Just realized one of the major disadvantages of Qubes OS...


e5f3c2ea89...@tutanota.com

Jan 21, 2017, 2:12:10 PM
to qubes...@googlegroups.com

... It makes you feel significantly less safe when using anything other than Qubes :]

qmast...@gmail.com

Jan 22, 2017, 5:04:43 AM
to qubes-users, e5f3c2ea89...@tutanota.com
On Saturday, January 21, 2017 at 22:12:10 UTC+3, e5f3c2ea89...@tutanota.com wrote:
> ... It makes you feel significantly less safe when using anything other than Qubes :]

Haha you are a master of clickbait titles :]

pixel fairy

Jan 24, 2017, 4:50:56 AM
to qubes-users, e5f3c2ea89...@tutanota.com
let's make it real then.

- picky about hardware. probably the biggest issue now.

- no 3d acceleration. xengt / kvmgt might fix that, but last i checked, that was a huge attack surface which no one at itl wants to go over.

- some hardware will have performance issues even just watching videos as a result of the above.

- no nested virtualization. again, big, complex attack surface. two common use cases are vagrant and android development.

- only a few border colors to choose for appvms, so it's easy to end up reusing colors.

- for some reason, dom0 borders are blue, one of the appvm colors.

- you can copy / paste, but not copy / autotype into a vm. the support seems to be in the gui protocol, just no interface to do it. tried to script it with xdotool, but couldn't get window ids.

that's all i can think of as real disadvantages. i would like to see qubes on wayland. i think it would greatly reduce attack surface and probably benefit performance.

pixel fairy

Jan 24, 2017, 4:52:01 AM
to qubes-users, e5f3c2ea89...@tutanota.com
On Tuesday, January 24, 2017 at 1:50:56 AM UTC-8, pixel fairy wrote:
> On Sunday, January 22, 2017 at 2:04:43 AM UTC-8, qmast...@gmail.com wrote:
> > On Saturday, January 21, 2017 at 22:12:10 UTC+3, e5f3c2ea89...@tutanota.com wrote:
> > > ... It makes you feel significantly less safe when using anything other than Qubes :]
> >
> > Haha you are a master of clickbait titles :]
>
> lets make it real then.
>

also, no support for ipv6, though i think that's slated for qubes 4.x

qmast...@gmail.com

Jan 24, 2017, 6:54:34 AM
to qubes-users, e5f3c2ea89...@tutanota.com
On Tuesday, January 24, 2017 at 12:50:56 UTC+3, pixel fairy wrote:
> also, no support for ipv6, though i think thats slated for qubes 4.x
>

> no 3d acceleration

There is 3D acceleration but it's only for dom0 (on Qubes R3.2 it is through Mesa 11.1.0 which gives OpenGL)

> no nested virtualization

I was sad when I installed VirtualBox, tried launching it and it said something like "not supported on Xen hosts" :P On other Linux distros it is possible to nest virtualization one inside another, but only for 32-bit OSes inside the VMs (last time I checked)

> no support for ipv6

not really a problem. it is 2017 and I still haven't encountered any situation where IPv6 is actually being used, despite working a lot with computers and routers (IPv6 is there but nobody is using it... Never ever had to use those ridiculous IPv6 addresses, yet)

jkitt

Jan 25, 2017, 10:12:56 PM
to qubes-users, e5f3c2ea89...@tutanota.com
On Tuesday, 24 January 2017 11:54:34 UTC, qmast...@gmail.com wrote:

> I was sad when installed VirtualBox, tried launching it and it said that something like "not supported on Xen hosts"

But why would you want to do that? You already have virtual machines at your disposal..

pixel fairy

Jan 25, 2017, 11:05:12 PM
to qubes-users, e5f3c2ea89...@tutanota.com

for development purposes, you might want other kinds. for example, vagrant is a big sticking point. it's how we share and collaborate across platforms, so if you want to work on those projects, you better be able to run its vagrantfile. it's also used as a codified description of processes, sometimes across machines. so you can have a vagrantfile for your web project that includes a vm for the back end database. more on that here, https://www.vagrantup.com/

another reason you might want it is nested virtualization for its own sake. for example, developing hypervisor management software.

for both cases, i just made a vagrant server to use remotely. but that has obvious limitations.

qmast...@gmail.com

Jan 26, 2017, 5:13:09 AM
to qubes-users, e5f3c2ea89...@tutanota.com
On Thursday, January 26, 2017 at 6:12:56 UTC+3, jkitt wrote:
> On Tuesday, 24 January 2017 11:54:34 UTC, qmast...@gmail.com wrote:
>
> > I was sad when installed VirtualBox, tried launching it and it said that something like "not supported on Xen hosts"
>
> But why would you want to do that? You already have virtual machines at your disposal..

I need to use one app which is Mac OS X only and is not cross-platform (doesn't have a version for Linux or Windows). So I wanted to install a Hackintosh, but - while there are plenty of instructions about how to do it on VirtualBox and VMWare, there are no instructions for Xen. And I doubt that it could be done for Xen, because in their instructions for VirtualBox and VMWare they are setting up the virtual machine's UEFI to make it acceptable to Mac OS X, meanwhile - Xen does not have its own UEFI so I guess it can't be done there
(one person tried some time ago, but without success - http://wiki.osx86project.org/wiki/index.php/Snow_Leopard_Server_on_Xen )

pixel fairy

Jan 26, 2017, 6:14:17 AM
to qubes-users, e5f3c2ea89...@tutanota.com

Oleg Artemiev

Jan 26, 2017, 3:16:17 PM
to pixel fairy, qubes...@googlegroups.com
what about using linux containers as vagrant provider or attempt to
use Xen same way? See thread 'Slow performance of Docker containers in
AppVMs' .

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

pixel fairy

Jan 28, 2017, 2:49:35 AM
to qubes-users, pixel...@gmail.com
On Thursday, January 26, 2017 at 12:16:17 PM UTC-8, Oleg Artemiev wrote:
> what about using linux containers as vagrant provider or attempt to
> use Xen same way? See thread 'Slow performance of Docker containers in
> AppVMs' .

lxc or xen would work for developers only on linux. one of the benefits of vagrant is that you can share work with developers on other platforms. with lxc, there's also os limitations. at work we have linux and windows in our vagrant runs. xen could get around this, though the xen back end is pretty limited.

i think the best solution would be a qrexec vagrant back end, syntactically compatible with the more common backends (virtualbox, vmware etc), something i plan on looking into when i get qubes running again. too many of the alt back ends (lxc, xen) have syntax that's not easily worked around, so they're really only good for that backend. an obvious drawback is the lack of nesting, but few need that. of course this would also need packer and/or vagrant mutate support. maybe qubes-lite is the better solution.

RSS

Jan 31, 2017, 9:30:41 PM
to qubes-users

> > no support for ipv6
>
> not really a problem. it is 2017 and I still haven't encountered any
> situation where IPv6 is actually being used, despite working a lot
> with computers and routers (IPv6 is there but nobody is using it...
> Never ever had to use those ridiculous IPv6 addresses, yet)

Actually, I run IPv6-enabled mail servers, and I am (at least some
times) getting IPv6 connections with Google's mail servers. This is
fairly recent behavior. A good chunk of Amazon AWS has recently enabled
IPv6.

I rent (very cheap) two servers that have no public IPv4 IP addresses,
only IPv6.

IPv6 is coming, count on it.

raah...@gmail.com

Feb 1, 2017, 9:44:01 PM
to qubes-users, r...@armor-mail.com

my isp is going to start pushing ipv6 in a week or two. I'm scared lol.

geoff.m...@gmail.com

Jul 13, 2017, 1:05:34 PM
to qubes-users, r...@armor-mail.com
A bit of thread necromancy here, but - if you're using a smartphone in the US with mobile data, there's a *very* good chance you're already using IPv6.

Over 16% of traffic to Google is native IPv6: https://www.google.com/intl/en/ipv6/statistics.html

And as of August 2016, more than 50% of the traffic to Facebook from users on the 4 major cellular (mobile data) networks in the US was via IPv6: http://www.internetsociety.org/deploy360/blog/2016/08/facebook-akamai-pass-major-milestone-over-50-ipv6-from-us-mobile-networks/

Akamai (one of the first CDNs) has some IPv6 adoption statistics, too: https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/state-of-the-internet-ipv6-adoption-visualization.jsp

So, IPv6 isn't quite as niche as a lot of folks in tech seem to think. My ISP started rolling it out, and while I had to do a small amount of massaging with my pfSense box to have it work properly, once it was functioning essentially the way an ISP-provided router might... essentially everything "just worked."

--Geo

motech man

Jul 13, 2017, 11:30:14 PM
to qubes-users, r...@armor-mail.com, geoff.m...@gmail.com

I also expect to see routers for home market that will talk ipv6 externally and ipv4 internally. That will help a lot of people transition.

Alex

Jul 14, 2017, 2:34:05 AM
to qubes...@googlegroups.com
On 07/14/2017 05:30 AM, motech man wrote:
> On Thursday, July 13, 2017 at 12:05:34 PM UTC-5, geoff.m...@gmail.com
> wrote:
>> A bit of thread necromancy here, but - if you're using a smartphone
>> in the US with mobile data, there's a *very* good chance you're
>> already using IPv6.
>> [...]
>>
>> --Geo
>
> I also expect to see routers for home market that will talk ipv6
> externally and ipv4 internally. That will help a lot of people
> transition.
Here in Italy (and a lot of other countries too) home routers just
started distributing /64 internally, in full dual-stack mode, during
this spring for the major ISPs.

Public institutions are expected to be fully dual-stack connected and
publicly available by the end of the year by law.

I don't see any advantage in having a situation like you described - why
not just full dual stack, and the devices connect to the technology they
support?

Apart from us qubes aficionados, any win10 pc, apple or android device,
and the vast majority of linux workstation/server distros fully support
dual stack configurations, and happily work preferring ipv6 when available.

--
Alex

pixelfairy

Jul 14, 2017, 11:29:19 PM
to Alex, qubes...@googlegroups.com
This thread should be renamed ipv6, and there was such a thread in qubes-devel. one of the issues is what to do when moving from an ipv6 enabled network to one without. netvm can easily note the difference and adapt, but whether you're bridging or natting, all the appvms won't know any better and will start trying to use the non existent ipv6.

one possible solution is dns filtering. don't return AAAA records when no global address is present, but then you're going down another rabbit hole.
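
Added example, not part of the original thread and not Qubes code: one way the DNS filtering idea above could work in a forwarder, answering AAAA queries with an empty NOERROR reply when the host has no global IPv6 address. Assumptions: "global" is taken to mean 2000::/3, interface state is read in `/proc/net/if_inet6` format, and all function names and sample data are hypothetical.

```python
import ipaddress
import struct

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # assumption: what counts as "global"
QTYPE_A, QTYPE_AAAA = 1, 28

def has_global_ipv6(if_inet6_text):
    """True if /proc/net/if_inet6-style text lists a global unicast address."""
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) == 6 and ipaddress.IPv6Address(int(fields[0], 16)) in GLOBAL_UNICAST:
            return True
    return False

def question_type(query):
    """Return (QTYPE, end offset) of the first question in a DNS query."""
    pos = 12                                  # skip the fixed 12-byte header
    while query[pos] != 0:                    # length-prefixed labels, uncompressed in queries
        pos += 1 + query[pos]
    qtype, _qclass = struct.unpack_from("!HH", query, pos + 1)
    return qtype, pos + 5

def filter_query(query, if_inet6_text):
    """NODATA reply for an AAAA query when no global address exists, else None (forward it)."""
    try:
        qtype, end = question_type(query)
    except (IndexError, struct.error):
        return None                           # malformed: leave it to the upstream resolver
    if qtype != QTYPE_AAAA or has_global_ipv6(if_inet6_text):
        return None
    txid, flags = struct.unpack_from("!HH", query, 0)
    flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, copy RD, RA=1, RCODE=0 (NOERROR)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:end]

# --- constructed sample data (hypothetical interface state and query) ---
def _proc_line(addr, scope, dev):
    return "%s 02 40 %s 80 %s\n" % (ipaddress.IPv6Address(addr).exploded.replace(":", ""), scope, dev)

def build_query(name, qtype, txid=0x1234):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# link-local, loopback and ULA only: the ULA has kernel scope 00 yet is not globally routable
NO_GLOBAL = _proc_line("fe80::1", "20", "eth0") + _proc_line("::1", "10", "lo") + _proc_line("fd00::5", "00", "eth0")
WITH_GLOBAL = NO_GLOBAL + _proc_line("2001:db8::10", "00", "eth0")  # documentation prefix

if __name__ == "__main__":
    q = build_query("example.org", QTYPE_AAAA)
    print(filter_query(q, NO_GLOBAL).hex())    # synthesized empty answer
    print(filter_query(q, WITH_GLOBAL))        # None: forward as usual
```

A client that gets the empty answer falls back to the A record instead of attempting IPv6 connections that cannot succeed; A queries and any query made while a global address is present pass through untouched.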
