Most secure way to enable RPM Fusion in dom0? / 'cannot find valid baseurl for repo: rpmfusion-free/3.0/x86_64' issue


Patrick Schleizer

Jun 23, 2015, 6:11:06 PM
to qubes-users, Patrick Schleizer
Importing RPMFusion for a Fedora TemplateVM is kinda simple. [5]

How do I import RPMFusion in dom0? Seems more complicated?

> Marek Marczykowski-Górecki
>> 1. Download rpmfusion repository package, transfer it to dom0 and
>> install with yum. [1]

How do I do this?

Instructions on rpmfusion homepage [3] aren't secure. They are using
'--nogpgcheck'.

Let me guess...

- dom0 cannot connect to gpg key server. So download/verify the gpg key
for example in a DispVM.

- (Temporarily) import the key for verification purposes by using 'rpm
--import RPM-GPG-KEY-rpmfusion-free-fedora-21'

- dom0 cannot download the rpmfusion repository package. So download
[wget] it for example in a DispVM or so. 'wget
http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-21.noarch.rpm'

- verify rpmfusion-free-release-21.noarch.rpm by using 'rpm -K
rpmfusion-free-release-21.noarch.rpm' in a DispVM or so.

- copy 'rpmfusion-free-release-21.noarch.rpm' to dom0 using instructions
[4] Typing a somewhat lengthy command by hand.

qvm-run --pass-io <src_domain> 'cat
/home/user/rpmfusion-free-release-21.noarch.rpm' >
~/rpmfusion-free-release-21.noarch.rpm

- Then in dom0: 'sudo rpm --install --nodeps --force
rpmfusion-free-release-21.noarch.rpm' ?

'--nodeps --force' was required, otherwise it would show an error
'system release issue >= 21'. Bug in Qubes Q3 RC1?

Like this?

Kinda complicated/time-consuming?

And a related issue...

- Then in dom0: 'sudo qubes-dom0-update kernel-4.0*' shows an error:

'cannot find valid baseurl for repo: rpmfusion-free/3.0/x86_64'

Is this a bug in Qubes Q3 RC1 or am I totally off the track here?

Trivia:

- Why do I want this? Due to a gibberish graphics unusable Qubes issue
[2], I would like to try a newer kernel.

- (Qubes Q3 RC1)

Cheers,
Patrick

References:

[1] https://groups.google.com/forum/#!topic/qubes-users/lPr_kndwKtQ

[2]
https://groups.google.com/forum/#!msg/qubes-users/e96S3KazSGA/WZMnx6L3a38J

[3] http://rpmfusion.org/Configuration

[4] https://www.qubes-os.org/doc/CopyToDomZero/

[5] https://groups.google.com/forum/#!topic/qubes-users/pcXh0bYc5jY
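An added check for the 'rpm -K' verification step in the list above (example code written for this page, not from the thread, Qubes or RPM Fusion): a POSIX sh helper that reads the output line of `rpm -K` and accepts a package only when rpm reports a verified GPG signature. The point a practitioner wants here is that `rpm -K` also prints "OK" for an unsigned package, because in that case only the digests were checked, so looking for the word "OK" is not enough; the lowercase "pgp" (or, in newer rpm, "signatures") is the marker that a signature was actually verified, and that only appears once the repository key has been imported in the VM doing the check. The output wordings matched are the rpm 4.11 format of the Fedora 20/21 era and the later "digests signatures OK" wording; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Classify one line of `rpm -K` (rpm --checksig) output.
# Returns 0 only when rpm reports a valid GPG signature, 1 otherwise.
#
# Output formats assumed (constructed samples; rpm 4.11 on the left, rpm >= 4.14 wording below each):
#   signed, key imported:  foo.rpm: rsa sha1 (md5) pgp md5 OK
#                          foo.rpm: digests signatures OK
#   signed, key missing:   foo.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: GPG#...)
#                          foo.rpm: digests SIGNATURES NOT OK
#   unsigned:              foo.rpm: sha1 md5 OK
#                          foo.rpm: digests OK
#
# The trap: an unsigned package still ends in "OK", because only the digests
# were checked. Lowercase "pgp" / "signatures" is what says a signature was
# verified; uppercase "PGP" / "SIGNATURES" comes with "NOT OK".
rpm_sig_verified() {
    case "$1" in
        *"NOT OK"*)         return 1 ;;   # bad signature, bad digest, or key not imported
        *" pgp "*" OK")     return 0 ;;   # rpm 4.11: signature checked and valid
        *" signatures OK")  return 0 ;;   # rpm >= 4.14: signature checked and valid
        *)                  return 1 ;;   # "OK" without a signature marker: digests only
    esac
}

# Run rpm -K on a downloaded package (in the DispVM that fetched it, after
# `rpm --import` of the repository key there) and apply the check above.
# Exit status 0 means "signed by an imported key and intact".
check_rpm_file() {
    out=$(rpm -K "$1") || return 1
    rpm_sig_verified "$out"
}

# Usage (only runs when invoked with a file argument, so the helpers above
# can be sourced without side effects):
#   sh rpmcheck.sh rpmfusion-free-release-20.noarch.rpm && echo "signature verified"
if [ -n "${1-}" ]; then
    check_rpm_file "$1"
fi
```

Only a package that passes this check is worth transferring to dom0; a "MISSING KEYS" result means the key was never imported in the verifying VM, not that the package is bad, and a plain "sha1 md5 OK" means the package carries no signature at all.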

Marek Marczykowski-Górecki

Jun 23, 2015, 6:22:55 PM
to Patrick Schleizer, qubes-users, Patrick Schleizer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 23, 2015 at 10:11:01PM +0000, Patrick Schleizer wrote:
> Importing RPMFusion for a Fedora TemplateVM is kinda simple. [5]
>
> How do I import RPMFusion in dom0? Seems more complicated?
>
> > Marek Marczykowski-Górecki
> >> 1. Download rpmfusion repository package, transfer it to dom0 and
> >> install with yum. [1]
>
> How do I do this?
>
> Instructions on rpmfusion homepage [3] aren't secure. They are using
> '--nogpgcheck'.
>
> Let me guess...
>
> - dom0 cannot connect to gpg key server. So download/verify the gpg key
> for example in a DispVM.
>
> - (Temporarily) import the key for verification purposes by using 'rpm
> --import RPM-GPG-KEY-rpmfusion-free-fedora-21'
>
> - dom0 cannot download the rpmfusion repository package. So download
> [wget] it for example in a DispVM or so. 'wget
> http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-21.noarch.rpm'
>
> - verify rpmfusion-free-release-21.noarch.rpm by using 'rpm -K
> rpmfusion-free-release-21.noarch.rpm' in a DispVM or so.

Actually you need rpmfusion-free-release-20.noarch.rpm, as Qubes dom0
is based on Fedora 20.

> - copy 'rpmfusion-free-release-21.noarch.rpm' to dom0 using instructions
> [4] Typing a somewhat lengthy command by hand.
>
> qvm-run --pass-io <src_domain> 'cat
> /home/user/rpmfusion-free-release-21.noarch.rpm' >
> ~/rpmfusion-free-release-21.noarch.rpm
>
> - Then in dom0: 'sudo rpm --install --nodeps --force
> rpmfusion-free-release-21.noarch.rpm' ?
>
> '--nodeps --force' was required, otherwise it would show an error
> 'system release issue >= 21'. Bug in Qubes Q3 RC1?

rpmfusion assumes that "system release" is "fedora release", which isn't
true on Qubes. Here it is "qubes release".

You need to manually replace "$releasever" with "20" in
/etc/yum.repos.d/rpmfusion*repo.

> Like this?

Yes, something like this. Some steps can be simplified, as the default
template already contains the key and has the package installed - you can
simply copy the repository definition and the key to dom0. This should
preferably be done just after system installation (even if you don't use
rpmfusion just now - you don't need to enable it), because if the
template is later compromised, you'll have the key copied before that
happened. But template compromise is quite fatal anyway (unless you use
multiple templates for different purposes).

> Kinda complicated/time-consuming?
>
> And a related issue...
>
> - Then in dom0: 'sudo qubes-dom0-update kernel-4.0*' shows an error:
>
> 'cannot find valid baseurl for repo: rpmfusion-free/3.0/x86_64'

See above info regarding $releasever.

> Is this a bug in Qubes Q3 RC1 or am I totally off the track here?
>
> Trivia:
>
> - Why do I want this? Due to a gibberish graphics unusable Qubes issue
> [2], I would like to try a newer kernel.
>
> - (Qubes Q3 RC1)
>
> Cheers,
> Patrick
>
> References:
>
> [1] https://groups.google.com/forum/#!topic/qubes-users/lPr_kndwKtQ
>
> [2]
> https://groups.google.com/forum/#!msg/qubes-users/e96S3KazSGA/WZMnx6L3a38J
>
> [3] http://rpmfusion.org/Configuration
>
> [4] https://www.qubes-os.org/doc/CopyToDomZero/
>
> [5] https://groups.google.com/forum/#!topic/qubes-users/pcXh0bYc5jY
>

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVidvZAAoJENuP0xzK19cshEAIAI43NoCN2QYIqlZqQlci3vle
IyXXBn/SQ43HEiSLiBnw9LzaSCG8pURvQjskP4KRfgJ1iv5g0vtv/56kOhl1c8/c
6L6R579VuWwaZ+SoHfLz1ibRjrIzm5Gn5RlBj0whhULGETAwWvDR5GBNyaDvUzNg
gY1/pfXtyAzJ+SOcamyZSj2zPN/8GRtqFoLWpt4CmtRjmNCv0BxvfBQHNrFt5f0M
gGHhq+bItG4KwVm9ZtFMO1ZwBg7LLMhpOYy7Md86nrRH4dq0uph0X0kXIV6sdRSi
2G5wUsz7V1rH2zgMwu59B3FIE5MUPAK6bd5gL6XewqbiA92OpSjoxmuKLWrmxl8=
=Rt7i
-----END PGP SIGNATURE-----

cprise

Jun 23, 2015, 6:26:24 PM
to Patrick Schleizer, qubes-users, Patrick Schleizer
On 06/23/2015 06:11 PM, Patrick Schleizer wrote:
> Importing RPMFusion for a Fedora TemplateVM is kinda simple. [5]
>
> How do I import RPMFusion in dom0? Seems more complicated?
>
>> Marek Marczykowski-Górecki
>>> 1. Download rpmfusion repository package, transfer it to dom0 and
>>> install with yum. [1]
>
> How do I do this?

I think Marek was suggesting in the other thread that you add RPMfusion
to a template vm, get the needed packages with --downloadonly and
--downloaddir, then transfer the rpms to dom0.

Adding the repo itself to dom0 sounds fraught with risk.
Did you try installing Qubes with optimus already disabled?

Marek Marczykowski-Górecki

Jun 23, 2015, 7:10:30 PM
to cprise, Patrick Schleizer, qubes-users, Patrick Schleizer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 23, 2015 at 06:25:32PM -0400, cprise wrote:
> On 06/23/2015 06:11 PM, Patrick Schleizer wrote:
> >Importing RPMFusion for a Fedora TemplateVM is kinda simple. [5]
> >
> >How do I import RPMFusion in dom0? Seems more complicated?
> >
> >>Marek Marczykowski-Górecki
> >>>1. Download rpmfusion repository package, transfer it to dom0 and
> >>>install with yum. [1]
> >
> >How do I do this?
>
> I think Marek was suggesting in the other thread that you add RPMfusion to a
> template vm, get the needed packages with --downloadonly and --downloaddir,
> then transfer the rpms to dom0.

This is basically the same as the qubes-dom0-update tool would do.
But indeed after installing the package you want, you may consider
disabling rpmfusion repository (also remember to remove appropriate key
from dom0 rpm keyring - check rpm -qa gpg-pubkey*).

You can also configure yum to use only selected packages from such a
repository - the "includepkgs" option in the repository configuration.
Details are in the yum.conf manual. But this is based only on package
name, not content (so it does not prevent a "whitelisted" package from
overriding an arbitrary file, or running any post-installation script).
And having control over some kernel module, or X driver, in dom0 in
practice gives control over dom0 -> the whole system. So if you trust
RPMFusion to the extent of installing some such package in dom0, there is
probably no reason not to keep the repository enabled.

>
> Adding the repo itself to dom0 sounds fraught with risk.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJViedcAAoJENuP0xzK19csqC0H/jhw/ellxRuvjF5OPs8rOGOy
RQ+f5RRT9lGAY05IUapEhdsMQuw09NjLA+aTGLVWGzhL1HVffhZmASsOw4D447zF
TQ6NMxB7WpL/wVKMZxmNh1EvZnIgCukmZz7+DmeGNQ5PXKwNczWw7yMHoBlTmyJ+
q8Zf2UIVmm7EwqZJxCELmdgHzk2Dbp5QfWnA0BIaxLSHiFsBe6XweDc9d9hnQsc3
Or+80+5WHCN/NSOoRoN/wJ7+awhuMrBxpmXL5nN870Ep4mULIjX1nzxWyes0a7rL
KdTFPg21KlfkIob5bp/+nTDKvfdEK5GZIKhmSyTX1NqCSd+eD4ZZ4/y74ob7fdM=
=1boC
-----END PGP SIGNATURE-----
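A worked version of the repo-file handling Marek describes in his two replies (the $releasever fix in the first, and disabling/whitelisting the repo plus finding the imported key in the second), as an added example that is not the thread's, Qubes' or RPM Fusion's own code. It operates on a constructed rpmfusion-free.repo whose layout is approximated from the Fedora package (the real file lives at /etc/yum.repos.d/rpmfusion-free.repo in the template): pin_releasever replaces $releasever with 20, which addresses the 'cannot find valid baseurl for repo: rpmfusion-free/3.0/x86_64' error, since on Qubes yum expands $releasever to the Qubes release rather than the Fedora one; restrict_repo sets enabled=0 and an includepkgs list (the package names used are assumed for illustration); list_rpm_keys prints the gpg-pubkey entries of the rpm keyring so the RPM Fusion key can be identified and later removed with rpm -e. Only the file-editing functions run offline; the key listing needs rpm.

```shell
#!/bin/sh
# Constructed sample repo definition, approximating the Fedora rpmfusion-free.repo
# layout (values assumed, not copied from any release).
SAMPLE_REPO='[rpmfusion-free]
name=RPM Fusion for Fedora $releasever - Free
#baseurl=http://download1.rpmfusion.org/free/fedora/releases/$releasever/Everything/$basearch/os/
mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever
'

# Write the sample to FILE so the functions below can be exercised.
write_sample_repo() {
    printf '%s' "$SAMPLE_REPO" > "$1"
}

# pin_releasever FILE VERSION: replace every $releasever with a fixed Fedora
# version. On Qubes, yum expands $releasever to the Qubes release ("3.0"),
# so every URL in the file is wrong until this is done. The [$] bracket
# keeps sed from reading $ as an end-of-line anchor.
pin_releasever() {
    repo="$1"; ver="$2"; tmp="$repo.tmp"
    sed 's/[$]releasever/'"$ver"'/g' "$repo" > "$tmp" && mv "$tmp" "$repo"
}

# restrict_repo FILE "pkg1 pkg2 ...": leave the repo disabled (consulted only
# with --enablerepo=rpmfusion-free) and limit it to the listed package names
# via includepkgs (space-separated, globs allowed). Name-based only: it does
# not constrain what a matching package may install or run. Assumes a file
# with a single [section], since the new lines are appended at the end.
restrict_repo() {
    repo="$1"; pkgs="$2"; tmp="$repo.tmp"
    grep -v -e '^enabled=' -e '^includepkgs=' "$repo" > "$tmp"
    printf 'enabled=0\nincludepkgs=%s\n' "$pkgs" >> "$tmp"
    mv "$tmp" "$repo"
}

# repo_get FILE KEY: print the value of KEY, for checking the result.
repo_get() {
    sed -n "s/^$2=//p" "$1"
}

# List the GPG keys imported into the rpm keyring with their summaries, so the
# RPM Fusion one can be picked out and removed afterwards with
# `rpm -e gpg-pubkey-<id>-<stamp>` (Marek's "check rpm -qa gpg-pubkey*").
list_rpm_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Demo on a temporary copy (only when invoked as `sh repofix.sh demo`):
if [ "${1-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_repo "$f"
    pin_releasever "$f" 20
    restrict_repo "$f" "kmod-nvidia xorg-x11-drv-nvidia"   # assumed example names
    cat "$f"
    rm -f "$f"
fi
```

Applied to the copy of the repo definition brought into dom0, this leaves a file that resolves to the Fedora 20 tree and is ignored by routine `qubes-dom0-update` runs until explicitly enabled for the one package you decided to trust from it; the trust question itself is the one Marek raises, and the whitelist does not change the answer to it.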

Patrick Schleizer

Jun 23, 2015, 8:04:02 PM
to cprise, qubes-users, Patrick Schleizer
cprise:
>
> I think Marek was suggesting in the other thread that you add RPMfusion
> to a template vm, get the needed packages with --downloadonly and
> --downloaddir, then transfer the rpms to dom0.
>
> Adding the repo itself to dom0 sounds fraught with risk.

I see.

But then noticing available [security] upgrades for that kernel and
installing those would be a manual task. Easily forgotten.

I guess not upgrading the kernel in dom0 poses a lower risk than adding
the repo itself to dom0?

Cheers,
Patrick

Marek Marczykowski-Górecki

Jun 23, 2015, 8:11:25 PM
to Patrick Schleizer, cprise, qubes-users, Patrick Schleizer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes. Until some critical bug is found in the disk backend driver. There
have been none so far.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVifWmAAoJENuP0xzK19csnQEH/02+Kiua8ifdnQ6vhO7NShoK
Co8lXPQL/ltSlLgLaa4eFZbYpDOAz8ze8acCKBdX3S+ABEWMENMt4FwkmCFjaQD8
5uTJQTRP4BdiCN3VwJiNkQN8kVkT+MtlcAlGbIetMSRTiyvZiDE73Ft5PPTpZU6m
Hg9YTfb1QIG0M4EUlYsd4ulLrI0VzrZ8WcDYtlOUDVMN6g5zX/FGkYmS2aAFqgg3
oWt5PpRSqn9N0K26lF/tEOsL0nwS5yuAzsGyeNEmqzH6aVRkeghyKJxcAcxliM9j
5GArSKJSfmLUgQdzxJP3wYo+2xN4sboNK8XG/6GZ8QyBzJKsFpBy2epuscURJ6E=
=ZGPB
-----END PGP SIGNATURE-----

Patrick Schleizer

Jun 23, 2015, 10:50:35 PM
to cprise, qubes-users, Patrick Schleizer
cprise:
>> - Why do I want this? Due to a gibberish graphics unusable Qubes issue
>> [2], I would like to try a newer kernel.
>
>
> Did you try installing Qubes with optimus already disabled?

Sorry, I am not following. What do you mean by optimus? Bumblebee? You
mean I should try installing Bumblebee on Qubes?

Cheers,
Patrick
