The spec-build.sh was necessary for a proper build, but it is not
correct to depend on external scripts to generate the correct
RPM_BUILD_ROOT files. Now everything is contained in the spec file. The
spec-build.sh can be used in the future to automate the process of
copying sources to the specified directory and signing, but not
modifying the sources contents on a per file basis.
For: https://github.com/ben-grande/qusal/issues/59
Running apt-cacher-ng-repo is during update is unnecessary, the
install-repo macro already does it and the systemd service is run on
boot before Qrexec Agent starts.
Fixes: https://github.com/ben-grande/qusal/issues/66
Cacher client installation state included in the common update state as
all qubes that updates with Qusal states use it, rather than including
it on all the installation states. The macro utils.macros.install-repo
still also run's apt-cacher-ng-repo in case the user is not updating at
that moment, just adding a new repository without restarting the qube
(systemd service has already ran).
Fixes: https://github.com/ben-grande/qusal/issues/66
- Install RPC service to template;
- Move qube configuration to template configuration;
- Start server after the Qubes Services are created;
- Qrexec policy ask to both app and disposable qube; and
- Rename systemd service to qusal prefix instead of qubes.
- Remove OpenVPN code comments;
- Reorganize rules for easier reading;
- Server can connect without having client attached;
- Systemd service for easier monitoring of wg-quick; and
- Firewall also restarts wg-quick and apply new endpoint rules.
The state module git.latest does not allow setting environment variable
for us to set the correct GNUPGHOME. The module environ.set does not
work as we call git as the normal user and not as root, but may still be
the problem of git.latest not respecting environment variables.
The problem with always pulling new commits is that it may conflict with
the current work the user has done on the repository locally. It will
also not work in case the last commit is not signed by a trusted key
deployed by the formula, in this case, you should add the key manually
to verify the commit.
Setting the gpg.program only for the required repositories solves the
aforementioned problem and also enhances usability by removing extra
commands that the user needs to learn and remember.
Fixes: https://github.com/ben-grande/qusal/issues/58
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked and network,
especially to remote git repositories can be acquired via the proxy that
is going to be installed in every netvm.
The wget package can be downloaded from the command-line, but as Salt
does not follow DNF package redirects, the package is installed but the
state fails as Salt cannot find a package with the same name installed.
Passing files to Dom0 is always dangerous:
- Passing a git repository is dangerous as it can have ignored modified
files and signature verification will pass.
- Passing an archive is troublesome for updates.
- Passing an RPM package depends on the RPM verification to be correct,
some times it is not.
- Passing a RPM repository definition is less troublesome for the user,
as it is a small file to verify the contents and update mechanism is
via the package manager. Trust in RPM verification is still required.
Many improvements were made to the build scripts:
- requires-program: Single function to check if program is installed;
- spec-get: Sort project names for the usage message;
- spec-get: Only running commands that are necessary;
- spec-get: Fix empty summary when readme has copyright header;
- spec-gen: Fix grep warning of escaped symbol;
- spec-build: Sign RPM and verify signature;
- spec-build: Only lint the first SPEC for faster runtime;
- yumrepo-gen: Generate a local yum repository with signed metadata;
- qubesbuilder-gen: Generate a .qubesbuilder based on tracked projects;
- release: Build, sign and push all RPMs to repository.
Goal is to be able to build with qubes-builderv2 Qubes Executor.
For: https://github.com/ben-grande/qusal/issues/37
Only deb and rpm where cached and only if used from the Qubes website
and made to individual directories. Now every package from every package
manager Qubes supports will be cached.
Update according to upstream.
If user just installed Qubes, the full templates can have updates
available. If user restored backups of templates and standalones, they
could also have updates available. Available updates can contain fixes
that if not applied, can make the states fail, such as a buggy salt
package and Qrexec service that can make a state fail in case the
full outdated templates and standalones are responsible for the
functionality specially of management_dispvm, updatevm, default_netvm
and qubes.UpdatesProxy service.
- Enforce uninstall in Fedora, it has been too problematic due to zchunk
checksum mismatch errors;
- Skip tagging and installing on unsupported qubes, before it tagged
every template that did not have the tag 'whonix-updatevm', this is
error prone as it would fail the installation on unsupported clients
such as Gentoo, Mirage.
Fixes: https://github.com/ben-grande/qusal/issues/54
Ability to read the program's manual from the terminal is much better
than to ask the user to search the manual page on the internet, we
already trust the installed program and documentation, but we should not
trust every manual page on the internet.
- Maim causes no errors and has region and window capabilities;
- Scrot region capture puts some weird borders when dragging the mouse;
- Spectacle allows editing but is too feature rich (complicated); and
- Xfce4-screenshooter does not allow selecting both region and window.
Fixes: https://github.com/ben-grande/qusal/issues/51
It is not possible to troubleshoot network module loading without
pciutils. Although it is a troubleshooting tools, it is not
troubleshooting the network, but to make the system itself be able to
load kernel modules and reach the network, therefore necessary.
Qubes that have the updates-proxy-service enabled will have the
repository definitions set to work with the proxy, being it a TemplateVM
or another type of qube. Qubes that have that same service disabled and
are based on templates that are being cached, will have the repository
definitions corrected for it to work like normal systems via the
networking instead of caching proxy.
Optimizations were done for a faster runtime, previously it would call
sed 38 times on Fedora-39, now it only calls sed 2 times for Fedora
repositories (one extra for rpmfusion) and some more for PackageKit and
dnf.conf markers. Inexpensive runtime is a must for a script that may
run multiple times, such as when being called by a tool monitoring the
filesystem such as inotify.
Code from /usr/lib/qubes/update-proxy-configs was used for the NetVM use
case of the cacher, thus the license had to be changed.
For: https://github.com/ben-grande/qusal/issues/44
Fixes: https://github.com/ben-grande/qusal/issues/31
Very useful for template based qubes to uninstall the cacher definition
to reach remote repository definitions with direct connection.
https://github.com/ben-grande/qusal/issues/31