- Use tags to help on the Qrexec policy notation;
- Create AppVMs also to fetch and send emails, useful for OfflineIMAP
that requires sync;
- OfflineIMAP is smart enough depending on the server, such as Gmail;
- Quote options managed by the user such as password fields as they
could contain spaces; and
- Default fetching method to always keep files on the remote to avoid
users being surprised about the fetcher behavior or losing data.
GPGME can be relevant for client applications such as Thunderbird.
Pinentry can be relevant for the server side, but it is way less tested
in split-gpg2 and discouraged to be used.
For: https://github.com/ben-grande/qusal/issues/83
In case the target qube is the last qube in the chain, such as sys-net,
add the appropriate rules to it and modify the destination address to be
the public IP, not the local qube IP.
- Add to qvm-run:
  - no-gui when command doesn't require a GUI
  - filter-escape-chars when pass-io is set and output is not a file,
    such as a pipe that could later be used to print information.
- Change remaining echo to printf
- Add end-of-options separator when possible
Many people reported problems with the installation command, most of
them had typos, understandable due to the long command. Tar is available
even on minimal templates. Using tar is not more dangerous than using
qfile-unpacker in this case because the project has no signed archives
and passing a directory to dom0 is insecure, considering a git repo, an
attacker could find information in the .git directory or modify files
and add them to git exclude, which won't be noticed when verifying the
commit signature.
In the future, if a signed tarball were to be provided, qvm-run and pipe
would be used instead, making the command even simpler.
Check commit signature and if it fails, check if any signed tags
associated with commit exist from a keyring that can be found only
locally.
For: https://github.com/ben-grande/qusal/issues/105
Skipping the Git system configuration on Whonix weakens the state as it
starts depending on the dotfiles, but it is the only way to not break
system updates due to Whonix security-misc package owning the same file.
Fix: https://github.com/ben-grande/qusal/issues/101
If the commit of the spec file is not done separately from formula files
or at last, the check fails. I was skipping it locally but best to
comment out as it is not being used.
Echo can interpret an operand as an option, and checking every variable
to be echoed is troublesome, while with printf, if the format specifier
is present before the operand, printing as a string can be enforced.
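
The echo-to-printf change described above, together with the end-of-options separator from the earlier list, as an added example that is not part of the original commits or the project's code. The function names and the sample value are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a value from an untrusted source (for example another
# qube) that happens to look like a command-line option.
untrusted='-n'

# Weak form: echo receives the value as its first argument and may parse it
# as one of its own options, so the value itself is never printed.
show_with_echo() {
  echo "$1"
}

# Hardened form: the format string is the first argument, so the operand
# can only ever be consumed by %s and is printed as a plain string.
show_with_printf() {
  printf '%s\n' "$1"
}

# End-of-options separator: everything after "--" is an operand, so a
# pattern starting with "-" cannot be taken as a grep option.
# $1 = fixed-string pattern, stdin = text to search; prints the match count.
count_matches() {
  grep -c -F -- "$1"
}

# Stand-alone demonstration: prints the value verbatim, then the number of
# constructed input lines that contain it.
show_with_printf "$untrusted"
printf '%s\n' 'a -n b' 'c' '-n' | count_matches "$untrusted"
```
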
The feature is more reliable than the whonix-updatevm tag as the tag can
be deleted for other Whonix tags to take effect to target different
gateways, which is the case for the Bitcoin formula.
- libgtk4-1 is not used by Signal and now it declares the libgtk3-0
as a dependency;
- Zenity is not needed as a file manager once Thunar is used;
- ATK is installed for Signal but not for any apps, remove until there
is a shared formula or pillar to install accessibility tools; and
- Ayatana AppIndicator for tray widget. Signal tray widget is buggy,
sometimes quitting doesn't quit and there is no configuration option
to start the tray, only command-line option. Because of these reasons,
not enabling the tray bar was chosen.
As NFTables converts domain names to IPs on the first query, it is not
possible to depend on it to have a stable connection. Implementing a DNS
proxy configuration might still be difficult due to the use of CDNs.
Selecting the output and input device in the AudioVM using a GUI audio
manager such as Pavucontrol or Easyeffects to the connected USB device
is enough to make audio work. USB audio devices should not be connected
to audio clients.