Ubuntu templates


Unman

Jan 31, 2018, 6:56:29 PM
to qubes-users
I'm just pushing up some PRs to remove zesty and institute build support
for artful (17.10).
If you can't wait there's a ready built 3.2 template you can try at:
http://qubes.3isec.org/Templates

unman

mikih...@gmail.com

Jan 31, 2018, 8:44:36 PM
to qubes-users

What about Q4, are there downloads ready or does the build process work (and which versions)?
Regards

Unman

Feb 2, 2018, 8:04:36 PM
to qubes-users
Xenial build works as is - I've pushed up a prebuilt template if you
want to try it. Look on http://qubes.3isec.org/
Artful for 4.0 is on its way, though there are some packaging issues to
resolve.

unman

Yuraeitha

Feb 2, 2018, 9:56:05 PM
to qubes-users

This looks really nice unman. I do have a question though, which in the end might just be my lack of understanding.

Essentially, how is the build process executed in terms of security and also reliability?

I know you're one of the 13 contributors to the Qubes OS, but it'd be nice knowing if this is done securely and reliably like the official Qubes templates (like how Joanna explains the weak links in OS builds, i.e. in one of her presentations on YouTube).

Also how come it's not released in the secondary templates community repository? Is this due to license issues?

I apologize for these questions, it's not out of lack of respect, but rather probably my lack of understanding.

Foppe de Haan

Feb 3, 2018, 3:11:31 AM
to qubes-users

per https://www.qubes-os.org/doc/templates/ubuntu/ :
"These templates are currently not available in ready to use binary packages, because Canonical does not allow redistribution of a modified Ubuntu. The redistribution is not allowed by their Intellectual property rights policy."

Yuraeitha

Feb 3, 2018, 2:38:28 PM
to qubes-users

@Foppe
hmm, that is an unfortunate hard stand on license.. Canonical seems a bit too needlessly strict here. It feels like an overkill lawyer lock-down on a contract, to cover all ends needlessly, just to be sure nothing is overlooked. I'm a bit sad about such mindless over-protection. Perhaps the license wasn't even written with Ubuntu in mind, but just an overall general protection... well I wouldn't know, but it seems like it might be.

Perhaps they can make an exception for cases like Qubes though, it seems like it would make good sense for them to do so, especially now when Qubes 4 is gaining a lot of increased attention and traction. I don't personally use Ubuntu, but it would be a nice addition to Qubes if Canonical gave their acceptance for this use-case.

I'm curious now after reading your post though. Since there are other distributions of Ubuntu out there, I might dig into the licenses on these after half a month has passed, when I get the time for it. There must be a reason why Ubuntu offspring like Kubuntu, Xubuntu, Edubuntu, Ubuntustudio, and so on, are allowed in the license.

Unman

Feb 4, 2018, 8:01:31 PM
to Yuraeitha, qubes-users
These are really good questions: in reverse order -

Canonical has a strict license policy. The offspring you mention are
all licensed by Canonical and permitted to use the Ubuntu name or
variants thereof.
Canonical have not yet allowed Qubes a license to use Ubuntu, and the
Qubes project therefore cannot distribute Ubuntu templates. Ubuntu
templates are integrated into the build system, which is designed to
be as simple as possible, and almost anyone should be able to build a
template for themselves.
It may be possible in the future to persuade Canonical to extend
licensing to Qubes. At the moment there are certain requirements on
their part which make this difficult/impossible, but I hope that we
can change this at some point.

So for these reasons Qubes will not release Ubuntu templates, and they
are not included in the community repositories, as is clear on the page
Foppe cited.

When I post in these mailing lists I don't speak for Qubes: I'm posting
as a Qubes user. I think there may be some people who aren't confident
enough, or don't have time, to build Ubuntu templates for themselves, so
I build example Templates and make them available. I also host repos to
serve deb packages for Ubuntu.
I use a dedicated machine for building, a caching proxy to save
downloads, and run through Tor. Is that secure and reliable?

That said, I STRONGLY recommend that you build these templates for
yourself.
If you look at my posting history and contributions you may choose
to trust me and by extension the packages I put up. That's your decision.
For what it's worth, no one has reported anything untoward about any of the
packages I've posted, or the live images.
(Of course, if I were a malicious actor this is EXACTLY the approach I
would take.)

Hmm, security IS difficult, isn't it?

unman

Bertrand Lec

Feb 14, 2018, 1:43:57 PM
to qubes-users
Thank you a lot for your work.

Do you know which qvm-* tools to install? The ones in http://qubes.3isec.org/3.2/ are not for artful and the Release file is missing. Can I use the debian ones?

Thanks a lot
Bertrand

Sven Semmler

Feb 13, 2020, 9:12:19 PM
to Unman, qubes-users
On Mon, Feb 05, 2018 at 01:01:28AM +0000, Unman wrote:
> When I post in these mailing lists I don't speak for Qubes: I'm posting
> as a Qubes user. I think there may be some people who aren't confident
> enough, or don't have time, to build Ubuntu templates for themselves, so
> I build example Templates and make them available. I also host repos to
> serve deb packages for Ubuntu.
> I use a dedicated machine for building, a caching proxy to save
> downloads, and run through Tor. Is that secure and reliable?
>
> That said, I STRONGLY recommend that you build these templates for
> yourself.

Done. My only open question now is: how do I get qubes-specific
updates?

I know I could just hook up to unman's repos, but if I wanted to do it
myself?

- I have the qubes-builder setup and have successfully created a
bionic template (using it right now).

- How do I know there are changes to the qubes-* packages? Can I monitor
that on Github somehow? Just run qubes-builder every weekend?

- Obviously I don't want to redo all my customizations to the template
every time there are new packages. Where in the qubes-builder output
can I find the respective packages? I suppose I simply qvm-copy them
into my template and then run 'apt install'?

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


Unman

Feb 14, 2020, 7:07:56 AM
to qubes-users
Good stuff.
It's somewhat difficult to see exactly what's happening in Github.
A "foolproof" method would be to watch for update-notifications for
Debian templates, and rebuilding accordingly. (If you generally use
stable you might care to set up a "testing" template and qube for this
purpose.)
The packages are in qubes-packages-mirror-repo, in the "deb" directory
under vm name. You can indeed just copy them in and install.

unman

Sven Semmler

Feb 14, 2020, 12:13:55 PM
to Unman, qubes-users
On Fri, Feb 14, 2020 at 12:07:51PM +0000, Unman wrote:
> Good stuff.
> It's somewhat difficult to see exactly what's happening in Github.
> A "foolproof" method would be to watch for update-notifications for
> Debian templates, and rebuilding accordingly. (If you generally use
> stable you might care to set up a "testing" template and qube for this
> purpose.)

All my "system" qubes run on debian-10-minimal and by definition have
the critical qubes-core-agent- packages installed. I'll use that as a
notification mechanism.

> The packages are in qubes-packages-mirror-repo, in the "deb" directory
> under vm name. You can indeed just copy them in and install.

Great! Thank you!

Sven Semmler

Mar 2, 2020, 3:36:25 PM
to Unman, qubes-users
On Fri, Feb 14, 2020 at 12:07:51PM +0000, Unman wrote:
> It's somewhat difficult to see exactly what's happening in Github.
> A "foolproof" method would be to watch for update-notifications for
> Debian templates, and rebuilding accordingly. (If you generally use
> stable you might care to set up a "testing" template and qube for this
> purpose.)

Got two more questions:

- the ubuntu templates have a file
/etc/apt/sources.list.d/qubes-contrib-r4.0.list which contains URIs
to the qubes-os server (e.g. https://contrib.qubes-os.org/deb/r4.0/vm
bionic main)

Those don't work for me, which makes sense as Qubes can't provide
Ubuntu binaries. Correct?

- the above though got me thinking... if I build using my own signing
key, run a webserver on the qubes-builder VM and configure the
firewall to allow the Ubuntu templates on my machine to connect to the
qubes-builder VM ... then I could replace the above URI with my local
qubes-builder VM IP and 'apt update' should pick it up - right?

There is probably another file that I need to create for this to work
("Release file")?

Thanks!

PS: I know Unman is doing all this work and that's awesome ... I could just
use his binaries ... but where is the fun in that ;-)

Unman

Mar 2, 2020, 6:59:02 PM
to qubes-users
On Mon, Mar 02, 2020 at 02:36:13PM -0600, Sven Semmler wrote:
> On Fri, Feb 14, 2020 at 12:07:51PM +0000, Unman wrote:
> > It's somewhat difficult to see exactly what's happening in Github.
> > A "foolproof" method would be to watch for update-notifications for
> > Debian templates, and rebuilding accordingly. (If you generally use
> > stable you might care to set up a "testing" template and qube for this
> > purpose.)
>
> Got two more questions:
>
> - the ubuntu templates have a file
> /etc/apt/sources.list.d/qubes-contrib-r4.0.list which contains URIs
> to the qubes-os server (e.g. https://contrib.qubes-os.org/deb/r4.0/vm
> bionic main)
>
> Those don't work for me, which makes sense as Qubes can't provide
> Ubuntu binaries. Correct?
>

Yes, but I don't think my templates have that file.
Isn't it deleted as part of 09_cleanup?

> - the above though got me thinking... if I build using my own signing
> key, run a webserver on the qubes-builder VM and configure the
> firewall to allow the Ubuntu templates on my machine to connect to the
> qubes-builder VM ... then I could replace the above URI with my local
> qubes-builder VM IP and 'apt update' should pick it up - right?
>
> There is probably another file that I need to create for this to work
> ("Release file")?
>

Indeed you can do this - use reprepro to create the relevant files in
your repo, and serve it with a tiny web server.

> Thanks!
>
> PS: I know Unman is doing all this work and that's awesome ... I could just
> use his binaries ... but where is the fun in that ;-)
>
> /Sven
>

Keep having fun.
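
The signed local repository discussed in the message above, as an added example that is not part of the original thread or of qubes-builder. The function names, the Origin/Label text, the amd64 architecture, the key ID, the builder IP and the keyring path are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: signed local apt repository built with reprepro.
# All names and values passed to these functions are placeholders.

# Write reprepro's conf/distributions for one suite. SignWith makes
# reprepro generate Release, Release.gpg and InRelease with that key.
write_distributions() {  # usage: write_distributions <repo_dir> <codename> <key_id>
    mkdir -p "$1/conf"
    cat > "$1/conf/distributions" <<EOF
Origin: local-qubes-builder
Label: local-qubes-builder
Codename: $2
Architectures: amd64
Components: main
Description: Locally built Qubes packages for $2
SignWith: $3
EOF
}

# Import every .deb found under the builder's output directory.
import_debs() {  # usage: import_debs <repo_dir> <codename> <deb_dir>
    find "$3" -name '*.deb' -exec reprepro -b "$1" includedeb "$2" {} \;
}

# Export the public half of the signing key in binary form, which is
# what apt expects for a .gpg keyring named in a signed-by option.
export_key() {  # usage: export_key <key_id> <out_file>
    gpg --export "$1" > "$2"
}

# Emit the sources.list line for the template. signed-by restricts
# trust for this repository to the one exported key.
sources_line() {  # usage: sources_line <builder_ip> <codename> <keyring_path>
    printf 'deb [signed-by=%s] http://%s/ %s main\n' "$3" "$1" "$2"
}

# Typical order on the builder qube (placeholder values):
#   write_distributions /srv/repo bionic <KEY_ID>
#   import_debs /srv/repo bionic <path to the "deb" directory>
#   export_key <KEY_ID> local-builder.gpg   # copy into the template
```

Only the dists/ and pool/ directories that reprepro creates need to be reachable over HTTP. With the sources line in place, 'apt update' in the template checks the repository's InRelease signature against the exported key alone.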

Sven Semmler

Mar 2, 2020, 7:35:36 PM
to Unman, qubes-users
On Mon, Mar 02, 2020 at 11:58:56PM +0000, Unman wrote:
> Yes, but I don't think my templates have that file.
> Isn't it deleted as part of 09_cleanup?

All I did is:

-> new Fedora 23 minimal standalone VM
-> install all dependencies as listed on Qubes website
-> git clone
-> setup script
-> only bionic
-> no precompiled
-> the 4 make runs as instructed by the script's output

I'll see if I can locate the '09_cleanup' section in the makefile and
have a look.

> Indeed you can do this - use reprepro to create the relevant files in
> your repo, and serve it with a tiny web server.
> Keep having fun.

I will & thank you for all the answers and work on Qubes.