Qubes-Whonix Development / Qubes Integration

Patrick · July 20, 2023, 11:55am

Qubes R4.2: The Qubes-Whonix 17 Templates were migrated to qubes-templates-community repository just now.

Patrick · August 6, 2023, 5:35pm

Patrick · August 29, 2023, 8:28pm

github.com/QubesOS/qubes-issues

bind-dirs wrong user / group permissions

opened 08:14PM - 29 Aug 23 UTC

adrelanos

T: bug P: default

### Qubes OS release R4.2 ### Brief summary User / group permissions in… [Qubes `bind-dirs` directory](https://www.qubes-os.org/doc/bind-dirs/) are wrong. ### Steps to reproduce Not sure. Might happen by swapping the the underlying Template of a App Qube for another Template or by restoring a VM using Qubes VM backup (which could be similar to the former). ### Expected behavior Correct user / group permissions. ### Actual behavior In corner cases, wrong user / group permissions. ### Additional information * For tracking purposes: This is not a Whonix specific issue. This is a general issues with Qubes bind-dirs. * Affects Qubes-Whonix: Yes. In corner cases users have to run a [Tor permissions fix](https://www.whonix.org/wiki/Tor#Permissions_Fix) because Tor fails to start due to wrong folder permissions. I was now able to most likely pin this issue to Qubes bind-dirs. The permissions in folder `/rw/bind-dirs` (where the fully-persistent data in App Qube resides) (for example "`/rw/bind-dirs/var/lib/tor`") are wrong to begin with. Therefore bind-dirs will mount it also with the wrong permissions as a follow-up error. Why are the user / group permissions in `/rw/bind-dirs` wrong to begin with? Because while Template A and Template B might use the same user / group names (example: "`debian-tor`"), the user identifier (`UID`) and group identifier (`GID`), which are numeric, are most likely different. Unfortunately, Linux stores UID / GID as number in the filesystem, not as literal names.

Patrick · September 4, 2023, 10:14am

add UpdateVM setting to qubes-vm-settings · Issue #3412 · QubesOS/qubes-issues · GitHub

github.com/QubesOS/qubes-issues

UpdateVM usability issue: renaming sys-net or sys-whonix results in Template upgrades being broken / notify about non-existing UpdatesProxy

opened 10:04AM - 04 Sep 23 UTC

adrelanos

T: bug ux P: default needs diagnosis C: updates affects-4.2

### Qubes OS release R4.2 ### Brief summary After renaming, * `sys-n…et` to `sys-net-customized` or * `sys-whonix` to `sys-whonix-customized-name`, Template upgrades are broken. ### Steps to reproduce 1. rename VMs UpdateVM (sys-net or sys-whonix) to something else 2. try to upgrade a TemplateVM ### Expected behavior Functional upgrades or at least some error message with advice how to fix the issue. ### Actual behavior Broken upgrades. ### Additional Maybe there should be an error popup (or something): * "Attempted to use non-existent UpdatesProxy sys-net." * "Attempted to use non-existent UpdatesProxy sys-whonix." "Check your Qubes UpdatesProxy configuration." Still not terribly useful. Hence I will shortly suggest an alternative in a related ticket: * https://github.com/QubesOS/qubes-issues/issues/3412

Patrick · September 5, 2023, 1:20pm

github.com/QubesOS/qubes-issues

avoid calling it GUI domain a "compromise solution" / clarify passthrough security vs usability feature

opened 01:19PM - 05 Sep 23 UTC

adrelanos

T: bug P: default

Quote https://www.qubes-os.org/news/2020/03/18/gui-domain/#the-compromise-soluti…on > The compromise solution This can cause a lot of confusion. I can follow your train of thought in the blog post. 1. best solution - [`GPU passthrough: the perfect-world desktop solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#virtual-server-the-perfect-remote-solution) 2. next best solution - [`Virtual server: the perfect remote solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#gpu-passthrough-the-perfect-world-desktop-solution) 3. third best solution - [`The compromise solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#the-compromise-solution) But this is far too complex for users to property contextualize. The problem is, the word `compromise` (also meaning "I got hacked") is very close to `compromised`. The `compromise` here implies "less secure". And yes, it might be "less secure". The fallacious interpretation is "then better don't use it". Less secure than what? Less secure than not using GUI domain at all? No. What the real ordering from best to worst security is, as far as I understand is the following: 1. best solution - Qubes [`GPU passthrough: the perfect-world desktop solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#virtual-server-the-perfect-remote-solution) 2. next best solution - Qubes [`Virtual server: the perfect remote solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#gpu-passthrough-the-perfect-world-desktop-solution) 3. third best solution - Qubes [`The compromise solution`](https://www.qubes-os.org/news/2020/03/18/gui-domain/#the-compromise-solution) 4. fourth best solution - Qubes without GUI domain 5. non-Qubes This also seems weird `compromise solution` is used in the following context: Quote https://www.qubes-os.org/doc/gui-domain/ > Here, we describe how to setup sys-gui that we call hybrid mode or referenced as a compromise solution in [GUI domain](https://www.qubes-os.org/news/2020/03/18/gui-domain/#the-compromise-solution). The next source of confusion exaggerating this issue is the word `passthrough` which is easily understood and already tagged as a negative word in this context. This is because quote [](https://www.qubes-os.org/doc/how-to-use-pci-devices/). > Attaching a PCI device to a qube has serious security implications. PCI passthrough and GPU passthrough are historically have often been usability features. Not security features. Using PCI passthrough has been used as a compromise to make certain devices work Or GPU passthrough might be useful for graphically intense applications such as gaming. However, using passthrough of devices to a dedicated VMs `sys-gui` / `sys-audio` is a security feature, not a usability feature. Qubes documentation is very technical but it lacks contextualization of the very essentials for laymen. These are easy to add. I can send some pull requests. Instead of `compromise` I would suggest words such as `reasonable` or `feasible`. The `compromise solution` could be renamed to the `hybrid solution`. Please correct me if my understanding is wrong.

Patrick · September 17, 2023, 8:45pm

github.com/QubesOS/qubes-issues

Qubes templates build command gpg issue Signature was created after the --not-after date

opened 08:44PM - 17 Sep 23 UTC

adrelanos

T: bug P: default

quote https://github.com/QubesOS/updates-status/issues/566#issuecomment-17222113…33 @fepitre > > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > > Build-template r4.2 whonix-gateway-17 202309150833 -----BEGIN PGP SIGNATURE----- > > iQKTBAEBCAB9FiEEbpebKKbzfEO+MK+hy41Qu3e7PEgFAmUEF2tfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDZF OTc5QjI4QTZGMzdDNDNCRTMwQUZBMUNCOEQ1MEJCNzdCQjNDNDgACgkQy41Qu3e7 PEgjJw//Vem9ff/a8isIUM37m2MI9SJNzvuK/NDla/ma3r6JnalewKjGLS6zc/Gh 2DXkNhOJgC3RpbwE6vfb2/tbOkNumu5BQ7g4yt+E8ay3qHHIw916RmbDVNdIM3MA uG7o86KUDA3G1ouz0JXFI6yxppMbWFuM7UuQb2Hhji2bVD53Mmx/8OgdK3X52vYN joYptgHwM+LEyZID1xDMK9fMl+OvPAaaOTHx57tg5z8VhBM6JPknTjfZp5m0Qx8p PgJMvmvos/28H5H1QFZkWrY1BGQVpavUqWOAhRev6RpQRyIO1li2Wh9pbLN7LPJO +66RiYLsgGOixVYOJ/QUIwL26NXgZYrpQuzafn2kBZ9LqtD6F9YmNayC9ZO1JiHT 1M9O8Nhd612pyNdRwbeECUITCuqZ3GgLsbWXELxxV/nTkr/vAjLOG3xqOVslnVMc KcQGkqjuSz2n1f5v0hCTMBJ3Ha2V/1pWWt9oX4iQv00Ss03FL33aMMZwiuWLNGcP GtZaFflkykGyL7aO9YXeuxgFc20aDIS3CZZ4HjkPbU8nxQOaQRI4xcEZqkpIT4+z vmjSXXzei6Qhk+0Tn9pA7i3IMLyoUopSuz9aTl9ilB3Hq15KbIi2mjCfcfGo/ASE mU82aGFkAR4aQjvyAMb0gSXP1L175J6GqD23EK76IvQTcpyt3i0= =HoSa -----END PGP SIGNATURE----- > > "Signature by 6E97.....48 was created after the --not-after date." Are you sure you used the key allowed here: https://github.com/QubesOS/qubes-release-configs/blob/main/R4.2/qubes-os-r4.2-templates-community.yml#L99? I didn't touch my gpg config and I don't mix other keys into that VM. So this issue is surprising.

Patrick · September 27, 2023, 5:46pm

github.com/QubesOS/qubes-issues

stop users for changing their `anon-whonix` Net Qube to `sys-firewall` to avoid IP leaks

opened 05:44PM - 27 Sep 23 UTC

adrelanos

T: bug P: default

### Qubes OS release R4.2 ### Brief summary Some users are shooting the…ir own feet by setting the Net Qube of `anon-whonix` to `sys-firewall`. See [this example](https://www.reddit.com/r/Whonix/comments/16taa0e/qubes_monero_blockchain_download/). There should be some protection in place in QVMM or otherwise to prevent this. ### Steps to reproduce 1. configure the Net Qube of `anon-whonix` to be `sys-firewall` 2. `curl.anondist-orig 1.1.1.1` ### Expected behavior simplified: Not possible to change `anon-whonix` to any VM other than `sys-whonix` as Net Qube. formalized: Prohibited by QVMM to change a VM with the `anon-vm` qvm-tag to use a VM without the `anon-gateway` qvm-tag. (I wouldn't be opposed to this being only a warning that the user can choose to ignore. But that part does not seem important. That part could remain "patches welcome".) ### Actual behavior Functional networking. IP leak. ### Additional information Whonix for VirtualBox does not have the issue of new users being able to reconfigure this. While possible for advanced users, not something as simple as point and click as it can be done with Qubes. Details here: https://github.com/QubesOS/qubes-issues/issues/3994#issuecomment-397229398

Patrick · October 3, 2023, 1:27am

github.com/QubesOS/qubes-issues

Integrate Whonix firewall with Qubes nftables rules

opened 01:26AM - 03 Oct 23 UTC

adrelanos

T: bug P: default

Whonix firewall making progress towards nftables and IPv6 support. [`/usr/bin…/whonix-gateway-firewall.nftables`](https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall.nftables) was historically scripting based. That worked well for iptables but nftables shells scripting is discouraged. [1] (The `.nftables` suffix is only to ease testing. It will be dropped in the final version. Will replace the old iptables version `/usr/bin/whonix-gateway-firewall`.) To keep the delta small, easier to review, the Whonix firewalls shell script writes an nftables firewall script and stores it in file `/var/lib/whonix-firewall/firewall.nft`. This is a solution for the nftables shell scripting issue. Here is the work in progress version of that generated nftables script: ``` #!/usr/sbin/nft -f flush ruleset add table inet filter add table nat add chain ip nat OUTPUT add chain ip nat PREROUTING create table ip filter add chain filter INPUT { type filter hook input priority 0; policy drop; } add chain filter FORWARD { type filter hook forward priority 0; policy drop; } add chain filter OUTPUT { type filter hook output priority 0; policy drop; } add rule ip filter INPUT ct state invalid counter drop add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack counter drop add rule ip filter INPUT tcp flags & (fin|syn) == fin|syn counter drop add rule ip filter INPUT tcp flags & (syn|rst) == syn|rst counter drop add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop add rule ip filter INPUT tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop add rule ip filter INPUT iifname vif* tcp dport 8082 counter accept add rule ip filter OUTPUT oifname vif* tcp sport 8082 counter accept add chain ip nat PR-QBS-SERVICES add rule ip nat PREROUTING counter jump PR-QBS-SERVICES add rule ip nat PR-QBS-SERVICES iifname vif* ip daddr 10.137.255.254 tcp dport 8082 counter redirect add rule ip nat OUTPUT ip protocol udp skuid tinyproxy ct state new counter dnat to 127.0.0.1:5400 add rule ip nat OUTPUT ip protocol tcp skuid tinyproxy ct state new counter dnat to 127.0.0.1:9041 add rule ip filter OUTPUT ip daddr 127.0.0.1 skuid tinyproxy ct state new udp dport 5400 counter accept add rule ip filter OUTPUT ip daddr 127.0.0.1 skuid tinyproxy ct state new tcp dport 9041 counter accept add rule ip filter INPUT iifname lo counter accept add rule ip filter INPUT ct state established counter accept add rule filter INPUT icmp type destination-unreachable icmp code frag-needed ct state related counter accept add rule ip filter INPUT ip protocol icmp counter drop add rule ip filter INPUT iifname eth0 ip protocol tcp tcp dport { 22,9050,9051,9150,9151 } counter accept add rule ip filter INPUT iifname eth0 ip protocol udp udp dport { 22,9050,9051,9150,9151 } counter accept add rule ip filter INPUT iifname vif* udp dport 5300 counter accept add rule ip filter INPUT iifname vif* tcp dport 9040 counter accept add rule ip filter INPUT iifname vif* tcp dport 9051 counter accept add rule ip filter INPUT iifname vif* tcp dport 9050 counter accept add rule ip filter INPUT iifname vif* tcp dport 9100 counter accept add rule ip filter INPUT iifname vif* tcp dport 9101 counter accept add rule ip filter INPUT iifname vif* tcp dport 9102 counter accept add rule ip filter INPUT iifname vif* tcp dport 9103 counter accept add rule ip filter INPUT iifname vif* tcp dport 9104 counter accept add rule ip filter INPUT iifname vif* tcp dport 9105 counter accept add rule ip filter INPUT iifname vif* tcp dport 9106 counter accept add rule ip filter INPUT iifname vif* tcp dport 9107 counter accept add rule ip filter INPUT iifname vif* tcp dport 9108 counter accept add rule ip filter INPUT iifname vif* tcp dport 9109 counter accept add rule ip filter INPUT iifname vif* tcp dport 9110 counter accept add rule ip filter INPUT iifname vif* tcp dport 9111 counter accept add rule ip filter INPUT iifname vif* tcp dport 9114 counter accept add rule ip filter INPUT iifname vif* tcp dport 9115 counter accept add rule ip filter INPUT iifname vif* tcp dport 9117 counter accept add rule ip filter INPUT iifname vif* tcp dport 9118 counter accept add rule ip filter INPUT iifname vif* tcp dport 9122 counter accept add rule ip filter INPUT iifname vif* tcp dport 9123 counter accept add rule ip filter INPUT iifname vif* tcp dport 9124 counter accept add rule ip filter INPUT iifname vif* tcp dport 9125 counter accept add rule ip filter INPUT iifname vif* tcp dport 9150 counter accept add rule ip filter INPUT iifname vif* tcp dport 9152-9189 counter accept add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9051 counter redirect to :9051 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9051 counter redirect to :9051 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9051 counter redirect to :9051 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9050 counter redirect to :9050 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9050 counter redirect to :9050 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9050 counter redirect to :9050 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9100 counter redirect to :9100 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9100 counter redirect to :9100 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9100 counter redirect to :9100 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9101 counter redirect to :9101 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9101 counter redirect to :9101 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9101 counter redirect to :9101 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9102 counter redirect to :9102 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9102 counter redirect to :9102 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9102 counter redirect to :9102 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9103 counter redirect to :9103 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9103 counter redirect to :9103 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9103 counter redirect to :9103 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9104 counter redirect to :9104 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9104 counter redirect to :9104 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9104 counter redirect to :9104 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9105 counter redirect to :9105 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9105 counter redirect to :9105 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9105 counter redirect to :9105 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9106 counter redirect to :9106 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9106 counter redirect to :9106 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9106 counter redirect to :9106 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9107 counter redirect to :9107 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9107 counter redirect to :9107 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9107 counter redirect to :9107 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9108 counter redirect to :9108 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9108 counter redirect to :9108 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9108 counter redirect to :9108 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9109 counter redirect to :9109 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9109 counter redirect to :9109 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9109 counter redirect to :9109 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9110 counter redirect to :9110 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9110 counter redirect to :9110 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9110 counter redirect to :9110 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9111 counter redirect to :9111 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9111 counter redirect to :9111 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9111 counter redirect to :9111 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9114 counter redirect to :9114 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9114 counter redirect to :9114 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9114 counter redirect to :9114 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9115 counter redirect to :9115 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9115 counter redirect to :9115 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9115 counter redirect to :9115 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9117 counter redirect to :9117 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9117 counter redirect to :9117 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9117 counter redirect to :9117 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9118 counter redirect to :9118 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9118 counter redirect to :9118 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9118 counter redirect to :9118 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9122 counter redirect to :9122 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9122 counter redirect to :9122 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9122 counter redirect to :9122 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9123 counter redirect to :9123 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9123 counter redirect to :9123 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9123 counter redirect to :9123 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9124 counter redirect to :9124 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9124 counter redirect to :9124 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9124 counter redirect to :9124 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9125 counter redirect to :9125 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9125 counter redirect to :9125 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9125 counter redirect to :9125 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9150 counter redirect to :9150 add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9150 counter redirect to :9150 add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9150 counter redirect to :9150 add rule ip nat PREROUTING iifname vif* ip daddr 10.137.0.0/16 tcp dport 9152-9189 counter redirect add rule ip nat PREROUTING iifname vif* ip daddr 10.138.0.0/16 tcp dport 9152-9189 counter redirect add rule ip nat PREROUTING iifname vif* ip daddr 10.152.152.10 tcp dport 9152-9189 counter redirect add rule ip nat PREROUTING iifname vif* udp dport 53 counter redirect to :5300 add rule ip nat PREROUTING iifname vif* tcp flags & (fin|syn|rst|ack) == syn counter redirect to :9040 add rule ip filter INPUT counter drop add rule ip filter FORWARD counter reject with icmp type admin-prohibited add rule ip filter OUTPUT ct state invalid counter reject with icmp type admin-prohibited add rule ip filter OUTPUT ct state invalid counter reject with icmp type admin-prohibited add rule ip filter OUTPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack counter reject with icmp type admin-prohibited add rule ip filter OUTPUT tcp flags & (fin|syn) == fin|syn counter reject with icmp type admin-prohibited add rule ip filter OUTPUT tcp flags & (syn|rst) == syn|rst counter reject with icmp type admin-prohibited add rule ip filter OUTPUT ip frag-off & 0x1fff != 0 counter reject with icmp type admin-prohibited add rule ip filter OUTPUT tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter reject with icmp type admin-prohibited add rule ip filter OUTPUT tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter reject with icmp type admin-prohibited add rule ip nat OUTPUT skuid 104 counter return add rule ip nat OUTPUT skuid 102 counter return add rule ip nat OUTPUT skuid 100 counter return add rule ip filter OUTPUT ct state established counter accept add rule ip filter OUTPUT oifname lo counter accept add rule ip filter OUTPUT skuid 104 counter accept add rule ip filter OUTPUT skuid 102 counter accept add rule ip filter OUTPUT skuid 100 counter accept add rule ip filter OUTPUT counter reject with icmp type admin-prohibited ``` (iptables commands have been rewritten to nftables. Previous nftables commands are persisted as script comments for now comparison purposes.) The first line of the Whonix nftables script is: flush ruleset This seems to be good practice. And there's also no race condition due to nftables atomic replacement. However, this results in kicking out the Qubes nftables rules. This is what I mean by Qubes nftables rules that: ``` table ip qubes { set downstream { type ipv4_addr elements = { 10.137.0.68, 10.137.0.84 } } set allowed { type ifname . ipv4_addr elements = { "vif9.0" . 10.137.0.68, "vif11.0" . 10.137.0.84 } } chain prerouting { type filter hook prerouting priority raw; policy accept; iifgroup 2 goto antispoof ip saddr @downstream counter drop } chain antispoof { iifname . ip saddr @allowed accept counter drop } } table ip6 qubes { set downstream { type ipv6_addr } set allowed { type ifname . ipv6_addr } chain antispoof { iifname . ip6 saddr @allowed accept counter drop } chain prerouting { type filter hook prerouting priority raw; policy accept; iifgroup 2 goto antispoof ip6 saddr @downstream counter drop } } table inet qubes-nat-accel { flowtable qubes-accel { hook ingress priority filter devices = { eth0, eth1, lo, vif11.0, vif9.0 } } chain qubes-accel { type filter hook forward priority filter + 5; policy accept; meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel counter } } ``` How do you suggest `/usr/bin/whonix-gateway-firewall.nftables` (`.nftabels`) should load these Qubes nftables rules? Append the Qubes nftables rules source files to `/var/lib/whonix-firewall/firewall.nft`, run some systemd unit or script? ---- [1] https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rule_replacement#Warning_about_Shell_scripting_.2B_nftables

Patrick · October 3, 2023, 11:02am

qubes-template-whonix-workstation-17 4.2.0-202310030143 (r4.2) · Issue #4080 · QubesOS/updates-status · GitHub

Patrick · October 7, 2023, 3:58am

github.com/QubesOS/qubes-issues

tb-updater during Qubes build process failing issue

opened 03:58AM - 07 Oct 23 UTC

adrelanos

T: bug P: default

Build https://github.com/QubesOS/updates-status/issues/4080 was failing for myst…erious reasons. The last build succeeded. (With verbose mode enabled, which cannot become the final package version.) Did anything related to build machine setup change? It's a bit difficult to get to the button of of this. I was never able to reproduce this locally. Making a change and then issuing a new build command isn't very productive. Only happening on this build server. Can you run manually commands on the server to simulate the environment? Or some other suggestion so I can iterate and test faster? I disabled use of [`/usr/libexec/helper-scripts/curl-prgrs`](https://github.com/Kicksecure/helper-scripts/blob/master/usr/libexec/helper-scripts/curl-prgrs). Maybe something `curl-prgrs` does with streams (stdout, stderr) gets disrupted? By carefully reading curl man page option [--max-filesize <bytes>](https://manpages.debian.org/bookworm/curl/curl.1.en.html#max-filesize) one can conclude that it doesn't protest against an endless data attack (as described in the TUF threat model). `curl-prgrs` provides a nice progress bar (useful in terminal, not so much during Qubes build process) as well as environment variable `CURL_PRGRS_MAX_FILE_SIZE_BYTES` that can be used to prevent an endless data attack (or remote server bug). So I'd hope the functionality of `curl-prgrs` (progress bar + endless data attack/bug defense) can be kept. Replacing `curl-prgrs` with a more elegant and less code solution would be fine but that's hard, unrealistic.

Patrick · October 13, 2023, 3:21pm

github.com/QubesOS/qubes-issues

Whonix Template upgrades broken - tinyproxy[846]: Proxying refused on filtered domain "127.0.0.1"

opened 03:21PM - 13 Oct 23 UTC

adrelanos

T: bug P: default

### Qubes OS release Qubes 4.2 ### Brief summary Updates stopped workin…g for Whonix Templates. ### Steps to reproduce 1. Start a Whonix Template such as `whonix-gateway-17`. 2. `sudo apt update` ### Expected behavior Functional upgrades. ### Actual behavior Broken updates. ### Additional information `whonix-gateway-17` Template: curl.anondist-orig http://127.0.0.1:8082/ > curl: (1) Received HTTP/0.9 when not allowed > zsh: exit 1 curl.anondist-orig http://127.0.0.1:8082/ curl.anondist-orig http://127.0.0.1:8082/ curl: (1) Received HTTP/0.9 when not allowed zsh: exit 1 curl.anondist-orig http://127.0.0.1:8082/ `sys-whonix`: sudo journalctl -f -u qubes-updates-proxy.service > Oct 13 15:13:42 host tinyproxy[846]: Proxying refused on filtered domain "127.0.0.1" Did something change recently realted to Qubes UpdatesProxy?

Patrick · October 14, 2023, 5:57am

github.com/QubesOS/qubes-issues

qvm-features-request error during upgrade

opened 05:56AM - 14 Oct 23 UTC

adrelanos

T: bug P: default

### Qubes OS release R4.2 ### Brief summary `qvm-features-request` (par…t of `qubes-core-agent`) shows an error during upgrade. ### Steps to reproduce 1. Install `whonix-gateway-17` or `whonix-gateway-17`. ### Expected behavior No error. ### Actual behavior The following error. ``` Setting up whonix-shared-packages-dependencies-cli (3:23.8-1) ... Setting up qubes-core-agent (4.2.21-1+deb12u1) ... Installing new version of config file /etc/apt/sources.list.d/qubes-r4.list ... Removed "/etc/systemd/system/sysinit.target.wants/haveged.service". Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /lib/systemd/system/haveged.service. Leaving 'diversion of /etc/init/plymouth-shutdown.conf to /etc/init/plymouth-shutdown.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/prefdm.conf to /etc/init/prefdm.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/splash-manager.conf to /etc/init/splash-manager.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/start-ttys.conf to /etc/init/start-ttys.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/tty.conf to /etc/init/tty.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/serial.conf to /etc/init/serial.conf.qubes-orig by qubes-core-agent' Traceback (most recent call last): File "/usr/bin/qvm-features-request", line 88, in <module> sys.exit(main()) ^^^^^^ File "/usr/bin/qvm-features-request", line 79, in main qdb.write('/features-request/' + feature, value) qubesdb.Error: (0, 'Error') Traceback (most recent call last): File "/usr/bin/qvm-features-request", line 88, in <module> sys.exit(main()) ^^^^^^ File "/usr/bin/qvm-features-request", line 79, in main qdb.write('/features-request/' + feature, value) qubesdb.Error: (0, 'Error') qubes-sync-time.service is a disabled or a static unit not running, not starting it. qubes-update-check.service is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. Setting up qubes-core-agent-dom0-updates (4.2.21-1+deb12u1) ... Setting up sdwdate-gui (1:9.0-1) ... ``` ### Additional information * Affects Qubes-Whonix: yes * Caused by Whonix source code: no * Caused by Qubes source code: yes * Affects non-Whonix such as Debian templates: untested but quite likely ### Complete log ``` [template gateway user ~]% upgrade-nonroot Get:1 tor+https://deb.debian.org/debian bookworm InRelease [151 kB] Get:2 https://deb.qubes-os.org/r4.2/vm bookworm InRelease [2,513 B] Get:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB] Get:4 tor+https://deb.whonix.org bookworm InRelease [39.4 kB] Get:5 tor+https://deb.kicksecure.com bookworm InRelease [39.7 kB] Get:6 https://deb.qubes-os.org/r4.2/vm bookworm/main amd64 Packages [27.3 kB] Get:7 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/contrib amd64 Packages [7,100 B] Get:8 tor+https://deb.debian.org/debian bookworm-updates InRelease [52.1 kB] Get:9 tor+https://deb.kicksecure.com bookworm/contrib amd64 Packages [2,652 B] Get:10 tor+https://deb.whonix.org bookworm/non-free amd64 Packages [470 B] Get:11 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/main amd64 Packages [4,992 B] Get:12 tor+https://fasttrack.debian.net/debian bookworm-fasttrack/non-free amd64 Packages [496 B] Get:13 tor+https://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB] Get:14 tor+https://deb.kicksecure.com bookworm/main amd64 Packages [34.0 kB] Get:15 tor+https://deb.kicksecure.com bookworm/non-free amd64 Packages [1,374 B] Get:16 tor+https://deb.whonix.org bookworm/main amd64 Packages [13.8 kB] Get:17 tor+https://deb.debian.org/debian bookworm-backports InRelease [56.5 kB] Get:18 tor+https://deb.debian.org/debian bookworm/non-free amd64 Packages [96.9 kB] Get:19 tor+https://deb.debian.org/debian bookworm/main amd64 Packages [8,780 kB] Get:20 tor+https://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6,204 B] Get:21 tor+https://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB] Get:22 tor+https://deb.debian.org/debian bookworm-updates/main amd64 Packages [6,408 B] Get:23 tor+https://deb.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B] Get:24 tor+https://deb.debian.org/debian-security bookworm-security/main amd64 Packages [79.7 kB] Get:25 tor+https://deb.debian.org/debian bookworm-backports/contrib amd64 Packages [4,932 B] Get:26 tor+https://deb.debian.org/debian bookworm-backports/non-free amd64 Packages [1,284 B] Get:27 tor+https://deb.debian.org/debian bookworm-backports/main amd64 Packages [114 kB] Fetched 9,639 kB in 2min 16s (70.7 kB/s) Reading package lists... Done N: Repository 'tor+https://deb.debian.org/debian bookworm InRelease' changed its 'Version' value from '12.0' to '12.2' Reading package lists... Done Building dependency tree... Done Reading state information... Done Calculating upgrade... Done The following NEW packages will be installed: libgles2 libqubes-pure0 qubes-repo-templates snowflake-client The following packages will be upgraded: anon-apps-config anon-apt-sources-list anon-connection-wizard apparmor-profile-dist apparmor-profile-hexchat apparmor-profile-thunderbird apparmor-profile-torbrowser apparmor-profiles-kicksecure base-files bind9-dnsutils bind9-host bind9-libs bindp bootclockrandomization curl damngpl dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-x11 debian-archive-keyring debianutils desktop-config-dist dist-base-files dnf dnf-data dnsutils gir1.2-gtk-3.0 grub-common grub2-common gtk-update-icon-cache hardened-malloc helper-scripts icon-pack-dist initializer-dist kicksecure-dependencies-cli kicksecure-desktop-applications-xfce kicksecure-recommended-cli legacy-dist libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libcups2 libcurl3-gnutls libcurl4 libdbus-1-3 libgssapi-krb5-2 libgtk-3-0 libgtk-3-common libhwy1 libjavascriptcoregtk-4.1-0 libk5crypto3 libkrb5-3 libkrb5support0 libnftables1 libpam-modules libpam-modules-bin libpam-runtime libpam-systemd libpam0g libqrexec-utils2 libqubes-rpc-filecopy2 librsvg2-2 librsvg2-bin libssl3 libsystemd-shared libsystemd0 libudev1 libvpx7 libvte-2.91-0 libvte-2.91-common libwebkit2gtk-4.1-0 libwebp7 libwebpdemux2 libwebpmux3 libx11-6 libx11-data libx11-xcb1 libxml2 libxpm4 libyajl2 linux-libc-dev locales mate-notification-daemon mate-notification-daemon-common msgcollector msgcollector-gui nftables onion-grater open-link-confirmation openssl openvpn python3-dnf python3-qrexec qubes-core-agent qubes-core-agent-dom0-updates qubes-core-agent-nautilus qubes-core-agent-networking qubes-core-agent-passwordless-root qubes-core-agent-thunar qubes-core-qrexec qubes-gui-agent qubes-input-proxy-sender qubes-kernel-vm-support qubes-utils qubes-vm-dependencies qubes-whonix qubes-whonix-gateway qubes-whonix-gateway-packages-recommended qubes-whonix-shared-packages-recommended repository-dist repository-dist-wizard sdwdate sdwdate-gui security-misc setup-dist setup-wizard-dist sudo systemcheck systemd systemd-sysv timesanitycheck tor-control-panel tor-ctrl udev usability-misc uwt vm-config-dist whonix-base-files whonix-firewall whonix-gateway-default-applications-gui whonix-gateway-packages-dependencies-cli whonix-gateway-packages-dependencies-pre whonix-gateway-shared-packages-shared-meta whonix-shared-default-applications-gui whonix-shared-packages-dependencies-cli whonix-shared-packages-recommended-cli xserver-xorg-input-qubes xserver-xorg-qubes-common xserver-xorg-video-dummyqbs 144 upgraded, 4 newly installed, 0 to remove and 0 not upgraded. Need to get 87.8 MB of archives. After this operation, 11.3 MB of additional disk space will be used. Do you want to continue? [Y/n] Fetched 87.8 MB in 9min 13s (159 kB/s) Extracting templates from packages: 100% Preconfiguring packages ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../base-files_12.4+deb12u2_amd64.deb ... Unpacking base-files (12.4+deb12u2) over (12.4) ... Setting up base-files (12.4+deb12u2) ... Installing new version of config file /etc/debian_version ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../debianutils_5.7-0.5~deb12u1_amd64.deb ... Unpacking debianutils (5.7-0.5~deb12u1) over (5.7-0.4) ... Setting up debianutils (5.7-0.5~deb12u1) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libc6-dev_2.36-9+deb12u3_amd64.deb ... Unpacking libc6-dev:amd64 (2.36-9+deb12u3) over (2.36-9) ... Preparing to unpack .../libc-dev-bin_2.36-9+deb12u3_amd64.deb ... Unpacking libc-dev-bin (2.36-9+deb12u3) over (2.36-9) ... Preparing to unpack .../linux-libc-dev_6.1.55-1_amd64.deb ... Unpacking linux-libc-dev:amd64 (6.1.55-1) over (6.1.37-1) ... Preparing to unpack .../libc6_2.36-9+deb12u3_amd64.deb ... Unpacking libc6:amd64 (2.36-9+deb12u3) over (2.36-9) ... Setting up libc6:amd64 (2.36-9+deb12u3) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libc-bin_2.36-9+deb12u3_amd64.deb ... Unpacking libc-bin (2.36-9+deb12u3) over (2.36-9) ... Setting up libc-bin (2.36-9+deb12u3) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libpam0g_1.5.2-6+deb12u1_amd64.deb ... Unpacking libpam0g:amd64 (1.5.2-6+deb12u1) over (1.5.2-6) ... Setting up libpam0g:amd64 (1.5.2-6+deb12u1) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libpam-modules-bin_1.5.2-6+deb12u1_amd64.deb ... Unpacking libpam-modules-bin (1.5.2-6+deb12u1) over (1.5.2-6) ... Setting up libpam-modules-bin (1.5.2-6+deb12u1) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libpam-modules_1.5.2-6+deb12u1_amd64.deb ... Unpacking libpam-modules:amd64 (1.5.2-6+deb12u1) over (1.5.2-6) ... Setting up libpam-modules:amd64 (1.5.2-6+deb12u1) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../libpam-runtime_1.5.2-6+deb12u1_all.deb ... Unpacking libpam-runtime (1.5.2-6+deb12u1) over (1.5.2-6) ... Setting up libpam-runtime (1.5.2-6+deb12u1) ... (Reading database ... 47910 files and directories currently installed.) Preparing to unpack .../0-dbus-system-bus-common_1.14.10-1~deb12u1_all.deb ... Unpacking dbus-system-bus-common (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../1-dbus-session-bus-common_1.14.10-1~deb12u1_all.deb ... Unpacking dbus-session-bus-common (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../2-libsystemd-shared_252.17-1~deb12u1_amd64.deb ... Unpacking libsystemd-shared:amd64 (252.17-1~deb12u1) over (252.6-1) ... Preparing to unpack .../3-libpam-systemd_252.17-1~deb12u1_amd64.deb ... Unpacking libpam-systemd:amd64 (252.17-1~deb12u1) over (252.6-1) ... Preparing to unpack .../4-systemd_252.17-1~deb12u1_amd64.deb ... Unpacking systemd (252.17-1~deb12u1) over (252.6-1) ... Preparing to unpack .../5-libsystemd0_252.17-1~deb12u1_amd64.deb ... Unpacking libsystemd0:amd64 (252.17-1~deb12u1) over (252.6-1) ... Setting up libsystemd0:amd64 (252.17-1~deb12u1) ... (Reading database ... 47912 files and directories currently installed.) Preparing to unpack .../0-dbus-x11_1.14.10-1~deb12u1_amd64.deb ... Unpacking dbus-x11 (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../1-dbus-bin_1.14.10-1~deb12u1_amd64.deb ... Unpacking dbus-bin (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../2-dbus_1.14.10-1~deb12u1_amd64.deb ... Unpacking dbus (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../3-dbus-daemon_1.14.10-1~deb12u1_amd64.deb ... Unpacking dbus-daemon (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../4-libdbus-1-3_1.14.10-1~deb12u1_amd64.deb ... Unpacking libdbus-1-3:amd64 (1.14.10-1~deb12u1) over (1.14.6-1) ... Preparing to unpack .../5-libx11-6_2%3a1.8.4-2+deb12u2_amd64.deb ... Unpacking libx11-6:amd64 (2:1.8.4-2+deb12u2) over (2:1.8.4-2+deb12u1) ... Preparing to unpack .../6-libx11-xcb1_2%3a1.8.4-2+deb12u2_amd64.deb ... Unpacking libx11-xcb1:amd64 (2:1.8.4-2+deb12u2) over (2:1.8.4-2+deb12u1) ... Preparing to unpack .../7-libx11-data_2%3a1.8.4-2+deb12u2_all.deb ... Unpacking libx11-data (2:1.8.4-2+deb12u2) over (2:1.8.4-2+deb12u1) ... Setting up libsystemd-shared:amd64 (252.17-1~deb12u1) ... Setting up systemd (252.17-1~deb12u1) ... Installing new version of config file /etc/systemd/system.conf ... (Reading database ... 47912 files and directories currently installed.) Preparing to unpack .../00-systemd-sysv_252.17-1~deb12u1_amd64.deb ... Unpacking systemd-sysv (252.17-1~deb12u1) over (252.6-1) ... Preparing to unpack .../01-libssl3_3.0.11-1~deb12u1_amd64.deb ... Unpacking libssl3:amd64 (3.0.11-1~deb12u1) over (3.0.9-1) ... Preparing to unpack .../02-apparmor-profile-thunderbird_3%3a5.5-1_all.deb ... Unpacking apparmor-profile-thunderbird (3:5.5-1) over (3:5.4-1) ... Preparing to unpack .../03-apparmor-profile-torbrowser_3%3a8.7-1_all.deb ... Unpacking apparmor-profile-torbrowser (3:8.7-1) over (3:8.6-1) ... Preparing to unpack .../04-apparmor-profile-hexchat_3%3a5.0-1_all.deb ... Unpacking apparmor-profile-hexchat (3:5.0-1) over (3:4.9-1) ... Preparing to unpack .../05-apparmor-profiles-kicksecure_3%3a27.4-1_all.deb ... Unpacking apparmor-profiles-kicksecure (3:27.4-1) over (3:27.0-1) ... Preparing to unpack .../06-libc-l10n_2.36-9+deb12u3_all.deb ... Unpacking libc-l10n (2.36-9+deb12u3) over (2.36-9) ... Preparing to unpack .../07-locales_2.36-9+deb12u3_all.deb ... Unpacking locales (2.36-9+deb12u3) over (2.36-9) ... Preparing to unpack .../08-sudo_1.9.13p3-1+deb12u1_amd64.deb ... Unpacking sudo (1.9.13p3-1+deb12u1) over (1.9.13p3-1) ... Preparing to unpack .../09-helper-scripts_3%3a20.2-1_all.deb ... Unpacking helper-scripts (3:20.2-1) over (3:19.8-1) ... Preparing to unpack .../10-dist-base-files_3%3a10.2-1_all.deb ... Unpacking dist-base-files (3:10.2-1) over (3:9.6-1) ... Preparing to unpack .../11-apparmor-profile-dist_3%3a8.4-1_all.deb ... Unpacking apparmor-profile-dist (3:8.4-1) over (3:8.3-1) ... Preparing to unpack .../12-desktop-config-dist_3%3a8.7-1_all.deb ... Unpacking desktop-config-dist (3:8.7-1) over (3:7.9-1) ... Preparing to unpack .../13-setup-dist_3%3a8.2-1_all.deb ... Unpacking setup-dist (3:8.2-1) over (3:7.8-1) ... Preparing to unpack .../14-security-misc_3%3a29.4-1_all.deb ... addgroup: The group `sysfs' already exists as a system group. Exiting. addgroup: The group `cpuinfo' already exists as a system group. Exiting. adduser: The user `root' is already a member of `sudo'. addgroup: The group `console' already exists as a system group. Exiting. addgroup: The group `console-unrestricted' already exists as a system group. Exiting. adduser: The user `root' is already a member of `console'. Unpacking security-misc (3:29.4-1) over (3:29.3-1) ... Preparing to unpack .../15-repository-dist_3%3a9.6-1_all.deb ... Unpacking repository-dist (3:9.6-1) over (3:9.5-1) ... Preparing to unpack .../16-sdwdate_3%3a22.8-1_all.deb ... Unpacking sdwdate (3:22.8-1) over (3:22.5-1) ... Preparing to unpack .../17-msgcollector_3%3a9.5-1_all.deb ... Unpacking msgcollector (3:9.5-1) over (3:9.3-1) ... Preparing to unpack .../18-bootclockrandomization_3%3a6.2-1_all.deb ... Unpacking bootclockrandomization (3:6.2-1) over (3:6.0-1) ... Preparing to unpack .../19-timesanitycheck_3%3a6.0-1_all.deb ... Unpacking timesanitycheck (3:6.0-1) over (3:5.9-1) ... Preparing to unpack .../20-damngpl_3%3a4.0-1_all.deb ... Unpacking damngpl (3:4.0-1) over (3:3.9-1) ... Preparing to unpack .../21-initializer-dist_3%3a6.7-1_all.deb ... Unpacking initializer-dist (3:6.7-1) over (3:6.6-1) ... Preparing to unpack .../22-kicksecure-dependencies-cli_3%3a27.4-1_all.deb ... Unpacking kicksecure-dependencies-cli (3:27.4-1) over (3:27.0-1) ... Preparing to unpack .../23-kicksecure-desktop-applications-xfce_3%3a27.4-1_all.deb ... Unpacking kicksecure-desktop-applications-xfce (3:27.4-1) over (3:27.0-1) ... Preparing to unpack .../24-libgssapi-krb5-2_1.20.1-2+deb12u1_amd64.deb ... Unpacking libgssapi-krb5-2:amd64 (1.20.1-2+deb12u1) over (1.20.1-2) ... Preparing to unpack .../25-libkrb5-3_1.20.1-2+deb12u1_amd64.deb ... Unpacking libkrb5-3:amd64 (1.20.1-2+deb12u1) over (1.20.1-2) ... Preparing to unpack .../26-libkrb5support0_1.20.1-2+deb12u1_amd64.deb ... Unpacking libkrb5support0:amd64 (1.20.1-2+deb12u1) over (1.20.1-2) ... Preparing to unpack .../27-libk5crypto3_1.20.1-2+deb12u1_amd64.deb ... Unpacking libk5crypto3:amd64 (1.20.1-2+deb12u1) over (1.20.1-2) ... Preparing to unpack .../28-libxml2_2.9.14+dfsg-1.3~deb12u1_amd64.deb ... Unpacking libxml2:amd64 (2.9.14+dfsg-1.3~deb12u1) over (2.9.14+dfsg-1.2) ... Preparing to unpack .../29-bind9-dnsutils_1%3a9.18.19-1~deb12u1_amd64.deb ... Unpacking bind9-dnsutils (1:9.18.19-1~deb12u1) over (1:9.18.16-1~deb12u1) ... Preparing to unpack .../30-bind9-host_1%3a9.18.19-1~deb12u1_amd64.deb ... Unpacking bind9-host (1:9.18.19-1~deb12u1) over (1:9.18.16-1~deb12u1) ... Preparing to unpack .../31-bind9-libs_1%3a9.18.19-1~deb12u1_amd64.deb ... Unpacking bind9-libs:amd64 (1:9.18.19-1~deb12u1) over (1:9.18.16-1~deb12u1) ... Preparing to unpack .../32-dnsutils_1%3a9.18.19-1~deb12u1_all.deb ... Unpacking dnsutils (1:9.18.19-1~deb12u1) over (1:9.18.16-1~deb12u1) ... Preparing to unpack .../33-openvpn_2.6.3-1+deb12u1_amd64.deb ... Unpacking openvpn (2.6.3-1+deb12u1) over (2.6.3-1) ... Preparing to unpack .../34-curl_7.88.1-10+deb12u4_amd64.deb ... Unpacking curl (7.88.1-10+deb12u4) over (7.88.1-10) ... Preparing to unpack .../35-libcurl4_7.88.1-10+deb12u4_amd64.deb ... Unpacking libcurl4:amd64 (7.88.1-10+deb12u4) over (7.88.1-10) ... Preparing to unpack .../36-systemcheck_3%3a28.1-1_all.deb ... Unpacking systemcheck (3:28.1-1) over (3:26.9-1) ... Preparing to unpack .../37-usability-misc_3%3a16.8-1_all.deb ... Unpacking usability-misc (3:16.8-1) over (3:15.1-1) ... Preparing to unpack .../38-icon-pack-dist_3%3a4.2-1_all.deb ... Unpacking icon-pack-dist (3:4.2-1) over (3:4.1-1) ... Preparing to unpack .../39-open-link-confirmation_3%3a5.8-1_all.deb ... Unpacking open-link-confirmation (3:5.8-1) over (3:5.4-1) ... Preparing to unpack .../40-hardened-malloc_0%3a11.3-1_amd64.deb ... Unpacking hardened-malloc (11.3-1) over (11.2-1) ... Preparing to unpack .../41-kicksecure-recommended-cli_3%3a27.4-1_all.deb ... Unpacking kicksecure-recommended-cli (3:27.4-1) over (3:27.0-1) ... Preparing to unpack .../42-repository-dist-wizard_3%3a9.6-1_all.deb ... Unpacking repository-dist-wizard (3:9.6-1) over (3:9.5-1) ... Preparing to unpack .../43-sdwdate-gui_1%3a9.0-1_all.deb ... Unpacking sdwdate-gui (1:9.0-1) over (1:8.7-1) ... Preparing to unpack .../44-mate-notification-daemon_1.26.0-1+deb12u1_amd64.deb ... Unpacking mate-notification-daemon (1.26.0-1+deb12u1) over (1.26.0-1) ... Preparing to unpack .../45-mate-notification-daemon-common_1.26.0-1+deb12u1_all.deb ... Unpacking mate-notification-daemon-common (1.26.0-1+deb12u1) over (1.26.0-1) ... Preparing to unpack .../46-libcups2_2.4.2-3+deb12u4_amd64.deb ... Unpacking libcups2:amd64 (2.4.2-3+deb12u4) over (2.4.2-3) ... Preparing to unpack .../47-libgtk-3-common_3.24.38-2~deb12u1_all.deb ... Unpacking libgtk-3-common (3.24.38-2~deb12u1) over (3.24.37-2) ... Preparing to unpack .../48-libgtk-3-0_3.24.38-2~deb12u1_amd64.deb ... Unpacking libgtk-3-0:amd64 (3.24.38-2~deb12u1) over (3.24.37-2) ... Preparing to unpack .../49-msgcollector-gui_3%3a9.5-1_all.deb ... Unpacking msgcollector-gui (3:9.5-1) over (3:9.3-1) ... Preparing to unpack .../50-setup-wizard-dist_3%3a8.9-1_all.deb ... Unpacking setup-wizard-dist (3:8.9-1) over (3:8.6-1) ... Preparing to unpack .../51-whonix-shared-default-applications-gui_3%3a23.8-1_all.deb ... Unpacking whonix-shared-default-applications-gui (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../52-whonix-base-files_3%3a9.4-1_all.deb ... Unpacking whonix-base-files (3:9.4-1) over (3:9.3-1) ... Preparing to unpack .../53-anon-apt-sources-list_3%3a6.2-1_all.deb ... Unpacking anon-apt-sources-list (3:6.2-1) over (3:6.0-1) ... Preparing to unpack .../54-whonix-firewall_3%3a13.1-1_all.deb ... Unpacking whonix-firewall (3:13.1-1) over (3:13.0-1) ... Preparing to unpack .../55-whonix-shared-packages-dependencies-cli_3%3a23.8-1_all.deb ... Unpacking whonix-shared-packages-dependencies-cli (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../56-bindp_3%3a3.4-1_all.deb ... Unpacking bindp (3:3.4-1) over (3:3.3-1) ... Preparing to unpack .../57-uwt_3%3a7.7-1_all.deb ... Unpacking uwt (3:7.7-1) over (3:7.6-1) ... Preparing to unpack .../58-tor-ctrl_3%3a5.4-1_all.deb ... Unpacking tor-ctrl (3:5.4-1) over (3:5.3-1) ... Preparing to unpack .../59-whonix-shared-packages-recommended-cli_3%3a23.8-1_all.deb ... Unpacking whonix-shared-packages-recommended-cli (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../60-anon-connection-wizard_1%3a7.7-1_all.deb ... Unpacking anon-connection-wizard (1:7.7-1) over (1:7.4-1) ... Preparing to unpack .../61-tor-control-panel_1%3a5.1-1_all.deb ... Unpacking tor-control-panel (1:5.1-1) over (1:4.8-1) ... Preparing to unpack .../62-whonix-gateway-default-applications-gui_3%3a23.8-1_all.deb ... Unpacking whonix-gateway-default-applications-gui (3:23.8-1) over (3:23.7-1) ... Selecting previously unselected package snowflake-client. Preparing to unpack .../63-snowflake-client_2.5.1-1+b3_amd64.deb ... Unpacking snowflake-client (2.5.1-1+b3) ... Preparing to unpack .../64-onion-grater_3%3a11.9-1_all.deb ... Unpacking onion-grater (3:11.9-1) over (3:11.8-1) ... Preparing to unpack .../65-whonix-gateway-packages-dependencies-pre_3%3a23.8-1_all.deb ... Unpacking whonix-gateway-packages-dependencies-pre (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../66-whonix-gateway-packages-dependencies-cli_3%3a23.8-1_all.deb ... Unpacking whonix-gateway-packages-dependencies-cli (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../67-whonix-gateway-shared-packages-shared-meta_3%3a23.8-1_all.deb ... Unpacking whonix-gateway-shared-packages-shared-meta (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../68-libqubes-rpc-filecopy2_4.2.13+deb12u1_amd64.deb ... Unpacking libqubes-rpc-filecopy2 (4.2.13+deb12u1) over (4.2.11+deb12u1) ... Selecting previously unselected package libqubes-pure0. Preparing to unpack .../69-libqubes-pure0_4.2.13+deb12u1_amd64.deb ... Unpacking libqubes-pure0 (4.2.13+deb12u1) ... Preparing to unpack .../70-python3-qrexec_4.2.11-1+deb12u1_amd64.deb ... Unpacking python3-qrexec (4.2.11-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../71-qubes-core-qrexec_4.2.11-1+deb12u1_amd64.deb ... Unpacking qubes-core-qrexec (4.2.11-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../72-libqrexec-utils2_4.2.11-1+deb12u1_amd64.deb ... Unpacking libqrexec-utils2 (4.2.11-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../73-qubes-utils_4.2.13+deb12u1_amd64.deb ... Unpacking qubes-utils (4.2.13+deb12u1) over (4.2.11+deb12u1) ... Preparing to unpack .../74-qubes-core-agent-thunar_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent-thunar (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../75-qubes-core-agent-passwordless-root_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent-passwordless-root (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../76-qubes-core-agent-nautilus_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent-nautilus (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../77-dnf_4.14.0-3+deb12u1_all.deb ... Unpacking dnf (4.14.0-3+deb12u1) over (4.14.0-3) ... Preparing to unpack .../78-python3-dnf_4.14.0-3+deb12u1_all.deb ... Unpacking python3-dnf (4.14.0-3+deb12u1) over (4.14.0-3) ... Preparing to unpack .../79-dnf-data_4.14.0-3+deb12u1_all.deb ... Unpacking dnf-data (4.14.0-3+deb12u1) over (4.14.0-3) ... Selecting previously unselected package qubes-repo-templates. Preparing to unpack .../80-qubes-repo-templates_4.2.2-1+deb12u1_amd64.deb ... Unpacking qubes-repo-templates (4.2.2-1+deb12u1) ... Preparing to unpack .../81-qubes-core-agent-dom0-updates_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent-dom0-updates (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../82-librsvg2-2_2.54.7+dfsg-1~deb12u1_amd64.deb ... Unpacking librsvg2-2:amd64 (2.54.7+dfsg-1~deb12u1) over (2.54.5+dfsg-1) ... Preparing to unpack .../83-librsvg2-bin_2.54.7+dfsg-1~deb12u1_amd64.deb ... Unpacking librsvg2-bin (2.54.7+dfsg-1~deb12u1) over (2.54.5+dfsg-1) ... Preparing to unpack .../84-qubes-core-agent-networking_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent-networking (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../85-qubes-core-agent_4.2.21-1+deb12u1_amd64.deb ... Unpacking qubes-core-agent (4.2.21-1+deb12u1) over (4.2.15-1+deb12u1) ... Preparing to unpack .../86-nftables_1.0.6-2+deb12u2_amd64.deb ... Unpacking nftables (1.0.6-2+deb12u2) over (1.0.6-2) ... Preparing to unpack .../87-libnftables1_1.0.6-2+deb12u2_amd64.deb ... Unpacking libnftables1:amd64 (1.0.6-2+deb12u2) over (1.0.6-2) ... Preparing to unpack .../88-qubes-whonix_1%3a18.5-1_all.deb ... Unpacking qubes-whonix (1:18.5-1) over (1:18.4-1) ... Preparing to unpack .../89-grub2-common_2.06-13+deb12u1_amd64.deb ... Unpacking grub2-common (2.06-13+deb12u1) over (2.06-13) ... Preparing to unpack .../90-grub-common_2.06-13+deb12u1_amd64.deb ... Unpacking grub-common (2.06-13+deb12u1) over (2.06-13) ... Preparing to unpack .../91-qubes-kernel-vm-support_4.2.13+deb12u1_amd64.deb ... Unpacking qubes-kernel-vm-support (4.2.13+deb12u1) over (4.2.11+deb12u1) ... Preparing to unpack .../92-qubes-input-proxy-sender_1.0.34-1+deb12u1_amd64.deb ... Unpacking qubes-input-proxy-sender (1.0.34-1+deb12u1) over (1.0.32-1+deb12u1) ... Preparing to unpack .../93-qubes-whonix-shared-packages-recommended_1%3a18.5-1_all.deb ... Unpacking qubes-whonix-shared-packages-recommended (1:18.5-1) over (1:18.4-1) ... Preparing to unpack .../94-qubes-whonix-gateway-packages-recommended_1%3a18.5-1_all.deb ... Unpacking qubes-whonix-gateway-packages-recommended (1:18.5-1) over (1:18.4-1) ... Preparing to unpack .../95-vm-config-dist_3%3a9.1-1_all.deb ... Unpacking vm-config-dist (3:9.1-1) over (3:8.9-1) ... Preparing to unpack .../96-qubes-whonix-gateway_3%3a23.8-1_all.deb ... Unpacking qubes-whonix-gateway (3:23.8-1) over (3:23.7-1) ... Preparing to unpack .../97-debian-archive-keyring_2023.3+deb12u1_all.deb ... Unpacking debian-archive-keyring (2023.3+deb12u1) over (2023.3) ... Setting up debian-archive-keyring (2023.3+deb12u1) ... (Reading database ... 47968 files and directories currently installed.) Preparing to unpack .../udev_252.17-1~deb12u1_amd64.deb ... Unpacking udev (252.17-1~deb12u1) over (252.6-1) ... Preparing to unpack .../libudev1_252.17-1~deb12u1_amd64.deb ... Unpacking libudev1:amd64 (252.17-1~deb12u1) over (252.6-1) ... Setting up libudev1:amd64 (252.17-1~deb12u1) ... (Reading database ... 47969 files and directories currently installed.) Preparing to unpack .../00-anon-apps-config_3%3a8.5-1_all.deb ... Unpacking anon-apps-config (3:8.5-1) over (3:8.4-1) ... Preparing to unpack .../01-gir1.2-gtk-3.0_3.24.38-2~deb12u1_amd64.deb ... Unpacking gir1.2-gtk-3.0:amd64 (3.24.38-2~deb12u1) over (3.24.37-2) ... Preparing to unpack .../02-gtk-update-icon-cache_3.24.38-2~deb12u1_amd64.deb ... Unpacking gtk-update-icon-cache (3.24.38-2~deb12u1) over (3.24.37-2) ... Preparing to unpack .../03-legacy-dist_3%3a14.6-1_all.deb ... Unpacking legacy-dist (3:14.6-1) over (3:14.4-1) ... Preparing to unpack .../04-libcurl3-gnutls_7.88.1-10+deb12u4_amd64.deb ... Unpacking libcurl3-gnutls:amd64 (7.88.1-10+deb12u4) over (7.88.1-10) ... Selecting previously unselected package libgles2:amd64. Preparing to unpack .../05-libgles2_1.6.0-1_amd64.deb ... Unpacking libgles2:amd64 (1.6.0-1) ... Preparing to unpack .../06-libhwy1_1.0.3-3+deb12u1_amd64.deb ... Unpacking libhwy1:amd64 (1.0.3-3+deb12u1) over (1.0.3-3) ... Preparing to unpack .../07-libwebp7_1.2.4-0.2+deb12u1_amd64.deb ... Unpacking libwebp7:amd64 (1.2.4-0.2+deb12u1) over (1.2.4-0.2) ... Preparing to unpack .../08-libwebpdemux2_1.2.4-0.2+deb12u1_amd64.deb ... Unpacking libwebpdemux2:amd64 (1.2.4-0.2+deb12u1) over (1.2.4-0.2) ... Preparing to unpack .../09-libwebkit2gtk-4.1-0_2.42.1-1~deb12u1_amd64.deb ... Unpacking libwebkit2gtk-4.1-0:amd64 (2.42.1-1~deb12u1) over (2.40.3-2~deb12u1) ... Preparing to unpack .../10-libjavascriptcoregtk-4.1-0_2.42.1-1~deb12u1_amd64.deb ... Unpacking libjavascriptcoregtk-4.1-0:amd64 (2.42.1-1~deb12u1) over (2.40.3-2~deb12u1) ... Preparing to unpack .../11-libvpx7_1.12.0-1+deb12u2_amd64.deb ... Unpacking libvpx7:amd64 (1.12.0-1+deb12u2) over (1.12.0-1) ... Preparing to unpack .../12-libvte-2.91-0_0.70.6-2~deb12u1_amd64.deb ... Unpacking libvte-2.91-0:amd64 (0.70.6-2~deb12u1) over (0.70.3-1) ... Preparing to unpack .../13-libvte-2.91-common_0.70.6-2~deb12u1_amd64.deb ... Unpacking libvte-2.91-common (0.70.6-2~deb12u1) over (0.70.3-1) ... Preparing to unpack .../14-libwebpmux3_1.2.4-0.2+deb12u1_amd64.deb ... Unpacking libwebpmux3:amd64 (1.2.4-0.2+deb12u1) over (1.2.4-0.2) ... Preparing to unpack .../15-libxpm4_1%3a3.5.12-1.1+deb12u1_amd64.deb ... Unpacking libxpm4:amd64 (1:3.5.12-1.1+deb12u1) over (1:3.5.12-1.1) ... Preparing to unpack .../16-libyajl2_2.1.0-3+deb12u2_amd64.deb ... Unpacking libyajl2:amd64 (2.1.0-3+deb12u2) over (2.1.0-3) ... Preparing to unpack .../17-openssl_3.0.11-1~deb12u1_amd64.deb ... Unpacking openssl (3.0.11-1~deb12u1) over (3.0.9-1) ... Preparing to unpack .../18-xserver-xorg-video-dummyqbs_4.2.8-1+deb12u1_amd64.deb ... Unpacking xserver-xorg-video-dummyqbs (4.2.8-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../19-qubes-gui-agent_4.2.8-1+deb12u1_amd64.deb ... Unpacking qubes-gui-agent (4.2.8-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../20-xserver-xorg-input-qubes_4.2.8-1+deb12u1_amd64.deb ... Unpacking xserver-xorg-input-qubes (4.2.8-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../21-xserver-xorg-qubes-common_4.2.8-1+deb12u1_amd64.deb ... Unpacking xserver-xorg-qubes-common (4.2.8-1+deb12u1) over (4.2.7-1+deb12u1) ... Preparing to unpack .../22-qubes-vm-dependencies_4.2.9-1+deb12u1_amd64.deb ... Unpacking qubes-vm-dependencies (4.2.9-1+deb12u1) over (4.2.5-1+deb12u1) ... Setting up libqrexec-utils2 (4.2.11-1+deb12u1) ... Setting up gtk-update-icon-cache (3.24.38-2~deb12u1) ... Setting up systemd-sysv (252.17-1~deb12u1) ... Setting up libc-l10n (2.36-9+deb12u3) ... Setting up libnftables1:amd64 (1.0.6-2+deb12u2) ... Setting up nftables (1.0.6-2+deb12u2) ... Setting up qubes-repo-templates (4.2.2-1+deb12u1) ... Setting up repository-dist-wizard (3:9.6-1) ... Setting up libvte-2.91-common (0.70.6-2~deb12u1) ... Setting up onion-grater (3:11.9-1) ... adduser: The user `onion-grater' is already a member of `debian-tor'. Setting up apparmor-profile-torbrowser (3:8.7-1) ... Setting up libyajl2:amd64 (2.1.0-3+deb12u2) ... Setting up libssl3:amd64 (3.0.11-1~deb12u1) ... Setting up linux-libc-dev:amd64 (6.1.55-1) ... Setting up mate-notification-daemon-common (1.26.0-1+deb12u1) ... Setting up timesanitycheck (3:6.0-1) ... Setting up libhwy1:amd64 (1.0.3-3+deb12u1) ... Setting up anon-connection-wizard (1:7.7-1) ... Setting up hardened-malloc (11.3-1) ... Setting up bindp (3:3.4-1) ... Setting up qubes-core-agent-passwordless-root (4.2.21-1+deb12u1) ... Installing new version of config file /etc/sudoers.d/qubes ... Setting up apparmor-profile-thunderbird (3:5.5-1) ... Setting up locales (2.36-9+deb12u3) ... Generating locales (this might take a while)... en_US.UTF-8... done Generation complete. Setting up qubes-utils (4.2.13+deb12u1) ... Installing new version of config file /etc/xen/scripts/qubes-block ... Setting up libkrb5support0:amd64 (1.20.1-2+deb12u1) ... Setting up uwt (3:7.7-1) ... Setting up grub-common (2.06-13+deb12u1) ... Setting up dnf-data (4.14.0-3+deb12u1) ... Setting up libjavascriptcoregtk-4.1-0:amd64 (2.42.1-1~deb12u1) ... Setting up libgles2:amd64 (1.6.0-1) ... Setting up libx11-data (2:1.8.4-2+deb12u2) ... Setting up icon-pack-dist (3:4.2-1) ... Setting up libdbus-1-3:amd64 (1.14.10-1~deb12u1) ... Setting up tor-ctrl (3:5.4-1) ... Setting up udev (252.17-1~deb12u1) ... Setting up python3-qrexec (4.2.11-1+deb12u1) ... Setting up sudo (1.9.13p3-1+deb12u1) ... Setting up xserver-xorg-qubes-common (4.2.8-1+deb12u1) ... Setting up desktop-config-dist (3:8.7-1) ... Installing new version of config file /etc/sudoers.d/desktop-config-dist ... Installing new version of config file /etc/zsh/zshrc.dist ... Installing new version of config file /etc/zsh/zshrc_completions ... Adding 'diversion of /etc/zsh/zprofile to /etc/zsh/zprofile.dist-orig by desktop-config-dist' Setting up libk5crypto3:amd64 (1.20.1-2+deb12u1) ... Setting up apparmor-profile-hexchat (3:5.0-1) ... Setting up libwebp7:amd64 (1.2.4-0.2+deb12u1) ... Setting up anon-apps-config (3:8.5-1) ... Current default time zone: 'Etc/UTC' Local time is now: Fri Oct 13 20:48:03 UTC 2023. Universal Time is now: Fri Oct 13 20:48:03 UTC 2023. Setting up anon-apt-sources-list (3:6.2-1) ... Installing new version of config file /etc/apt/sources.list.d/debian.list ... Setting up dbus-session-bus-common (1.14.10-1~deb12u1) ... Setting up damngpl (3:4.0-1) ... Setting up xserver-xorg-input-qubes (4.2.8-1+deb12u1) ... Setting up libx11-6:amd64 (2:1.8.4-2+deb12u2) ... Setting up libvpx7:amd64 (1.12.0-1+deb12u2) ... Setting up libkrb5-3:amd64 (1.20.1-2+deb12u1) ... Setting up dbus-system-bus-common (1.14.10-1~deb12u1) ... Setting up libc-dev-bin (2.36-9+deb12u3) ... Setting up xserver-xorg-video-dummyqbs (4.2.8-1+deb12u1) ... Setting up openssl (3.0.11-1~deb12u1) ... Setting up libwebpmux3:amd64 (1.2.4-0.2+deb12u1) ... Setting up helper-scripts (3:20.2-1) ... Setting up snowflake-client (2.5.1-1+b3) ... Setting up libxml2:amd64 (2.9.14+dfsg-1.3~deb12u1) ... Setting up dbus-bin (1.14.10-1~deb12u1) ... Setting up libgtk-3-common (3.24.38-2~deb12u1) ... Setting up python3-dnf (4.14.0-3+deb12u1) ... Setting up libqubes-pure0 (4.2.13+deb12u1) ... Setting up libx11-xcb1:amd64 (2:1.8.4-2+deb12u2) ... Setting up usability-misc (3:16.8-1) ... Generating grub configuration file ... done orca-kill-at-shutdown.service is a disabled or a static unit not running, not starting it. Setting up openvpn (2.6.3-1+deb12u1) ... Setting up libxpm4:amd64 (1:3.5.12-1.1+deb12u1) ... Setting up tor-control-panel (1:5.1-1) ... Setting up setup-dist (3:8.2-1) ... Setting up msgcollector (3:9.5-1) ... Setting up grub2-common (2.06-13+deb12u1) ... Setting up qubes-core-qrexec (4.2.11-1+deb12u1) ... Setting up libwebpdemux2:amd64 (1.2.4-0.2+deb12u1) ... Setting up open-link-confirmation (3:5.8-1) ... update-alternatives: using /usr/libexec/open-link-confirmation/open-link-confirmation to provide /usr/bin/x-www-browser (x-www-browser) in auto mode update-alternatives: using /usr/libexec/open-link-confirmation/open-link-confirmation to provide /usr/bin/gnome-www-browser (gnome-www-browser) in auto mode Setting up dist-base-files (3:10.2-1) ... Setting up dbus-daemon (1.14.10-1~deb12u1) ... Setting up bootclockrandomization (3:6.2-1) ... Setting up legacy-dist (3:14.6-1) ... Setting up repository-dist (3:9.6-1) ... function Setting up libqubes-rpc-filecopy2 (4.2.13+deb12u1) ... Setting up librsvg2-2:amd64 (2.54.7+dfsg-1~deb12u1) ... Setting up dnf (4.14.0-3+deb12u1) ... Setting up vm-config-dist (3:9.1-1) ... + set -e + true ' ##################################################################### ## INFO: BEGIN: vm-config-dist postinst configure' '3:8.9-1 ##################################################################### ' + true '1: '\''configure'\''' + true '2: '\''3:8.9-1'\''' + case "$1" in + true 'INFO: Configuring vm-config-dist...' + power_savings_disable_in_vms + '[' user = '' ']' + ischroot --default-false + '[' -x /etc/profile.d/20_power_savings_disable_in_vms.sh ']' + sudo --non-interactive -u user /etc/profile.d/20_power_savings_disable_in_vms.sh + '[' -x /etc/X11/Xsession.d/20power_savings_disable_in_vms ']' + sudo --non-interactive -u user /etc/X11/Xsession.d/20power_savings_disable_in_vms + '[' 3:8.9-1 = '' ']' + true 'INFO: Upgrade. Therefore not calling function vbox_guest_installer.' + true 'INFO: End configuring vm-config-dist.' + true 'INFO: debhelper beginning here.' + package=vm-config-dist + ours=.dist + theirs=.dist-orig + '[' configure = configure ']' + displace_link /etc/gdm3/daemon.conf + prefix=/etc/gdm3/daemon.conf + suffix= + file=/etc/gdm3/daemon.conf + ourfile=/etc/gdm3/daemon.conf.dist + theirfile=/etc/gdm3/daemon.conf.dist-orig + displace_link_divert /etc/gdm3/daemon.conf /etc/gdm3/daemon.conf.dist /etc/gdm3/daemon.conf.dist-orig + file=/etc/gdm3/daemon.conf + ourfile=/etc/gdm3/daemon.conf.dist + theirfile=/etc/gdm3/daemon.conf.dist-orig + LC_ALL=C + dpkg-divert --list vm-config-dist + grep -xFq 'diversion of /etc/gdm3/daemon.conf to /etc/gdm3/daemon.conf.dist-orig by vm-config-dist' + displace_link_symlink /etc/gdm3/daemon.conf /etc/gdm3/daemon.conf.dist /etc/gdm3/daemon.conf.dist-orig + file=/etc/gdm3/daemon.conf + ourfile=/etc/gdm3/daemon.conf.dist + theirfile=/etc/gdm3/daemon.conf.dist-orig + '[' '!' -L /etc/gdm3/daemon.conf ']' + '[' '!' -L /etc/gdm3/daemon.conf ']' ++ readlink /etc/gdm3/daemon.conf ++ basename /etc/gdm3/daemon.conf.dist ++ readlink /etc/gdm3/daemon.conf ++ basename /etc/gdm3/daemon.conf.dist-orig + '[' daemon.conf.dist '!=' daemon.conf.dist -a daemon.conf.dist '!=' daemon.conf.dist-orig ']' + dpkg-maintscript-helper rm_conffile /etc/sudoers.d/power-savings-disable-in-vms -- configure 3:8.9-1 + '[' configure = configure ']' + deb-systemd-helper unmask mnt-shared-kvm.service + deb-systemd-helper --quiet was-enabled mnt-shared-kvm.service + deb-systemd-helper enable mnt-shared-kvm.service + '[' configure = configure ']' + deb-systemd-helper unmask mnt-shared-vbox.service + deb-systemd-helper --quiet was-enabled mnt-shared-vbox.service + deb-systemd-helper enable mnt-shared-vbox.service + '[' configure = configure ']' + '[' -d /run/systemd/system ']' + systemctl --system daemon-reload + '[' -n 3:8.9-1 ']' + _dh_action=restart + deb-systemd-invoke restart mnt-shared-kvm.service mnt-shared-vbox.service + true 'INFO: Done with debhelper.' + true ' ##################################################################### ## INFO: END : vm-config-dist postinst configure' '3:8.9-1 ##################################################################### ' + exit 0 Setting up whonix-gateway-default-applications-gui (3:23.8-1) ... Setting up whonix-base-files (3:9.4-1) ... Generating grub configuration file ... done *** OMINOUS WARNING ***: /etc/hosts is not linked to either hosts.whonix or hosts.whonix-orig Setting up dbus (1.14.10-1~deb12u1) ... A reboot is required to replace the running dbus-daemon. Please reboot the system when convenient. dbus.service is a disabled or a static unit, not starting it. Setting up apparmor-profile-dist (3:8.4-1) ... Setting up security-misc (3:29.4-1) ... Generating grub configuration file ... done /usr/libexec/security-misc/mmap-rnd-bits: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'). Therefore using built-in defaults. /usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map config file: /etc/sysctl.d/30_security-misc_aslr-mmap.conf hide-hardware-info.service is a disabled or a static unit not running, not starting it. permission-hardening.service is a disabled or a static unit not running, not starting it. proc-hidepid.service is a disabled or a static unit not running, not starting it. remount-secure.service is a disabled or a static unit not running, not starting it. Setting up libgssapi-krb5-2:amd64 (1.20.1-2+deb12u1) ... Setting up qubes-kernel-vm-support (4.2.13+deb12u1) ... update-initramfs: deferring update (trigger activated) Generating grub configuration file ... done Setting up qubes-core-agent-nautilus (4.2.21-1+deb12u1) ... Setting up libcups2:amd64 (2.4.2-3+deb12u4) ... Setting up whonix-firewall (3:13.1-1) ... Installing new version of config file /etc/whonix_firewall.d/30_whonix_gateway_default.conf ... Installing new version of config file /etc/whonix_firewall.d/30_whonix_host_default.conf ... Setting up initializer-dist (3:6.7-1) ... Setting up dbus-x11 (1.14.10-1~deb12u1) ... Setting up libpam-systemd:amd64 (252.17-1~deb12u1) ... Setting up libcurl4:amd64 (7.88.1-10+deb12u4) ... Setting up libc6-dev:amd64 (2.36-9+deb12u3) ... Setting up setup-wizard-dist (3:8.9-1) ... Installing new version of config file /etc/sudoers.d/setup-wizard-dist ... Installing new version of config file /etc/xdg/autostart/setup-wizard-dist.desktop ... Setting up curl (7.88.1-10+deb12u4) ... Setting up apparmor-profiles-kicksecure (3:27.4-1) ... Setting up qubes-core-agent-thunar (4.2.21-1+deb12u1) ... Setting up librsvg2-bin (2.54.7+dfsg-1~deb12u1) ... Setting up whonix-gateway-packages-dependencies-pre (3:23.8-1) ... Setting up bind9-libs:amd64 (1:9.18.19-1~deb12u1) ... Setting up whonix-gateway-packages-dependencies-cli (3:23.8-1) ... Setting up kicksecure-desktop-applications-xfce (3:27.4-1) ... Setting up sdwdate (3:22.8-1) ... Installing new version of config file /etc/sdwdate.d/30_default.conf ... usermod: no changes adduser: The user `sdwdate' is already a member of `debian-tor'. Setting up libcurl3-gnutls:amd64 (7.88.1-10+deb12u4) ... Setting up whonix-shared-packages-dependencies-cli (3:23.8-1) ... Setting up qubes-core-agent (4.2.21-1+deb12u1) ... Installing new version of config file /etc/apt/sources.list.d/qubes-r4.list ... Removed "/etc/systemd/system/sysinit.target.wants/haveged.service". Created symlink /etc/systemd/system/sysinit.target.wants/haveged.service → /lib/systemd/system/haveged.service. Leaving 'diversion of /etc/init/plymouth-shutdown.conf to /etc/init/plymouth-shutdown.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/prefdm.conf to /etc/init/prefdm.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/splash-manager.conf to /etc/init/splash-manager.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/start-ttys.conf to /etc/init/start-ttys.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/tty.conf to /etc/init/tty.conf.qubes-disabled by qubes-core-agent' Leaving 'diversion of /etc/init/serial.conf to /etc/init/serial.conf.qubes-orig by qubes-core-agent' Traceback (most recent call last): File "/usr/bin/qvm-features-request", line 88, in <module> sys.exit(main()) ^^^^^^ File "/usr/bin/qvm-features-request", line 79, in main qdb.write('/features-request/' + feature, value) qubesdb.Error: (0, 'Error') Traceback (most recent call last): File "/usr/bin/qvm-features-request", line 88, in <module> sys.exit(main()) ^^^^^^ File "/usr/bin/qvm-features-request", line 79, in main qdb.write('/features-request/' + feature, value) qubesdb.Error: (0, 'Error') qubes-sync-time.service is a disabled or a static unit not running, not starting it. qubes-update-check.service is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. Setting up qubes-core-agent-dom0-updates (4.2.21-1+deb12u1) ... Setting up sdwdate-gui (1:9.0-1) ... Installing new version of config file /etc/sudoers.d/sdwdate-gui ... usermod: no changes Setting up bind9-host (1:9.18.19-1~deb12u1) ... Setting up qubes-whonix-gateway-packages-recommended (1:18.5-1) ... Setting up bind9-dnsutils (1:9.18.19-1~deb12u1) ... Setting up dnsutils (1:9.18.19-1~deb12u1) ... Processing triggers for desktop-file-utils (0.26-1) ... Processing triggers for initramfs-tools (0.142) ... Processing triggers for hicolor-icon-theme (0.17-2) ... Processing triggers for libglib2.0-0:amd64 (2.74.6-2) ... Setting up libgtk-3-0:amd64 (3.24.38-2~deb12u1) ... Processing triggers for libc-bin (2.36-9+deb12u3) ... Setting up gir1.2-gtk-3.0:amd64 (3.24.38-2~deb12u1) ... Setting up qubes-gui-agent (4.2.8-1+deb12u1) ... Installing new version of config file /etc/security/limits.d/90-qubes-gui.conf ... Setting up kicksecure-dependencies-cli (3:27.4-1) ... Setting up libvte-2.91-0:amd64 (0.70.6-2~deb12u1) ... Processing triggers for man-db (2.11.2-2) ... Setting up systemcheck (3:28.1-1) ... Installing new version of config file /etc/apparmor.d/usr.bin.systemcheck ... Installing new version of config file /etc/sudoers.d/systemcheck ... adduser: The user `canary' is already a member of `debian-tor'. adduser: The user `systemcheck' is already a member of `debian-tor'. adduser: The user `systemcheck' is already a member of `systemd-journal'. Setting up qubes-core-agent-networking (4.2.21-1+deb12u1) ... Setting up qubes-whonix (1:18.5-1) ... qubes-whonix-redirect-9050.service is a disabled or a static unit not running, not starting it. qubes-whonix-remote-support.service is a disabled or a static unit not running, not starting it. Setting up qubes-input-proxy-sender (1.0.34-1+deb12u1) ... Setting up mate-notification-daemon (1.26.0-1+deb12u1) ... Setting up qubes-vm-dependencies (4.2.9-1+deb12u1) ... Setting up libwebkit2gtk-4.1-0:amd64 (2.42.1-1~deb12u1) ... Setting up qubes-whonix-shared-packages-recommended (1:18.5-1) ... Setting up kicksecure-recommended-cli (3:27.4-1) ... Setting up msgcollector-gui (3:9.5-1) ... Setting up whonix-shared-packages-recommended-cli (3:23.8-1) ... Setting up whonix-shared-default-applications-gui (3:23.8-1) ... Setting up whonix-gateway-shared-packages-shared-meta (3:23.8-1) ... Setting up qubes-whonix-gateway (3:23.8-1) ... Processing triggers for libc-bin (2.36-9+deb12u3) ... [template gateway user ~]% ```

Patrick · October 14, 2023, 6:10am

github.com/QubesOS/qubes-issues

output by `/etc/profile.d` (or `/etc/X11/Xsession.d`?) scripts breaks Qubes UpdatesProxy

opened 06:09AM - 14 Oct 23 UTC

adrelanos

T: bug P: default

### Qubes OS release R4.2 ### Brief summary Output generated by `/etc/p…rofile.d` (or `/etc/X11/Xsession.d`?) breaks Qubes UpdatesProxy. This can cause confusing, difficult to debug situations. (https://github.com/QubesOS/qubes-issues/issues/8606) ### Steps to reproduce in UpdatesProxy VM: (that VM used as UpdatesProxy by a Template) 1. add a script to `/etc/profile.d` (or `/etc/X11/Xsession.d`?) 2. make the script `echo` something to stdout and stderr 3. make it executable in the Template: 5. run `sudo apt update` ### Expected behavior Qubes UpdatesProxy unaffected. `/etc/profile.d` (or `/etc/X11/Xsession.d`?) shouldn't interact with UpdatesProxy. ### Actual behavior Qubes UpdatesProxy broken. `/etc/profile.d` (or `/etc/X11/Xsession.d`?) interacts with UpdatesProxy.

Patrick · October 24, 2023, 2:27pm

Patrick · October 24, 2023, 2:28pm

github.com/QubesOS/qubes-issues

Simplify and promote using in-vm kernel

opened 01:21PM - 01 Aug 19 UTC

marmarek

T: enhancement C: kernel C: doc P: major release notes security

**The problem you're addressing (if any)** Currently by default all qubes use k…ernel provided by dom0. This has multiple issues: - kernel build for dom0 environment has incompatible kernel-devel package (especially painful for Debian templates, but also an issue for different Fedora versions): #2844 #3835 - template doesn't control kernel options: #4088 - kernel config not necessary matching template expectation (https://github.com/QubesOS/qubes-linux-kernel/commit/96b8fba8769951659fb9413b1d50a7e2172b90dd) Using in-vm kernel isn't enabled by default and it's not straightforward: - for HVM, one needs to choose "(none)" / "" kernel - for PV, one needs to choose "pvgrub2" kernel - for PVH, one needs to choose "pvgrub2-pvh" kernel (only recently available) **Describe the solution you'd like** Unify setting in-vm kernel - possibly translate "(none)" to "pvgrub2" if virt_mode is PV and to "pvgrub2-pvh" if virt_mode is PVH. Note that "(none)" normally is an invalid choice for PV/PVH. This would require adjusting "(none)" label at UI level, to be less confusing/magic. Something like "(use kernel from within the qube)". Set is as default value. **Where is the value to a user, and who might that user be?** Less deviation from template's system, according to https://www.qubes-os.org/faq/#what-is-qubes-attitude-toward-changing-guest-distros **Possible drawbacks** This change may lead also to some issues: - less control over qube kernel means we won't be able to quickly apply qubes-specific fixes there - we'll need to wait until relevant distribution pick up updated kernel - less control over qube kernel config - for example if some kernel feature is disabled, we may have a problem - harder to provide extra kernel modules (fortunately we [don't need u2mfn in R4.1](https://github.com/QubesOS/qubes-issues/issues/4280) anymore) - different grub2 version - for example the one in Fedora is heavily patched and grub.cfg may rely on it (for example support for "Boot Loader Specification") **Describe alternatives you've considered** Implement automatic pvgrub choice for kernel "(none)", but don't set it as default. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://www.qubes-os.org/doc/managing-vm-kernel/

Patrick · October 24, 2023, 2:58pm

github.com/QubesOS/qubes-issues

mount /tmp /var/tmp /dev/shm with nodev nosuid

opened 11:29AM - 18 Sep 19 UTC

adrelanos

T: enhancement C: templates security P: default

These folders * /tmp * /var/tmp * /dev/shm are user writable. Similar… to * https://github.com/QubesOS/qubes-issues/issues/5263 * https://github.com/tasket/Qubes-VM-hardening/issues/41 [Quote](https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301316132) Joanna (founder of Qubes OS): > I've been recently talking about this with Solar Designer of Openwall (a person who probably knows more about Linux security model than most of us together) [Quote](https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301320361 ) solar: > Ideally, there should be no SUID binaries reachable from the user account, as otherwise significant extra attack surface inside the VM is exposed (dynamic linker, libc startup, portions of Linux kernel including ELF loader, etc.) Therefore I concluded: SUID has to go away. At least user (speak: possibly malware) created SUID should be prevented form being easily executed. [Getting rid of SUID binaries which are installed by default is worthwhile too but less trivial.](https://forums.whonix.org/t/disable-suid-binaries/7706) Therefore out of scope for this ticket.

Patrick · October 24, 2023, 3:14pm

github.com/QubesOS/qubes-issues

qubes-vm-kernel - dracut support

opened 03:12PM - 24 Oct 23 UTC

adrelanos

T: enhancement P: default

### The problem you're addressing (if any) Qubes inside VM kernel booting is …broken when using dracut. * https://www.qubes-os.org/doc/managing-vm-kernels/#distribution-kernel ### The solution you'd like * Add dracut support. ### The value to a user, and who that user might be * Better security, because then security-misc's dracut module for nosuid, nodev, noexec could be used. (https://github.com/QubesOS/qubes-issues/issues/5329) (https://github.com/QubesOS/qubes-issues/issues/1885) * Perhaps faster booting. * Other dracut functionality, advantages. * Towards https://github.com/QubesOS/qubes-issues/issues/1310 ### Related * https://github.com/QubesOS/qubes-issues/issues/5212 ### Additional information This might actually be a bug report. Qubes VMs might already have dracut booting functionality. But I haven't found any documentation on this. This is implied because Qubes already has several dracut modules. * `/usr/lib/dracut/modules.d/90qubes-vm` * `/usr/lib/dracut/modules.d/90qubes-vm-modules` * `/usr/lib/dracut/modules.d/90qubes-vm-simple`

Patrick · November 6, 2023, 12:27am

Patrick · November 7, 2023, 12:48pm

github.com/Whonix/updates-status

OpenQA test result for build 2023110114-4.2

opened 04:45PM - 01 Nov 23 UTC

qubesos-bot

# OpenQA test summary Complete test suite and dependencies: https://openqa.qubes…-os.org/tests/overview?distri=qubesos&version=4.2&build=2023110114-4.2&flavor=qubes-whonix ## Failed tests <details><summary>2 failures</summary> * system_tests_whonix * whonixcheck: [fail](https://openqa.qubes-os.org/tests/85127#step/whonixcheck/20) (unknown) `Whonixcheck for anon-whonix failed...` * whonixcheck: [unnamed test](https://openqa.qubes-os.org/tests/85127#step/whonixcheck/21) (unknown) </details> ## Unstable tests <details> * system_tests_whonix <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84077](https://openqa.qubes-os.org/tests/84077#step/whonix_torbrowser/9) `None` </details> <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84081](https://openqa.qubes-os.org/tests/84081#step/whonix_torbrowser/11) `None` </details> <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84077](https://openqa.qubes-os.org/tests/84077#step/whonix_torbrowser/12) `None` </details> <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84054](https://openqa.qubes-os.org/tests/84054#step/whonix_torbrowser/13) `None` </details> <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84081](https://openqa.qubes-os.org/tests/84081#step/whonix_torbrowser/14) `None` </details> <details><summary>whonix_torbrowser/ (1/5 times with errors)</summary> - [job 84054](https://openqa.qubes-os.org/tests/84054#step/whonix_torbrowser/17) `None` </details> <details><summary>whonix_torbrowser/Failed (1/5 times with errors)</summary> - [job 84077](https://openqa.qubes-os.org/tests/84077#step/whonix_torbrowser/10) `# Test died: no candidate needle with tag(s) 'tor-browser-ipcheck-o...` </details> <details><summary>whonix_torbrowser/Failed (1/5 times with errors)</summary> - [job 84081](https://openqa.qubes-os.org/tests/84081#step/whonix_torbrowser/12) `# Test died: no candidate needle with tag(s) 'desktop-clear' matche...` </details> <details><summary>whonix_torbrowser/Failed (1/5 times with errors)</summary> - [job 84054](https://openqa.qubes-os.org/tests/84054#step/whonix_torbrowser/14) `# Test died: no candidate needle with tag(s) 'anon-whonix-tor-brows...` </details> * system_tests_suspend <details><summary>suspend/Failed (2/5 times with errors)</summary> - [job 84711](https://openqa.qubes-os.org/tests/84711#step/suspend/20) `# Test died: command 'true' timed out at /usr/lib/os-autoinst/autot...` - [job 84715](https://openqa.qubes-os.org/tests/84715#step/suspend/20) `# Test died: command 'true' timed out at /usr/lib/os-autoinst/autot...` </details> <details><summary>suspend/wait_serial (2/5 times with errors)</summary> - [job 84711](https://openqa.qubes-os.org/tests/84711#step/suspend/19) `# wait_serial expected: qr/p5~T5-\d+-/...` - [job 84715](https://openqa.qubes-os.org/tests/84715#step/suspend/19) `# wait_serial expected: qr/p5~T5-\d+-/...` </details> </details>

Patrick · November 26, 2023, 3:54am

github.com/QubesOS/qubes-issues

rename/fork base distributions such as Debian, Fedora for trademark compliance and to avoid confusion

opened 03:54AM - 26 Nov 23 UTC

adrelanos

T: bug P: default

Qubes official Templates should not use the original names of the base distribut…ions such as `Debian` or `Fedora`. Quote myself from https://github.com/QubesOS/qubes-issues/issues/2238#issuecomment-546984756 > We can't or shouldn't harden Debian (much) since the result wouldn't be a Debian template with only necessarily modifications to integrate with Qubes. That would be a fork of Debian. Debian is a trademark. > > https://www.debian.org/trademark > > Forks of Debian shouldn't be called Debian to avoid confusion. Quote [Debian wiki, Derivatives Guidelines chapter Trademark](https://wiki.debian.org/Derivatives/Guidelines#Trademark): > Derivative distributions must not be named Debian :) What the Qubes Debian template is, isn't really Debian. It's a fork of Debian. A Debian Derivative. Qubes already derivatives a lot from Debian: * https://github.com/QubesOS/qubes-issues/issues/5367 * additional hardening (for example `/etc/profile.d/zqubes_disable_lesspipe.sh` by qubes-core-agent) * lots of systemd drop-in files (to see, use `dpkg-query -L qubes-core-agent | grep service.d`) How do I even discuss a Qubes Debian template with a real Debian installed on hardware in some Qubes aware place (issues, forums)? Then I invent terminology such as "a real (non-Qubes) Debian bookworm". This is to show the confusion that is already reached. Further Qubes plans to derivative from distribution culture: * https://github.com/QubesOS/qubes-issues/issues/2238 - I agree with that ticket. Services not starting by default is cleaner, saves system resources and is more secure, however that shouldn't be called Debian since Debian starts most installed services by default, has the opposite policy. * https://github.com/QubesOS/qubes-issues/issues/1885 Related Qubes FAQ: [What is Qubes’ attitude toward changing guest distros?](https://www.qubes-os.org/faq/#what-is-qubes-attitude-toward-changing-guest-distros). The policy of respecting distribution policy is in direct conflict with Qubes making changes for customization (selected default installed packages), usability (Qubes tools integrations) and security hardening. If this bug report gets accepted, * I suggest to create dedicated tickets or discussions for names of the forked Linux distributions separately. * Keeping this ticket limited to policy/goal question of "should we do this". Technical steps required might require sub tickets. Fork in this context as used in the title only means to rename for example the Debian template to something else and updating the Qubes documentation. No other gigantic steps (such as forking all of Debian archive `packages.debian.org`, re-building all the Debian archive are suggested. Only acknowledgement that it is a fork of Debian, based on Debian, but not the original Debian.