[qubes-users] Qubes OS 4.0.1 has been released!

2019-01-08 Thread Marek Marczykowski-Górecki

Dear Qubes Community,

We're pleased to announce the release of Qubes 4.0.1! This is the first
stable point release of Qubes 4.0. It includes many updates over the
initial 4.0 release, in particular:

 - All 4.0 dom0 updates to date, including a lot of bug fixes and
   improvements for GUI tools
 - Fedora 29 TemplateVM
 - Debian 9 TemplateVM
 - Whonix 14 Gateway and Workstation TemplateVMs
 - Linux kernel 4.14

Qubes 4.0.1 is available on the [Downloads] page.


What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.1.


What should I do?
-----------------

If you're currently using an up-to-date Qubes 4.0 installation
(including updated Fedora 29, Debian 9, and Whonix 14 templates), then
your system is already equivalent to a Qubes 4.0.1 installation. No
action is needed.

Similarly, if you're currently using a Qubes 4.0.1 release candidate
(4.0.1-rc1 or 4.0.1-rc2), and you've followed the standard procedure for
keeping it up-to-date, then your system is equivalent to a 4.0.1 stable
installation, and no additional action is needed.

If you're currently using Qubes 4.0 but don't have these new templates
installed yet, we recommend that you follow the appropriate
documentation to do so:

 - [Fedora 29]
 - [Debian 9]
 - [Whonix 14]

Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.1 ISO will make this more
convenient and secure, since it bundles all Qubes 4.0 updates to date.
It will be especially helpful for users whose hardware is too new to be
compatible with the original Qubes 4.0 installer.


[Downloads]: https://www.qubes-os.org/downloads/
[Fedora 29]: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
[Debian 9]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
[Whonix 14]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/09/qubes-401/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190109024925.GJ5040%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes Canary #18

2019-01-08 Thread Marek Marczykowski-Górecki

Dear Qubes Community,

We have published Qubes Canary #18. The text of this canary is
reproduced below. This canary and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View Qubes Canary #18 in the qubes-secpack:



Learn about the qubes-secpack, including how to obtain, verify, and read
it:



View all past canaries:



```
---===[ Qubes Canary #18 ]===---


Statements
----------

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is January  8, 2019.

2. There have been 45 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of April 2019. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
---------------------

Simon Gaiser (aka HW42) joined the Qubes Security Team. More details:
https://www.qubes-os.org/news/2018/11/05/qubes-security-team-update/

Disclaimers and notes
---------------------

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised.  This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
------------------

$ date -R -u
Tue, 08 Jan 2019 03:18:51 +

$ feedstail -1 -n5 -f '{title}' -u https://www.spiegel.de/international/index.rss
Avi Loeb on the Mysterious Interstellar Body 'Oumuamua: 'Thinking About Distant Civilizations Isn't Speculative'
The Year of Populism: Europe's Right Wing Takes Aim at the EU
Women in Startups: 'The Most Successful Teams Are Diverse Teams'
Fergus Falls: A Fantastic Town
The Claas Relotius Affair: DER SPIEGEL's Reaction to U.S. Ambassador's Criticism

$ feedstail -1 -n5 -f '{title}' -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
Philippines Dispatch: Where 518 Inmates Sleep in Space for 170, and Gangs Hold It Together
Migrants’ Despair Is Growing at U.S. Border. So Are Smugglers’ Profits.
Poland Cracks Down on Escape Rooms After Diversion Turns Deadly
Kim Jong-un, North Korea’s Leader, Visits China
Fleeing Saudi Woman, Facing Deportation, Is Allowed to Remain in Thailand

$ feedstail -1 -n5 -f '{title}' -u https://feeds.bbci.co.uk/news/world/rss.xml
North Korea's Kim Jong-un visits China's Xi Jinping
Ex-Nissan boss says he is wrongly accused
Guatemala expels UN-backed anti-corruption commission
Yellow vests: France to crack down on unsanctioned protests
Kevin Spacey in court to face charges of groping teenager

$ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
North Korea leader visits China after warning of alternate path to U.S. talks
Myanmar's civilian, military leaders meet, vow to "crush" Rakhine rebels
Guatemala to shut down U.N. anti-corruption body early
Trump, Trudeau agree to press China on detained Canadians: Ottawa
White House says Trump position unchanged as Syria withdrawal plans slow

$ curl -s 'https://blockchain.info/blocks/?format=json' |\
  python3 -c 'import sys, json; print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
00073048d01300bb6ca9102dd0641f065cb42d5659412915

Footnotes
---------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file 
```

Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread Illidan Pornrage
I apologize for this truckload of typos and bad formatting. Sleep 
deprivation much.




Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread Illidan Pornrage

On 1/8/19 9:25 PM, simon.new...@gmail.com wrote:
> Chris Laprise wrote:
>> Of course, I should mention anti evil maid: AEM essentially protects the
>> /boot partition (and your firmware!). That is nothing to sneeze at and
>> gives you a decent basis for investigating the dom0 root volume if
>> something does crop up.
>
> AEM won't work with one of my machines' BIOS AFAIK. That BIOS has no legacy
> mode, it's all UEFI, so per the docs, AEM won't work.
>
>> was going to try HEADS but the dependence on Google services made me back off.
>
> Didn't realise there was a dependence on Google services for heads. That seems
> counterintuitive to me. Where's the dep?



Actually there is no dependency on Google services. There is "Google
Authenticator", but that is an open source TOTP generator that works
without internet that can be installed on Android.

BUT
There are also command-line programs for it on every major desktop distro.

Essentially, for HEADS to work you need:
 - Coreboot working on your board.
 - A TPM.
 - A persistent storage drive.
 - A stripped-down enough Linux kernel for your board that fits in BIOS
   flash memory and that can use the TPM.
 - An initramfs for that kernel that is the actual "heads" part that does
   all the magic.
 - A second device that shows you the current TOTP (time based one time
   pad) to compare it with the value that heads is showing. If they match,
   then system files and booted code are still as expected; if not, investigate.

TOTP is based on a secret from which the OTPs (one time codes) are
generated via time.

So the second machine stores a secret and needs a roughly accurate time.
On the machine to be verified, the secret exists only when it is booted
in the correct state, and only then should the passphrase be entered. If
the booted code is different, the secret does not exist; instead another
secret exists that is not the right one, which generates a mismatch with
that of the verifier device.
The verifier device should ideally be offline so as to not be easily
manipulated so that it contains another secret that matches a modified
bootloader. I think an old Android with removed/castrated radio hardware
containing a TOTP app would be a good candidate.


Rest assured the official tails git only contains a device config for
the Thinkpad X230 that is quite outdated.
The Purism coreboot repo contains a heads fork that is compatible with
Librem devices and their other fancy stuff that sadly is quite overpriced.
Porting heads to your device to be verified is a royal PITA, as testing
is annoying without a spare device. Because you most certainly will
flash a whole bunch of builds that aren't working yet as your BIOS and
then need to flash the next build or a working backup of normal coreboot
with an in-system programmer, which is fiddly stuff.


Been there, done that. Is a major Baywatch episode of fail on the beach
and I made a kludgy half-working compromise that I would be ashamed to
put anywhere near public.
I could sink insane amounts of additional time in those things but it
feels like a dead end as long as nobody pays me for my time. I can't even
guarantee success as I am not an expert in those things. I just try to
be MacGyver as much as I can.
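
The comparison described in the message above, as an added Python example (not part of the original post and not code from the Heads project): the machine under test can only compute the code if its boot measurements release the sealed secret, and the second device accepts the code within one 30-second step of clock drift. ToyTPM, measure() and the sample boot stages are hypothetical stand-ins; on real hardware the sealing is done by the TPM.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # length of the displayed code


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the 30-second step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def measure(boot_stages) -> bytes:
    """Fold every boot stage into one digest, in the style of an extend chain."""
    state = bytes(32)
    for blob in boot_stages:
        state = hashlib.sha256(state + hashlib.sha256(blob).digest()).digest()
    return state


class ToyTPM:
    """Hypothetical stand-in for a TPM: releases the secret only for the sealed state."""

    def seal(self, secret: bytes, boot_stages) -> None:
        self._secret = secret
        self._expected = measure(boot_stages)

    def unseal(self, boot_stages):
        if hmac.compare_digest(measure(boot_stages), self._expected):
            return self._secret
        return None


def code_shown_at_boot(tpm: ToyTPM, boot_stages, now: int):
    """What the machine under test can display: a code, or None if unsealing fails."""
    secret = tpm.unseal(boot_stages)
    return None if secret is None else totp(secret, now)


def verifier_accepts(shown, secret: bytes, now: int, drift_steps: int = 1) -> bool:
    """Second device: compare the shown code with its own, allowing clock drift."""
    if shown is None:
        return False
    times = (now + k * STEP for k in range(-drift_steps, drift_steps + 1))
    return any(hmac.compare_digest(shown, totp(secret, t)) for t in times if t >= 0)


# Constructed sample data (not real firmware images, not a real secret).
SECRET = b"12345678901234567890"          # the RFC 6238 test secret
GOOD_BOOT = [b"coreboot", b"linux kernel", b"heads initramfs"]
TAMPERED_BOOT = [b"coreboot", b"linux kernel", b"modified initramfs"]

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(SECRET, GOOD_BOOT)
    now = 59
    for label, stages in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT)):
        shown = code_shown_at_boot(tpm, stages, now)
        print(label, shown, verifier_accepts(shown, SECRET, now))
```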




Re: [qubes-users] Installing snaps in appvms?

2019-01-08 Thread 'awokd' via qubes-users

Stumpy wrote on 1/9/19 12:07 AM:
> On 1/8/19 7:04 PM, Stumpy wrote:
>> I thought I had snap installed but the app I installed via snap now
>> does not seem to be working? I installed snapd in dom0 then tried
>> installing a snap package in one of appvms but I am getting errors. If
>> I try to run a snap from dom0:
>>
>> qvm-run gfx /snap/bin/xnview
>>
>> I get:
>> Running '/snap/bin/xnview/ on gfx
>> gfx: command failed with code: 1
>>
>> when I try to run it within the appvm I get:
>> user@gfx:~$ xnview
>> Can not open /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such file or directory)
>>
>> aborting: No such file or directory
>>
>> thoughts? please?
>
> oh, and if I try to reinstall the app I get:
> user@gfx:~$ sudo snap install xnview
> snap "xnview" is already installed


Nothing should be installed to dom0. You'd have to install snapd in a 
template, and possibly the snap package. You might want to create a 
Standalone VM and install everything in there, instead of templates & 
AppVMs.





Re: [qubes-users] Installing snaps in appvms?

2019-01-08 Thread Stumpy

On 1/8/19 7:04 PM, Stumpy wrote:
> I thought I had snap installed but the app I installed via snap now does
> not seem to be working? I installed snapd in dom0 then tried installing
> a snap package in one of appvms but I am getting errors. If I try to run
> a snap from dom0:
>
> qvm-run gfx /snap/bin/xnview
>
> I get:
> Running '/snap/bin/xnview/ on gfx
> gfx: command failed with code: 1
>
> when I try to run it within the appvm I get:
> user@gfx:~$ xnview
> Can not open /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such file or directory)
>
> aborting: No such file or directory
>
> thoughts? please?

oh, and if I try to reinstall the app I get:
user@gfx:~$ sudo snap install xnview
snap "xnview" is already installed





[qubes-users] Installing snaps in appvms?

2019-01-08 Thread Stumpy
I thought I had snap installed but the app I installed via snap now does
not seem to be working? I installed snapd in dom0 then tried installing
a snap package in one of appvms but I am getting errors. If I try to run
a snap from dom0:

qvm-run gfx /snap/bin/xnview

I get:
Running '/snap/bin/xnview/ on gfx
gfx: command failed with code: 1

when I try to run it within the appvm I get:
user@gfx:~$ xnview
Can not open /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such file or directory)

aborting: No such file or directory

thoughts? please?



Re: [qubes-users] Dom0 Error

2019-01-08 Thread 'awokd' via qubes-users

remresalexan...@gmail.com wrote on 1/8/19 5:35 PM:
> No VM is starting, onboard NIC doesn't work and the startup says failed to load
> kernel modules.
> I'm booting from Legacy mode.

You can see your libxl-driver.log by going to Qubes menu/Terminal 
Emulator (dom0) and then typing "sudo cat 
/var/log/libvirt/libxl/libxl-driver.log".


It sounds like sys-net doesn't like your NIC. Is it Ethernet? If so, try 
the workarounds described in 
https://www.qubes-os.org/doc/assigning-devices/#pci-passthrough-issues.




Re: [qubes-users] How do i setup correctly an OpenMediaVault in Qubes?

2019-01-08 Thread 'awokd' via qubes-users

marmot-te wrote on 1/8/19 3:55 PM:
> Hi,
>
> what I already tried is here:
> https://forum.openmediavault.org/index.php/Thread/25472-OMV-inside-QubesOs-web-gui-innaccessible/?postID=192084#post192601



You only need that to be an HVM if you're planning on assigning a 
dedicated NIC to it. That would probably be the easiest fix, but you are 
bypassing Qubes' networking security.


Otherwise, you're on the right track with the Qubes firewall document 
you referenced. You could write rules so the source permits an entire 
subnet, not just a single IP. Iptables/NFT rules aren't very 
straight-forward though; afraid I can't help there.


In either case, test from a web browser inside the VM to make sure the 
web server is working before testing from external.




[qubes-users] Re: Using Windows 7 vm from R3.2

2019-01-08 Thread Lorenzo Lamas
Starting with the QWT iso or attaching it didn't work for me either, it didn't
show up at all. I copied it to the Windows VM and extracted the installer from
it.

Btw, I just installed Windows 7 SP1 from an iso and installed all updates in
just a few hours (old Sandy Bridge dual core with SATA SSD). After installing 7
SP1, or after installing SP1 if using an older iso, don't let it search for
updates but instead manually install the April 2015 servicing stack update and
then the Convenience Rollup
(https://www.howtogeek.com/255435/how-to-update-windows-7-all-at-once-with-microsofts-convenience-rollup/).
After that, the number of updates still needed in order to be fully up to date
is a LOT less.



Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)

2019-01-08 Thread 'awokd' via qubes-users

22...@tutamail.com wrote on 1/8/19 2:53 PM:
> Just played around again with the sun icon, this time starting my whonix-gw
> template used for template updates prior, a couple of observations:
>
> Seems to work fine when updating Debian and Fedora 29 templates, at least the
> messages I get in the details appear positive, listing the updates/changes,
> green check marks, etc.
>
> However when I try to update my whonix14 templates (both -ws and -gw) I get
> what appears to be errors. I still don't know how to copy errors from Dom0 to
> an appvm but the errors end with:
>
> File"/var...salt...futures import cancelledError
> ImportError: No module named concurrent.futures
> ...
>
> A little background on my Qubes...I started using Qubes out of an immediate
> need for security and have been backing in to how to use it over the last few
> years. I consider myself pretty good but I am still missing what appears to be
> basic skills.
>
> How do I check:
> /etc/qubes-rpc/policy/qubes.UpdatesProxy
>
> Sorry to ask but can you explain in more detail?
>
> Thanks again Qubes and all those contributing...I really appreciate it! I'll
> document what I can using this feature...


No apologies needed! More detail: go to a dom0 prompt (Qubes 
menu/Terminal Emulator) then "cat" or "nano" that file. Not sure it's 
formally documented somewhere, but if you want your updates to go 
through Whonix, confirm the non-commented out lines (ones without a # at 
the front) have target=sys-whonix instead of target=sys-net. You might 
have the same lines with different targets, but it's only the first one 
that matters.


"sudo qubesctl state.sls qvm.updates-via-whonix" should set your 
templates to update over Whonix, if you see any problems in that file. 
You can also edit it manually with "sudo nano 
/etc/qubes-rpc/policy/qubes.UpdatesProxy", but copy it somewhere first 
so you can revert if you mess up something.


I tested trying to Qubes Update a Debian template with sys-whonix 
shutdown, and it failed quickly. Would have expected it to automatically 
start sys-whonix like the other update procedures, but at least it 
didn't seem to be using sys-net incorrectly! I'll try using it for -ws 
or -gw next time. To copy text from dom0, follow item #1 or #3 here: 
https://www.qubes-os.org/doc/copy-from-dom0/#copypaste-from-dom0.
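
The check described in the reply above (skip commented lines, then see which target the first matching line gives), as an added Python example that is not part of the original post and is not the Qubes policy engine. It assumes Qubes 4.0-style lines of the form "source destination action,target=..." with $-prefixed keywords; the two policy texts and the VM descriptions are constructed samples.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "lineno source dest action params")


def parse_policy(text: str):
    """Parse 'source destination action[,key=value...]' lines; skip blanks and # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected source, destination, action")
        action, *extras = [part.strip() for part in fields[2].split(",")]
        params = dict(item.split("=", 1) for item in extras if "=" in item)
        rules.append(Rule(lineno, fields[0], fields[1], action, params))
    return rules


def source_matches(token: str, vm: dict) -> bool:
    """Simplified source matching: $anyvm, $type:X, $tag:X or a literal qube name."""
    if token == "$anyvm":
        return True
    if token.startswith("$type:"):
        return vm["type"] == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm["tags"]
    return token == vm["name"]


def first_match(rules, vm: dict, requested_dest: str = "$default"):
    """Return the first rule that applies; later lines are never consulted."""
    for rule in rules:
        if source_matches(rule.source, vm) and rule.dest in (requested_dest, "$anyvm"):
            return rule
    return None


def update_proxy_for(policy_text: str, vm: dict):
    """Name of the qube that would proxy this VM's updates, or None if denied."""
    rule = first_match(parse_policy(policy_text), vm)
    if rule is None or rule.action != "allow":
        return None
    return rule.params.get("target")


# Constructed sample: same two lines, different order, different result.
POLICY_SYS_NET_FIRST = """\
$type:TemplateVM $default allow,target=sys-net
$type:TemplateVM $default allow,target=sys-whonix
$anyvm $anyvm deny
"""
POLICY_WHONIX_FIRST = """\
#$type:TemplateVM $default allow,target=sys-net
$type:TemplateVM $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""
TEMPLATE = {"name": "debian-9", "type": "TemplateVM", "tags": set()}
APPVM = {"name": "work", "type": "AppVM", "tags": set()}

if __name__ == "__main__":
    for label, text in (("sys-net first", POLICY_SYS_NET_FIRST),
                        ("whonix first", POLICY_WHONIX_FIRST)):
        print(label, "->", update_proxy_for(text, TEMPLATE))
```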





Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread Chris Laprise

On 01/08/2019 03:07 PM, Chris Laprise wrote:
> On 01/08/2019 07:25 AM, simon.new...@gmail.com wrote:
>> As per subject, does anyone use things such as AIDE (or other file
>> integrity IDS) ?
>>
>> I understand the security model is "if dom0 is compromised, you are
>> fscked" but it would be at least nice to have something that gave me a
>> heads up if such an event happens.
>
> I think Marek mentioned that HEADS has a root fs verification scheme. I
> was going to try HEADS but the dependence on Google services made me
> back off.




Of course, I should mention anti evil maid: AEM essentially protects the 
/boot partition (and your firmware!). That is nothing to sneeze at and 
gives you a decent basis for investigating the dom0 root volume if 
something does crop up.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread Chris Laprise

On 01/08/2019 07:25 AM, simon.new...@gmail.com wrote:
> As per subject, does anyone use things such as AIDE (or other file integrity
> IDS) ?
>
> I understand the security model is "if dom0 is compromised, you are fscked" but
> it would be at least nice to have something that gave me a heads up if such an
> event happens.


I think Marek mentioned that HEADS has a root fs verification scheme. I 
was going to try HEADS but the dependence on Google services made me 
back off.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread 799
Hello,

On Tue, Jan 8, 2019, 13:25,  wrote:

> As per subject, does anyone use things such as AIDE (or other file
> integrity IDS) ?
>
> I understand the security model is "if dom0 is compromised, you are
> fscked" but it would be at least nice to have something that gave me a
> heads up if such an event happens.
>

I was thinking about this as I am currently running a dual boot setup,
which means that the /boot partition is unencrypted and could theoretically
be compromised as it is unencrypted.
I have therefore written a small script which fingerprints all files in the
boot partition and verifies the fingerprints later - basically something like
a poor man's IDS.
The hash sum file itself is GPG signed and _not_ stored on boot but on the
encrypted part of dom0.
So if files in boot got changed I do get an alarm when I verify the
fingerprints.
This could then lead to the decision to rebuild/drop the whole system as it
could have become (reasonably) insecure.

I tried to find out if I can run the scripts before logging into Qubes but it
seems that there is no way to do so.

So now I have the idea that the script will run after login of dom0 and
then present a notification: boot files are ok.

- O.
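
A sketch of the fingerprint-and-verify approach described in the message above, as an added Python example (not the poster's script). It goes slightly beyond plain hash checking by also reporting files that were added or removed, which matters for a directory like /boot. The JSON manifest format and all function names are assumptions; signing is left to gpg detached signatures, with the manifest and its signature kept outside the checked directory.

```python
import hashlib
import json
import os
import subprocess


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each path under root to a fingerprint; symlinks are recorded, not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = _digest(full)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Write a sorted, stable serialisation so a detached signature stays valid."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, sort_keys=True, indent=1)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def signature_ok(manifest_path: str, sig_path: str) -> bool:
    """Verify a signature made with `gpg --detach-sign`; requires gpg and the public key.
    Exit status 0 only means some key in the keyring signed it, so also check whose."""
    result = subprocess.run(["gpg", "--verify", sig_path, manifest_path],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def compare(root: str, trusted: dict) -> dict:
    """Diff the current state of root against the trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "added": sorted(p for p in current if p not in trusted),
    }


def boot_files_ok(report: dict) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for /boot so the example runs without touching a real system.
    with tempfile.TemporaryDirectory() as boot, tempfile.TemporaryDirectory() as store:
        for name, data in (("vmlinuz", b"kernel"), ("initramfs.img", b"initrd")):
            with open(os.path.join(boot, name), "wb") as fh:
                fh.write(data)
        manifest_path = os.path.join(store, "boot-manifest.json")
        save_manifest(build_manifest(boot), manifest_path)
        with open(os.path.join(boot, "initramfs.img"), "ab") as fh:
            fh.write(b" changed")
        report = compare(boot, load_manifest(manifest_path))
        print("boot files are ok" if boot_files_ok(report) else report)
```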



[qubes-users] Re: dom0 update: sys-whonix: command failed with code: 1

2019-01-08 Thread John S.Recdep
On 1/2/19 8:20 AM, John S.Recdep wrote:
> On 1/1/19 12:29 PM, qubes-fan-q7wo9g+UVklWk0Htik3J/w...@public.gmane.org 
> wrote:
>> Hi, during dom0 update I get following output:
>>
>> $ sudo qubes-dom0-update
>> Using sys-whonix as UpdateVM to download updates fro dom0; this may take 
>> some time...
>> sys-whonix: command failed with code: 1
>> No new updates available
>> Qubes OS Repository for Dom0  23 MB/s | 52 kB
>>
>> The update then goes as normal. What does that mean and is there any action 
>> needed from my side?
>>
> 
> ditto here except mine is sys-net  code:1
> 
> fwiw
> 


Is this also in testing or can someone help / advise a fix to this?
my updatevm per qubes-prefs is sys-net but I always thought that other
file had it set up to use sys-whonix-14

haven't had any issues with previous qubes updates

I am running
$ sudo qubes-dom0-update
and getting

Using sys-net as UpdateVM to download updates
sys-net: command failed with code: 1
Last metadata expiration check: 0:09:40 ago on Tue Jan  8 08:59:27 2019.
Dependencies resolved.

 Package            Arch    Version           Repository          Size
Reinstalling:
 python3-blivet     noarch  2:2.1.6-5.fc25    qubes-dom0-current  1.0 M
 python3-kickstart  noarch  1000:2.32-4.fc25  qubes-dom0-current  370 k

Transaction Summary

Total size: 1.3 M
Installed size: 1.3 M
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] python3-blivet-2.1.6-5.fc25.noarch.rpm: Already downloaded
[SKIPPED] python3-kickstart-2.32-4.fc25.noarch.rpm: Already downloaded
Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.




Re: [qubes-users] Dom0 Error

2019-01-08 Thread remresalexander
No VM is starting, onboard NIC doesn't work and the startup says failed to load
kernel modules.
I'm booting from Legacy mode.



Re: [qubes-users] Dom0 Error

2019-01-08 Thread remresalexander
Startup says failed to load kernel modules.
I'm booting from Legacy mode.



Re: [qubes-users] Dom0 Error

2019-01-08 Thread remresalexander
No VM is starting and NIC is not working



Re: [qubes-users] signal-desktop?

2019-01-08 Thread Sven Semmler

On 1/7/19 9:24 AM, haaber wrote:
> The "--disable-gpu" parameter works perfectly for the
> debian-install and the signed package from the signal website.

Yup. Thank you!

/Sven


Re: [qubes-users] Dom0 Error

2019-01-08 Thread unman
On Tue, Jan 08, 2019 at 08:25:36AM -0800, remresalexan...@gmail.com wrote:
> Acer Aspire A515-51G-303X
> Qubes 4
> 
> Error Prompt
> https://www.file-upload.net/download-13462178/IMG_20190108_145008.jpg.html
> 
> How can I go to the libxl-driver.log file?
> https://www.file-upload.net/download-13462203/IMG_20190108_171610.jpg.html
> 
> Does someone know a solution for that problem?
> 

Please don't just post images: they are no use to some people.
Take a little time to read the errors and put what is important in the
post. You are more likely to get help that way.

I don't know what your issue is (because you haven't told me.)
If the error comes when you are trying to start a qube, then most likely
you have an issue with some connected device. Perhaps a NIC?
See what happens if you remove the device - can you start the qube then?
Have you tried changing "strict reset" for PCI devices in qube manager?
I'm working blind here.

To answer your specific question - try sudo su, then access the file as
root.



Re: [qubes-users] Re: Which parts of qubes-builder are guaranteed to work/supported?

2019-01-08 Thread unman
On Tue, Jan 08, 2019 at 01:31:30PM +, Robert Rettig wrote:
> > > > Right now I'm not even getting to centos-7:
> > > > 
> > > > make get-sources get-sources-extra qubes-vm is stopping at
> > > > 
> > > > -> Installing core RPM packages...
> > > > error: Failed dependencies:
> > > > glibc = 2.28-9.fc29 is needed by
> > > > glibc-all-langpacks-2.28-9.fc29.x86_64
> > > > glibc-common = 2.28-9.fc29 is needed by
> > > > glibc-all-langpacks-2.28-9.fc29.x86_64
> > > > make[1]: ***
> > > > [/home/user/qubes-builder/qubes-src/builder-rpm/Makefile-legacy.rpmbuilder:35:
> > > >  
> > > > /home/user/qubes-builder/chroot-fc29/home/user/.prepared_base] Error 
> > > > 1
> > > > make: *** [Makefile:217: vmm-xen-vm] Error 1
> > > 
> > > Different environment. Started with a generic/fedora29 box (see 
> > > https://app.vagrantup.com/generic/boxes/fedora29 )
> > > 
> > > Got same error but different reason
> > > https://pastebin.com/raw/Efi5JQKU
> > > 
> > > ```
> > > E: Failed to fetch 
> > > https://deb.debian.org/debian/pool/main/r/reprepro/reprepro_4.16.0-1_amd64.deb
> > >   GnuTLS recv error (-54): Error in the pull > function.
> > > 
> > > E: Unable to fetch some archives, maybe run apt-get update or try with 
> > > --fix-missing?
> > > make[1]: *** 
> > > [/home/vagrant/qubes-builder/qubes-src/builder-debian/Makefile.debian:
> > > 176: 
> > > /home/vagrant/qubes-builder/chroot-jessie/home/user/.prepared_base] 
> > > Error 100 ```
> > > 
> > > How can I resume the broken build?
> > > 
> >
> > Obviously you have had some network issue, so downloads have failed for 
> > jessie. (Why Jessie? Latest Whonix is based on stretch.) It doesn't look as 
> > if you built much (anything) so you should be able to just start the build
> > again.
> > I recommend breaking the build down to separate distros, rather than 
> > building all at once. Also, you can use make qubes-vm and make template as
> > separate steps.
> >
> > If you use a caching proxy upstream from the build device then this helps 
> > to mitigate the pain, and also dramatically speeds up template updates. 
> > Since you are downloading to update templates anyway, why download again
> > to build (vice versa)
> 
> The build, especially the gcc, takes a lot of time. The network issue happened 
> somehow at night.
> Therefore I asked how to resume and retry the build without building gcc 
> again ... .
> Normally I would assume if a component like gcc is built upfront that it will 
> be used from later components.
> 
> To make it more clear what I did.
> Essentially I followed the rabbit in the documentation from
> https://www.qubes-os.org/faq/#how-do-i-build-qubes-from-sources
> to https://www.qubes-os.org/doc/qubes-builder/ 
> to https://www.qubes-os.org/doc/qubes-r3-building/ .
> Maybe that needs some cleanup and pick up your recommendation "breaking the 
> build down to separate distros"?
> 
> I choose `qubes` meta target as it should "build all required components in 
> correct order".
> "List of components is configured in builder.conf. You can also check the 
> current value at the end of make help, or using make build-info."
> For me that shows up
> 'gcc vmm-xen core-libvirt core-vchan-xen core-qubesdb linux-utils python-cffi 
> python-xcffib python-sphinx python-pillow python-quamash python-objgraph 
> python-hid python-u2flib-host core-admin core-admin-client 
> core-admin-addon-whonix core-admin-linux core-agent-linux intel-microcode 
> linux-firmware linux-kernel artwork gui-common gui-daemon gui-agent-linux 
> gui-agent-xen-hvm-stubdom vmm-xen-stubdom-linux app-linux-split-gpg 
> app-linux-tor app-thunderbird app-linux-pdf-converter app-linux-img-converter 
> app-linux-input-proxy app-linux-usb-proxy app-linux-snapd-helper 
> app-shutdown-idle app-yubikey app-u2f mgmt-salt mgmt-salt-base 
> mgmt-salt-base-topd mgmt-salt-base-config mgmt-salt-base-overrides 
> mgmt-salt-dom0-qvm mgmt-salt-dom0-virtual-machines mgmt-salt-dom0-update 
> infrastructure meta-packages dbus manager desktop-linux-common 
> desktop-linux-kde desktop-linux-xfce4 desktop-linux-i3 desktop-linux-awesome 
> desktop-linux-manager linux-dom0-updates linux-pvgrub2 linux-gbulb 
> linux-scrypt linux-template-builder installer-qubes-os linux-yum linux-deb 
> antievilmaid xscreensaver builder builder-rpm builder-debian template-whonix'
> 
> As I wrote 
> https://groups.google.com/d/msgid/qubes-users/AM0PR04MB590621E2E36C66F18DBBB4B8D2B30%40AM0PR04MB5906.eurprd04.prod.outlook.com?utm_medium=email_source=footer
> I would like to rebuild a component which includes my BIOS SLIC information. 
> The changes should be part of `vmm-xen` component.
> 
> And yes I would like to create the whole ISO with just those changes ... if 
> possible.
> Currently a fresh install with the original Qubes ISO is not possible for me. 
> I have some trouble to install from USB device (dd'ed the ISO to flash) and I 
> even with external USB DVD.
> Installer works as expected without errors but after 

[qubes-users] Dom0 Error

2019-01-08 Thread remresalexander
Acer Aspire A515-51G-303X
Qubes 4

Error Prompt
https://www.file-upload.net/download-13462178/IMG_20190108_145008.jpg.html

How can I go to the libxl-driver.log file?
https://www.file-upload.net/download-13462203/IMG_20190108_171610.jpg.html

Does someone know a solution for that problem?



Re: [qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread unman
On Tue, Jan 08, 2019 at 04:25:00AM -0800, simon.new...@gmail.com wrote:
> As per subject, does anyone use things such as AIDE (or other file integrity 
> IDS) ?
> 
> I understand the security model is "if dom0 is compromised, you are fscked" 
> but it would be at least nice to have something that gave me a heads up if 
> such an event happens.
> 

I use tripwire - primarily in dom0, but also in selected qubes.
Also periodic rpm -aV in dom0.
As you say, always nice to know if the game's up.


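A periodic `rpm -Va` run like the one mentioned in the reply above prints one line per file that deviates from the package database. The following is an added example (not code from this thread or from the Qubes project) that triages that output and reports only what is new since the previous run; the severity scale, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# One `rpm -Va` line: a 9-character result string (8 on older rpm) or the word
# "missing", an optional file-type marker (c=config, d=doc, g=ghost,
# l=license, r=readme), then the absolute path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Character rpm prints in the result string when that test fails.
TESTS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}


class Finding(NamedTuple):
    severity: str   # "alert", "review" or "info": this example's own scale
    path: str
    failed: tuple   # names of the failed tests, or ("missing",)


def classify(failed, attr):
    """Assumed triage policy; tune it to your own dom0."""
    if failed == ("missing",):
        return "review" if attr else "alert"
    if set(failed) <= {"mtime"}:
        return "info"        # timestamp-only change, content still verifies
    if attr == "c":
        return "review"      # config files change with local edits
    return "alert"           # packaged binary, library or script differs


def triage(output):
    """Parse raw `rpm -Va` text into a list of Finding tuples."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue         # e.g. "Unsatisfied dependencies for ..." lines
        if m["flags"] == "missing":
            failed = ("missing",)
        else:
            # "." = test passed, "?" = test could not be run; neither fails
            failed = tuple(TESTS[c] for c in m["flags"] if c in TESTS)
        if failed:
            findings.append(
                Finding(classify(failed, m["attr"]), m["path"], failed))
    return findings


def new_since(previous, current):
    """Findings in the current run that the previous run did not report."""
    seen = set(triage(previous))
    return [f for f in triage(current) if f not in seen]


# Constructed sample output with hypothetical paths, not from a real dom0.
LAST_RUN = """\
S.5....T.  c /etc/example.conf
.......T.    /usr/lib/example/data.py
"""
THIS_RUN = LAST_RUN + """\
S.5....T.    /usr/bin/example-tool
.M.......  c /etc/other.conf
missing     /usr/lib/example/helper.so
"""

if __name__ == "__main__":
    for f in new_since(LAST_RUN, THIS_RUN):
        print(f.severity, f.path, ",".join(f.failed))
```

`rpm -Va` compares files against the local RPM database, so the result is the heads-up asked for in the thread rather than proof that dom0 is clean.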


[qubes-users] How do i setup correctly an OpenMediaVault in Qubes?

2019-01-08 Thread marmot-te
Hi,

What I already tried is here:
https://forum.openmediavault.org/index.php/Thread/25472-OMV-inside-QubesOs-web-gui-innaccessible/?postID=192084#post192601



Re: [qubes-users] Document change request

2019-01-08 Thread unman
On Tue, Jan 08, 2019 at 02:29:42PM +0100, Achim Patzner wrote:
> On 20190108 at 00:54 + 'awokd' via qubes-users wrote:
> > unman wrote on 1/7/19 11:31 PM:
> > > It is, of course, still linked as /usr/lib/qubes/bind-dirs.sh
> > > 
> > Achim, why did you think it was init?
> 
> [user@work applications]$ sudo find / -name bind-dirs.sh
> find: ‘/run/user/1000/doc’: Permission denied
> find: ‘/run/user/1000/gvfs’: Permission denied
> /usr/lib/qubes/init/bind-dirs.sh
> [user@work applications]$ uname -a
> Linux work 4.19.12-3.pvops.qubes.x86_64 #1 SMP Wed Dec 26 22:31:51 UTC
> 2018 x86_64 x86_64 x86_64 GNU/Linux
> [user@work applications]$ 
> 

I see that in Fedora template - in my Debian it's there with a link at 
/usr/lib/qubes/bind-dirs.sh
Interesting.



Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)

2019-01-08 Thread 22rip
Just played around again with the sun icon, this time starting my whonix-gw 
template used for template updates prior, a couple of observations:

Seems to work fine when updating Debian and Fedora 29 templates, at least the 
messages I get in the details appear positive, listing the updates/changes, 
green check marks, etc

However when I try to update my whonix14 templates (both -ws and -gw) I get 
what appears to be errors. I still don't know how to copy errors from Dom0 to 
an appvm but the errors end with:

File"/var...salt...futures import cancelledError
ImportError: No module named concurrent.futures
...

A little background on my Qubes...I started using Qubes out of an immediate 
need for security and have been backing in to how to use it over the last few 
years. I consider myself pretty good but I am still missing what appears to be 
basic skills.

How do I check:
/etc/qubes-rpc/policy/qubes.UpdatesProxy

Sorry to ask but can you explain in more detail?

Thanks again Qubes and all those contributing...I really appreciate it! I'll 
document what I can using this feature...
 





Re: [qubes-users] old version of xscreensaver

2019-01-08 Thread Sven Semmler

On 1/4/19 9:08 AM, Stuart Perkins wrote:
> GUI of choice is a very personal thing.  I am more pragmatic and 
> don't like "dancing" icons and starting all of my application
> names with K...or G for that matter...but to each his own.  I am
> "slightly" impaired visually, and the simpler and more clean a GUI,
> the better for me.  I have to spend many hours in front of a screen
> each day.

Just for completeness: Qubes does support i3. It certainly is an
acquired taste, but for some (like me) it's the very best solution out
there. It is for sure "simple & clean".

https://www.youtube.com/watch?v=Wx0eNaGzAZU

/Sven


RE: [qubes-users] Re: Which parts of qubes-builder are guaranteed to work/supported?

2019-01-08 Thread Robert Rettig
> > > Right now I'm not even getting to centos-7:
> > > 
> > > make get-sources get-sources-extra qubes-vm is stopping at
> > > 
> > > -> Installing core RPM packages...
> > > error: Failed dependencies:
> > >   glibc = 2.28-9.fc29 is needed by
> > > glibc-all-langpacks-2.28-9.fc29.x86_64
> > >   glibc-common = 2.28-9.fc29 is needed by
> > > glibc-all-langpacks-2.28-9.fc29.x86_64
> > > make[1]: ***
> > > [/home/user/qubes-builder/qubes-src/builder-rpm/Makefile-legacy.rpmbuilder:35:
> > >  
> > > /home/user/qubes-builder/chroot-fc29/home/user/.prepared_base] Error 
> > > 1
> > > make: *** [Makefile:217: vmm-xen-vm] Error 1
> > 
> > Different environment. Started with a generic/fedora29 box (see 
> > https://app.vagrantup.com/generic/boxes/fedora29 )
> > 
> > Got same error but different reason
> > https://pastebin.com/raw/Efi5JQKU
> > 
> > ```
> > E: Failed to fetch 
> > https://deb.debian.org/debian/pool/main/r/reprepro/reprepro_4.16.0-1_amd64.deb
> >   GnuTLS recv error (-54): Error in the pull > function.
> > 
> > E: Unable to fetch some archives, maybe run apt-get update or try with 
> > --fix-missing?
> > make[1]: *** 
> > [/home/vagrant/qubes-builder/qubes-src/builder-debian/Makefile.debian:
> > 176: 
> > /home/vagrant/qubes-builder/chroot-jessie/home/user/.prepared_base] 
> > Error 100 ```
> > 
> > How can I resume the broken build?
> > 
>
> Obviously you have had some network issue, so downloads have failed for 
> jessie. (Why Jessie? Latest Whonix is based on stretch.) It doesn't look as if 
> you built much (anything) so you should be able to just start the build again.
> I recommend breaking the build down to separate distros, rather than building 
> all at once. Also, you can use make qubes-vm and make template as
> separate steps.
>
> If you use a caching proxy upstream from the build device then this helps to 
> mitigate the pain, and also dramatically speeds up template updates. Since
> you are downloading to update templates anyway, why download again to build 
> (vice versa)

The build, especially the gcc, takes a lot of time. The network issue happened 
somehow at night.
Therefore I asked how to resume and retry the build without building gcc again 
... .
Normally I would assume if a component like gcc is built upfront that it will 
be used from later components.

To make it more clear what I did.
Essentially I followed the rabbit in the documentation from
https://www.qubes-os.org/faq/#how-do-i-build-qubes-from-sources
to https://www.qubes-os.org/doc/qubes-builder/ 
to https://www.qubes-os.org/doc/qubes-r3-building/ .
Maybe that needs some cleanup and pick up your recommendation "breaking the 
build down to separate distros"?

I choose `qubes` meta target as it should "build all required components in 
correct order".
"List of components is configured in builder.conf. You can also check the 
current value at the end of make help, or using make build-info."
For me that shows up
'gcc vmm-xen core-libvirt core-vchan-xen core-qubesdb linux-utils python-cffi 
python-xcffib python-sphinx python-pillow python-quamash python-objgraph 
python-hid python-u2flib-host core-admin core-admin-client 
core-admin-addon-whonix core-admin-linux core-agent-linux intel-microcode 
linux-firmware linux-kernel artwork gui-common gui-daemon gui-agent-linux 
gui-agent-xen-hvm-stubdom vmm-xen-stubdom-linux app-linux-split-gpg 
app-linux-tor app-thunderbird app-linux-pdf-converter app-linux-img-converter 
app-linux-input-proxy app-linux-usb-proxy app-linux-snapd-helper 
app-shutdown-idle app-yubikey app-u2f mgmt-salt mgmt-salt-base 
mgmt-salt-base-topd mgmt-salt-base-config mgmt-salt-base-overrides 
mgmt-salt-dom0-qvm mgmt-salt-dom0-virtual-machines mgmt-salt-dom0-update 
infrastructure meta-packages dbus manager desktop-linux-common 
desktop-linux-kde desktop-linux-xfce4 desktop-linux-i3 desktop-linux-awesome 
desktop-linux-manager linux-dom0-updates linux-pvgrub2 linux-gbulb linux-scrypt 
linux-template-builder installer-qubes-os linux-yum linux-deb antievilmaid 
xscreensaver builder builder-rpm builder-debian template-whonix'

As I wrote 
https://groups.google.com/d/msgid/qubes-users/AM0PR04MB590621E2E36C66F18DBBB4B8D2B30%40AM0PR04MB5906.eurprd04.prod.outlook.com?utm_medium=email_source=footer
I would like to rebuild a component which includes my BIOS SLIC information. 
The changes should be part of `vmm-xen` component.

And yes I would like to create the whole ISO with just those changes ... if 
possible.
Currently a fresh install with the original Qubes ISO is not possible for me. I 
have some trouble installing from a USB device (dd'ed the ISO to flash) and 
even with an external USB DVD.
The installer works as expected without errors, but after rebooting the PC it 
shows a black screen with no errors and is halted (only holding down the power 
switch for >=4s works).



Re: [qubes-users] Document change request

2019-01-08 Thread Achim Patzner
On 20190108 at 00:54 + 'awokd' via qubes-users wrote:
> unman wrote on 1/7/19 11:31 PM:
> > It is, of course, still linked as /usr/lib/qubes/bind-dirs.sh
> > 
> Achim, why did you think it was init?

[user@work applications]$ sudo find / -name bind-dirs.sh
find: ‘/run/user/1000/doc’: Permission denied
find: ‘/run/user/1000/gvfs’: Permission denied
/usr/lib/qubes/init/bind-dirs.sh
[user@work applications]$ uname -a
Linux work 4.19.12-3.pvops.qubes.x86_64 #1 SMP Wed Dec 26 22:31:51 UTC
2018 x86_64 x86_64 x86_64 GNU/Linux
[user@work applications]$ 



[qubes-users] Does anyone use any integrity checking in Dom0

2019-01-08 Thread simon . newton
As per subject, does anyone use things such as AIDE (or other file integrity 
IDS) ?

I understand the security model is "if dom0 is compromised, you are fscked" but 
it would be at least nice to have something that gave me a heads up if such an 
event happens.



Re: [qubes-users] Re: Qube max storage size

2019-01-08 Thread simon . newton
On Monday, January 7, 2019 at 3:03:00 PM UTC, unman wrote:
> On Mon, Jan 07, 2019 at 07:52:25AM -0600, Stuart Perkins wrote:
> > 
> > 
> > On Sun, 6 Jan 2019 07:41:35 -0800 (PST)
> > Plex  wrote:
> > 
> > >On Sunday, January 6, 2019 at 3:20:08 PM UTC, Plex wrote:
> > >> Is there a technical limitation/reason why a qube private max storage 
> > >> size can only go to 1048576MiB in qube manager? Is this a limitation 
> > >> with the qube itself or qube manager?
> > >> 
> > >> TIA  
> > >
> > >I should RTFM
> > >
> > >https://www.qubes-os.org/doc/resize-disk-image/
> > >
> > 
> > but..asking questions introduces the topic to the rest of the mailing list, 
> > and does indeed serve a purpose.  :)
> > 
> 
> And I had assumed you *had* RTFM and it was that that raised the
> question. Why IS there this limitation in the manager?

Hmm, good point - it's not in the underlying so it's likely in the manager code 
itself I would imagine.



[qubes-users] 4.0.1

2019-01-08 Thread joeh9617
I see you guys (or is it folks?) replaced the 4.0.1pre1 with the 4.0.1, thank 
you for that! :)
