Qubes OS 4.0 first release candidate (rc1) has been released!

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

We have just released Qubes 4.0-rc1:

https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZfxfZAAoJENuP0xzK19cswOMH/0k+rDX8EuoGXduK+q7zltmT
nZ06yFh5nzUIA0x8gi6XyFAL/Ph68d0WARKIB2r7X+e2IChG9WbXnBZAzLmnpwRP
G0PwkYSMQNeVxv7dT9cTyOXtFScZlfhTJtJAhd40LuuLB1tMbfA+wEQVYT4eR7r3
q7wftZRz5L6AAYZ2ofeDAkraIYF2i0PBC7NZeDnKKR6vT09S4a590HzqJukDz+Ob
HbOB3PhumFbCpISNjIhtPNgUitXbUreC1Wfc3hFF35UgzMatWzskP/lXeIZxztUI
TO+X7FsO3QO7LXJXidD7IZrPH6FWLfIL1Dhms8sj2MVuA1Ug5bayuYwJ/G4ci3Y=
=SV8T
-----END PGP SIGNATURE-----

[f.tut...@gmail.com]

I don't like that Qubes Manager was removed.
I am also looking for an icon for Backup/Restore. As long as I can't find this option I can't restore my VMs and this release is useless for me.

[P R]

Hello,

Am 31.07.2017 8:09 nachm. schrieb <f.tut...@gmail.com>:

I don't like that Qubes Manager was removed.

I can understand that this might feel strange, but after getting used to it you can do anything (even more than with Qubes Manager) from the command line/CLI.

As far as I have understand, the option is there that someone can program a Qubes GUI, but this is not in scope of the Qubes Core Team, which seem ro be focussed more on the "real"/difficult Qubes stuff.

I think this is a good decision, but having something like a "legacy" Qubes Manager for Newbies might be helpful for beginners.

I am also looking for an icon for Backup/Restore.

You can do backup and restores from the CLI (at least on Qubes 3.2) and I am sure that this can also be done in Qubes 4 RC1.

In dom0:

qubes-backup-restore --help

... will tell you exactly what you need to do.

 As long as I can't find this option I can't restore my VMs and this release is useless for me.

Have you tried to do a restore via CLI?

If you run into problems, just tell us where exactly the problem is and we'll figure it out.

I'll download RC1 this evening and will also restore my Qubes 3.2 VMs.

I can then update this post with a short how-to.

- PhR

[Foppe de Haan]

Tiny bug with 4rc1 (clean install): qvm-copy-to-vm doesn't exit once done transferring data.

[Eva Star]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Very good news, thanks :)

On 07/31/2017 02:43 PM, Marek Marczykowski-Górecki wrote:
> Hello,
>
> We have just released Qubes 4.0-rc1:
>
> https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/
>
>

- --

Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZf4FCAAoJEGSin3PC/C0A/ZMQALsV5RzgmGmCu0JoDUROzG5u
a2nkQjtlh2uIeDOtd1xkYdOjtpoOv6Jllpjef/PJF01txwgz5paNRyvu+cW2hc2C
LNVeff6alf7rhDlZX11ZY6WI17ld/P/yQv/rlW6gQjW6Is5prMb6DKIhzx+1XoGS
W4SQmHThkT8ZGZ/fiuqxLHXKgSh/JWxG/De1KpSf0CByU6ugh2CGbOKV4RPHwa4X
Z6WMfvECr+KCvl7vqYmwQaBwKD2gNag5bKuy0DNpXKIyHf33CGFHVvfT6uPoTg40
RtRUSp/uw+mZAjKIzCzOn82gt4aeLVvczF3jvE2Prk0Td8CThQCwUxPXw4IcUZ8m
RSuxYspYYKz11WLZtM7pCDl+CkfrlM/ZUU88RJJ6waeVRPa2m0oM0d4dFn210usk
Uc5UOC0/sKqh15ZH3rlaHK0+CfKyMYyNEMYN6vGME1bzLkOZ3g/ZLmL5EzUuL7mn
NwlS1JkCX5yXUfZ+Xa0SnI4ZIWDxqzvyjY4VORAZxTua72R3iOYOKb/xU/N7CX91
vhZ9yamW3F3mnbiUYrP38tiVhH6XKhsfxzdotBVq5CuIccKlK1BrkEfKXZJDQuze
55MdXmbTaIDpivA5zfWjA7CDPHy82az3Aa7+XwaieD3jmX+jPYNXbXWBnRnLTCUz
oBTFff76TAPKfQt8kouU
=KJGq
-----END PGP SIGNATURE-----

[f.tut...@gmail.com]

I was able to restore all of my VMs via CLI but after restoring I couldn't start any VM.
Will downgrade to 3.2 and will wait for final release of 4.0 and I hope that this will then be fixed.

[miki]

Hi,
HVM Standalone option is greyed out. Also the --cdrom option no longer exists with the qvm-start command. Does anyone know if this is related to some Stubdom changes/problems and will be supported again in the final release?

[P R]

Hello,

Am 31.07.2017 9:42 nachm. schrieb <f.tut...@gmail.com>:

I was able to restore all of my VMs via CLI but after restoring I couldn't start any VM.
Will downgrade to 3.2 and will wait for final release of 4.0 and I hope that this will then be fixed.

Of course you can go straight back to 3.2 but as this is release candidate feedback could be helpful.

What happens when you start one of the AppVMs from the CLI?

Output/Error messages?

Have you tried to launch a template VM also, not only the AppVMs?

- PhR

[Holger Levsen]

On Mon, Jul 31, 2017 at 01:43:20PM +0200, Marek Marczykowski-Górecki wrote:
> We have just released Qubes 4.0-rc1:

awesome!

I've installed it on a lenovo x260 and upon the end of the installation I had some
error concerning sys-firewall stating "could not find capabilities for arch=x86_64",
despite that the installation seemed successful. But then when I logged into the
installed system and ran "qvm-run personal xterm" I got the same:

$ qvm-run personal xterm
Running 'xterm' on personal
personal: Start failed: invalid argument: could not find capabilities for arch=x86_64

IOW: this doesnt work for me at all. Happy to test+debug further though if someone
has an idea what to do…


--
cheers,
Holger

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Do you have VT-x enabled in BIOS?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZf5ccAAoJENuP0xzK19csMK0IAIYI/zVfwmAj7Zn8Ywja8oRQ
+s4EjLS+okL5bGDt+l86BOuVrtFi0W/9ugKWQgwab+MUEzfot4Y1IMUcIQG57Ee0
UPXXSFxY9TG93wgtgq1qPLp3j6rU7gD14DYiE8hoSkAa7XmqT5eMA/u4kKD7Mp0Q
cvGtcj+2qNiN2Klt+rSqAZhnQU/SbPNJncRTsI3QeU0Jvny2RT2/M5re261wa3cO
JlNv0vLojgQQ0TIaL/ObeZLN4RfQScCldNTlkecjgjASEFiiNokfLRFC1wAtvlOe
CGcY09DV0AXGKexmTxxE2rj6ayDloYGzhG7CWXHxCB9N3yHuCF2dHyPgA+F9Ff4=
=OXeO
-----END PGP SIGNATURE-----

[Holger Levsen]

On Mon, Jul 31, 2017 at 10:46:19PM +0200, Marek Marczykowski-Górecki wrote:
> Do you have VT-x enabled in BIOS?

doh, indeed it was disabled. (Which slightly puzzles me as I had running Qubes 3.2 running
on this machine before…)

Now I get another error OTOH, but I'll try a fresh reinstallation of 4.0rc1 first, before
reporting that exact error…

Thanks!


--
cheers,
Holger

[Micah Lee]

On 07/31/2017 04:43 AM, Marek Marczykowski-Górecki wrote:
> Hello,
>
> We have just released Qubes 4.0-rc1:
>
> https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/

I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs
Qubes 3.2 without a problem. After installing it, when I boot up, grub
works, but then as soon as Qubes starts to boot the computer reboots,
and I end up back in grub.

Any ideas on how to start troubleshooting?

[Foppe de Haan]

start by pressing esc to switch to text boot. Maybe get a camera so you can capture the error msg before reboot. If that doesn't provide enough info, you can try enabling debugging in the boot options by adding the relevant parameter.

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Micah Lee:

> I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs
> Qubes 3.2 without a problem. After installing it, when I boot up, grub
> works, but then as soon as Qubes starts to boot the computer reboots,
> and I end up back in grub.

I ran into the same behavior on a T420. Removing iommu=no-igfx from
the Xen command line fixed it. [1]

If that doesn't help, _adding_ console=vga should let you see what's
going on.

Rusty


1. https://github.com/QubesOS/qubes-issues/issues/2841#issuecomment-318172669
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJZf62qXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfGk4P/A0pdDRjuAVchC6oy4XF4cqB
pYRckVY4hET5yvMY3bqU2NIILbfwkK0XGztAvoKEuF9eqT6sfeq8ZwKdtL02gXD0
O14Nig4oXXg3+uRhBaDA12wMKu6wuPRZ0fUjtPZk/KyP6/v24sGIxHTicSDJUpve
8u+yqJYOzqZSw8907YdMwe6vEZoDAeqXbb0nA7ngdmzSdIX3z5T2iG5SOEnRjZ64
U/1uS5OdEir7tbks+L/Xh+NSWmfk4pnMKFmF8rV1+3/bVToMmOWOQAcbgQIoMElL
tK+3aWqPOHX1+66qk07xIC8Uq+ORQOsHRRA0c2wUX03EY/23RNW1OzYlRlmBIWyb
xfJOdw5U8R2wSheO1wUyMO1hQ52W3fx8e927UjTaTAGzJ7t1UJ8wN1e5ZyurKLuI
iwVCaCq0o4AHsQbHsOdoRNNuIrzy12N3ZHPMaDQrw3UAX840/fDPAeg8aCi0Sr/6
CAKcu/wJUXTb24/6mRYBlDIRGtMd8f8UAAq37ikUBxOZB2EdYdYZHoedoTyqzSP6
SfponcAUSUG9KIOPLJDWG5OJSCuVJisMA0ScdnByRCdULvDaFcMlDWwee/7f8bbQ
JJ6IxF1BgyJdJ/8OoQViSx2055Glj8tYPivm7I0XDfTs0Cx6zGhlAWNv7ro30xYT
Pt+Wa4/IsIzuLB8HhlnL
=IbPe
-----END PGP SIGNATURE-----

[Holger Levsen]

On Mon, Jul 31, 2017 at 09:17:43PM +0000, Holger Levsen wrote:
> Now I get another error OTOH, but I'll try a fresh reinstallation of 4.0rc1 first, before
> reporting that exact error…

whoohooo - that fresh installation on an x260 for the first time showed
reliable suspend+resumes, I've done 42 suspends of the machine (which, granted,
was not doing anything) and it successfully resumed 42 times \o/

which to me is quite very amazing, running qubes 3.2 I'd estimate the success
rate rather to be 60% or so, maybe 70%… (while the same machine running
Debian 8 also had 99.x% successful resumes…)

so far so very good. i'm curious whether this will also be the case with qubes
3.2.1 and a 4.9 kernel (so far only tried with the older 4.8 one from the
qubes repos…)

(but then, see the other mail on this list about my problems installing the
4.9 kernel on qubes 3.2…)

OTOH, wireless didnt work after a few resumes (qubes 4.0rc1), i assume this
can be fixed by unloading+reloading the module, but…

I'm happy as long as resume works.


--
cheers,
Holger, who really did those 42 suspends and resumes…

[f.tut...@gmail.com]

I can't start any VM (AppVM & Template VM) even the Template VM that was created freshly with 4.0 installation can't start.

[lok...@gmail.com]

On Tuesday, 1 August 2017 13:19:21 UTC+8, Holger Levsen wrote:

> so far so very good. i'm curious whether this will also be the case with qubes
> 3.2.1 and a 4.9 kernel (so far only tried with the older 4.8 one from the
> qubes repos…)
>
> (but then, see the other mail on this list about my problems installing the
> 4.9 kernel on qubes 3.2…)

I'm having hangs on resume with kernel 4.9 on a Latitude E7470. That suggests to me that you'll probably have the same problem.

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/31/2017 01:43 PM, Marek Marczykowski-Górecki wrote:
> https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/

My Very First Impressions:

- - the "test this media & install Qubes" is hanging forever on my T450.
Before the graphical "qubes loader screen", I see some strange error
messages. Need to be fast to capture however. Was not lucky to get it.

- - The isntall process is really looooong.
Not debugged jet but the creating initramfs seems to be running forever.
But at least was successfull at the end :)

- - the missing Qubes Manager is a pain.
- - the 'replacement' in the task bar is small and buggy:
the tooltip? like thing is randomly shirk to unusable. But too
samll in general. I have 40 vm's right now.

- - the vm setting windows is the old one, no new features are usable
from that GUI :(

- - memory balancing are enabled on PCI asigned VM's.

- - network manager applet is (still?) not show on first start.
need to restart the sys-net VM to shown.


- - still only 8 available colors for the VM's. :(((
Again: I have 40 of them.

- - no VM status GUI. :(
The old Qubes manager would be fine till a the new tools(?) not ready
for use.

- - the 'new' Qubes firewall solution causing more confusions.
- mixed iptables and nftables? why?
- the old GUI not allow to use the new features.
- even if Allow is the default policy I see a DROP rule at the end.
Why? :o

- - qubes-hcl-report is not included.
just tested it (the latest version from github) and it working with
4.0 out of the box.

- - no KDE group available
Maybe the same reason with the recent 3.2?
Probably I'm the last KDE user under Qubes - and I just started to
migrate to XFCE because of the unresolved issues with KDE since the
3.2 release. And see no progress in 4.0

So I would really appreciate some statement if Qubes will really drop
KDE support. I can accept that, but then I not waste my time trying to
make it work. Instead focusing to fix the XFCE issues I have ;)

- - the default login screen is just ugly. I know that this is not the
first priority, and not even a technical issue. But new users will see
that ugly thing first. So it's should be a Qubes skinned one. at least.


- --
Zrubi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZgEjuAAoJEH7adOMCkunmiz8QAIESj31RZibLg4BapsXKIk5a
gUxZVMOkhDrc+N5serF28S1Ps5UnYemPOKSoYPUfZyk4C+5l8jk3GeyU5nO6Tvp0
Hrwsxj3gzgBUxYkSatqTCkICXtoR2K+X93IAPJWtjmOUi6VLQG00IpiPyHsdPPHF
MSjtQ6iJB4qyHzeUe0hzul/AektyOz2APO/ebojcdwlEZLVZpJZjrKD5YIUQYDzA
fafJE6una8ZxC1FULKFoqWCRbUMe396D1tuo1FIUhXG1Cnc/o8x4Xp2FW6SkzZRl
IEoKJPX4vFoHysUCeefOgfhjHKF5if+E3g47eZb+63sFvaS9aCFNAoPH4CiXnEkO
PaLLggR12etQP+4KQacnszKdl+mh4h+5ZAlus/LjPdlNUVh7t/M1dfv3J1qLAzcw
cDM9+OKFGmP9ThIHD+SgiNxIKsWSCctt4IdYsXjEJMEN+X6LHVOQY6F038ekkDZe
dhTaNv/RRrzR8sIEtafLQzBA0R2DLXM5sOPrZXKmcv4B3UTMFfo5sfS0xtqPn1z5
xjOjnk/uC9+pNOoAH1lusSHp/mUbFcikF1t9yMe6GFBeKIzQbJba+Hac6zPS4lIM
EK2/RksLRxKXP6/3u6lVMc2f5DK5IOVGW3aBEVsSa6C8Ve+O84ElVXs7/ueY8U8F
D2SOB+X0NIUUkEWk+936
=qI1g
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Aug 01, 2017 at 11:25:11AM +0200, Zrubi wrote:
> On 07/31/2017 01:43 PM, Marek Marczykowski-Górecki wrote:
> > https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/
>
> My Very First Impressions:
>
> - the "test this media & install Qubes" is hanging forever on my T450.
> Before the graphical "qubes loader screen", I see some strange error
> messages. Need to be fast to capture however. Was not lucky to get it.

I've seen some problems with USB 3.0 on T460p. Basically it throws a lot
of I/O errors - sometimes during boot, sometimes in the middle of
installation. Using USB 2.0 stick, or USB 2.0 hub (or just cable)
helped.

> - The isntall process is really looooong.
> Not debugged jet but the creating initramfs seems to be running forever.
> But at least was successfull at the end :)

Is it just about initramfs and "post installation tasks" - compared to
the whole installation time? There may be some bug causing initramfs
being generated twice (or more...) - I think I've fixed something like
this before, but maybe not all the places. If you think it's important,
please open issue on github.

> - the missing Qubes Manager is a pain.
> - the 'replacement' in the task bar is small and buggy:
> the tooltip? like thing is randomly shirk to unusable. But too
> samll in general. I have 40 vm's right now.

What do you mean by "randomly shirk to unusable"? Can you provide a
screenshot?

> - the vm setting windows is the old one, no new features are usable
> from that GUI :(

Sadly that's true. Working on major features (like Admin API) took much
more time than anticipated, and we didn't want to delay 4.0 any further.
In practice there are not so much missing things, that are useful for
normal usage. I'd say this list:
- booting from external disk (useful to install windows)
- firewall rules
- network settings (custom IP, etc)
- allow starting DispVM out of this AppVM

I've created this ticket to track it:
https://github.com/QubesOS/qubes-issues/issues/2949

If you think some more will be useful, please comment there.

> - memory balancing are enabled on PCI asigned VM's.

In practice it is not, because VM itself have it disabled if have some
PCI device. So the issue is reporting it in GUI.

> - network manager applet is (still?) not show on first start.
> need to restart the sys-net VM to shown.
>
> - still only 8 available colors for the VM's. :(((
> Again: I have 40 of them.

Most backend code to support more labels is done. The (important!)
missing part is window manager support. AFAIR currently only awesome and
xfce4 generate colorful borders dynamically, other window managers
(especially KDE) have it hardcoded.

If you want to try, take a look here:
https://www.qubes-os.org/doc/admin-api/
Then use qubesd-query tool to issue those API calls. For example:
echo -n 0x00ffff | qubesd-query dom0 admin.label.Create dom0 cyan

(testing this, I've found you need to kill `qvm-start-gui --all --watch`
process and start it again after creating label)

> - no VM status GUI. :(
> The old Qubes manager would be fine till a the new tools(?) not ready
> for use.

What do you mean? Domains widget is specifically there to show you
VM status.

> - the 'new' Qubes firewall solution causing more confusions.
> - mixed iptables and nftables? why?

What do you mean by mixed? Setting for VMs are applied using nftables if
supported (Fedora), or iptables when not (Debian). Not both.

> - the old GUI not allow to use the new features.
> - even if Allow is the default policy I see a DROP rule at the end.
> Why? :o

To fail closed - if something goes wrong, there will be that DROP rule
at the end anyway.

> - qubes-hcl-report is not included.
> just tested it (the latest version from github) and it working with
> 4.0 out of the box.

Oh, I don't know how it happened. Will fix it shortly.

> - no KDE group available
> Maybe the same reason with the recent 3.2?

Probably, I will look into it shortly.

> Probably I'm the last KDE user under Qubes - and I just started to
> migrate to XFCE because of the unresolved issues with KDE since the
> 3.2 release. And see no progress in 4.0
>
> So I would really appreciate some statement if Qubes will really drop
> KDE support. I can accept that, but then I not waste my time trying to
> make it work. Instead focusing to fix the XFCE issues I have ;)

I think we can say that KDE migrated from "ITL supported" to "community
supported". OTOH Fedora 25 in dom0 brings also updated KDE, so maybe
some issues are fixed.

> - the default login screen is just ugly. I know that this is not the
> first priority, and not even a technical issue. But new users will see
> that ugly thing first. So it's should be a Qubes skinned one. at least.

Hmm, I do see Qubes logo in the background there. Do you have something
different?

Thanks for detailed report/review, we really appreciate it!
We receive a lot of emails, so if there is some actionable items, better
create issue on github, so we will not loose it...

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZgF+7AAoJENuP0xzK19csyZ8H/R20VMWtuRrdTUHt/24Kpeer
w4wqxoNgW2kcXOBORGV5aWk4S7HBA74g50G/Uk+SdfkTkvTNgFxw0UY8yYlDuHnO
buWob7x8psbidgDfmlo2CkZN114qbJ7jzCpKWM1uyODrvGmASnBaBMLmlT3Cxxyp
aPCzr7SddNqi/rTG2UGoctLEMztVekTg9ACbXKd07w/vt03BCDLCowtcIfx3E4vm
te36EsNHR8O+VDIYSO20G9FabaknMuGy6IIthRot6zmWk+jdFglrKjSf6DjOo34S
297Eu43CVmtxkGVAiFoERI+7hj6jyR86onOuRrDC0qdO9WJLxkVpjSQSMU8Bjio=
=65ED
-----END PGP SIGNATURE-----

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Zrubi:

> So I would really appreciate some statement if Qubes will really drop
> KDE support. I can accept that, but then I not waste my time trying to
> make it work. Instead focusing to fix the XFCE issues I have ;)
>
> - the default login screen is just ugly. I know that this is not the
> first priority, and not even a technical issue. But new users will see
> that ugly thing first. So it's should be a Qubes skinned one. at least.

Or, if the login screen isn't needed anymore (to switch between XFCE
and KDE), why not get rid of it entirely:

# mkdir /etc/lightdm/lightdm.conf.d
# cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf <<END
[SeatDefaults]
autologin-user=USERNAME
END

Rusty
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJZgF/WXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfSPUP/jbW0wXOz2sljJXz4jQhy5Qq
6CY/MseG+8XkqS34QEZMOQpJTrA0j86faPxr5Sl4DGgi/lRrT2dcGdn5vCgIDYqF
71ITz0yieJ0iaX/Kt1H92qNm5Rfl7PV0kUvog3wfmj2pZfLixBFp83yzScLPOWbV
gZ3ZSGPncq75WVVVWn/1NJAIPZtLUqFQnoxt4Z3wrglpFaaoLESHbBFLIq1sVEwh
iA6Rf0dLu0yqXBXR41abUqR42XRodQETB10cK1glTDNZN4qhEfzCJJJ3wN6Ow0e9
012XbI4NBvWkdiSo+jSPUvoym4vs+B9WLsd86AtaeeZRFSQu8+Y/PRb6rMwfRMaZ
sDQNLxb38d/9TId5+Sgz026aL16/MlZOOMKQ1X93Wx/pv6u2y95gYYXlnrmv7pNC
KFR+emmV5Yr2eJytXrwRY+ZUzM6TPPu6rhVaWS78PV/Ns3lgWdvY+WULt6PPdR3l
Hrdbvs7G/IJfFhTf+79msKazelqjPEEBWCc36AeGxrJHHFPB4LfwR0UX7x4PJDqh
0UFpR+s/R0HgVwE/jU3rRi6NkfSfl0oyb5PVM/lsZjBpYm6y10Xf0XLq20KJ4iEy
x/NsUNj4uEZzBU1Xm8F4YYy1LwaTrQJRFIPkabz57/PPyvKwhsAOx86MdCQCucAn
n2zJdS86zae/7kezosVA
=CApl
-----END PGP SIGNATURE-----

[Jean-Philippe Ouellet]

On Tue, Aug 1, 2017 at 7:02 AM, Rusty Bird <rust...@openmailbox.org> wrote:
> Zrubi:
>> So I would really appreciate some statement if Qubes will really drop
>> KDE support. I can accept that, but then I not waste my time trying to
>> make it work. Instead focusing to fix the XFCE issues I have ;)
>>
>> - the default login screen is just ugly. I know that this is not the
>> first priority, and not even a technical issue. But new users will see
>> that ugly thing first. So it's should be a Qubes skinned one. at least.
>
> Or, if the login screen isn't needed anymore (to switch between XFCE
> and KDE), why not get rid of it entirely:
>
> # mkdir /etc/lightdm/lightdm.conf.d
> # cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf <<END
> [SeatDefaults]
> autologin-user=USERNAME
> END

Consider a briefly-unattended laptop protected by only a lock screen.

Normally the attacker would need a way to kill the X screensaver
without killing the X session. Would the above make crashing the X
session (and thus being dropped back to the display manager which
auto-logs-in) sufficient to gain access?

If so, this sounds like a bad idea (or at least an argument for
something like physlock).

[tiopa...@googlemail.com]

Why not include the Qubes Manager? It's a good simple tool, and those who wish to use the CLI instead would still be free to do so.

Thanks for all the work on 4.0 BTW. And 3.2. And 3.1 ...

[Rusty Bird]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jean-Philippe Ouellet:

Ah, I hadn't thought about that. I've been using physlock since
forever, if only to avoid seeing XScreenSaver's fonts...

Rusty
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJZgMHXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfyhoQAJOGYIxs/dD8H81yHH+cBQSj
r5pDoBgiWqsyBaa1RgxnfKaODRCVs3HT5CnuchxNMobTrPleH2JF04MpQ0NDHvfu
Us6OQ52CC27TxyXUkE0pa0TPGSPD4Y7aTbXVLRQ3jDDnbmOdXYvvlFrEIIWNTVCQ
p6PkHdhSet9guAXNEYV2xGQO12fxfWaqHUxHXViJ10vaYc+Puex/RgGegQp3V35W
nf4V7Mex+v5oalvKPhCR93PyVt2/pVZHbC1s/sDc4kNkrrs6Ji85cWI+KgNz6fu4
STSp3Gu/boD6pgUzjZ07zBa/LkN6hpGgcUl+tkw3iW095AI7YKO6U59wI5jyEI+T
s9W0Oo3NxaI1piBek0StV6vJ2TnLxDslhR2tENQiYeA9z0isRb8QQ4RLBqM65k/5
rxBZq+z+vhdjxehIxKkeyeSGvfUc6jMOHNEPFviHtVbWnXCqdmo3ErntExvlB1Tc
oouM+lhrfpbjkmSwE/RmJ8RIO8aoGOkdg4stO//NeNmBifM4KLWBiuirWknggptf
tiwaFFYgbMPHmBtHaPkCfNCVzBKCW/TxQ35f+91MJxRp0mN0HJqh3eIl5ki/yurD
ui9rY81OWRnwXbdt0LUMAvDG/U+gXgdLPh68PPkSqxPb90P20nMG8q71eoVwtfdJ
naFo4nRhSAC1ifxQCies
=b2nC
-----END PGP SIGNATURE-----

[Foppe de Haan]

Question: if we install 4.0, then restore backups, should we consider replacing pv template with hvm ones, and how would you advise going about that? (If this will be addressed in one of the upcoming blog posts, I can of course wait. :) )

[mikih...@gmail.com]

Some bugs, one pretty deal breaking:

If I remove an application from the appmenu, I am unable to set it again. More specifically I can set it in the VM-settings, but it won't show up in the Appmenu again.
The color of a VM can be changed, but again this is not reflected in the Appmenu. The VM itself (the running apps) have the correct window color.
Overall performance is OK, starting a Fedora VM takes longer than usual, about 1min. Work VM (not app) didn't start when I selected the chromium app from the appmenu. I had to start the VM from cli and then I could start Chromium.
The Qubes Manager is greatly missed! Especially the backup-restore. I tried to restore VMs from 3.2 which didn't work at all:
First it showed a lot of my VMs with the prefix "disps" ? (The backup had only templates and 2 AppVms).
I had to exclude -x a lot of Vms, honestly a pain when I just wanted one important VM to restore, but got several python errors STDOUT and read errors. Restoring all was the same and I had a list with 20 broken VMs, no apps in their menu, starting gave libxl error. I used verbose and the 2 ignore options.
Removing them with cli, all a bit tedious ;(

Finally, If someone knows how to create a VM for iso booting from CLI I would greatly appreciate a short info here. Looking forward to some docs/explanation on the changed qvm* tools since we are now supposed to do it from the command line. E.g. How to make net/proxy/app VM (qvm-create has some classes now...?) qvm-prefs options (kernel boot extern/intern and netvm settings), changes with LVM pools(? there was a option --boot-root-from-file?) , booting VM from iso file etc.

regards

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Jul 31, 2017 at 01:10:08PM -0700, miki wrote:
>
> Hi,
> HVM Standalone option is greyed out. Also the --cdrom option no longer exists with the qvm-start command. Does anyone know if this is related to some Stubdom changes/problems and will be supported again in the final release?

This is something that will be fixed. See here:
https://github.com/QubesOS/qubes-issues/issues/2951

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZgOjoAAoJENuP0xzK19cs/NIH/RWSTp/Cm1v4rbl3RI6PMIZb
j2KcP+H5lV7xo6/klZyNed+AtfswrdiENmD4qI3km1cSu9n8H2ODE2P5/+UKWbIC
c8b+XFZpfQShFexg3ya//QT4gTzwa6JViwKxuIhPU5YTejIKcQsb4Z7SH41GTLRa
A/gtJ14ZjmJ2vEAzV703U1UWO0SaXRNnLc1CY91ePftMvu4XnxK4rbRjOeTAxnD5
zDB2OP2Lv4Q54Kgw0nO78b4V/6QrFfQfszlaDxx7GWN34JMlYGHAZrBlvPd8iGUv
/XjbKNtXQaxL5KRvfVW9DgHTU7ZDLxN3EvOsloaD4vLHzr3jcLDrBkRxdPNPTuQ=
=il/n
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Aug 01, 2017 at 12:35:04PM -0700, Foppe de Haan wrote:
> Question: if we install 4.0, then restore backups, should we consider replacing pv template with hvm ones, and how would you advise going about that? (If this will be addressed in one of the upcoming blog posts, I can of course wait. :) )

The easiest thing to do is to switch restored VMs to use templates
installed with Qubes 4.0. Templates from 3.x should work too, even as
HVM. But some features may be missing.
We'll prepare instruction how to upgrade such templates, but it isn't
done yet.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZgOjyAAoJENuP0xzK19csyBcH/0Cb1NFN/7wZZuwtW6l16O1k
DkvcSWPeY2hfeldr8KTwZZ+jKz1bYVnXGpfpXeX314BrgnaYquu8D3umSgHZobXr
ldCAOmhIRAyb/xqj9QddXsFuvLuO6/mvKO2A1O0Q8MPI4G9fdhIMNmxOSI8JXSLk
uQl4tl6TJVfMRaCgDIw8bFkmqRqZ14nihfST/dCoWZ6err8y3ksJLazxtqEwIqtI
0N66r+EbPOb8LSgji4OH5vaE+CnSy/r3QJh/WMTMZ8lmeluToqN03ebt2AuMNBIi
yDZEOGnoEz4kRwJNoQSoXizZRS9zbUGGpUIuZHJ7oI6ikTU83+m4wqCTm9wEJaY=
=1YQi
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Aug 01, 2017 at 12:42:01PM -0700, mikih...@gmail.com wrote:
> Some bugs, one pretty deal breaking:

Thanks for the report.

> If I remove an application from the appmenu, I am unable to set it again. More specifically I can set it in the VM-settings, but it won't show up in the Appmenu again.
> The color of a VM can be changed, but again this is not reflected in the Appmenu. The VM itself (the running apps) have the correct window color.

Created ticket for this:
https://github.com/QubesOS/qubes-issues/issues/2952
You can see there for a workaround.

> Overall performance is OK, starting a Fedora VM takes longer than usual, about 1min. Work VM (not app) didn't start when I selected the chromium app from the appmenu. I had to start the VM from cli and then I could start Chromium.

That's weird, did you get any error?

> The Qubes Manager is greatly missed! Especially the backup-restore. I tried to restore VMs from 3.2 which didn't work at all:
> First it showed a lot of my VMs with the prefix "disps" ? (The backup had only templates and 2 AppVms).

This is because how 4.0 deals with different DispVM settings. To restore
setting of 3.2 as much as possible, it create dispvm for each netvm used
there.

> I had to exclude -x a lot of Vms, honestly a pain when I just wanted one important VM to restore,

Instead of excluding, you can list VMs to include, just after backup
path.

> but got several python errors STDOUT and read errors. Restoring all was the same and I had a list with 20 broken VMs, no apps in their menu, starting gave libxl error. I used verbose and the 2 ignore options.

Do you have those messages saved somewhere? That would be really useful
to track down the issue...

> Removing them with cli, all a bit tedious ;(
>
> Finally, If someone knows how to create a VM for iso booting from CLI I would greatly appreciate a short info here.

This is a missing part...
https://github.com/QubesOS/qubes-issues/issues/2951

> Looking forward to some docs/explanation on the changed qvm* tools since we are now supposed to do it from the command line.

There will be separate post about it, but see below.

> E.g. How to make net/proxy/app VM (qvm-create has some classes now...?)

This one is possible also from GUI - in main menu you have "Create Qubes
VM" option and there you have "provides network" option which allow you
to create net/proxy VM.

> qvm-prefs options (kernel boot extern/intern and netvm settings),

There is qvm-prefs --help-properties, which shows details about each
property.

> changes with LVM pools(? there was a option --boot-root-from-file?) , booting VM from iso file etc.

See above...

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZgOj4AAoJENuP0xzK19csBtYIAIrt+ILqpdjskeg4aaHKa2JM
hAGHwbKSvAorCkx3DCd9eSvF7cnBOzsFuoYDjnvIC1D9W0f/5dxl6H8GP9JSH2oo
NM4vEA5QPH7C6Ed/s05HCT4D4yFE7jqM6vT71xAklI6niJxTf+AJ4oJtectBBFeA
g2S/4i65KbaBGW3Smec3ZvnY2eGSvxi9bvJXOWE8ks8siVPhhWRmsZDfmjeGmv9S
au0yuDa4Bmx1TW3hRB8wDWuXdLEm5YDn4F+EUbuAVZgl2XM3UlRK/flcQxCzzWN9
CyGO98c/DN5+7SZ5nzbEb2ZFucdVo+aij6Twp8XVt4mjMc5OYHEzNYLPUcp38bk=
=Iz/7
-----END PGP SIGNATURE-----

[cooloutac]

am I reading this right? There is no qubes-manager in 4.0? Does that mean everything must be done in a terminal? Tell me I read that wrong lol.

[Jean-Philippe Ouellet]

On Tue, Aug 1, 2017 at 7:46 PM, cooloutac <raah...@gmail.com> wrote:
> am I reading this right? There is no qubes-manager in 4.0? Does that mean everything must be done in a terminal? Tell me I read that wrong lol.

tl;dr - https://github.com/QubesOS/qubes-issues/issues/2132

[cooloutac]

oh ok I see, so a taskbar widget or something to replace the manager. I thought they lost their minds for a second. My immediate thought was what about attaching drives, and seeing if updates available? Joanna addressed all my concerns but I'm gonna have to wait and see what happens with this. Hopefully it doesn't turn out to be more confusing then the manager.

Right now my mother and family are able to use qubes no problem with no terminal actions required. none at all. I don't know why that shocks some people when I tell them. I hope that remains the same becvause they wouldn't be using Qubes without it.

[codge...@hotmail.com]

Having the EXACT same issue with my T430s

[P R]

Hello,

Am 02.08.2017 1:45 nachm. schrieb <codge...@hotmail.com>:

On Monday, July 31, 2017 at 5:23:20 PM UTC-4, Micah Lee wrote:
> On 07/31/2017 04:43 AM, Marek Marczykowski-Górecki wrote:

(...), when I boot up, grub

> works, but then as soon as Qubes starts to boot the computer reboots,
> and I end up back in grub.

Having the EXACT same issue with my T430s

Have you tried the suggestions from "Rusty Bird":

I ran into the same behavior on a T420. Removing iommu=no-igfx from
the Xen command line fixed it. [1]
If that doesn't help, _adding_ console=vga should let you see what's
going on.

@codgedodger:

Did this help in your case?

Kind regards

- PhR

[justi...@gmail.com]

I had this issue on my Thinkpad X230 with a fresh install of 4.0-rc1 and the fix let me boot, but, when I shutdown, the system hangs and when I hit escape on the shutdown screen, I see errors in device-mapper failing to remove ioctl on the VMs and then a bunch of the error "failed to write error node for backend/" for xen-pciback and vbd.

[turb...@gmail.com]

Have successful fresh install on T430

[tmc]

> We have just released Qubes 4.0-rc1:
>
> https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/

On a thinkpad x1, after removing iommu=no-igfx I got to initial-setup-graphical but that is failing on "qubes-prefs default-template fedora-25" with qubesadmin.exc.QubesVMNotFoundError: "No such domain: "fedora-25"'.

I see a qubesd warning a little before:

WARNING: Sum of all thin volume sizes (226.01 Gib) exceeds the size of thin pool qubes_dom0/pool00 and the size of the whole volume group (222.57 GiB)!

perhaps related.

[tmc]

FWIW: setup completed successfully after a re-install.

[Eva Star]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/02/2017 03:04 AM, cooloutac wrote:

> oh ok I see, so a taskbar widget or something to replace the
> manager. I thought they lost their minds for a second. My
> immediate thought was what about attaching drives, and seeing if
> updates available? Joanna addressed all my concerns but I'm gonna
> have to wait and see what happens with this. Hopefully it doesn't
> turn out to be more confusing then the manager.

It is a miscalculation. How about the words "we must make Qubes user
friendly for all users non IT advanced" and release Qubes without
manager? :(

Maybe, widgets is not a good idea, but Qubes Manager is one of the
important part that make Qubes useful to manage all vms with mouse.
Some UX to old one QM + start menu links to right mouse action and it
will be amazing.



- --
Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZgnLPAAoJEGSin3PC/C0AyIUP/AuxhZfxWdFGYzLzUQX2fzn/
5ajxXWVNtTXWgpmUqzu1Ov/HMp9W7hFerw4GXwMotXDDXrIbf+8WEayS+q+SdXBn
qanSZ0EmBkwoFVptP+1TNQqQIcRLEF3gN3o3vq8tGaq2dUZ4HW9hSXBUZ71WcjXR
g95QUBBpl05/l//Vozu0GEUxpLBrzAhji95awd39vn/2BRKr6q4pGlNsi6BdqgCJ
WzmeaSTrYjNkBHypYjgpCXT6MQLRXEmlqX8OVxI5jopP7tYNZh5+bKp+1/U9vccJ
q4ddOTDlaCwY5bmQgWl05MNI4+OWr8xBlrfVCMmfxVO5dOBvoCjCrMTEySh3sPL7
gGMcT1349yiIllPPP0vhdm+0d0n0hWLR160WExQoF+oUgCbXFnf5sBT1bjWxXBOl
EEwg6IMElKgjI0jG0izCX7M3rn5m1H95KOGR2nn+IyJIzgJwk4+4YTWgFFfnwQyX
k9EcN8vffpokLz9I3u2qZSdDDYz71KVRAHMxL3h2WxEro7RVRtOcbpXO3ctcsdV0
QZfEwW2SAeZz798InY/Qb+7NmtpSsZUl3rCYUY7i5mubkGgnbtklCSUEzxZZ+4hx
SD6nV8tTjrNMxSNEytvIYd6wJZYrHkvA7Kf7KtNtxa7+mMr89LzL5qLHk/W15R14
iXk4BnVvkdfLntZ+Pa84
=ILr0
-----END PGP SIGNATURE-----

[Franz]

On Wed, Aug 2, 2017 at 9:47 PM, Eva Star <eva...@openmailbox.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/02/2017 03:04 AM, cooloutac wrote:

> oh ok I see,  so a taskbar widget or something to replace the
> manager.  I thought they lost their minds for a second. My
> immediate thought was what about attaching drives, and seeing if
> updates available?  Joanna addressed all my concerns but I'm gonna
> have to wait and see what happens with this.   Hopefully it doesn't
> turn out to be more confusing then the manager.

It is a miscalculation. How about the words "we must make Qubes user
friendly for all users non IT advanced" and release Qubes without
manager? :(

Maybe, widgets is not a good idea, but Qubes Manager is one of the
important part that make Qubes useful to manage all vms with mouse.
Some UX to old one QM + start menu links to right mouse action and it
will be amazing.

Well, I never use the start menu on the left lower side of the screen because it is too complicated, too many items and needs customization that I am too lazy to do or have better things to do. I do everything with the Qubes Manager that is so well organized and compact. I am afraid that the new arrangement may make things more difficult to find for a new user since items are spread over different buttons/places.  

I would suggest to mitigate this risk putting links to the other places on the widget/window that opens when you click on one of them. You can separate things, but better put links to find them again.

Also I imagine that somewhere I'll find the list of VMs. There please
1. keep the "run command in VM" choice and
2. add something new: the chance to show only preferred VM

The first is very important to avoid using the start button.

The second is important to simplify the view and speed up the most common routines

Cooloutac made me smile telling of his mother and family using Qubes.  I had my wife using Qubes for some years, but recently she rised up against Qubes telling that it is too complicated for her to be able to master it without help. She wanted a Mac.  Really it is impossible to maintain Qubes without the CLI and this makes it beyond limits for most people.  But perhaps if we are able to find a stable architecture and then Qubes matures enough, this may change. But we are not there yet.

Best

Fran

- --
Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZgnLPAAoJEGSin3PC/C0AyIUP/AuxhZfxWdFGYzLzUQX2fzn/
5ajxXWVNtTXWgpmUqzu1Ov/HMp9W7hFerw4GXwMotXDDXrIbf+8WEayS+q+SdXBn
qanSZ0EmBkwoFVptP+1TNQqQIcRLEF3gN3o3vq8tGaq2dUZ4HW9hSXBUZ71WcjXR
g95QUBBpl05/l//Vozu0GEUxpLBrzAhji95awd39vn/2BRKr6q4pGlNsi6BdqgCJ
WzmeaSTrYjNkBHypYjgpCXT6MQLRXEmlqX8OVxI5jopP7tYNZh5+bKp+1/U9vccJ
q4ddOTDlaCwY5bmQgWl05MNI4+OWr8xBlrfVCMmfxVO5dOBvoCjCrMTEySh3sPL7
gGMcT1349yiIllPPP0vhdm+0d0n0hWLR160WExQoF+oUgCbXFnf5sBT1bjWxXBOl
EEwg6IMElKgjI0jG0izCX7M3rn5m1H95KOGR2nn+IyJIzgJwk4+4YTWgFFfnwQyX
k9EcN8vffpokLz9I3u2qZSdDDYz71KVRAHMxL3h2WxEro7RVRtOcbpXO3ctcsdV0
QZfEwW2SAeZz798InY/Qb+7NmtpSsZUl3rCYUY7i5mubkGgnbtklCSUEzxZZ+4hx
SD6nV8tTjrNMxSNEytvIYd6wJZYrHkvA7Kf7KtNtxa7+mMr89LzL5qLHk/W15R14
iXk4BnVvkdfLntZ+Pa84
=ILr0
-----END PGP SIGNATURE-----

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a4c1304-cbcb-e447-97dc-9db848eae1fd%40openmailbox.org.

For more options, visit https://groups.google.com/d/optout.

[Foppe de Haan]

Anybody know what this stuff about thin volumes that I start seeing after rebooting vms a few times is about?

[Unman]

I completely disagree with you, and I'm with cooloutac on this.
I have a number of Qubes users who are fine, and NEVER touch the command
line. (Most of them would go to pieces at the prospect.) Most of them
rarely touch the Manager.

I suspect your wife suffered from your (self confessed ) laziness -
If you spend some time customizing the menu, creating shortcuts, and
hiding the infrastructure as much as possible, then in my experience,
most users are fine with Qubes.
The problems they report are user problems - funny copy/paste between
qubes/ difficulty with full screen playback/ inability to open lots of
images in the same disposableVM/ Qubes toggling wifi hardware switch on
boot.
For these users, the loss of QubesManager will be almost completely
irrelevant.

BUT, the new widget seems to me to be unreliable ,and doesn't keep
updated as qubes start.
Also,the very slow load times and lack of any user feedback on qubes
start are a major UX fail imo. Sometimes I see qubes fail to start for
no apparent reason, or loading with times in excess of 45 secs. Without
feedback that forces users to the command line, which is, I think, the
opposite of the intention. These are the major pain points for me.

unman

[Micah Lee]

On 07/31/2017 03:22 PM, Rusty Bird wrote:
> Micah Lee:

>> I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs

>> Qubes 3.2 without a problem. After installing it, when I boot up, grub

>> works, but then as soon as Qubes starts to boot the computer reboots,
>> and I end up back in grub.
>

> I ran into the same behavior on a T420. Removing iommu=no-igfx from
> the Xen command line fixed it. [1]

Thank you, this fixed it!

[Micah Lee]

I've finally got Qubes 4.0-rc1 booted! I've got a couple questions.

Without the VM Manager, is there a GUI way to delete VMs? I know you can
run "qvm-remove" from a dom0 terminal.

Is there a GUI way to start VMs without actually opening an application
in them? (I often configure stuff to autostart when the VM is started.)

I'm also noticing some strange USB VM stuff. On this computer I've opted
to make sys-net both my netvm and usbvm, and I've confirmed that sys-net
has my USB controller PCI devices attached.

By default, my sys-net uses memory balancing, even though it has the
warning message, "Dynamic memory balancing can result in some devices
not working!" Should I turn off memory balancing?

The devices systray applet thing for me lists these devices:

sys-firewall:1-1 QEMU_QEMU_USB_Tablet_42
sys-net:2-7 8087_07dc
sys-net:2-8 SunplusIT_INC._Integrated_Camera
dom0:mic Microphone

What is this qemu thing in sys-firewall? When I run lsusb in
sys-firewall I see two devices, "Adomax Technology Co., Ltd" and "Linux
Foundation 1.1 root hub". I confirm that sys-firewall doesn't have any
USB controller PCI devices. But even weirder, when I boot a different
AppVM, like personal, lsusb shows me the same USB devices, but it
doesn't appear in the Qubes devices systray applet.

And finally, when I plug in a USB device, the systray applet doesn't
seem to see it. I plugged in a Yubikey, and when I run qvm-usb in dom0
it displays:

sys-net:2-1 Yubico_Yubikey_4_OTP+U2F+CCID

And running lsusb in sys-net displays it as well. But the devices
dropdown doesn't list this.

Also, I noticed that qrexec clients now require an extra step. If I run
"qvm-copy-to-vm work example.txt" in my personal AppVM, the dom0 window
that pops up asks me to select the target ("work", in this case) before
clicking OK to allow it. This seems fine to me, and in fact I like how
clear it's being, but "work" isn't pre-filled in, so I have to manually
select it, or type it, each time, instead of just pressing enter.


Finally, pro tip: In xfce, and especially in Qubes, I find pressing
Alt-F3 and typing the name of a program much quicker than using the
start menu. If I want to open Firefox in the personal AppVM, I type
"personal:" and it shows me all the menu entries for personal, and
"personal: f" is enough to select Firefox by pressing enter.

[Foppe de Haan]

I would (also) appreciate having a GUI for the qubes-backup functionality, so we can easily pick/choose which VMs to restore.

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/01/2017 01:02 PM, Marek Marczykowski-Górecki wrote:
> On Tue, Aug 01, 2017 at 11:25:11AM +0200, Zrubi wrote:

>> - The isntall process is really looooong. Not debugged jet but
>> the creating initramfs seems to be running forever. But at least
>> was successfull at the end :)
>
> Is it just about initramfs and "post installation tasks" - compared
> to the whole installation time? There may be some bug causing
> initramfs being generated twice (or more...) - I think I've fixed
> something like this before, but maybe not all the places.
Yes, this is the case.
But have no time to install it again and again to identify the root
cause :(


>
>> - the missing Qubes Manager is a pain. - the 'replacement' in the
>> task bar is small and buggy: the tooltip? like thing is randomly
>> shirk to unusable. But too samll in general. I have 40 vm's right
>> now.
>
> What do you mean by "randomly shirk to unusable"? Can you provide
> a screenshot?
#2970


> What do you mean? Domains widget is specifically there to show you
> VM status.

Can't see the networking stuff.
The most important is (at least for me) the actual NetVM used by a Qube.


>> - the 'new' Qubes firewall solution causing more confusions. -
>> mixed iptables and nftables? why?
>
> What do you mean by mixed? Setting for VMs are applied using
> nftables if supported (Fedora), or iptables when not (Debian). Not
> both.

the default "self defending rules" are Iptables based, the VM traffic
forwarding rules are nftables based.

Custom firewall scripts now have to handle both.
My opinion that there is no real need for nftables until it can really
replace iptables. We are using just a really few rules here and the VM
based chains achievable by iptables too.

BTW:
I plan to continue the L7 filtering thing I started to play with. Can
you point the related documentation - if any - or at least the VM side
code processing the Qubes firewall rules please?

>> - even if Allow is the default policy I see a DROP rule at the
>> end. Why? :o
>
> To fail closed - if something goes wrong, there will be that DROP
> rule at the end anyway.

:)
It should be decided by the user, by selecting default policy.
IMHO Qubes should not try to override the user decisions.

>> - the default login screen is just ugly. I know that this is not
>> the first priority, and not even a technical issue. But new users
>> will see that ugly thing first. So it's should be a Qubes skinned
>> one. at least.
>

> Hmm, I do see Qubes logo in the background there. Do you have
> something different?

Nope, I see the qubes backround. :)

But still feels like a bare naked login screen.
IMHO this should be just as important as the Qubes boot (splash) screen.


- --
Zrubi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZhFaWAAoJEH7adOMCkunmwEwQAIbwUTS/qKwczyhclNTPRknb
lSNTH9xPuh44fx3Iql+cwU6EpcDRvTswTZ0uuMsrCE5vk1XsZlgyRbJSL5n0Nmof
Ax+x6nMoEiOo3pbKOYRmqc5SmWCdi6rUbHRYmOa0eij7+rvdStAD6opca5x8lhkO
rStnTKVMTQSSYk/BHT7V2P27tChDAiD2ahB3tvi00SrszhHGrxW/oZ/8RPwkHEWi
XEdsqEqJWDS1BkR85IYV0bzoED/uDEtfNqMzPpvAaIORDGdClQi6Ky31BR7dxJRZ
o3ngKj9F/lvOd/1HYeD2bErB/y5LJSzgX/18lMiaA+CJa3cXwjzGMEuho7Hra0dK
ts1G5bfBDomHfriQElXhspggsleHV+V0aQJnMKd4gGfY0/5/h+xgeUMi/RevVScX
nCDvjguDJoktoUQXK8dgt5hwauvPWsSTyJjk5h9I94ij9hMGkbfRzwA+2gEriZw/
g8Dl3WGzm3kX5aOzO9S3CqKY2bQoJwWTO11q9VcjfdE3Qtnu7Y44ECa3bi59B1AD
UMc2RQEs9RZ37hUXd5Yfdj68fTD1qCuTX0NRBwxGddT/tOZYXvwEUjs8HqXsM2qf
mRGspB/OnHZ2F48J1q6uE4JE+Hyap1lJeSgXaUKpMtzvLBwQTC8v/v5wF8j581ao
vwPw7/gGelMGQ4qIAS6S
=zTfv
-----END PGP SIGNATURE-----

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Aug 04, 2017 at 01:12:29PM +0200, Zrubi wrote:
> On 08/01/2017 01:02 PM, Marek Marczykowski-Górecki wrote:
> > On Tue, Aug 01, 2017 at 11:25:11AM +0200, Zrubi wrote:
>
> >> - The isntall process is really looooong. Not debugged jet but
> >> the creating initramfs seems to be running forever. But at least
> >> was successfull at the end :)
> >
> > Is it just about initramfs and "post installation tasks" - compared
> > to the whole installation time? There may be some bug causing
> > initramfs being generated twice (or more...) - I think I've fixed
> > something like this before, but maybe not all the places.
> Yes, this is the case.
> But have no time to install it again and again to identify the root
> cause :(

I have some other installer issues to debug, so may look into this too.

> >> - the missing Qubes Manager is a pain. - the 'replacement' in the
> >> task bar is small and buggy: the tooltip? like thing is randomly
> >> shirk to unusable. But too samll in general. I have 40 vm's right
> >> now.
> >
> > What do you mean by "randomly shirk to unusable"? Can you provide
> > a screenshot?
> #2970
>
>
> > What do you mean? Domains widget is specifically there to show you
> > VM status.
>
> Can't see the networking stuff.
> The most important is (at least for me) the actual NetVM used by a Qube.

So, you switch netvm for VMs frequently? Doesn't it mean you should have
separate VMs, instead of switching one between two (or more) networks?

Anyway, adding such information to domains widget shouldn't be a big
problem. Just don't show it by default (see reasoning why dropping old
manager, in announcement post).

> >> - the 'new' Qubes firewall solution causing more confusions. -
> >> mixed iptables and nftables? why?
> >
> > What do you mean by mixed? Setting for VMs are applied using
> > nftables if supported (Fedora), or iptables when not (Debian). Not
> > both.
>
> the default "self defending rules" are Iptables based, the VM traffic
> forwarding rules are nftables based.

Ah I see.

> Custom firewall scripts now have to handle both.
> My opinion that there is no real need for nftables until it can really
> replace iptables. We are using just a really few rules here and the VM
> based chains achievable by iptables too.

The main reason for nftables is to simplify custom scripts. If you
have nftables, qubes-firewall no longer flush standard tables - it
register its own. This means you don't need to re-apply own rules every
time qubes-firewall change something. And you can register own tables
before or after qubes-firewall.
And in theory you can still use iptables for your custom rules.

> BTW:
> I plan to continue the L7 filtering thing I started to play with. Can
> you point the related documentation - if any - or at least the VM side
> code processing the Qubes firewall rules please?

It's here:
https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubesagent/firewall.py

I think you can extend one or both of those classes and use them instead
of default ones. Or submit a patch.
This code unfortunately do not have (yet?) nice interface to extend it
for other rule types.

> >> - even if Allow is the default policy I see a DROP rule at the
> >> end. Why? :o
> >
> > To fail closed - if something goes wrong, there will be that DROP
> > rule at the end anyway.
>
> :)
> It should be decided by the user, by selecting default policy.
> IMHO Qubes should not try to override the user decisions.

If you choose to have default action "allow", there will be appropriate
rule just before it.

> >> - the default login screen is just ugly. I know that this is not
> >> the first priority, and not even a technical issue. But new users
> >> will see that ugly thing first. So it's should be a Qubes skinned
> >> one. at least.
> >
> > Hmm, I do see Qubes logo in the background there. Do you have
> > something different?
>
> Nope, I see the qubes backround. :)
>
> But still feels like a bare naked login screen.
> IMHO this should be just as important as the Qubes boot (splash) screen.

Which also have similar aesthetic.
Do you think about just some better background there, or some bigger
change?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZhGZ5AAoJENuP0xzK19csrEUH/1oHKMAGQKfnD36j3CKN3qvb
JisyZ7AUhICjM7vVoWNw07PUMLtq4ijRdVjra1vNbZ6QHq5Hm7Er5DwOzstEIfYC
j96nWHLUczh5lqXEV/E2Yg+A8LEt8VodyhWrzNM8L/bYeyKK8pn+vS8Ofxqxr6pm
z2MO0APzOoR3I5Alru4W1+JA6c+kOGWjHzPIinL0v2xe7ROrkIczfL8+D4pj7PsQ
Sh74J6H8c8drRhixB9db2TomaB0gb0Hdzq065lUoVQtbjRwAYvsqkAfNMbrnejn2
YmUDMhJ6Xtefn+WK/1tWao1GbsK7Nv8sXOhi98NJDpXgK5Dk9NEdPsauyxOOd5o=
=COcE
-----END PGP SIGNATURE-----

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/03/2017 08:30 PM, Micah Lee wrote:
> The devices systray applet thing for me lists these devices:
>
> sys-firewall:1-1 QEMU_QEMU_USB_Tablet_42

>

> What is this qemu thing in sys-firewall?

Ihave the same issue, opened a ticket to track:
https://github.com/QubesOS/qubes-issues/issues/2969

- --
Zrubi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZhHB7AAoJEH7adOMCkunmi/YP/RqQnkvTFedQmEI3GC64oebG
OvtHdsfxqOkecdPQyug7qTTImpN6IB3w7WwdoS09FcYq4FepOx08e672JQpMZeaT
nA1jMmgkS/PM4jUiX0/oDU7GP+gphANeHnV86KOhHxRBQz9yH2SjJ9iBsC3QNvWD
8ISaZt7nh+lZuig6IKLtA3AzmYnk1ZazQAkJgDqNw6QctnJ67fuhXAYoSexafEDX
A+esyTgBmWIELeloTkikksDlJpE4e3TKFEmk9n4/nouGTk7cArIeXOFgcRWo/5qI
LN2PAemSMjUyBG7ez3hG2kAXqRxAxztNBKnxwumgcqbio+G2BJd4OaPCn05p3MgQ
xY2+pZ6hwITDa0ouTbXL+xCn1f0m5hMlHvSvBLI2U927O+KIHLjoD7INuKejDdUj
puJ7UCwNgnGGmm9xx43VIdFZt6f1z2wOpIq53djHiOoMT2JzrSyk9Qu35iq/ik27
EzL1Bbnd31gX6mahtV2trpReWyk0GGhEgvi5Rugnfi1HGfkrq36hum3qjgNzM7FP
9pj9LquW9htdOTFyitIvVFMEF1Np0p8CkGsp62aMwitv/dgHAh52+lGzbiYkCtDP
fPRqCOkEd9g29S11Qt4y4IOjoK8rAdXb9ZL1OszzzA7284OB3lDxiEWJibrllA4+
fBhbT0oE8Nkl5MiyMSON
=+Lv7
-----END PGP SIGNATURE-----

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/04/2017 02:20 PM, Marek Marczykowski-Górecki wrote:
> On Fri, Aug 04, 2017 at 01:12:29PM +0200, Zrubi wrote:

>> Can't see the networking stuff. The most important is (at least
>> for me) the actual NetVM used by a Qube.
>
> So, you switch netvm for VMs frequently? Doesn't it mean you should
> have separate VMs, instead of switching one between two (or more)
> networks?

No.
I'm using separate WiFi, and Ethernet VM's, I have several VPN proxy
VM's as well, my dispVM start without net access. And need to use/test
lot of things with different network exits.

> Anyway, adding such information to domains widget shouldn't be a
> big problem. Just don't show it by default (see reasoning why
> dropping old manager, in announcement post).

I do not really agree with the reasoning tho.
But if it would be customizable? - just like the old Qubes manager ;)

> The main reason for nftables is to simplify custom scripts. If you
> have nftables, qubes-firewall no longer flush standard tables - it
> register its own. This means you don't need to re-apply own rules
> every time qubes-firewall change something. And you can register
> own tables before or after qubes-firewall. And in theory you can
> still use iptables for your custom rules.

Let's talk about these in a separate thread or ticket
Will collect my ideas and share it soon.

Currently even the basic networking looks unreliable, so I can't even
test my custom firewall rules...

>> But still feels like a bare naked login screen. IMHO this should
>> be just as important as the Qubes boot (splash) screen.
>
> Which also have similar aesthetic. Do you think about just some
> better background there, or some bigger change?

A would say it's needs a bigger change.
But of course this is really subjective, and currently do not have
time to design a qubes related skin for the login manager :(

So this is just my (and my surroundings) opinion.
Handle with sustenance ;)


- --
Zrubi

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZhIJVAAoJEH7adOMCkunmTksP/3lDt5xZoRzMCdQWfdVGhvVk
qQOxLQq05QXi5r1+lxbg8gBHGiG3h/J1mLmeeqUjKgi1ywyxi6JUMOfwEyC77gtH
IG0Dz4yz0W/B1BsUngJFqPurvYJknmcQsughkwJGV17SiOoj71GBBPKkm7Dlow2w
BMrw8az4We5hulSSokSLKQGunZ9iPvm6e0pvRjhKtK/hlhao1w3/9UKKJEGGoIqN
kAAFiq9y4LYLTx8PHPZgNMnxw6XvxpXWRtAXeheG7VMuVO+1A8n4B0Th4hzB55Gs
bC+xCTJL7pJUbT0BtlnlqlM3CdiVVMRZo2GKGuAupjJ6UOm/6q1k2g2ZCF2aS5w2
3vPH0oFB6/E6Znfc/cxDJ+daAAN2vdcgbt9ExyAoUSr79sp9mYvKqaJftA9OAj99
XH35FlbuSPLxOrQ+1uKCImvmkHtAL6SV9Cnb8gWxiFTxMQ0FTw63W7oAkfzTFNEI
FT1sgBMv7RoxW/kpQf4LQOuyaLs4OUlgoK5V/pyw4M6IXNrQBL2leanbKeQkNlxQ
UlpFO/LvP261vlGV0znWCmnifffPtcTcfBI/b+Fxw4XsNzmJb3/Bzh9NRJ317gS1
WWleM0JdIQo4bp3qF3D4BsmdK8a+eUBNePlVaF/TB57DAAlAhh+YvOooFaI0QL0Z
QxiU4qQldkhOGdyG0nK/
=Qvvd
-----END PGP SIGNATURE-----

[Micah Lee]

On 08/04/2017 07:19 AM, Zrubi wrote:
>>> But still feels like a bare naked login screen. IMHO this should
>>> be just as important as the Qubes boot (splash) screen.
>> Which also have similar aesthetic. Do you think about just some
>> better background there, or some bigger change?
> A would say it's needs a bigger change.
> But of course this is really subjective, and currently do not have
> time to design a qubes related skin for the login manager :(
>
> So this is just my (and my surroundings) opinion.
> Handle with sustenance ;)

On a related note, I would love to see some better Qubes graphics
design. Especially, in my opinion, better built-in choices for the
desktop wallpaper.

Good default wallpaper makes a big difference in first impression of an
OS. (And until #215 is implemented, users who aren't comfortable with
Linux will have a hard time figuring out how to set a custom dom0
wallpaper themselves, and will probably expose dom0 to an untrusted
image in any case.)

Maybe there are some graphics designers or professional photographers in
the Qubes community. I wonder if a call for wallpaper submissions or
something similar could help?

[yura...@gmail.com]

I'm excited about the work you did on Qubes 4, it looks good so far. Can't wait to see the final stable version.

Obvious bugs during alpha/beta stages aside, I do feel sorrow for the lack of the Qubes VM Manager as well., and some other minor things that may have major user impact for some people.

- VM Backup GUI seems missing. Is this perhaps something still being worked on and is coming later? Seems really odd that it's missing. I am by no means worried about using the terminal, but it's often extra work. Which is really bad when it takes away valuable time, especially when on the move and in a hurry. It is also a disadvantage for people who are visually stronger to gather a mental overview of their system.

- Seems like there is a missing ability to see inactive VM's for the visual users (Just like the 3.2 VM Manager can show inactive VM's). This is really important for some people, while not important for some others. Albeit, perhaps I just missed the feature to turn it on in the widget?

- Not sure of this one, it might just be due to the VM starting bug, but it seems like we can't easily have an overview of used memory/drive space for each VM anymore? If true, this is a big problem for people on limited hardware resources, who need to be mindful of what is currently running in order not to spend it all up. For example (A contrast example), I never worry if I use all memory, it's essentially almost impossible for me to use it all up inside normal use cases. However on my "8GB ram/128GB SDD" laptop/tablet hybrid running Qubes, this is a very, very different story altogether.
Devices are only getting smaller, the inability to upgrade drives or memory in the near future, seems to make smart software more important than ever before. Having good overview of VM resources is imho a really, really good thing.
Especially because not everyone runs around with laptops that have 12-16+ GB memory.

- VM colors? It might be my limited knowledge here, but adding extra colors, even if just a few, shouldn't take long? 5-10 minutes to add? I might just be super naive here. But having said that, even a few extra colors would be really nice. Heck, even light and dark color versions, like for example light/dark variants of (blue,red,purple,green, etc.).

I did not have much time to look around, so perhaps I just missed some of the changes, but this is my first impression nontheless.

Having said that, I'm really, really excited about the increased virtualization security and the AdminVM features. Can't say nothing else but that it's an amazing job you guys did there (and a lot of hard work too, which we end users should appreciate more).

[Franz]

Sorry, but I do not believe that. How can your users perform the following basic required actions without a CLI:

 1. verify iso
2. put the iso on a usb stick
3. print (you need a custom DVM)

4. scan

5. update templates after EOL

6. update dom0 and templates when the same Manager command does not work for some reason. How many times it happened?

7. solve various issues when something simply does not work as expected, such as the last one with the wrong kernel when you Unman kindly helped me to solve it with the terminal because it did not work with the Manager

Most of them
rarely touch the Manager.

How can they update templates and dom0 without touching the Manager?

You users may be able to use Qubes only because you kindly help them with the above and other issues. Nothing wrong with that of course, you are a very nice person, but they are not autonomous. If they have to travel a couple of months and something wrong happens, as with my wife that had wifi dead, then they are unable to solve it. Worse,  NOBODY is able to help because when they see Qubes they declare inability.  In that case I was lucky to be able on the phone to tell her to connect with ethernet and upgrade Fedora 24 to Fedora 25 and it fixed it. But it was just luck that it worked and that she was able to correctly do what I told her. What was broken? No idea.

Without you, coouloutac  or even me, always ready to help, how can a normal person use Qubes without using the CLI. No way. Now Qubes is still a project for geeks. Too many issues. And it is obvious that this state cannot improve until we are obliged to continuously change architecture such as the last one release 4 for the Xen issues. But hopefully this is the last change we need to do and can concentrate on maturing Qubes into a more mainstream product.

Best

Fran

[yura...@gmail.com]

A worry I've been thinking about regarding the backup feature missing, is that it seems like it's intended to be used through the AdminVM over a network. In other words, this seems more like a move towards business users, rather than the regular every day user that might prefer an external USB drive through a GUI window.

Qubes is moving towards business users, we already know that much. But are the regular users getting ignored now as a result? or are both still being seen as primary users?

It's clear that Qubes 4 took a lot of hard work, so perhaps there just wasn't enough time to work on everyday touch and feels, like proper GUI and user experience.

But the deep worry that Qubes might or might not be giving up on normal users, is definitely there for me. I have high hopes for Qubes to change the PC/Mobile environment of the future, forcing the hand on any other OS out there. There should be no issues to support both users and businesses.

It's not that I believe this, but the elephant is still in the room. Are users getting ignored now? or was it just because Qubes 4 had so much work that there was little time left for anything else?

If the latter is indeed the case, what is the next everyday user experience development in planning? Gnome 3? Return of GUI tools such as backup? Graphics in VM's for high end graphics? Gaming even? I mean, I do believe if these mentioned issues were fixed, Qubes could draw in quite a lot of new users.
Heck many gamers care about privacy and security too, there is a large user-base there if you manage to make gaming through virtualization work smoothly.
Think about it, how highly connected gamers are through gaming news etc., if gaming worked in Qubes, it'd in my opinion draw a lot of positive attention, and a likely substantial Qubes userbase growth. Getting graphics to work in Qubes is being seen as a low priority, for the life of me, I cannot see why this is the case, with so many potential new Qubes users laying in wait.

[P R]

Hello,

Am 31.07.2017 1:43 nachm. schrieb "Marek Marczykowski-Górecki" <marm...@invisiblethingslab.com>:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

We have just released Qubes 4.0-rc1:

https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/

I installed Qubes 4rc1 on my Lenovo X200, Installation took some time, but successful.

After the first boot I choosed to configure sys-net, sys-firewall, sys-usb.

After a few minutes I got an error message (attached).

I was able to login into Qubes afterwards but I can't start any VM except sys-net:

qvm-start sys-firewall, results in:

Start failed: internal error: libxenlight failed to create new domain 'sys-firewall'

If I enter qvm-ls I can see that a sys-firewall AppVM is present and that it is based on the same fedora-25 template like sys-net.

Any ideas where to continue from here?

I have also tried to add a new AppVM based on the same template but I get the same error message when starting it.

- PhR

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Aug 04, 2017 at 10:28:45PM -0400, P R wrote:
> I installed Qubes 4rc1 on my Lenovo X200, Installation took some time, but
> successful.
>
> After the first boot I choosed to configure sys-net, sys-firewall, sys-usb.
> After a few minutes I got an error message (attached).
> I was able to login into Qubes afterwards but I can't start any VM except
> sys-net:
>
> qvm-start sys-firewall, results in:
>
> Start failed: internal error: libxenlight failed to create new domain
> 'sys-firewall'

Make sure you have VT-x and VT-d enabled in BIOS.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZhXdUAAoJENuP0xzK19csSuUH/i69emcMrP6gFtdG/CpoMdHd
sXxTx7qbJ03vgaXnkCCS1weJHYgqnyApTKSvYTAsX6hUgQaaC9hGS0Xj3yoPMXYl
/O0X/49X//CudLbTAXm1LSs6ajo5KQXc5m+m8dZhAtZ2b4kBA8PdZC0jszF1aJ2Q
8J2yFh9WuRvrX2jxLnumtz/81PkonuHFgsaRPfblG6S6G5C4aSl2Oz1sgx/H8aVM
Rrw/roKw2a6j0qQlj/Wu+JFgnwUTzXX1hL+lbKy5i410YlQ7F/6KSj5Kbua2Nmsu
1hOeLizVPhUrmXonvKHLoATBnBc3prYdrvkNgFxrNnOm6BxxwV8Q20KA43cbo90=
=msxX
-----END PGP SIGNATURE-----

[P R]

Hello Marek,

Am 05.08.2017 9:44 vorm. schrieb "Marek Marczykowski-Górecki" <marm...@invisiblethingslab.com>:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Aug 04, 2017 at 10:28:45PM 

> Start failed: internal error: libxenlight failed to create new domain
> 'sys-firewall'

Make sure you have VT-x and VT-d enabled in BIOS.

Indeed, I have checked BIOS setting and vt-d was disabled for some strange reason (it was enabled under Qubes 3.2 before).

If I try to start the AppVMs and also the Fedora-25 Template VM I get the same error.

As I also got the message at the end of the Qubes installation process, do you suggest to reinstall, now that vt-d is enabled?

Another strange issue is that I can only see 'Start' in the list of available applications in all Fedora VMs.

As I haven't read this before, it seems that something is broken.

Guess reinstalling  is the best option??

- PhR

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, Aug 05, 2017 at 04:04:27AM -0400, P R wrote:
> Hello Marek,
>
> Am 05.08.2017 9:44 vorm. schrieb "Marek Marczykowski-Górecki" <
> marm...@invisiblethingslab.com>:
>

> On Fri, Aug 04, 2017 at 10:28:45PM
> > Start failed: internal error: libxenlight failed to create new domain
> > 'sys-firewall'
>
> Make sure you have VT-x and VT-d enabled in BIOS.
>
>
> Indeed, I have checked BIOS setting and vt-d was disabled for some strange
> reason (it was enabled under Qubes 3.2 before).
>
> If I try to start the AppVMs and also the Fedora-25 Template VM I get the
> same error.
> As I also got the message at the end of the Qubes installation process, do
> you suggest to reinstall, now that vt-d is enabled?
>
> Another strange issue is that I can only see 'Start' in the list of
> available applications in all Fedora VMs.
>
> As I haven't read this before, it seems that something is broken.
> Guess reinstalling is the best option??

Probably yes - without VT-x and VT-d, initial configuration failed.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZhYGuAAoJENuP0xzK19csojcH/iilrBnK1RpMqsB1SNP/MXmh
kD08X+4JgEImhph2xHWzKbU5DCb4gmVlfvfLdSOmvybE3G9QqAEyZouUN13/jW/O
LrTqZVRxC4eLqKZNI2lXc4AQHc5QATKaZoAFXmKMQerV/BTz9F9oD1IZYCWbPyzp
scDIFR4qRZXBEmqinqCTDI+vNwng7ZV0M+WOoD9Poq+RTc03vILeySb4uVAbPt++
Nmt3nwDHG/W5hIPhD+XfWOIh2stjK1GX/0bwEcmp8+JBd0WL8OqzhJfX6ROF+AFo
ZxH1nwpKuEtcs74bcPWurNQ5sopqiT/+4mxdegg38o2OO1RL5QvVUjOwtimAu0M=
=qYuI
-----END PGP SIGNATURE-----

[P R]

Hello,

Am 05.08.2017 10:28 vorm. schrieb "Marek Marczykowski-Górecki" <marm...@invisiblethingslab.com>:

(...)

Probably yes - without VT-x and VT-d, initial configuration failed.

I have no restarted installation on my Lenovo X200 with VT-x and VT-d enabled but it seems that the installation hangs after booting up.

I have removed rhgb quiet and set console=vga to see what is happening. After the first few lines the displays clears and I get a black screen while the drive LED is on (so there seems to be some activity, but nothing happens.

I remember that there were some issues with installing Qubes on a X200.

Question: is there any setting I can tweak during grub boot to be able to run the Qubes OS installed with VT-x and VT-d enabled?

Anyone else tried to install Qubes 4 on a Lenovo X200?

- PhR

[P R]

Additional information, I forgot to mention:

Am 05.08.2017 12:49 nachm. schrieb "P R" <p.rasc...@googlemail.com>:

Hello,

Am 05.08.2017 10:28 vorm. schrieb "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>:

(...)

Probably yes - without VT-x and VT-d, initial configuration failed.

I have no restarted installation on my Lenovo X200 with VT-x and VT-d enabled but it seems that the installation hangs after booting up.

I have removed rhgb quiet and set console=vga to see what is happening. After the first few lines the displays clears and I get a black screen while the drive LED is on (so there seems to be some activity, but nothing happens.

I remember that there were some issues with installing Qubes on a X200.

(...)

When I boot with VT-d disabled the Qubes 4 installer works and is booting into the Graphical installation GUI.

So it seems that there is a problem launching the installer with VT-d enabled.

But without VT-d I get error messages after the installation has finished, which means that I am currently out of luck installation Qubes 4 on my X200.

:-/

- PhR

[yura...@gmail.com]

Marek, no ill intentions meant here, but the concerns of the release isn't just technical ones. There are questions regarding which target group whom Qubes want to spend time and resources on.
Will these issues not be addressed? Are there no one in the Qubes team whom work with with public relation role, to address these issues,, especially during a major release?

Again, no ill intentions here, but it would be nice to know if your focus is now entirely business users, or if you also intend to make a system for the everyday users as originally planned.
Do regular users take a backseat now? or are both being kept in focus?

This is not a a complaint, but rather, it would just be nice to know rather than keeping it a secret. I do not believe you intend to make it a secret, but it can come across as such, that's why I request a statement on the matter.

[cooloutac]

> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

>
> To post to this group, send email to qubes...@googlegroups.com.
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a4c1304-cbcb-e447-97dc-9db848eae1fd%40openmailbox.org.
>
>
>
> For more options, visit https://groups.google.com/d/optout.

I always wished the start menu was organized identical to the qubes-manger. IMO thats what made it confusing for some.

[cooloutac]

On Wednesday, August 2, 2017 at 11:43:34 PM UTC-4, Francesco wrote:

> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

>
> To post to this group, send email to qubes...@googlegroups.com.
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a4c1304-cbcb-e447-97dc-9db848eae1fd%40openmailbox.org.
>
>
>
> For more options, visit https://groups.google.com/d/optout.

I'm being honest man. The only time we ever have to use the cli, is if we forget to restart the sys-usb and shut it down by accident. She has the command written on the wall to alt-f2, xterm, qvm-start sys-usb. Only command we ever use on occasion, and thats only cause we using mouse proxy in the sys-usb.

[cooloutac]

qubes-manager never failed to update dom0, not sure what you're talking about. Installing Qubes or setting up the machine for her is a separate issue, and yes she has me for that. Most windows users don't set up their machine either. She also doesn't need command line to print, she updates the qubes on her own.

OK you got me there on updating templates after eol, but that only happens once or twice a year. And you can simply just remove it and install, don't even need to update it.

I understand alot of people want to feel like they are special for using Qubes. But from the beginning it had an unnecessary stigma keeping people away. We need to stop acting like its so complicated to use, because thats just not true when given the chance.

The fact remains noone should have too use command line for daily activities, and if we do, my family won't be using Qubes anymore.

[yura...@gmail.com]

Honest or not, I believe you that this is sufficient for your needs. But keep in mind other people use software differently, not everyone use it the same way, or have the same needs for that matter.

Some want quick changes, which can be done faster than terminal.

Some prefer not to, or don't have time to, learn to use the terminal.

People have different learning styles, which applies to use-cases too. Some are much stronger graphically, while others don't need a visual overview.

Saying "we" I'd ask you to define "we". When you say "some people", you can refer to a group, and not everyone, without illegitimate people who are not the same as you, or have different needs than you.

This is an forever lasting problem in the culture of Linux where many people think their needs mean the needs of everyone else must be the same. Yet a big part of Linux's concept and philosophy is about having choice. This is a paradox, the culture does not match what Linux is all about.

We should respect that people have different needs, just because some people don't have the needs, does not make the problem irrelevant.

No offense meant at you. It's just overdue for a modern culture to grow out of the old paradigms which are both very limited, and in stark contrast to what Linux actually is about. Seeing the big picture, and not staying hyper focused on the small details.

[cooloutac]

I'm not asking to remove terminal, not sure what you are going on about.

The forever problem of linux, is the self fulfilling prophecies from people who want to feel superior over others. People want to give overly complicated solutions to simple problems to feel smart and feed their ego, they want to claim that linux is too complicated to use by noobs, and they end up keeping it down, which in their mind proves their point. In reality, using linux nowadays is no different then using windows. You don't need a commandline for anything in most major distros anymore either. But it has that stigma already.

I'm not using Qubes like some cool tech experiment, I don't think i'm a super computer genius for using it, We = my family, use it for practical everyday life like families use windows.

If Qubes is not aimed at the average home user anymore, then fine, We'll move on. More and more i wonder whats the point of using any o/s without secure boot anyways. I just hope itl stops listening to people from the linux community, or else Qubes is not going to be much different.

[cooloutac]

I remember when the tor dev Isis on irc, when I asked if anyone used Qubes, told me she was going to try it out but thought it was too hard to use. She started asking me how easy it was to install and use. I was in total shock! This someone who is a genius compared to me and she thought Qubes would be too hard for her to use? Then I realized its because thats what most people on irc thought. And thats because of that age old linux problem of people wanting to feel special for using it.

ANY DUMMY CAN USE QUBES!!!! Any old dumb computer illiterate windows user can learn how to use Qubes in 10 minutes. If you think I am exaggerating you really need to come down to earth, you're not special.

The hardrd part of Qubes is forcing yourself to compartmentalize and thinking of the system in that way. Some people can't do it. But that has nothing to do with a technical learning curve, which is no different then windows. But it seems people in this community want to change that, probably for the reasons I stated in my previous post.

Although itl isn't the typical linux type, and from Joanna's github post it seems like its more of her thinking the Qubes-manager is ugly and bulky. So i'm crossing my fingers we don't lose any UI functionality.

[yura...@gmail.com]

ah, I somehow didn't manage to link your name to the different posts and read into your single post regarding having few needs to use the Qubes Manager VM GUI. I apologize for the misunderstanding, the fault is on my part there.

But that aside, it seems we largely agree, we need a statement whether Qubes is still being designed for regular people, or if it's to remain to be for the elite and business users. Not going to resent the Qubes team for such a move, it would just be nice "knowing" so, exactly like you said, that we can move on.

If Qubes is not eventually meant for a choice to the masses, then I'm okay with that too (albeit a bit sad). But we need knowing.

I also highly agree that we should leave hind the "elite" and feeling "special", I agree with you there as well. It's not only tasteless, it's scaring new Linux users away.

I don't think the core of Linux is about being superior, though some might make it like that. But in times where large tech companies are growing stronger and stronger, and democracies weaker and weaker, we really do need Linux now more than ever, especially in the years to come, for freedom and democracy to flourish. Software is increasingly lock-in and toxic, profiling and anti-privacy, turning customers into money generating assets. Power is shifting to centralized technology rather than decentralized technology. It's a huge problem, one which will only become worse as the next few years (decades) go on.

I rather not see Linux fail in giving freedom to the people, and most of all, not because of some people wanting to feel "elite". So I'm definitely on the same page as you, I apologize for the misunderstanding.

[cooloutac]

I'll be disappointed but I'm not going to be mad at them for trying to get paid, they deserve it.

But I also wouldn't mind if they turned me into a money asset like windows so they can keep designing it for home users...lol

I look at things differently. You are referring to linux architecture and developers, while I'm referring to the majority of its users and community members, as the Product.

[P R]

Hello,

I think it makes sense to concentrate more on what we (different user types/groups) would like to see, instead of having some kind of 'flame war' GUI vs. Terminal.

The good thing was always that you can built very complicated workflows using  the terminal/bash scrips make life easier and that you can have a GUI for 80% of the standard tasks for "normal users", which are more interested in using their computer as a tool instead of tweaking around.

We can and should have both:

1) API/terminal commands for 'advanced users' and

2) a simple GUI for normal users who just want to use a PC that protects their privacy somewhat better than their current Windows 10 Laptop.

Am 05.08.2017 5:02 nachm. schrieb "cooloutac" <raah...@gmail.com>:

The forever problem of linux,  is the self fulfilling prophecies from people who want to feel superior over others. 

Disagree, I think that those people are just faster using the terminal.

And those users are technically skilled and have at least basic knowledge about an operating system.

I agree with cooloutac that Qubes has a benefit if it can be used for regular tasks without touching the terminal.

Even when using Windows lots of people use Laptops that have been setup by experienced users and then handover to them.

They don't bother with tweaking the system, so simplifying the use of Qubes would help to get those users on board.

BUT:

Important point is that additional security/privacy has most time a price that it add a small layer of complexity/less usability for the user.

But Qubes is doing a great job to reduce this overhead.

As far as I have understand the Qubes team statement, it seems that the concentrate more on the Qubes Core stuff and having the API/Terminal commands, someone can still write a GUI for Qubes like Qubes Manager.

Honestly I don't understand why it is that hard to Port Qubes Manager over to Qubes 4, so that the user can choose:

- terminal 

- old Qubes manager with maybe a reduced feature set

- new Qubes widgets

- ... ?

This topic reminds me about the vi vs. emacs discussions. What the heck? I use both ;-)

Or the new "Ribbon Bar" from Microsoft which was also not that accepted in the beginning.

- PhR

[yura...@gmail.com]

Alright, I respect that, we see some things differently. But the discussion is good, it does not have to come down to agreeing in the end.

I don't like customers being turned into assets though. The way I see it, it essentially make people "not people" anymore, customer service is out of the window, it's all about cheating and manipulating people into making the best use of them, rather than making a fair trade between a company and a customer. So I kind of black out when I see business models that turn people into assets, I really, really don't like that approach.

But I do really agree that I wouldn't mind Qubes taking a fee, ask for more donations, or focus partly or entirely on business users. They do a lot of hard work, and regardless of the target group, the change will be for the better of humanity. Perhaps it's asking too much for Qubes to focus on both companies and end-users at the same time, nontheless, I do hope they can manage to do that.

It's obvious they had their hands full on Qubes 4 too, so it might just be that and we're reading too much into the issue here at hand. But lets see, with time comes answers. I just hope it wiill be in good time rather the long wait.

[yura...@gmail.com]

Fully agree, and you make a good point too with the Qubes team having said they will focus on the core of Qubes.
Perhaps the issue here is rather that Qubes seems too closed off and too tightly controlled, that no new groups arise to team up with Qubes?

Also most of all, don't want to be too harsh on the Qubes team here, they're doing an amazing job. It's just the limbo of lack of communication that is a bit iffy, if one may call it that.

Perhaps a professional Strategy Mission/Vision page on the Qubes website would help creating clarity rather than having to dig through thousands of forum and mail posts?

[cooloutac]

there is no versus anything, noone is asking to get rid of the terminal?

This is nothing like vi vs emac discussions. what?

[cooloutac]

You are going to be someones asset or product as part of nature, whether you know it or not.

The ends justify the means to me. Especially if it means being able to use Qubes or not.

I also think its silly to not support secure boot, simply because the idea was created by Microsoft. FSF/Richard Stallman supporters who are against secure boot, is like Bernie supporters not voting for hillary. Seems more spiteful then practical.

[yura...@gmail.com]

hmm, I think he was referring to the earlier posts far up above, and not you specifically.
But he makes a good point in that matter, both are important if we want to find motivation and resources to make systems that not only reach the advanced users, but also reaching the everyday users.
One cannot afford not to take the other seriously, both need each others in modern PC systems, especially if we want to survive the next big thing, the next platform coming after smartphones, which is partially already happening right now. There won't be a laptop, desktop or tablet for Linux to live on, if we don't take emerging technologies seriously. The time to stand together is now, and making whole systems that take in both the advanced and everyday users, would be a game changer.

[cooloutac]

By not taking secure boot seriously you are creating that self fulfilling prophecy.

[cooloutac]

The reason why redhat, ubuntu, and gentoo jumped on the secure boot train, not just for the security benefits, but because they know if they didn't linux would indeed be left out in the cold with nothing to live on.

[cooloutac]

ever hear of the saying cut your nose to spite your face? Linux communities are the epitome of that.

[yura...@gmail.com]

Well yeah, only if one allows oneself to become a victim. We can oppose and create balance in the world.
Also secure boot is entirely pointless in a stateless computer. A non-stateless computer has a lot of closed source firmware which can be either buggy (which closed software have proven to almost always be), and backdoored, which is either illegal, can be abused by other than for the intended, and is at the fringe limit crossing into the realm of human rights.

We don't need closed source firmware, it only creates problems, and no benifit or solutions, other than maintaining market shares through force, rather than surviving on good customer service and customer support.
We don't need companies that leech on society.

I gather you think the world is ruled by bullies, and that you think it's okay. If so, using that perspective, we just have to become the bullies towards to big companies who wants to make use of us. By the end of the day, we the people are what matter, humanity matter, not some greedy individuals behind a large company. Having said that, I'm not a fanatic against big companies, but they must behave, or I'll be against them.

[cooloutac]

You can promote change, but we have to work with what we got right now.

And right now secure boot would of stopped hacking teams insyde bios attacks, which some experts said could be exploited remotely, and would of worked on most ami bios as well. Without it whats the point? Why even bother with Qubes? Like you said hardware has backdoors, and if bios also has no protections. Whats the point then?

The problem for me is this is not a cool tech experiment. Its for practical use.

[yura...@gmail.com]

ah I see, I follow you now.
I'm not entirely sure how effective Anti-Evil-Maid is into detecting change in the BIOS/UEFI, perhaps someone can enlighten us on the topic? Can AEM be tricked or bypassed? Practically or theoretically?

Though Joanna (head of Qubes) have said it might just be some years, if I remember correctly, before we might see true stateless computers. I'm not sure if anyone with resources would want to commit to such a thing, but it would definitely help us all out. I hope she can convince someone with resources with her goal for a true stateless pc.

But meanwhile, we have to live with closed off firmware indeed, and it would be interesting to know how effective and trustworthy AEM is.

I suppose it might also be possible to hardware firewall off any incoming signals to the computers BIOS/UEFI, which most routors do by default these days. At this point, it should be a simple matter to have a team to test if any BIOS/UEFI are phoning home.

The only way someone can attack a BIOS/UEFI is if they have a leak through the firewall, which be be gained by trojan horses by either user mistakes and hidden software malware.
The only other method, would be to have the BIOS/UEFI to phone home regularly, so that it can open up the hardware firewall, and these can be detected easily if someone keeps taps on them.
In other words, our BIOS/UEFI should only be exploitable if our firewalls are not set up properly or we make mistakes on the internet.

If I'm not mistaken, I don't want to claim to be an expert on this topic, I'm definitely not an expert. But as far as I understand the issue, this is the limit.

We should probably try stirrer back on-topic though, this is more Qubes general discussion than Qubes 4 discussion.

[cooloutac]

Unlike secure boot, aem does not stop a compromise, only notifies you of a change which might indicate a compromise has happened, which basically is a prompt to buy a new pc.

Reading posts on the forums tells me it can be buggy and false alarms happen though.

Intel says you need 3 things for the best boot protection. Secure boot, trusted boot, and measured boot. I'm a total noob but I believe aem falls into trusted boot category? So I wonder if its possible to use both? And I have no idea what measured boot is.

Another thing to consider is that if you use a usb key, which makes most sense to use with aem, then you can't use a sys-usb at the same time. So it depends on your threat model and how you use your system. Someone might have to correct me on this but I believe this to be the case.

[yura...@gmail.com]

Well yeah, most people with resources and knowhow to attack the BIOS/UEFI are governments. If you become a target of those, you really need to watch your step, in all liklihood, most if not all, would eventually get caught if they repeatedly appear on the internet with something that can tie them previous instances. Eventually you build up a profile that can lead to your detection, or vulnerabilities to use against your system.

I don't think we need to worry about regular and everyday hackers meaning to do harm, after all, these attacks are mostly only worth it on high profile people.

ALso in your scenario, BIOS/UEFI is still closed source firmware. It can be backdoored, and backdoors can be used by others than the creators. But it remains a fact (for now at least), that only groups with a lot of resources, can use these attacks, and they will only invest it into high target profile people.

Regarding the USB while Qubes isn't booted, that is a really good point. I've been thinking about that too, maybe create our own USB with open source firmware which can be hash value verified after it is turned into a binary package sitting on the USB sticker. But my knowledge is too limited to say for sure if this is possible, but it's worth studying more. There are some tools out there already as it is, but it's a bit cumberstone and "do it yourself".
Albeit for now, these USB attacks appear to be exotic and rare enough to ignore for low profile targets (for now).

However AEM should detect changes between reboots at least.

[PhR]

Hello,

after having problems to install Qubes on my X200 I have installed 4rc1 on my other laptop (Lenovo W540). Installation was sucessfull and the only tweak I needed was to remove iommu=no-igfx from grub boot.

I have uses Qubes 4rc1 now for ~2,5 hours, my feedback so far:

positive:

• in Qubes 3.2 the whole system froozes for a few seconds when a new VM was started.
  In Qubes 4rc1 this seems to be solved.
  

list of things that might need improvement, meant as constructive feedback - of course I am very thanksfull to the work of the Qubes Team.

• when launching an application from the start menu I would like to see a notification about the user interaction. Currently nothing happens, if the new apps needs a few seconds to start the user might click again
• Notifications - I haven't seen any notifications at all, like starting/stopping of VMs or when a new USB-device has been attached. Would like to see the notification from Qubes 3.2 in Qubes 4
• After setting up various AppVMs, working with templates, I feel that Qubes Manager is definitly missing as it allowed me to have a quick look, what is currently running and also attaching block devices was much easier.
  If I plugin an USB harddrive I see no notification and I need to attach devices via terminal, to much user interactions, compared to a graphical solution
• Positioning of Blockdevice and Running VMs widgets:
  I see my self moving the mouse from left to right a lot, just to start programs and get information (from the widgets) - again Qubes Manager was much more comfortable.
  Is it possible to have something like a desktop widget, showing all running AppVMs?
• IDEA "QuickstartBar": Could we get something like a shortcut so that a launch bar will open up, where I can enter either bash commands or something like: untrusted:firefox and then Firefox opens in my AppVM named untrusted (general syntax: AppVM:Command/Program? task completion would even be easier?
• The AppVM widget is only showing sys-usb, sys-net, sys-firewall, not other AppVMs which are running.
• In the "Start Menu" (left side) I would like to additional commands like (Start VM, Shutdown VM, Remove VM) maybe separated or at the beginning or end of the menu?
  Remove VM should of cause show a dialog which needs further user interaction.
  
• The "Create Qubes VM" menu entry could also be enhanced so that we have the option to create a clone from an existing VM. Maybe via something like an additional option "Clone from <LIST>"
• It seems impossible to hide VMs or VM-templates from the "Start Menu", whoch could be done via qvm-prefs in Qubes 3.2. Why? This setting was very usefull.
• Working with USB devices: Could we improve the handling of usb devices. Currently it seems that it is impossible to add a usb-device to a VM without touching the terminal.
  Maybe we need an usb widget or a submenu in the USB-App-VM?
  From user perspective I would like to get a notification popup as soon as I attach something to my laptop, then allowing me to choose with the next click where to attach this device to.
  If I am attaching a device it is most time because I need to get this device into an AppVM.
• Fonts/Display Resolution seems to be different compared to Qubes 3.2.
  My Laptop has a 3K resolution 2880x1620 Pixels. In 4rc1 the qubes window frames (which seems to be rendered in dom0) are small, but the content in the window (content of the AppVM) is using a bigger font (DPI-size).
  How can this be resolved?
• qvm-top ... seems to be gone, how can I quickly get a list of all running VMs?
  something like: qvm-ls --running
• Copy & Paste between AppVMs:
  I now have to enter the name of the target AppVM when pasting via global clipboard (Shift+Ctrl+V). While this adds more security, it is a pain for the user, when copying a lot. Could it make possible to have the option to get a slightly easier copy&paste process:
  the current appvm, to which the window belongs is already selected in the list of the target VM.
  If the user hits Enter two (!) times, the content of clipboard would be pasted into this AppVM clipboard.
  Benefit: additional security as not content will be copied by coincident (you need to press Enter twice) but easier copy & paste process when copying lots of entries between two AppVms.
  
• Backup and Restore of VMs should be possible via GUI not only per terminal.
  

feedback so far, I continue to test.

- PhR

[Foppe de Haan]

On Sunday, August 6, 2017 at 2:11:41 AM UTC+2, PR wrote:
> Hello,
hi. :)

> Notifications - I haven't seen any notifications at all, like
> starting/stopping of VMs or when a new USB-device has been
> attached. Would like to see the notification from Qubes 3.2 in
> Qubes 4

Agreed.

> Positioning of Blockdevice and Running VMs widgets:
>
> I see my self moving the mouse from left to right a lot, just to
> start programs and get information (from the widgets) - again
> Qubes Manager was much more comfortable.

few options for you:
- Alt-f2 (or alt-f1+arrow keys) is your friend. :p
- you can also choose to permanently move either the start menu or the widgets to the left of the menu bar. :)

> Is it possible to have something like a desktop widget, showing
> all running AppVMs?

Would a toggle to permanently expand/unfold the manager-widget do? Or do you also want additional features accessible from that QM-widget?

> IDEA "QuickstartBar": Could we get something like a shortcut
> so that a launch bar will open up, where I can enter either bash
> commands or something like: untrusted:firefox and then Firefox
> opens in my AppVM named untrusted (general syntax:
> AppVM:Command/Program? task completion would even be easier?

Beyond what you can do with alt-f2 (in xfce) + searching + arrow key navigation?

> The AppVM widget is only showing sys-usb, sys-net,
> sys-firewall, not other AppVMs which are running.

If this concerns VMs you've created yourself, this should probably be fixed in the next update. Or do you mean the 'devices' widget?

> The "Create Qubes VM" menu entry could also be enhanced so
> that we have the option to create a clone from an existing VM.
> Maybe via something like an additional option "Clone from
> <LIST>"

Not sure I'd use this often enough for it to make sense -- isn't this part of what dispvms are for?

> Working with USB devices: Could we improve the handling of usb
> devices. Currently it seems that it is impossible to add a
> usb-device to a VM without touching the terminal.

Huh? That should be there now, even if it doesn't look the part, and isn't very intuitive (devices widget in notification area? Or doesn't that do usb devices yet? (I can't test this myself due to a different bug)).

> From user perspective I would like to get a notification popup
> as soon as I attach something to my laptop, then allowing me to
> choose with the next click where to attach this device to.
>
> If I am attaching a device it is most time because I need to get
> this device into an AppVM.
> Fonts/Display Resolution seems to be different compared to
> Qubes 3.2.
>
> My Laptop has a 3K resolution 2880x1620 Pixels. In 4rc1 the
> qubes window frames (which seems to be rendered in dom0) are
> small, but the content in the window (content of the AppVM) is
> using a bigger font (DPI-size).
>
> How can this be resolved?

Does this help? https://groups.google.com/forum/#!searchin/qubes-users/hidpi$20vm|sort:relevance/qubes-users/GQOLttJeJTg/hubZ7gX8AwAJ ?

> qvm-top ... seems to be gone, how can I quickly get a list of
> all running VMs?

try qvm-ls

> I now have to enter the name of the target AppVM when pasting
> via global clipboard (Shift+Ctrl+V). While this adds more
> security, it is a pain for the user, when copying a lot. Could
> it make possible to have the option to get a slightly easier
> copy&paste process:
>
> the current appvm, to which the window belongs is already
> selected in the list of the target VM.
>
> If the user hits Enter two (!) times, the content of clipboard
> would be pasted into this AppVM clipboard.

Agreed.

[PhR]

On 08/06/17 09:16, Foppe de Haan wrote:
>
>> Notifications - I haven't seen any notifications at all, like
>> starting/stopping of VMs or when a new USB-device has been
>> attached. Would like to see the notification from Qubes 3.2 in
>> Qubes 4
> Agreed.

>> Positioning of Blockdevice and Running VMs widgets:
>>
>> I see my self moving the mouse from left to right a lot, just to
>> start programs and get information (from the widgets) - again
>> Qubes Manager was much more comfortable.
> few options for you:
> - Alt-f2 (or alt-f1+arrow keys) is your friend. :p
> - you can also choose to permanently move either the start menu or the widgets to the left of the menu bar. :)

Ok, I haven't used Alt+F2 before, this looks interesting, but I haven't
figured out how to use it.
Does it offers auto-completion?

>> Is it possible to have something like a desktop widget, showing
>> all running AppVMs?
> Would a toggle to permanently expand/unfold the manager-widget do? Or do you also want additional features accessible from that QM-widget?

It seems that we need to restart Qubes 4rc1 after reinstallation at
least one or two times, so that the widgets are working - maybe this
should be added to the documentation (?)
I have also updated dom0, maybe this brought also the solution?
Now all running VMs are shown in the widget, before I could only see
sys-net and sys-firewall there.

>> IDEA "QuickstartBar": Could we get something like a shortcut
>> so that a launch bar will open up, where I can enter either bash
>> commands or something like: untrusted:firefox and then Firefox
>> opens in my AppVM named untrusted (general syntax:
>> AppVM:Command/Program? task completion would even be easier?
> Beyond what you can do with alt-f2 (in xfce) + searching + arrow key navigation?

As mentioned, I havent used that before, can this be used without
mouse-navigation?
I've to enter untrusted: Terminal but when hitting enter, nothing
happens, except a red stop sign.
need to find out the syntax of that quick launcher, having the graphical
menu available from the quick-launcher is a nice addon, but this needs
more time, then just using the start menu.

>> The AppVM widget is only showing sys-usb, sys-net,
>> sys-firewall, not other AppVMs which are running.
> If this concerns VMs you've created yourself, this should probably be fixed in the next update. Or do you mean the 'devices' widget?

This has been fixed, after some restarts, I can now also see usb devices
in the device widget and can attach them from there to the running VMs -
very nice.
I like having block and usb devices in one view.
What would be nice, but I don't know if this can be done:
If a device has been attached to a VM, maybe it can be highlighted or
marked with a symbol in the device widget menu.
As such I can see directly which devices are attached. currently I need
to open the menu entry and I can then see, which AppVM has the device
attached (can be identified because it is grayed out and offers an eject
button).

>> The "Create Qubes VM" menu entry could also be enhanced so
>> that we have the option to create a clone from an existing VM.
>> Maybe via something like an additional option "Clone from
>> <LIST>"
> Not sure I'd use this often enough for it to make sense -- isn't this part of what dispvms are for?

Maybe you are right, but now I have to go to terminal to clone a vm.
What I am doing is, that I leave the default templates untouched and
create a clone of them, which I then use for my AppVMs. This makes sure
that I can always test an AppVM with the "original" default Qubes
template for troubleshooting.

>> Working with USB devices: Could we improve the handling of usb
>> devices. Currently it seems that it is impossible to add a
>> usb-device to a VM without touching the terminal.
> Huh? That should be there now, even if it doesn't look the part, and isn't very intuitive (devices widget in notification area? Or doesn't that do usb devices yet? (I can't test this myself due to a different bug)).

Solved, my mistake as mentioned above, it seems that Qubes needs one or
two restarts until the Widgets are working correctly.
A possible bug (?):
If you shutdown sys-usb the USB-devices are gone from the list, and
won't come back when restarting sys-usb.
Another strange effect:
I can then see entries called QEMU_QEMU_USB_Tablet_42 for every running
AppVM.
Is this the virtual USB Hub in every AppVM? I think this should be
hidden from the widget.

>> From user perspective I would like to get a notification popup
>> as soon as I attach something to my laptop, then allowing me to
>> choose with the next click where to attach this device to.
>>
>> If I am attaching a device it is most time because I need to get
>> this device into an AppVM.

When I attach a usb device through the device widget I get a nice
notification window in the upper right corner, so notification are
working just not for the majority of qubes events (starting / stopping VMs)

>> Fonts/Display Resolution seems to be different compared to

>> Qubes 3.2. (...) but the content in the window (content of the AppVM) is

>> using a bigger font (DPI-size).
>> How can this be resolved?
> Does this help? https://groups.google.com/forum/#!searchin/qubes-users/hidpi$20vm|sort:relevance/qubes-users/GQOLttJeJTg/hubZ7gX8AwAJ ?

Thanks, I tried this and seems to work in some apps. As mentioned in the
post, it seems that this will not help everywhere:

(...) this is not a universal approach but should work fine for gnome
apps. you should type them in terminal applications in each vm.
a more comprehensive approach to cover all bases is to set proper dpi
for X server, Xft, gsettings (if gnome-settings-daemon runs), xsettings
(IIRC Debian template needs that), dom0 desktop environment (KDE, Xfce)
and use hidpi themes/window decorations. (...)
From:
https://groups.google.com/forum/#!searchin/qubes-users/hidpi$20vm|sort:relevance/qubes-users/GQOLttJeJTg/hubZ7gX8AwAJ

Maybe someone can look into this topic and provide a short howto which
can be added to the Qubes Documentation as High Resolution Displays are
becoming more and more common.
xsettings,gsettings etc. sounds complicated to me :-)

>> qvm-top ... seems to be gone, how can I quickly get a list of
>> all running VMs?
> try qvm-ls

I know about qvm-ls, but qvm-ls show all VMs, and there doesn't seem to
be a switch to show only the running VMs, if we get an option for qvm-ls
--show-running, -r this would be handy.
But I don't get why qvm-top is not available any more, as the view from
qvm-top is slightly different compared to qvm-ls.
qvm-ls = show me my inventory and configuration data
qvm-top = show me metrics about ressource consumption of all running VMs

>> I now have to enter the name of the target AppVM when pasting
>> via global clipboard (Shift+Ctrl+V). While this adds more
>> security, it is a pain for the user, when copying a lot. Could
>> it make possible to have the option to get a slightly easier
>> copy&paste process:
>>
>> the current appvm, to which the window belongs is already
>> selected in the list of the target VM.
>>
>> If the user hits Enter two (!) times, the content of clipboard
>> would be pasted into this AppVM clipboard.
> Agreed.
>

I guess this means that the dialog windows which comes up when hitting
STRG+V must catch the AppVM name of the window that was currently in
focus - I am not sure if this can be done?
On the other hand dom0 should know everything.

- PhR

[Franz]

On Tue, Aug 1, 2017 at 5:47 PM, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Aug 01, 2017 at 12:42:01PM -0700, mikih...@gmail.com wrote:
> Some bugs, one pretty deal breaking:

Thanks for the report.

> If I remove an application from the appmenu, I am unable to set it again. More specifically I can set it in the VM-settings, but it won't show up in the Appmenu again.
> The color of a VM can be changed, but again this is not reflected in the Appmenu. The VM itself (the running apps) have the correct window color.

Created ticket for this:
https://github.com/QubesOS/qubes-issues/issues/2952
You can see there for a workaround.

> Overall performance is OK, starting a Fedora VM takes longer than usual, about 1min. Work VM (not app) didn't start when I selected the chromium app from the appmenu. I had to start the VM from cli and then I could start Chromium.

That's weird, did you get any error?

> The Qubes Manager is greatly missed! Especially the backup-restore. I tried to restore VMs from 3.2 which didn't work at all:
> First it showed a lot of my VMs with the prefix "disps" ? (The backup had only templates and 2 AppVms).

This is because how 4.0 deals with different DispVM settings. To restore
setting of 3.2 as much as possible, it create dispvm for each netvm used
there.

> I had to exclude -x a lot of Vms, honestly a pain when I just wanted one important VM to restore,

Instead of excluding, you can list VMs to include, just after backup
path.

It works Marek, many thanks. It is enough to list the VMs you want and all other are automatically excluded.  This is really important because it is fast and avoids errors. Listing lots VMs with -x I could not avoid errors very difficult to identify because the error message gave no hints. But just adding a few VMs at the end is easy to do and to check.

> but got several python errors STDOUT and read errors. Restoring all was the same and I had a list with 20 broken VMs, no apps in their menu, starting gave libxl error. I used verbose and the 2 ignore options.

Do you have those messages saved somewhere? That would be really useful
to track down the issue...

> Removing them with cli, all a bit tedious ;(
>
> Finally, If someone knows how to create a VM for iso booting from CLI I would greatly appreciate a short info here.

This is a missing part...
https://github.com/QubesOS/qubes-issues/issues/2951

> Looking forward to some docs/explanation on the changed qvm* tools since we are now supposed to do it from the command line.

There will be separate post about it, but see below.

> E.g. How to make net/proxy/app VM (qvm-create has some classes now...?)

This one is possible also from GUI - in main menu you have "Create Qubes
VM" option and there you have "provides network" option which allow you
to create net/proxy VM.

> qvm-prefs options (kernel boot extern/intern and netvm settings),

There is qvm-prefs --help-properties, which shows details about each
property.

> changes with LVM pools(? there was a option --boot-root-from-file?) , booting VM from iso file etc.

See above...

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZgOj4AAoJENuP0xzK19csBtYIAIrt+ILqpdjskeg4aaHKa2JM
hAGHwbKSvAorCkx3DCd9eSvF7cnBOzsFuoYDjnvIC1D9W0f/5dxl6H8GP9JSH2oo
NM4vEA5QPH7C6Ed/s05HCT4D4yFE7jqM6vT71xAklI6niJxTf+AJ4oJtectBBFeA
g2S/4i65KbaBGW3Smec3ZvnY2eGSvxi9bvJXOWE8ks8siVPhhWRmsZDfmjeGmv9S
au0yuDa4Bmx1TW3hRB8wDWuXdLEm5YDn4F+EUbuAVZgl2XM3UlRK/flcQxCzzWN9
CyGO98c/DN5+7SZ5nzbEb2ZFucdVo+aij6Twp8XVt4mjMc5OYHEzNYLPUcp38bk=
=Iz/7
-----END PGP SIGNATURE-----

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.

To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170801204752.GE8495%40mail-itl.

[cooloutac]

This aint the 90s anymore. low level actors have become equal to state level. Its probably partly why nsa built prism, only way they could one up them. 90% of ddos sites are run by 15 year olds. 2005 saw a dramatic increase, but 2012 was a real turning point, we are in an epidemic now.

I was complaining about bios exploits 10 years ago and people were lying to themselves then, nothing has changed.

And if you are worried about the gov't spying on you. Don't do anything online, period. Why are you even using a computer? Even worse, a cellphone. Just assume most things are not private.

[yura...@gmail.com]

Listen, you're not reading what I'm saying, especially across multiple of posts in this thread. Also there is a very, very thin line between fear and anxiety. I'm not planning to live a life of concerns through anxiety, I live a life with concerns through real fear from real threats. Fear is rationalized and real, while anxiety is based on baseless emotions which swallow you up. I'm pragmatic, I do what can be done now, I do not want to live in anxiety, or bash words around aimlessly. Things has to be done, and not just talking about it.

Security and privacy has always been a concern of real fear for me, especially with democracy rotting away slowly, year by year, which is made worse by technology that is increasingly, and slowly ever more so, being used against people. The fall of democracy, is what worries me, especially with the technology that can be used to either protect it, or destroy it.

I worry about the future. I do not worry much about the past, like the 90s repeating itself, rather new threats have the risk of emerging. They too must be handled with concerns of rationalized fear, and not through baseless anxiety. Even if there is just 5% risk, it must be taken seriously, and approached logically.

I do not see it as being good or constructive to continue discussing this in this thread, if you want, make a new thread and throw a link here, then I'll follow and keep discussing with you for as long as I have free time to do so. We're getting vastly off-topic here, in a thread which is about Qubes 4 release, we shouldn't talk more about this in this thread.

[blacklight]

this is probbaly a good time to try the unofficial qubes irc chat on freenode.

[Foppe de Haan]

Question: should windows-7 HVMs imported from R3.2 Just Work™ in R4?

[PhR]

Hello,

On 08/11/17 21:54, Foppe de Haan wrote:
> Question: should windows-7 HVMs imported from R3.2 Just Work™ in R4?
>

additional questions:

1) Can I install Windows at all, since it seems that there are no
qubes-windows-tools available .

2) What is the strategy with Windows Support in Qubes 4? In order to
have Qubes ready for the enterprise business, I'd like to see seamless
windows working in Qubes 4.

3) Is someone actually working on the Qubes Windows Tools? If not, would
it help if we raise a budget as motivation?

- PhR

[korig...@gmail.com]

Hello,

I've installed 4.0-rc1 on Intel i5-7200u Asus UX410UA laptop. System was rebooting after grub menu in loop until I removed 'iommu=no-igfx' option, then it boots successfully. System does not have discrete GPU, VT-i is on, booting in CMS (BIOS Legacy mode), because in EFI mode system reboots immediately after selection of any option in installation image's boot menu.

I have problems with touchpad, though: it works with 0.1-1 sec lags, pointer jumps here and there. Sometimes it freezes for minutes. Several tens of i2c_hid errors added to dmesg per second:
i2c_hid i2c-ELAN1200:00: i2c_hid_get_input: incomplete report (16/16466).
I believe it's Fedora 25 problem: https://bbs.archlinux.org/viewtopic.php?id=226194

[korig...@gmail.com]

On Sunday, August 13, 2017 at 5:39:06 PM UTC, korig...@gmail.com wrote:
> I believe it's Fedora 25 problem: https://bbs.archlinux.org/viewtopic.php?id=226194

My mistake, it's Arch forum, but the problem is the same. I've booted from KDE Neon Live USB (Ubuntu-based with 4.8.0 kernel) and the touchpad works flawlessly.

[ora...@riseup.net]

Justin wrote:

> On Wednesday, August 2, 2017 at 7:58:24 AM UTC-4, PR wrote:
>> Hello,
>>
>>
>>

>> Am 02.08.2017 1:45 nachm. schrieb <codge...@hotmail.com>:
>>
>> On Monday, July 31, 2017 at 5:23:20 PM UTC-4, Micah Lee wrote:
>>
>>> On 07/31/2017 04:43 AM, Marek Marczykowski-Górecki wrote:
>> (...), when I boot up, grub
>>
>>> works, but then as soon as Qubes starts to boot the computer
>>> reboots,
>>
>>> and I end up back in grub.
>>
>>
>>
>> Having the EXACT same issue with my T430s
>>
>>
>>
>> Have you tried the suggestions from "Rusty Bird":
>>
>>
>> I ran into the same behavior on a T420. Removing iommu=no-igfx
>> from the Xen command line fixed it. [1] If that doesn't help,
>> _adding_ console=vga should let you see what's going on.
>>
>>
>> @codgedodger: Did this help in your case?
>>
>>
>> Kind regards
>>
>>
>> - PhR
>
> I had this issue on my Thinkpad X230 with a fresh install of 4.0-rc1
> and the fix let me boot, but, when I shutdown, the system hangs and
> when I hit escape on the shutdown screen, I see errors in device-
> mapper failing to remove ioctl on the VMs and then a bunch of the
> error "failed to write error node for backend/" for xen-pciback and
> vbd.

for me fresh install on x230 using legacy boot and there is no grub, so
how make the iommu=no-igfx edit?

install again using EFI boot but installer stuck at beginning "Xen 4.8.1
(c/s) EFI loader" screen.

[Sean Dilda]

On Mon, Aug 14, 2017 at 6:23 AM ora...@riseup.net <ora...@riseup.net> wrote:

 

for me fresh install on x230 using legacy boot and there is no grub, so
how make the iommu=no-igfx edit?

I had to make the same edit..  however, I did see the grub screen for a few seconds until it started the boot, and rebooted the system.

 

install again using EFI boot but installer stuck at beginning "Xen 4.8.1
(c/s) EFI loader" screen.

What's the process for installing with EFI?  On my Dell Precision 5520, I wasn't able to see the USB as bootable until I enabled legacy boot mode and never saw any EFI options after that, so I'm stuck in legacy boot mode.

[Sean Dilda]

I tried again (EFI on, secureboot Off) with the same media and was able to install with EFI this time.  After the install, I did have the problem of the reboot loop, but no grub screen to pause at.

I fixed this by booting off the install media again and went into the rescue mode.  I then edited /boot/efi/EFI/qubes/xen.cfg and removed the iommu=no-igfx  from two different lines.   After that I was able to boot normally.

What I don't know is if anything will update that file again.  From https://github.com/QubesOS/qubes-issues/issues/2953 that you need to edit /etc/default/grub to make sure grub changes persist, but I'm not finding anything similar for EFI. 

[ora...@riseup.net]

Sean Dilda:

> On Mon, Aug 14, 2017 at 6:23 AM ora...@riseup.net <ora...@riseup.net> wrote:
>
>
>> for me fresh install on x230 using legacy boot and there is no grub, so
>> how make the iommu=no-igfx edit?
>>
>
> I had to make the same edit.. however, I did see the grub screen for a few
> seconds until it started the boot, and rebooted the system.

install again and I got the grub screen this time. I remove
iommu=no-igfx and got in. thank you!

[cooloutac]

I don't know what this fear vs anxiety things is, but neither is automatically rational.

If you are not using secure boot, you are not even reasonably secure. This needs to be discussed here. Worry about the future of Qubes if you care about those things.

[@LeeteqXV (Twitter & Mastodon.technology)]

On 04/08/17 18:18, Micah Lee wrote:

On 08/04/2017 07:19 AM, Zrubi wrote:

But still feels like a bare naked login screen. IMHO this should
be just as important as the Qubes boot (splash) screen.

Which also have similar aesthetic. Do you think about just some
better background there, or some bigger change?

A would say it's needs a bigger change.
But of course this is really subjective, and currently do not have
time to design a qubes related skin for the login manager :(

So this is just my (and my surroundings) opinion.
Handle with sustenance ;)

On a related note, I would love to see some better Qubes graphics
design. Especially, in my opinion, better built-in choices for the
desktop wallpaper.

Good default wallpaper makes a big difference in first impression of an
OS. (And until #215 is implemented, users who aren't comfortable with
Linux will have a hard time figuring out how to set a custom dom0
wallpaper themselves, and will probably expose dom0 to an untrusted
image in any case.)

Maybe there are some graphics designers or professional photographers in
the Qubes community. I wonder if a call for wallpaper submissions or
something similar could help?

Wallpapers (and first impressions...) are really important, even more so with less GUI snacks.
There are many great, suitable and royalty-free wallpaper images at www.Pixabay.com .
Just need to select some that have some practical areas where the Qubes logo can be added.

I think that Qubes should come with a decent collection with various categories to choose from (5-15 options in each category? nature, animals, urban, countryside, skyline, linux, tech, future, ... etc.)

Here are 10 potential wallpapers from Pixabay (royalty-free):
https://pixabay.com/en/coast-concrete-lighthouse-ocean-1838593/
https://pixabay.com/en/lighthouse-night-beacon-historic-1969705/
https://pixabay.com/en/human-group-clock-time-silhouette-439149/
https://pixabay.com/en/path-road-unknown-sand-dessert-1461447/
https://pixabay.com/en/fractals-background-mathematics-1800242/
https://pixabay.com/en/sunset-beach-hype-mijas-costa-1226113/
https://pixabay.com/en/anonymous-protect-campaign-2023760/
https://pixabay.com/en/water-flowing-whitewater-splash-195926/
https://pixabay.com/en/finger-fingerprint-security-digital-2081169/
https://pixabay.com/en/titan-3-super-computer-large-fast-79578/

Regards,
https://mastodon.technology/@LeeteqXV/
https://twitter.com/@LeeteqXV/
https://Leeteq.com/