Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread Unman
On Mon, Dec 11, 2017 at 06:03:20PM +, 'Tom Zander' via qubes-users wrote:
> On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> > This is a case where "making stuff work a lot nicer" isn't necessarily a
> > good idea.
> 
> The "lot nicer" is that it is quite a bit faster and error handling is much 
> better.
> 
If you are updating over Tor (as op seems to) the speed won't change.

> >  I don't think you should advise against this without explaining the risks.
> 
> Can you perhaps explain what you think those risks are?
> 
> To me it boils down to; don't run any software except for "software upgrades" 
> in your template.
> 
> I'm wondering if this is a "protect the user from himself" or something real.
> 

It's a "protect the user from himself" thing, and real. I don't
understand why you would put these in opposition. The TemplateVM is as
trusted as the most trusted qube based on it - it makes sense to keep it
as isolated as possible, and to restrict user activities.
Not having network access also helps mitigate risks from potentially
malicious software and install scripts.
I personally preferred it when the proxy filtered access, and run it like
this in my set-up. I also use a caching proxy instead of tinyproxy.

Of course, you don't need to use the proxy - you can install software
from wherever you like and allow unrestricted access from the Template, if
you choose. You don't need to validate software before installing. You
can do whatever you like, and Qubes will let you do it. That doesn't mean
it's a good idea.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171211183251.2gknth3gy7elnkgc%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
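
An added example (not written by any poster in this thread, and not Qubes project code): a small audit for the arrangement discussed here, flagging templates that have a netvm attached and package-manager configs that no longer point at the update proxy on localhost port 8082. The sample input is constructed, the qube names are made up, and the pipe-separated `qvm-ls --raw-data --fields NAME,CLASS,NETVM` layout with `-` for an empty netvm is an assumption.

```shell
#!/bin/bash
# Constructed sample in the assumed shape of dom0's
#   qvm-ls --raw-data --fields NAME,CLASS,NETVM
# ("-" is assumed to mean "no netvm"; all qube names are made up).
SAMPLE_QVM_LS='debian-9|TemplateVM|-
archlinux|TemplateVM|sys-firewall
work|AppVM|sys-firewall
sys-net|AppVM|-'

# Constructed package-manager config snippets (apt syntax).
SAMPLE_APT_OK='Acquire::http::Proxy "http://127.0.0.1:8082/";'
SAMPLE_APT_DISABLED='# Acquire::http::Proxy "http://127.0.0.1:8082/";'

# Read qvm-ls style lines on stdin and print every TemplateVM
# that has a netvm attached (i.e. is directly network connected).
networked_templates() {
    awk -F'|' '$2 == "TemplateVM" && $3 != "" && $3 != "-" { print $1 }'
}

# Read package-manager config text on stdin and classify it:
#   proxied      an active proxy line points at loopback port 8082
#   other-proxy  an active proxy line points somewhere else
#   direct       no active proxy line (removed or commented out)
proxy_status() {
    local active
    # Ignore comment lines, then keep only lines that mention a proxy.
    active=$(grep -Ev '^[[:space:]]*(#|//)' | grep -i 'proxy' || true)
    if [ -z "$active" ]; then
        echo direct
    elif printf '%s\n' "$active" |
         grep -Eq 'https?://(127\.0\.0\.1|localhost):8082([/"; ]|$)'; then
        echo proxied
    else
        echo other-proxy
    fi
}

echo "Templates with a netvm attached:"
printf '%s\n' "$SAMPLE_QVM_LS" | networked_templates
echo "Active apt config:   $(printf '%s\n' "$SAMPLE_APT_OK" | proxy_status)"
echo "Commented-out proxy: $(printf '%s\n' "$SAMPLE_APT_DISABLED" | proxy_status)"
```

On a real system the first function would be fed from dom0 and the second from the template's own package-manager configuration.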


Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 17:48:45 GMT Unman wrote:
> This is a case where "making stuff work a lot nicer" isn't necessarily a
> good idea.

The "lot nicer" is that it is quite a bit faster and error handling is much 
better.

>  I don't think you should advise against this without explaining the risks.

Can you perhaps explain what you think those risks are?

To me it boils down to; don't run any software except for "software upgrades" 
in your template.

I'm wondering if this is a "protect the user from himself" or something real.



Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread Unman
On Mon, Dec 11, 2017 at 01:06:28PM +, 'Tom Zander' via qubes-users wrote:
> On Monday, 11 December 2017 12:43:37 GMT haaber wrote:
> > On 12/11/2017 06:31 AM, Connor Page wrote:
> > > did you update it in R4 before cloning and upgrading?
> > > 
> > > templates establish a connection to a proxy running in some netvm defined
> > > in dom0 over a vchan.
> > yes, I did. I had to run apt-get dist-upgrade -d  a dozen times (and
> > spread over half a day) to fetch all ~800 packages. Now that they are
> > there, I can install normally. I got the impression that changing
> > identity in anon-browser (and hence resetting tor connections) improved
> > the #{of error messages} per apt-get run.  But this is no science, just
> > a feeling.  Bernhard
> 
> I still have not figured this out myself, but I can help you with one step of 
> the puzzle.
> 
> In the archlinux template I noticed a config file is re-created every time I 
> boot by someone. The config file for the package manager sets a (http) proxy 
> to localhost, port 8082
> 
> Removing that config (so it stops using the proxy) and enabling the 
> networking on the qube makes stuff work a lot nicer.
> 
> Also, do check if you updated your /etc/apt/sources to use a local mirror.

It's a basic part of securing the template that you don't make it network
connected - that's what the proxy mechanism is for. I don't think you
should advise against this without explaining the risks. Use of an
update proxy for templates has been a long standing part of Qubes - it
used to contain rules to restrict what the template could connect to,
but this was removed some time back - you can reinstate those controls
if you wish.

This is a case where "making stuff work a lot nicer" isn't necessarily a
good idea.

Also, if you're using Whonix it suggests you have some concern about
your anonymity, so setting a local mirror would not be recommended. (And
if you are updating over Whonix, pointless.)

unman




Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread Connor Page
Please refer to Qubes issue #3118 which spells it out.



Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread 'Tom Zander' via qubes-users
On Monday, 11 December 2017 11:31:22 GMT Connor Page wrote:
> templates establish a connection to a proxy running in some netvm defined
> in dom0 over a vchan.

Would you be able to repeat that in English? :-)




Re: [qubes-users] Q4: vm-templates and updates

2017-12-11 Thread haaber
On 12/11/2017 06:31 AM, Connor Page wrote:
> did you update it in R4 before cloning and upgrading?
> 
> templates establish a connection to a proxy running in some netvm defined in 
> dom0 over a vchan.
> 
yes, I did. I had to run apt-get dist-upgrade -d  a dozen times (and
spread over half a day) to fetch all ~800 packages. Now that they are
there, I can install normally. I got the impression that changing
identity in anon-browser (and hence resetting tor connections) improved
the #{of error messages} per apt-get run.  But this is no science, just
a feeling.  Bernhard



[qubes-users] Q4: vm-templates and updates

2017-12-11 Thread Connor Page
did you update it in R4 before cloning and upgrading?

templates establish a connection to a proxy running in some netvm defined in 
dom0 over a vchan.



[qubes-users] Q4: vm-templates and updates

2017-12-11 Thread haaber
Hello,
I try to understand the update process in Q4: according to qvm-ls the
vm-templates have *no* SYSNET.  How do they update (they do!) ?

I came to this question since a dist-upgrade to stretch in a
debian-8-clone is (a) slow (suggesting sys-whonix as connections) and
(b) loses 1 out of 4 package downloads with " 500 unable to connect" so
that I have to run apt-get over and over to collect all packages.

Some explanation? Best, Bernhard
