Minimal builder.conf and template security


bobthe...@tutamail.com

Aug 10, 2018, 2:43:26 PM
to qubes...@googlegroups.com
What is the minimal configuration for building qubes? I want to build a custom iso minus most of the templates so I only need dom0, netvm, usbvm and whonix. Are there any components that always need to build or can the whole iso be built from packages and templates in the yum or deb repository? Are templates in the repositories automatically rebuilt and uploaded so the latest bugfixes are always integrated or do you need to update the templates yourself?

awokd

Aug 10, 2018, 5:01:51 PM
to bobthe...@tutamail.com, qubes...@googlegroups.com
See https://www.qubes-os.org/doc/qubes-r3-building/ for steps on how to
build. You might be able to use Fedora 28 instead of 26, but I haven't
fully tested. From your list of "dom0, netvm, usbvm and whonix", the only
template you could exclude is debian-9. All templates and build components
get updated to current levels on a full build, so you shouldn't have to
update immediately after installing it.


Unman

Aug 12, 2018, 10:09:20 AM
to aw...@danwin1210.me, bobthe...@tutamail.com, qubes...@googlegroups.com
If you want Whonix then you *have* to include debian-9 I think: aren't
the whonix templates configured off the debian-9 base?

If you are building an iso from scratch you can include custom templates
that you have built - for example, a minimal debian with additional
networking and usb packages - in preference to the Qubes standards. You
can drop Fedora templates altogether. Remember to edit the salt
packages appropriately.
Otherwise you can just build a barebones iso, install without
creating any qubes, and then manually configure them using the template
you have included.

The templates in the repositories are rebuilt, but do not always
incorporate the latest bugfixes. It's good practice to immediately
update after installing a new template. (If you roll your own, of
course, you won't have this issue.)

unman

awokd

Aug 12, 2018, 3:24:31 PM
to Unman, aw...@danwin1210.me, bobthe...@tutamail.com, qubes...@googlegroups.com
On Sun, August 12, 2018 2:09 pm, Unman wrote:
> On Fri, Aug 10, 2018 at 09:01:46PM -0000, 'awokd' via qubes-users wrote:
>
>> On Fri, August 10, 2018 6:43 pm, bobthe...@tutamail.com wrote:
>>
>>> What is the minimal configuration for building qubes? I want to build
>>> a custom iso minus most of the templates so I only need dom0, netvm,
>>> usbvm and whonix. Are there any components that always need to build
>>> or can the whole iso be built from packages and templates in the yum
>>> or deb repository? Are templates in the repositories automatically
>>> rebuilt and uploaded so the latest bugfixes are always integrated or
>>> do you need to update the templates yourself?
>>
>> See https://www.qubes-os.org/doc/qubes-r3-building/ for steps on how to
>> build. You might be able to use Fedora 28 instead of 26, but I haven't
>> fully tested. From your list of "dom0, netvm, usbvm and whonix", the
>> only template you could exclude is debian-9. All templates and build
>> components get updated to current levels on a full build, so you
>> shouldn't have to update immediately after installing it.
>>
>
> If you want Whonix then you *have* to include debian-9 I think: aren't
> the whonix templates configured off the debian-9 base?

You have to include the debian builder to build Whonix templates, but I'm
not positive about the actual debian-9 template.

> The templates in the repositories are rebuilt, but do not always
> incorporate the latest bugfixes. It's good practice to immediately update
> after installing a new template. (If you roll your own, of course, you
> won't have this issue.)

A full build downloads/syncs everything off Qubes' repos and current
distribution patches. What other bugfixes are there?


bobthe...@tutamail.com

Aug 13, 2018, 2:38:21 AM
to Qubes Users

"make qubes" will build everything from source but I'd like to skip as much as I can to build an iso and mostly rely on packages already present in the yum and deb repo. 
Just building gcc takes more than 12 hours:
marmarek instead suggests to remove this component and use USE_QUBES_REPO_VERSION = 4.0 to use the package from the mirror.
The question is what else could be skipped to build the iso?
Some other shortcut I found was:
"COMPONENTS = linux-template-builder builder builder-debian \
    template-whonix "
from

How often are the official templates rebuilt?

When I use the below builder.conf "make qubes" seems to be successful (I guess the xenstore-read is not critical). But when I then do "make iso" I get an error. I'm building on fedora 28.

# vim: ft=make ts=4 sw=4

# Ready to use config for full build of the latest Qubes OS (aka "master").

GIT_BASEURL ?= http://github.com
GIT_PREFIX ?= QubesOS/qubes-
NO_SIGN ?= 1
USE_QUBES_REPO_VERSION=4.0
DEBUG=1
VERBOSE=3
BRANCH ?= release4.0

BACKEND_VMM=xen

DIST_DOM0 ?= fc25 
DISTS_VM ?= fc26

MGMT_COMPONENTS = \
mgmt-salt \
mgmt-salt-base \
mgmt-salt-base-topd \
mgmt-salt-base-config \
mgmt-salt-base-overrides \
mgmt-salt-dom0-qvm \
mgmt-salt-dom0-virtual-machines \
mgmt-salt-dom0-update

COMPONENTS ?= \
linux-template-builder \
builder \
builder-debian


BUILDER_PLUGINS ?= \
builder-rpm \
builder-debian \
mgmt-salt 

BRANCH_vmm_xen = xen-4.8
BRANCH_linux_kernel = stable-4.14

BRANCH_linux_template_builder = master
BRANCH_linux_yum = master
BRANCH_linux_deb = master
BRANCH_app_linux_split_gpg = master
BRANCH_app_linux_tor = master
BRANCH_app_thunderbird = master
BRANCH_app_linux_pdf_converter = master
BRANCH_app_linux_img_converter = master
BRANCH_app_linux_input_proxy = master
BRANCH_app_linux_usb_proxy = master
BRANCH_app_yubikey = master
BRANCH_builder = master
BRANCH_builder_rpm = master
BRANCH_builder_debian = master
BRANCH_builder_archlinux = master
BRANCH_builder_github = master
BRANCH_builder_windows = master
BRANCH_infrastructure = master
BRANCH_template_whonix = master
BRANCH_linux_pvgrub2 = master
BRANCH_linux_scrypt = master
BRANCH_linux_gbulb = master
BRANCH_python_xcffib = master
BRANCH_python_sphinx = master
BRANCH_python_pillow = master
BRANCH_python_quamash = master
BRANCH_intel_microcode = master

TEMPLATE_ROOT_WITH_PARTITIONS = 1

TEMPLATE_LABEL ?=
TEMPLATE_LABEL += fc25:fedora-25
TEMPLATE_LABEL += fc26:fedora-26
TEMPLATE_LABEL += fc27:fedora-27
TEMPLATE_LABEL += fc28:fedora-28

TEMPLATE_ALIAS ?=
TEMPLATE_ALIAS += jessie:jessie+standard
TEMPLATE_ALIAS += jessie+gnome:jessie+gnome+standard
TEMPLATE_ALIAS += jessie+minimal:jessie+minimal+no-recommends
TEMPLATE_ALIAS += stretch:stretch+standard
TEMPLATE_ALIAS += stretch+gnome:stretch+gnome+standard
TEMPLATE_ALIAS += stretch+minimal:stretch+minimal+no-recommends

TEMPLATE_LABEL += fc25+minimal:fedora-25-minimal
TEMPLATE_LABEL += fc26+minimal:fedora-26-minimal
TEMPLATE_LABEL += fc27+minimal:fedora-27-minimal
TEMPLATE_LABEL += fc28+minimal:fedora-28-minimal
TEMPLATE_LABEL += fc25+xfce:fedora-25-xfce
TEMPLATE_LABEL += fc26+xfce:fedora-26-xfce
TEMPLATE_LABEL += fc27+xfce:fedora-27-xfce
TEMPLATE_LABEL += fc28+xfce:fedora-28-xfce
TEMPLATE_LABEL += jessie:debian-8
TEMPLATE_LABEL += jessie+standard:debian-8
TEMPLATE_LABEL += stretch:debian-9
TEMPLATE_LABEL += stretch+standard:debian-9


about::
@echo "qubes-os-r4.0.conf"


...
./create_template_list.sh: line 13: xenstore-read: command not found
Currently installed dependencies:
git-2.17.0-1.fc28.x86_64
rpmdevtools-8.10-4.fc28.noarch
rpm-build-4.14.1-7.fc28.x86_64
createrepo-0.10.3-15.fc28.noarch
python2-sh-1.12.14-3.fc28.noarch
wget-1.19.4-2.fc28.x86_64
python2-pyyaml-3.12-10.fc28.x86_64
[user@localhost qubes-builder]$ make iso
-> Preparing for ISO build...
--> Removing old rpms from the installer repos...
---> Cleaning up repo: dom0-updates...
---> Cleaning up repo: installer...
---> Cleaning up repo: qubes-dom0...
make: *** No rule to make target 'iso.copy-rpms.builder-debian', needed by 'iso.copy-rpms'.  Stop.
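As an added example (not code from this thread or from the qubes-builder project), here is a small Python parser for the make-syntax builder.conf posted above. It resolves backslash continuations and the `?=`, `+=`, `:=` and `=` operators, prints the effective COMPONENTS list and TEMPLATE_LABEL mapping, and lists settings from the posted config that a reviewer would want to confirm were chosen deliberately: `NO_SIGN ?= 1`, which disables signing of the built packages, the plaintext `http://` GIT_BASEURL, and plugins named in BUILDER_PLUGINS but absent from COMPONENTS (reported for checking, not diagnosed as the cause of the `make iso` error). The sample config is a constructed excerpt of the one in the message.

```python
"""Parse a qubes-builder style builder.conf and summarize it for review.

Added example, not code from the qubes-builder project or from the thread.
It understands the GNU make subset used by builder.conf: comments,
backslash line continuations, and the ?=, +=, := and = assignment operators.
Rule lines such as "about::" and their recipes are skipped.
"""
import re

# Constructed excerpt of the builder.conf posted in the thread (sample input).
SAMPLE_CONF = """\
# vim: ft=make ts=4 sw=4
GIT_BASEURL ?= http://github.com
GIT_PREFIX ?= QubesOS/qubes-
NO_SIGN ?= 1
USE_QUBES_REPO_VERSION=4.0
DIST_DOM0 ?= fc25
DISTS_VM ?= fc26
COMPONENTS ?= \\
linux-template-builder \\
builder \\
builder-debian
BUILDER_PLUGINS ?= \\
builder-rpm \\
builder-debian \\
mgmt-salt
TEMPLATE_LABEL ?=
TEMPLATE_LABEL += fc26:fedora-26
TEMPLATE_LABEL += stretch:debian-9
about::
@echo "qubes-os-r4.0.conf"
"""

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*(\?=|\+=|:=|=)\s*(.*)$")


def join_continuations(text):
    """Merge lines ending in a backslash with the following line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_make_conf(text):
    """Return {variable: value} with make assignment semantics applied.

    ?= sets only if unset, += appends with a space, = and := overwrite.
    Values are whitespace-normalized so list variables split() cleanly.
    """
    conf = {}
    for line in join_continuations(text):
        line = line.split("#", 1)[0].strip()   # drop comments
        m = ASSIGN_RE.match(line)
        if not m:
            continue                            # blank, rule, or recipe line
        name, op, value = m.group(1), m.group(2), " ".join(m.group(3).split())
        if op == "?=":
            conf.setdefault(name, value)
        elif op == "+=":
            conf[name] = (conf.get(name, "") + " " + value).strip()
        else:
            conf[name] = value
    return conf


def template_labels(conf):
    """Map template flavor (e.g. fc26) to the template name it is labelled as."""
    labels = {}
    for item in conf.get("TEMPLATE_LABEL", "").split():
        flavor, name = item.split(":", 1)
        labels[flavor] = name
    return labels


def review(conf):
    """Settings in the parsed config a reviewer would want confirmed on purpose."""
    findings = []
    if conf.get("NO_SIGN") == "1":
        findings.append("NO_SIGN=1: signing of the built packages is disabled")
    base = conf.get("GIT_BASEURL", "")
    if base.startswith("http://"):
        findings.append("GIT_BASEURL fetches sources over plaintext http: " + base)
    components = conf.get("COMPONENTS", "").split()
    for plugin in conf.get("BUILDER_PLUGINS", "").split():
        if plugin not in components:
            findings.append("plugin %s is not listed in COMPONENTS (check intended)" % plugin)
    return findings


if __name__ == "__main__":
    parsed = parse_make_conf(SAMPLE_CONF)
    print("dom0 dist:", parsed["DIST_DOM0"], " VM dists:", parsed["DISTS_VM"])
    print("components:", parsed["COMPONENTS"].split())
    print("template labels:", template_labels(parsed))
    for finding in review(parsed):
        print("review:", finding)
```

Run it against a real builder.conf by replacing SAMPLE_CONF with the file's contents; the `?=` handling matters because a variable exported in the environment or set earlier in the file wins over a later `?=` default, which is why the effective COMPONENTS list can differ from what the last assignment appears to say.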


bobthe...@tutamail.com

Aug 13, 2018, 2:42:47 AM
to Qubes Users
I am using this builder.conf :

"make qubes" seems to be successful and the xenstore-read error does not look critical. But when I then do "make iso" I get an error. I am building on fedora 28 btw.