From dcc2d545ef74050bc12da1dbae3be92eaf3cf963 Mon Sep 17 00:00:00 2001 From: jamke <47451874+jamke@users.noreply.github.com> Date: Sun, 10 Feb 2019 11:11:20 +0700 Subject: [PATCH 1/6] Fix typo --- customization/bind-dirs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md index 7dbdca99..b8a327b1 100644 --- a/customization/bind-dirs.md +++ b/customization/bind-dirs.md @@ -72,7 +72,7 @@ If you want to circumvent this process, you can create the relevant filestructur * Re-running `sudo /usr/lib/qubes/bind-dirs.sh` without a previous `sudo /usr/lib/qubes/bind-dirs.sh umount` does not work. * Running `sudo /usr/lib/qubes/bind-dirs.sh umount` after boot (before shutdown) is probably not sane and nothing can be done about that. * Many editors create a temporary file and copy it over the original file. If you have bind mounted an individual file this will break the mount. -Any changes you make will not survive a reboot. If you think it likely you will want to edit a file, then either include the parent directory in bind-dirs.rather than the file, or perform the file operation on the file in /rw/bind-dirs. +Any changes you make will not survive a reboot. If you think it likely you will want to edit a file, then either include the parent directory in bind-dirs rather than the file, or perform the file operation on the file in /rw/bind-dirs. * Some files are altered when a qube boots - e.g. /etc/hosts. If you try to use bind-dirs on such files you may break your qube in unpredictable ways. From a838306d2892aa1d29b55f9eb54b68bf4bfdb358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Sun, 10 Feb 2019 22:48:07 +0100 Subject: [PATCH 2/6] builder: explain how to use Qubes pre-built packages QubesOS/qubes-issues#4788 --- building/qubes-builder.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/building/qubes-builder.md b/building/qubes-builder.md index 7cabbc29..62415811 100644 --- a/building/qubes-builder.md +++ b/building/qubes-builder.md @@ -135,6 +135,20 @@ If you want to somehow modify sources, you can also do it, here are some basic s make iso +### Use pre-build Qubes packages + +For building just few selected packages, it's very useful to download pre-built qubes-specific dependencies from `{yum,deb}.qubes-os.org`. This is especially true for gcc, which takes several hours to build. + +Before creating the chroot, add to your builder.conf + + USE_QUBES_REPO_VERSION = $(RELEASE) + +It will add the 'current' Qubes repository to your chroot environment. In that case, you can build only the packages you are interested in. If you want to use also the 'current-testing' repository, add also to your configuration + + USE_QUBES_REPO_TESTING = 0 + +Please note that if you have an existing chroot, this will not add the necessary configuration into the build environement. In that case, you will have to clean first your chroot. + Code verification keys management --------------------------------- From 3daf19985f995bf758088a1ca019fecf7dc8f80b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Sun, 10 Feb 2019 23:31:53 +0100 Subject: [PATCH 3/6] Adjust explaination with respect to Marek's comment https://github.com/fepitre/qubes-doc/commit/a838306d2892aa1d29b55f9eb54b68bf4bfdb358 --- building/qubes-builder.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/building/qubes-builder.md b/building/qubes-builder.md index 62415811..82634d68 100644 --- a/building/qubes-builder.md +++ b/building/qubes-builder.md 
@@ -145,9 +145,11 @@ Before creating the chroot, add to your builder.conf It will add the 'current' Qubes repository to your chroot environment. In that case, you can build only the packages you are interested in. If you want to use also the 'current-testing' repository, add also to your configuration - USE_QUBES_REPO_TESTING = 0 + USE_QUBES_REPO_TESTING = 1 -Please note that if you have an existing chroot, this will not add the necessary configuration into the build environement. In that case, you will have to clean first your chroot. +In case of an existing chroot, for mock-enabled builds, it works immediately because chroot is constructed each time separately. For legacy builds, it will not add the necessary configuration into the build environement unless specific builder change or configuration would force rebuilding chroot. + +Also, once enabled, disabling this setting will not disable repositories in relevant chroots. And even if it would, there may be left packages installed from those repos (which may or may not be desirable). Code verification keys management --------------------------------- From 4138c85ec061549962876a0ef87c63dacda2ce8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 11 Feb 2019 16:16:42 +0100 Subject: [PATCH 4/6] FAQ: add info how to detect Qubes VM Fixes QubesOS/qubes-issues#1963 --- about/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/about/faq.md b/about/faq.md index c666f9ca..375237bc 100644 --- a/about/faq.md +++ b/about/faq.md 
@@ -579,3 +579,8 @@ Arguably secure boot reliance on UEFI integrity is not the best design. The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by the Qubes Team and secure boot has not been tested. Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS. See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/) for a better-designed non-UEFI-based secure boot scheme with very good support for Qubes. + +### What is the canonical way to detect Qubes VM? + +Check `/usr/share/qubes/marker-vm` file existence. Additionally, its last line contains Qubes release version (`3.2`, `4.0` etc). +The file was introduced after initial Qubes 3.2 and 4.0 release. If you need to support not-fully-updated systems, check `/usr/bin/qrexec-client-vm` existence. From 3a8624ed20dccffd0b78db875a2ea90e69707429 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 11 Feb 2019 23:36:39 -0600 Subject: [PATCH 5/6] Clean up text --- building/qubes-builder.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/building/qubes-builder.md b/building/qubes-builder.md index 82634d68..0aefb037 100644 --- a/building/qubes-builder.md +++ b/building/qubes-builder.md 
@@ -135,21 +135,26 @@ If you want to somehow modify sources, you can also do it, here are some basic s make iso -### Use pre-build Qubes packages +### Use pre-built Qubes packages -For building just few selected packages, it's very useful to download pre-built qubes-specific dependencies from `{yum,deb}.qubes-os.org`. This is especially true for gcc, which takes several hours to build. +For building just few selected packages, it's very useful to download pre-built qubes-specific dependencies from `{yum,deb}.qubes-os.org`. +This is especially true for `gcc`, which takes several hours to build. -Before creating the chroot, add to your builder.conf +Before creating the `chroot`, add this to your `builder.conf`: USE_QUBES_REPO_VERSION = $(RELEASE) -It will add the 'current' Qubes repository to your chroot environment. In that case, you can build only the packages you are interested in. If you want to use also the 'current-testing' repository, add also to your configuration +It will add the 'current' Qubes repository to your `chroot` environment. +This way, you can build only the packages you are interested in. +If you also want to use the 'current-testing' repository, add this to your configuration: USE_QUBES_REPO_TESTING = 1 -In case of an existing chroot, for mock-enabled builds, it works immediately because chroot is constructed each time separately. For legacy builds, it will not add the necessary configuration into the build environement unless specific builder change or configuration would force rebuilding chroot. +In the case of an existing `chroot`, for mock-enabled builds, it works immediately because `chroot` is constructed each time separately. +For legacy builds, it will not add the necessary configuration into the build environment unless a specific builder change or configuration would force rebuilding chroot. -Also, once enabled, disabling this setting will not disable repositories in relevant chroots. 
And even if it would, there may be left packages installed from those repos (which may or may not be desirable). +Also, once enabled, disabling this setting will not disable repositories in relevant chroots. +And even if it did, there could be leftover packages installed from those repos (which may or may not be desirable). Code verification keys management --------------------------------- From 9ace8bd0947fe5f7c43d9ff2a8610fdc6cb8365f Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 11 Feb 2019 23:38:52 -0600 Subject: [PATCH 6/6] Remove unnecessary ellipsis --- managing-os/templates/fedora-minimal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md index 13b8afac..4bafa214 100644 --- a/managing-os/templates/fedora-minimal.md +++ b/managing-os/templates/fedora-minimal.md 
@@ -67,7 +67,7 @@ Use case | Description | Required steps Use case | Description | Required steps --- | --- | --- **Standard utilities** | If you need the commonly used utilities | Install the following packages: `pciutils` `vim-minimal` `less` `psmisc` `gnome-keyring` -**Audio** | If you want sound from your VM... | Install `pulseaudio-qubes` +**Audio** | If you want sound from your VM | Install `pulseaudio-qubes` **FirewallVM** | You can use the minimal template as a [FirewallVM](/doc/firewall/), such as the basis template for `sys-firewall` | Install at least `qubes-core-agent-networking` and `iproute`, and also `qubes-core-agent-dom0-updates` if you want to use it as the updatevm (which is normally sys-firewall). **NetVM** | You can use this template as the basis for a NetVM such as `sys-net` | Install the following packages: `qubes-core-agent-networking` `qubes-core-agent-network-manager` `NetworkManager-wifi` `network-manager-applet` `wireless-tools` `dejavu-sans-fonts` `notification-daemon` `gnome-keyring` `polkit` `@hardware-support`. **NetVM (extra firmware)** | If your network devices need extra packages for the template to work as a network VM | Use the `lspci` command to identify the devices, then run `dnf search firmware` (replace `firmware` with the appropriate device identifier) to find the needed packages and then install them.
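Review bot: in [PATCH 1/6] (customization/bind-dirs.md), the corrected line still leaves /rw/bind-dirs and bind-dirs as plain text, while the bullets just above it put `sudo /usr/lib/qubes/bind-dirs.sh` in backticks. Since the line is being touched anyway, format the path as code. The line also starts at column 0 directly under the "Many editors create a temporary file" bullet, so indenting it would make clear that it continues that bullet.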
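Review bot: in [PATCH 2/6] (building/qubes-builder.md), the added line "USE_QUBES_REPO_TESTING = 0" contradicts the sentence that introduces it, which tells the reader to add this setting in order to use the 'current-testing' repository. [PATCH 3/6] changes the value to 1, so squashing the two would avoid publishing the contradictory intermediate state. The heading "Use pre-build Qubes packages" should read "pre-built" to match the body, and "environement" is misspelled. Because this section tells builders to download binary dependencies from `{yum,deb}.qubes-os.org` and sits directly above "Code verification keys management", a sentence on how those downloaded packages are verified would be a useful addition.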
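Review bot: in [PATCH 3/6] (building/qubes-builder.md), the rewritten legacy-build sentence drops the only actionable instruction the previous text had ("you will have to clean first your chroot") and replaces it with "unless specific builder change or configuration would force rebuilding chroot", which does not tell the reader what to do. Keep an explicit instruction for legacy builds. The final added paragraph says that disabling the setting leaves the repositories, and possibly packages installed from them, in existing chroots. For someone who enabled 'current-testing', that means testing packages can keep feeding later builds, so the text should say how to get back to a clean chroot. "environement" is still misspelled in the added line.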
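Review bot: in [PATCH 4/6] (about/faq.md), the answer says the last line of `/usr/share/qubes/marker-vm` holds the release version but not what the other lines contain, so a script author cannot tell whether to expect comments, blank lines or other fields. Describe the file format or show sample contents. The fallback check on `/usr/bin/qrexec-client-vm` yields no version, which the text should state explicitly so callers know the release is unavailable on not-fully-updated systems. The heading would read better as "detect a Qubes VM".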
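Review bot: in [PATCH 5/6] (building/qubes-builder.md), the cleanup applies code formatting to `chroot` unevenly: it is backticked in "Before creating the `chroot`" and "In the case of an existing `chroot`", but "force rebuilding chroot" and "relevant chroots" in the same hunk stay plain. Pick one form and use it throughout. "For building just few selected packages" still lacks "a" before "few", and "qubes-specific" is lowercase while the rest of the section writes "Qubes".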