3.2.1 should be released


rmji...@use.startmail.com

Jun 15, 2017, 12:59:05 PM
to qubes...@googlegroups.com
It seems irresponsible to offer 3.2 as the latest stable version. It is outdated; since it was released there were many critical vulnerabilities in templates (apt bug for Debian-based templates), Fedora 23 is not supported anymore, and there were even critical Xen vulnerabilities that affect Qubes OS. All the templates and dom0 are vulnerable.

Installing 3.2 now could easily lead to compromised dom0. If I am wrong, please correct me.

I think 3.3 or 3.2.1 should be released before 4.0, probably 3.2.1 to make it clear this is just a security and template update and doesn't add any features.


Reg Tiangha

Jun 15, 2017, 2:50:31 PM
to qubes...@googlegroups.com
On 06/15/2017 10:59 AM, rmji...@use.startmail.com wrote:
> It seems irresponsible to offer 3.2 as the latest stable version. It
> is outdated; since it was released there were many critical
> vulnerabilities in templates (apt bug for Debian-based templates),
> Fedora 23 is not supported anymore, and there were even critical Xen
> vulnerabilities that affect Qubes OS. All the templates and dom0 are
> vulnerable.
>
> Installing 3.2 now could easily lead to compromised dom0. If I am
> wrong, please correct me.
>
> I think 3.3 or 3.2.1 should be released before 4.0, probably 3.2.1 to
> make it clear this is just a security and template update and doesn't
> add any features.

There will be one, but right now, it's being held up by kernel 4.9
testing, plus Debian 9 is coming out in two days and Whonix 14 probably
shortly after, so might as well wait for those to stabilize before
generating a new official ISO.

You can always make your own custom ISO with qubes-builder at any time,
though. If it works, it'll build an ISO with all of the latest packages.
We're still stuck with FC23 in dom0 though, although you could attempt
to build an ISO that uses FC24 or FC25 in dom0; some people have. It's
unsupported though and you're on your own when it comes to compiling
Qubes updates for dom0 afterwards.

Zrubi

Jun 15, 2017, 4:01:14 PM
to rmji...@use.startmail.com, qubes...@googlegroups.com
On 06/15/2017 06:59 PM, rmji...@use.startmail.com wrote:

> Installing 3.2 now could easily lead to compromised dom0. If I am
> wrong, please correct me.

You only need to use the default install to update your system.
So even if that state is really out of date and vulnerable, I do not
see it as a severe issue as you described.

BTW: every OS install image has this kind of "lag" between the
official releases. Even the enterprise ones.


--
Zrubi

pixel fairy

Jun 15, 2017, 7:12:09 PM
to qubes-devel, r...@reginaldtiangha.com
On Thursday, June 15, 2017 at 11:50:31 AM UTC-7, Reg Tiangha wrote:

> We're still stuck with FC23 in dom0 though, although you could attempt
> to build an ISO that uses FC24 or FC25 in dom0; some people have. It's
> unsupported though and you're on your own when it comes to compiling
> Qubes updates for dom0 afterwards.

why stuck with fc23? thought marek had built fc25, but was having trouble with fc26

Reg Tiangha

Jun 15, 2017, 7:39:21 PM
to qubes...@googlegroups.com
Will they update dom0 in R3.2 to FC25? It'd be great if they did, but I
was under the impression that FC25 in dom0 was an R4.0 only thing. If
I'm wrong, that'd be fantastic.


Joe

Jun 15, 2017, 8:54:14 PM
to qubes...@googlegroups.com
On 06/15/2017 10:01 PM, Zrubi wrote:
> On 06/15/2017 06:59 PM, rmji...@use.startmail.com wrote:
>> Installing 3.2 now could easily lead to compromised dom0. If I am
>> wrong, please correct me.
>
> You only need to use the default install to update your system.
> So even if that state is really out of date and vulnerable, I do not
> see it as a severe issue as you described.

Yes, and a critical bug has been found in the component that takes care
of that (in Debian, which is the only sane default for templates if you
don't want to get owned by the Fedora "well we don't support the things
you installed yesterday" mantra).

> BTW: every OS install image has this kind of "lag" between the
> official releases. Even the enterprise ones.
>

Not really. "Enterprise" ("fisher price"?) distributions are notorious
for their horrendous security in terms of lacking updates. I literally
can't think of *any* setting in which "enterprise" has ever been a
positive label in IT security. It's right up there with "military-grade".

There's a plethora of distributions that generate daily images, so your
postulate is plainly false.

Marek Marczykowski-Górecki

Jun 18, 2017, 1:17:31 PM
to Reg Tiangha, qubes...@googlegroups.com
R3.2 will stay at fc23 in dom0. There may be fc26 template, but there
are issues (build failures of Xen, because of much newer gcc).

Dom0 in Qubes 4.0 is based on fc25.

As for Qubes 3.2.1 - exactly as Reg said - it's blocked on 4.9 kernel
testing.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Outback Dingo

Jun 19, 2017, 3:08:42 AM
to Marek Marczykowski-Górecki, Reg Tiangha, qubes...@googlegroups.com
On Sun, Jun 18, 2017 at 7:17 PM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> On Thu, Jun 15, 2017 at 05:39:08PM -0600, Reg Tiangha wrote:
>> On 06/15/2017 05:12 PM, pixel fairy wrote:
>> > On Thursday, June 15, 2017 at 11:50:31 AM UTC-7, Reg Tiangha wrote:
>> >
>> >
>> > We're still stuck with FC23 in dom0 though, although you could attempt
>> > to build an ISO that uses FC24 or FC25 in dom0; some people have. It's
>> > unsupported though and you're on your own when it comes to compiling
>> > Qubes updates for dom0 afterwards.
>> >
>> >
>> > why stuck with fc23? thought marek had built fc25, but was having
>> > trouble with fc26
>> > --
>> >
>> Will they update dom0 in R3.2 to FC25? It'd be great if they did, but I
>> was under the impression that FC25 in dom0 was an R4.0 only thing. If
>> I'm wrong, that'd be fantastic.
>
> R3.2 will stay at fc23 in dom0. There may be fc26 template, but there
> are issues (build failures of Xen, because of much newer gcc).
>
> Dom0 in Qubes 4.0 is based on fc25.
>
> As for Qubes 3.2.1 - exactly as Reg said - it's blocked on 4.9 kernel
> testing.

does it not make sense to anyone else that at the least the testing
image should also be released to get more eyes on it ????
curious that everything is starting to lag behind, and i know it's a
small team and a lot of work. however... when i want software to be
tested i generally release an RC image so everyone can hammer away at it,
and if there's a fed25 dom0 / iso anywhere i'd like to test it, as 3.2
doesn't work on my laptop due to segfaults in networking in the netvm,
mentioned before... it's been what a year since i can't use qubes


Marek Marczykowski-Górecki

Jun 19, 2017, 3:30:45 AM
to Outback Dingo, Reg Tiangha, qubes...@googlegroups.com
Packages are in testing repository - just enable it and help us.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Outback Dingo

Jun 19, 2017, 3:33:28 AM
to Marek Marczykowski-Górecki, Reg Tiangha, qubes...@googlegroups.com
On Mon, Jun 19, 2017 at 9:30 AM, Marek Marczykowski-Górecki
what part of qubes doesn't run on my laptop for the past year did you miss ?? :)
i'd help if i could... is there an iso i can attempt to install to get
past the net issue?

Reg Tiangha

Jun 19, 2017, 3:40:25 AM
to qubes...@googlegroups.com
On 2017-06-19 1:32 AM, Outback Dingo wrote:

>> Packages are in testing repository - just enable it and help us.
>
> what part of qubes doesn't run on my laptop for the past year did you miss ?? :)
> i'd help if i could... is there an iso i can attempt to install to get
> past the net issue?

If you have access to another computer and a USB flash drive, you can
download the kernel and kernel-qubes-vm packages on that machine and use
the flash drive to copy it over to your laptop.

https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/kernel-4.9.31-17.pvops.qubes.x86_64.rpm
https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/kernel-qubes-vm-4.9.31-17.pvops.qubes.x86_64.rpm

Scroll to the bottom to learn how to copy from a VM to Dom0:
https://www.qubes-os.org/doc/copy-from-dom0/

Otherwise, you can use qubes-builder on a Fedora 23 machine to create a
custom ISO that should incorporate the latest packages in the
repositories, although I'm not sure how to force it to grab the 4.9
kernel from the current-testing repository (although maybe it does that
automatically now; I haven't tried in a while):


https://github.com/QubesOS/qubes-builder

Outback Dingo

Jun 19, 2017, 4:29:00 AM
to Reg Tiangha, qubes...@googlegroups.com
mmmmm seems not
-> Updating sources for core-libvirt...
--> Fetching from https://github.com/marmarek/qubes-core-libvirt.git release3.2...
fatal: Remote branch release3.2 not found in upstream origin
make: *** [Makefile:187: core-libvirt.get-sources] Error 1




> https://github.com/QubesOS/qubes-builder

Marek Marczykowski-Górecki

Jun 19, 2017, 4:37:46 AM
to Outback Dingo, Reg Tiangha, qubes...@googlegroups.com
Set builder to use QubesOS github account (GIT_PREFIX=QubesOS/qubes-). I
don't keep all the stable branches on my account.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Outback Dingo

Jun 19, 2017, 4:59:25 AM
to Marek Marczykowski-Górecki, Reg Tiangha, qubes...@googlegroups.com
ok lastly how can i specify a F25 dom0

Holger Levsen

Jun 19, 2017, 6:11:28 AM
to qubes...@googlegroups.com
On Mon, Jun 19, 2017 at 09:30:37AM +0200, Marek Marczykowski-Górecki wrote:
> > > As for Qubes 3.2.1 - exactly as Reg said - it's blocked on 4.9 kernel
> > > testing.
> > does it not make sense to anyone else that at the least the testing
> > image should also be released to get more eyes on it ????
> Packages are in testing repository - just enable it and help us.

I think it would be useful to send a dedicated short email, subject
"please help testing 3.2.1 - howto included" and then indeed include the few
steps needed to do so.

currently that information is very well hidden…

(and it doesn't help that there are several "testing" repositories…)


--
cheers,
Holger