skipped.




I am considering it, there is some controversy with regular fstrim vs 
discard option e.g.


http://blog.toracat.org/2014/07/discard-that-discard-run-fstrim-on-rhel-and-rebuilds/

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2bdf74ef-7603-a963-0d26-530412dbf9d4%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Missing hard disk free space

2018-03-15 Thread Chris Laprise

On 03/15/2018 04:39 PM, donoban wrote:

On 03/15/18 21:31, Chris Laprise wrote:

You may want to add 'discard' option to /etc/fstab so the trim happens
automatically.

There was a recent fix that switched all the domUs to use discard for
/, but dom0 was skipped.

I am considering it, there is some controversy with regular fstrim vs
discard option e.g.

http://blog.toracat.org/2014/07/discard-that-discard-run-fstrim-on-rhel-and-rebuilds/

Keep in mind that most of your VMs (all the domUs) will use discard / in
realtime, along with /rw and home. But I don't think it matters much for
performance on /, as its not meant to be a write-intensive volume (at
least not for domUs).

If I was really concerned about discard performance, I'd focus on
private volumes (rw and volatile) first.

Another wrinkle to this is that Qubes disables actual trim to the SSD by
default. So performance issues introduced by SSD hardware are not even
an issue until/unless you enable trim. See issue
https://github.com/QubesOS/qubes-issues/issues/3686

FWIW I think trim performance is only a problem for older SSD drives
that don't handle their trim cache and block ranges properly.

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/cb4f82b9-b3c9-d09e-6f90-567415de%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4/Coreboot/SeaBIOS Question

2018-03-15 Thread qubes-os

For those who have a KCMA-D8 or KGPE-D16 mainboard running Coreboot with 
a SeaBIOS payload, have you been able to get Qubes 4 running with a PCI 
video card?


I'm able to get it running with onboard video but not with an AMD PCI 
graphics card.


Was curious if anyone has been successful with Qubes 4 with any PCI 
card? If so, did you make any manual adjustments to how Qubes boots to 
allow the PCI card to work?


The same card works fine with Qubes if the proprietary bios is used.

Thanks.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c09fa76b-04c3-9cec-dea9-b90627e4b778%40go-bailey.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, March 15, 2018 8:35 pm, Unman wrote:
> On Thu, Mar 15, 2018 at 07:58:34PM -, 'awokd' via qubes-users wrote:
>
>> On Thu, March 15, 2018 7:49 pm, cooloutac wrote:
>>

>>> according to qubes-os website debian-9 template is only available for
>>>  qubes 4.0?
>>
>> That's just the default one, but it's available for R3.2 as well.
>>
>
> Not from the Qubes repository.

Ever? Could swear I installed it before!





-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8df8f1109ae1a08d9d1ac029709f8e22.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Missing hard disk free space

2018-03-15 Thread donoban


Thanks for the info.

This also seems confusing
https://www.qubes-os.org/doc/disk-trim/#luks

I did not anything of this but second part of step 5 seems working so 
should I believe that TRIM is working ok?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/51b2851b-8bef-0880-faa5-5496bb5cbc9f%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] VPN from a ProxyVM

On Thursday, 15 March 2018 12:33:30 UTC+11, Chris Laprise  wrote:
> On 03/14/2018 08:47 PM, Drew White wrote:
> > On Wednesday, 14 March 2018 23:28:58 UTC+11, Chris Laprise  wrote:
> >> On 03/13/2018 09:53 PM, Drew White wrote:
> >>> On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise  wrote:
>  On 03/13/2018 08:20 PM, Drew White wrote:
> > On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise  wrote:
> >> The current VPN doc is here:
> >>
> >> https://www.qubes-os.org/doc/vpn/
> > 
> > Thanks for the reply Chris, but that is not what I was looking for as I 
> > was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
> 
>  I think you mean "not an OpenVPN..."?
> >>>
> >>> I am guessing so, yes, thanks for clarifying.
> >>>
>  FWIW, the resources at those links are meant to be adaptable for
>  non-OpenVPN setups, and they don't impose any particular type of routing
>  (other than forbidding access that most call 'leaks'). As for accessing
>  the LAN directly through a VPN VM, there are simple ways to make an
>  exception for it.
> >>>
> >>> That's what I don't get. All I want to do is have the VPN connect, 
> >>> nothing else. So that my AppVM can talk through it to the external.
> >>
> >> OK, this sounds like you want to connect to a remote LAN.
> > 
> > I thought that is what VPNs  are for?
> 
> They can be. Some configs are for remote LANs, others for connecting to 
> Internet.

It's all remote LAN, just different restrictions on them.

 
 
> > Well that is their primary intention, to connect from where you are to a 
> > remote network.
> > I should have clarified that in the first place due to many people these 
> > days connecting to remote networks as a 255.255.255.255 and only doing it 
> > to connect out to the internet for privacy and security.
> > 
> > I shall endeavor to mention that in the future if it ever arises again.
> > 
> >>
> >
> > I also want to have one where everything that is going to happen on the 
> > remote network is pushed through the VPN, and everything else remains 
> > using the local connection.
> >
> > So there are 2 ways I'm looking at having it work.
> >
> > But at first, I just want a standard PPTP connection.
> 
>  There are plenty of guides out there. But when searching for examples
>  keep in mind that a Qubes proxyVM behaves much like a router (not a PC
>  endpoint) so that may be the best type of guide to use.
> >>>
> >>> Exactly, and as a router it should connect a VPN.
> >>> I used to have it able to do it. So that's why I don't understand why it 
> >>> isn't working. Since I had it able to do it once before, ages ago, and 
> >>> nothing has changed since then, and now it isn't working. So it's odd. 
> >>> Thus I figured maybe something has changed.
> >>
> >> I want to say "Not much has changed in R3.2 networking", but the Linux
> >> distros in the templates have changed somewhat over the years. In any
> >> case, you'll need to review your configuration and maybe post setup
> >> steps to get specific troubleshooting advice.
> > 
> > I'm still using F23 for it. Perhaps there is something else inside the 
> > Qubes Networking that has an issue with it after updating for security.
> > 
> > I'll have to just go through settings and try and try and try. Just go from 
> > one settings to another and trying to connect after altering each setting.
> 
> I suggest moving your settings to F26 (i.e. change the template of your VM).

I have F20,21,23,24,26. Normal and Minimal.
Typically I have the minimal, then install what I want.
But since I can't remove the crap from the template, I have to alter the code 
in or disable about 60 things before I start, since there are things that are 
broken that Qubes developers said aren't.
 
 
 
> > What else, other than NetworkManager can be used?
> 
> F26 has pptp-setup package. It lets you use shell commands:
> http://pptpclient.sourceforge.net/

I have F26 and that did not resolve the issue.
At the moment I'm waiting for someone to get pfSense working properly with 
Qubes, so that I have a decent firewall option as using Fedora or Debian 
(Debian is better) as a NetVM is just harsh. Due to the fact that it has so 
much in it that it does't need as a NetVM. Which is why I get the minimal, and 
then add what I need to create a VM for NetVM/ProxyVM, as we as one for AppVM.

Unfortunately, in Qubes you can't remove the standard RPM installed templates. 
It simply has a hissy fit if you do. But I still manually remove it from the 
XML as well as delete the files. Means I can't re-install from the RPM though.

If you know how to remove it via the RPM method, please let me know. It would 
be appreciated.


> Of course, Qubes proxyVMs have Network Manager disabled by default.

There are so many things about the way the systems are going these days that 
are just wrong it's not funny. They keep thinking

Re: [qubes-users] upgraded debian 8 to 9 on qubes 3.2 but no file manager now.

On Thu, Mar 15, 2018 at 08:32:20PM +, Unman wrote:
> On Thu, Mar 15, 2018 at 12:49:43PM -0700, cooloutac wrote:
> > On Thursday, March 15, 2018 at 1:41:18 PM UTC-4, Unman wrote:
> > > On Thu, Mar 15, 2018 at 10:13:45AM -0700, cooloutac wrote:
> > > > So I upgraded debian-8 to debian-9 on qubes 3.2   But for some reason 
> > > > it has no file manager now.  Even if installing one from terminal and 
> > > > then syncing appmenus from dom0.  no file manager appears in list.
> > > > 
> > > > Is there a qubes debian 9 template to install to qubes 3.2?  
> > > > 
> > > > Thanks, Rich.
> > > > 
> > > There is a debian-9 template, but you have the choice of which file 
> > > manager
> > > you want installed. Just apt-get install whatever you want.
> > 
> > according to qubes-os website debian-9 template is only available for qubes 
> > 4.0?
> > 
> > I did try to install nautilus.  then did qvm-sync-appmenus  but still no 
> > file manager in the app list to add.
> > 
> You're right - there isnt a pre-built Debian-9 for 3.2.(I'm confused
> because I roll my own.)
> But you can build your own or upgrade an existing.
> I'm not quite clear on why file manager doesn't appear in the app list
> for you, because I installed it myself following your email and it just
> worked.
> Let me test again, with a clean debian-8 upgrade, and see if I can
> reproduce. (Just to check - do you have an updated dom0 and are you
> using Testing repos in dom0?)

So I've just started from a clean Debian-8, updated, dist-upgraded to
Debian-9 and reinstalled nautilus. Created New qube and the "Files" item
is there.
So that all seems fine.
Have you checked that the install went OK and have you tried the manual
method for adding menu items?
What are you running in dom0 - is that up to date? Running from Testing
repositories?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315234420.fo3omxg443eemsrs%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Fedora no longer starts, installed from RPM.

I installed my template for fedora 17 and 20, and neither of them will start.
I installed them from the RPMs provided.

Upon start it looks like it's booting then says "Error could not start VM F17: 
Cannot execute QREXEC daemon."

How can I get them running again?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/61950809-32be-45ec-8d61-df58edd80c38%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to update default template VM?

debian updates with "sudo apt-get update && sudo apt-get dist-upgrade" 

Whonix should be the same, ("apt-get" or "yum"), but Im not entirely sure. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ab8cd218-d7a1-4842-9bb9-83a536fd5313%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to update default template VM?

On Thu, Mar 15, 2018 at 04:55:47PM -0700, sevas wrote:
> debian updates with "sudo apt-get update && sudo apt-get dist-upgrade" 
> 
> Whonix should be the same, ("apt-get" or "yum"), but Im not entirely sure. 
> 

Whonix is based on Debian so apt-get is right

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180315235937.ak5jtvujpnupuhk2%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to update default template VM?

debian updates with "sudo apt-get update && sudo apt-get dist-upgrade"

Whonix should be the same, ("apt-get" or "yum"), but Im not entirely sure. 

Keep an eye on your logs (journalctl) and your RPC Policy.

Your RPC Policy suggests that Whonix will update through Tor, 
$tag:whonix-updatevm $default allow,target=sys-whonix
so make sure sys-whonix is running.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c027664b-0191-4cf0-9e78-a808330ab7dc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Fedora no longer starts, installed from RPM.

On Thu, Mar 15, 2018 at 04:50:14PM -0700, Drew White wrote:
> I installed my template for fedora 17 and 20, and neither of them will start.
> I installed them from the RPMs provided.
> 
> Upon start it looks like it's booting then says "Error could not start VM 
> F17: Cannot execute QREXEC daemon."
> 
> How can I get them running again?
> 

Hello Drew,

Nice to see you again.

Fedora 17 and 20 are long past eol, and therefore no longer supported in
Qubes.
You *may* be able to get them running by building your own qubes
packages , but I would think that you will have to mangle the code
somewhat to do that. It's not impossible but you'll have to hack about
in qubes-builder and the relevant package sources.

I suggest you use more up to date Fedora templates.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180316000429.ausrxeekfvhgdj2m%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes Canary #15

2018-03-15 Thread Andrew David Wong

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We have published Qubes Canary #15. The text of this canary is
reproduced below. This canary and its accompanying signatures will always be
available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #15 in the qubes-secpack:



Learn about the qubes-secpack, including how to obtain, verify, and read it:



View all past canaries:



```
---===[ Qubes Canary #15 ]===---


Statements
- ---

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is March 14, 2018.

2. There have been 38 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of June 2018. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
- --

None.

Disclaimers and notes
- --

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
- ---

$ date -R -u
Wed, 14 Mar 2018 13:38:04 +

$ feedstail -1 -n5 -f '{title}' -u 
https://www.spiegel.de/international/index.rss
Refugee Bedtime Stories: 'A Long, Long Time Ago, Syria Was Beautiful, My Son'
Creative Destruction: Macron Eyes Expanding His Movement Across Europe
'The Sale of Our Identity': C&A Family Member Discusses Firm's Uncertain Future
The Trade Warrior: Donald Trump's Attack on German Prosperity
Reporter Podcast: Understanding the Riddles of Greenland

$ feedstail -1 -n5 -f '{title}' -u 
https://rss.nytimes.com/services/xml/rss/nyt/World.xml
Why Moscow Will Never Apologize for Attack on Ex-Spy
The Biggest Refugee Camp Braces for Rain: ‘This Is Going to Be a Catastrophe’
Tillerson’s Firing Had Been Expected, but It Still Stunned Observers
Now Two Former Presidents of South Korea Are Under Investigation
New Zealand Diplomat Censured for Vulgar Tweet About U.S. Democrats

$ feedstail -1 -n5 -f '{title}' -u https://feeds.bbci.co.uk/news/world/rss.xml
Stephen Hawking: Visionary physicist dies aged 76
Democrat Conor Lamb claims victory in Pennsylvania election
Rex Tillerson: Secretary of state fired by Trump in Russia warning
Italy bomb: World War Two device forces mass evacuation in Fano
Caribbean volcano Kick 'em Jenny: Ships warned off area

$ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
Britain expels 23 Russian diplomats over chemical attack on ex-spy
Stephen Hawking, who unlocked the secrets of space and time, dies at 76
Turkey's Erdogan says hopes Syria's Afrin town to be captured by Wednesday 
evening
Civilians needing medical aid leave Syria's Ghouta for second day
Tokyo bids farewell to 'trustworthy' Tillerson, Seoul awaits seasoned Pompeo

$ curl -s 'https://blockchain.info/blocks/?format=json'

$ python3 -c 'import sys, json; 
print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
0020436a19f4772283e739a4dbd171be51214f5fe73c6804

Footnotes
- --

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.

[qubes-users] [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Sepctre)

2018-03-15 Thread Andrew David Wong

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We have just updated Qubes Security Bulletin (QSB) #37:
Information leaks due to processor speculative execution bugs.

The text of the main changes are reproduced below. For the full
text, please see the complete QSB in the qubes-secpack:



Learn about the qubes-secpack, including how to obtain, verify, and
read it:



View all past QSBs:



View XSA-254 in the XSA Tracker:



```
Changelog
==

2018-01-11: Original QSB published
2018-01-23: Updated mitigation plan to XPTI; added Xen package versions
2018-03-14: Updated package versions with Spectre SP2 mitigations

[...]

(Proper) patching
==

## Qubes 4.0

[...]

Additionally, Xen provided patches to mitigate Spectre variant 2. While
we don't believe this variant is reliably exploitable to obtain
sensitive information from other domains, it is possible to use it
for help with other attacks inside a domain (like escaping a sandbox
of web browser). This mitigation to be fully effective require
updated microcode - refer to your BIOS vendor for updates.

The specific packages that contain the XPTI and Spectre variant 2
patches for Qubes 4.0 are as follows:

  - Xen packages, version 4.8.3-3

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.

## Qubes 3.2

[...]

Additionally, Xen provided patches to mitigate Spectre variant 2. While
we don't believe this variant is reliably exploitable to obtain
sensitive information from other domains, it is possible to use it
for help with other attacks inside a domain (like escaping a sandbox
of web browser). This mitigation to be fully effective require updated
microcode - refer to your BIOS vendor for updates.

The specific packages that contain the XPTI and Spectre variant 2
patches for Qubes 3.2 are as follows:

  - Xen packages, version 4.6.6-37

[...]

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/03/15/qsb-37-update/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlqrE18ACgkQ203TvDlQ
MDApFw/8DZdF/WhE31coNPbW7tbroScuADS08kWhWG7QkiYqtzoERCq1TIxNfEiU
KEMlpw28NJc+/NlesPEM/lB9W21eyR9VcIUea9aO98gwX938iTVT2MTMD0lwinnb
Qg+K/jmAW8LMnJ2kDHZ93+GhAuLU9NOUZVdsmnF5tNsmW7NIKDgk7Fx8pGb32u9c
nVL5HVd0SX1QLEanFZ7Jgapstt+6nVfkayCSZEp4gFpzF+drWRdJL/0Z0Qi6EJYr
x29UKFuU+WPqNutxcL88usCwBthOuOgpdh0D+LxnIMaZfjkT002403Vcgqd3DrAw
Jclwh+VOg+e5S4/fA3fFxeRhPrSJuuSvQ2Ik8WUhaE5p10gS6TAoP+fR0z7zBSZ9
7teiZQMORoTWWj02TmoUuf3sL9sEsec6IC+obTKtGr6qU5ntW2RDhMGiQetQO3zU
jyro7p2cGVc8B6SSEZ//bUOpGTujppTAsrK/KAMZQ8Plu/KWOzuCdgIrnFRcoSsW
NPONF8BASlFLUg/hjPbuO0NQwyWYOnejwhaaEcCP4eU9/dudLAvUWb9oTWGevwq5
o29TalXxx7+ZqJXeYt3MECv0pYv/GzeZtX50vaknJjmBYMtoF5l7s8AjiwtgvJep
85j4sMIH/8R/VmqqdpH/HZUkjB7R1/hRpp144mLqvOelvd8OP5Q=
=Z2TQ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d9f66ee2-5d76-cbfb-e324-89e578eaade2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes canary over due...

2018-03-15 Thread Andrew David Wong

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2018-03-15 14:28, 'Max Andersen' via qubes-users wrote:
> 
> 
> On 03/15/2018 08:06 PM, Marek Marczykowski-Górecki wrote:
>> On Thu, Mar 15, 2018 at 11:37:29AM -0700, code9n wrote:
>>> ...but only by a day  (see Qubes canary #14 -
>> https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-014-2017.txt)
>>
>> There is new one, in usual place:
>> https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-015-2018.txt
> 
> Shouldn't it be news since Canary #14 was announced in the news section?:
> https://www.qubes-os.org/news/
> 
> And it's also missing here in the overview of canaries:
> https://www.qubes-os.org/security/canaries/
> 
> But it's here in github, so maybe the other pages, should autoupdate or
> something?:
> https://github.com/QubesOS/qubes-secpack/tree/master/canaries
> 
> Is it only released on github in the future?
> 
> Sincerely
> Max
> 

It's not automatic. I just didn't have time to update everything and
publish all the announcements until just now. :)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlqrF3EACgkQ203TvDlQ
MDDIxg//eJM4ZffQ3UCKIvpqpfeSDgjDOcv0pG6wPckUYwvG5aOiRFux0hC0lYIe
y7TbShKvzm/avddBHMUM/VpicYS638Pt+xyssfSZML4Dcafdn4OXrgPazjJoDd+I
NwUlVVuPaHdGmke4odPeNvpc5UG+FBbT56WKa04SbohmbAQHWQrqs05PFlszleGd
tNQfCEUjcRqaNplq8UiHK7xkL9jY/cBcvLXvxmMygjC8nZoShSC6fDGSVRCd6Lda
IQrg7ULoL8/xYBh6BZudg53Op0t98prpJ/JrfpzFycmT9wAofaNjrCE27dTwLkFe
47GyhVW+OfTNyzkQza4T9vS2hepQA69NSl5Kc+T1EUDE/lu0q7x9PdWO2Vr6NGSi
PUDNjpVl1CtlN/AwgwvX1zBdC/Uleqx9colkgyHaduyvhqz9zogv2DVzWcHsueRy
Cs23XRvTcPh0TDiZLvCGOXJHUwn6C/VyLAHCVl5LDFaZL7paz7x2b0FIjRsADPqW
Z5jeWhi8FeTck+OA5F6+eim6XUVRZlLLQWdEp54r5r7tyVKIG1MJ/nx6UdSUy6Uo
Xwcbq3rGx7qT9VuNUTuwBiOgYz0nJLr1Z7Ef/mVu1jhiZ+PluU9Xt9VYQA7hIHVo
uJLFnSmnglAqR6vpmjOzrW2Nw3ZqvWEdWG3I6dvwRo0HSTdVVxw=
=WJ1f
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2b013a3d-d477-0abc-df86-8d9d1934e62f%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Macbook Pro - Broadcom WLAN adapter BCM43602 causing freezing under Qubes OS 4.0 rc5

2018-03-15 Thread Greg

Hi,

Please assist if possible - I'm trying to get the Broadcom WLAN adapter
BCM43602 working on my Macbook Pro under Qubes OS 4.0 rc5.

"03:00.0 Network controller: Broadcom Limited BCM43602 802.11ac Wireless LAN
SoC (rev 01)"

I've managed to install Qubes OS successfully (during the second part of setup,
just before sys-net creation I switched to a console and started a short bash
script that just loops over and over trying to remove the BCM43602 from
sys-net, then I went back and completed the setup. The script successfully
removed the BCM43602 from sys-net before sys-net was started by the setup
wizard, meaning that I managed to avoid the system freeze that would have
otherwise occurred during setup).

Now I'm trying to actually get the BCM43602 working, i.e. attach the adapter to
a qube (e.g. sys-net, standalone hvm or anything at all without freezing).
However it seems that the system freezes the moment I start the qube it is
attached to and it doesn't matter which kernel the associated qube is actually
running (e.g. it freezes even when I attach it to a qube that is a fresh Ubuntu
17.10 install with hvm and no kernel seleced). I've tried different
combinations of permissive mode and no-strict-reset and pv/hvm but every
combination results in freezing.

I'm not sure how to proceed? Does anyone have the BCM43602 working under 4.0
rc5?

Any pointers would be appreciated.

Thanks,
Greg

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7d61d6d5-5f0c-4ef3-966d-dc8e5657a89a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Fedora no longer starts, installed from RPM.

On Friday, 16 March 2018 11:04:31 UTC+11, Unman  wrote:
> On Thu, Mar 15, 2018 at 04:50:14PM -0700, Drew White wrote:
> > I installed my template for fedora 17 and 20, and neither of them will 
> > start.
> > I installed them from the RPMs provided.
> > 
> > Upon start it looks like it's booting then says "Error could not start VM 
> > F17: Cannot execute QREXEC daemon."
> > 
> > How can I get them running again?
> > 
> 
> Hello Drew,
> 
> Nice to see you again.
> 
> Fedora 17 and 20 are long past eol, and therefore no longer supported in
> Qubes.
> You *may* be able to get them running by building your own qubes
> packages , but I would think that you will have to mangle the code
> somewhat to do that. It's not impossible but you'll have to hack about
> in qubes-builder and the relevant package sources.
> 
> I suggest you use more up to date Fedora templates.
> 
> unman

Supported or not, they should still start.
They still use the same Qubes system.
Even if there is no QREXEC they should still start and then be able to have the 
console attached to update the QREXEC.

So support isn't an issue here.
Right now it's an issue of Qubes 3.2 and those templates not starting.

Is there anyone that is having a similar issue or else managed to resolve a 
similar issue here old templates aren't starting any more?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/658f9638-c91c-4eba-a976-f2e9af31c356%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Restoring VM from backup...

Hi folks,

I'm restoring a guest from a backup.
It starts off and says it's restoring, then suddenly it stops and gives me this.

---
Extracting data: 18.5 GiB to restore
Some errors occurred during data extraction, continuing anyway to restore at 
least some VMs
-> Restoring QubesTemplateHVm Win7x64...
ERROR: VM private image file doesn't exist: 
/var/lib/qubes/vm-templates/Win7x64/private.img
*** Skipping VM: Win7x64
-> Done. Please install updates for all the restored templates.
Please unmount your backup volume and cancel the file selection dialog.
Finished with errors!
---

In the backup the file is there.
The file that it's saying doesn't exist doesn't exist until the restoration 
puts it there.

I have gotten this issue with all the backups I have tried to restore recently.

What is going on here please?
I wish to restore the guest rather than spending 5 days re-creating it.

It should be a simple matter of it working, but it's not. It's confusing why it 
isn't working.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b650e7c8-d1c4-414b-9fc6-fa18ee8d0413%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] macosx

hi folks,

if i was to get another mac laptop to run qubes, what one could run qubes 4?

sincerely,
D.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d787d74f-2593-4c10-8494-71b795592b62%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: macosx