Any chance of moving dom0 to F26 for 4.0 final release


Kushal Das

Dec 12, 2017, 9:52:46 PM
to Qubes-devel
Hi,

This is my first email to this list. Thank you all for the amazing
work. I am wondering if there is any plan of moving the dom0 to Fedora
26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
12th December.

Also on a related note, is there any way existing Fedora contributors/
packagers can help/contribute to project?

Kushal
--
Staff, Freedom of the Press Foundation
CPython Core Developer
Director, Python Software Foundation
https://kushaldas.in

Marek Marczykowski-Górecki

Dec 13, 2017, 9:20:49 AM
to Kushal Das, Qubes-devel
On Wed, Dec 13, 2017 at 08:22:43AM +0530, Kushal Das wrote:
> Hi,
>
> This is my first email to this list. Thank you all for the amazing
> work. I am wondering if there is any plan of moving the dom0 to Fedora
> 26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
> 12th December.

No, it's too late to change dom0 distribution this late in release
cycle. See here for some info:

https://www.qubes-os.org/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0

But, there is already available fedora-26 template for some time
and if it got enough testing, we may consider switching default template
to fedora-26 for the next release candidate.

> Also on a related note, is there any way existing Fedora contributors/
> packagers can help/contribute to project?

Can you rephrase?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Kushal Das

Dec 13, 2017, 9:33:39 AM
to Marek Marczykowski-Górecki, Qubes-devel
On Wed, Dec 13, 2017 at 7:50 PM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> On Wed, Dec 13, 2017 at 08:22:43AM +0530, Kushal Das wrote:
>> Hi,
>>
>> This is my first email to this list. Thank you all for the amazing
>> work. I am wondering if there is any plan of moving the dom0 to Fedora
>> 26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
>> 12th December.
>
> No, it's too late to change dom0 distribution this late in release
> cycle. See here for some info:
>
> https://www.qubes-os.org/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0

Thank you for the reply.

>
> But, there is already available fedora-26 template for some time
> and if it got enough testing, we may consider switching default template
> to fedora-26 for the next release candidate.
>
>> Also on a related note, is there any way existing Fedora contributors/
>> packagers can help/contribute to project?
>
> Can you rephrase?

I am a Fedora contributor. I do packaging and am also part of the Fedora
Infrastructure team. If I want to help out Qubes as a volunteer, do you
have any process or issues which I can look into? I am also a Python
developer, so I can dig into Python code too.

Kushal

Marek Marczykowski-Górecki

Dec 13, 2017, 10:02:59 AM
to Kushal Das, Qubes-devel
On Wed, Dec 13, 2017 at 08:03:36PM +0530, Kushal Das wrote:
> I am a Fedora contributor. I do packaging and am also part of the Fedora
> Infrastructure team. If I want to help out Qubes as a volunteer, do you
> have any process or issues which I can look into? I am also a Python
> developer, so I can dig into Python code too.

We do have some packages (generic) that are not available in Fedora:
https://github.com/QubesOS/qubes-linux-gbulb
https://github.com/QubesOS/qubes-linux-pvgrub2
https://github.com/QubesOS/qubes-linux-scrypt

We'll probably also need a package for this:
https://github.com/harvimt/quamash

Having them upstream would help a lot.

Another thing is support for signature verification in anaconda and co.
This is the main reason why we have our forks of many packages (pykickstart,
pungi, livecd-tools, anaconda). We've tried to upstream this, but
apparently there is not much interest in it... See here for related
pull requests and discussion:
https://github.com/rhinstaller/pykickstart/pull/32#issuecomment-144046375
https://bugzilla.redhat.com/show_bug.cgi?id=1448164

Thanks!

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Kushal Das

Dec 13, 2017, 10:16:45 AM
to Marek Marczykowski-Górecki, Qubes-devel
On Wed, Dec 13, 2017 at 8:32 PM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> On Wed, Dec 13, 2017 at 08:03:36PM +0530, Kushal Das wrote:
>> I am a Fedora contributor. I do packaging and am also part of the Fedora
>> Infrastructure team. If I want to help out Qubes as a volunteer, do you
>> have any process or issues which I can look into? I am also a Python
>> developer, so I can dig into Python code too.
>
> We do have some packages (generic) that are not available in Fedora:
> https://github.com/QubesOS/qubes-linux-gbulb
> https://github.com/QubesOS/qubes-linux-pvgrub2
> https://github.com/QubesOS/qubes-linux-scrypt
>
> We'll probably also need a package for this:
> https://github.com/harvimt/quamash
>
> Having them upstream would help a lot.

Thank you, I will start looking into these.


>
> Another thing is support for signature verification in anaconda and co.
> This is the main reason why we have our forks of many packages (pykickstart,
> pungi, livecd-tools, anaconda). We've tried to upstream this, but
> apparently there is not much interest in it... See here for related
> pull requests and discussion:
> https://github.com/rhinstaller/pykickstart/pull/32#issuecomment-144046375
> https://bugzilla.redhat.com/show_bug.cgi?id=1448164
>
I am also pinging the folks to find out more details on that bug. Thank you
once again for pointing to the issues.

Kushal

Andrew David Wong

Dec 13, 2017, 10:30:31 AM
to Kushal Das, Marek Marczykowski-Górecki, Qubes-devel
On 2017-12-13 08:20, Marek Marczykowski-Górecki wrote:
> On Wed, Dec 13, 2017 at 08:22:43AM +0530, Kushal Das wrote:
>> Hi,
>
>> This is my first email to this list. Thank you all for the amazing
>> work. I am wondering if there is any plan of moving the dom0 to Fedora
>> 26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
>> 12th December.
>
> No, it's too late to change dom0 distribution this late in release
> cycle. See here for some info:
>
> https://www.qubes-os.org/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0
>

Also see the note here specifically regarding the dom0 OS reaching EOL:

https://www.qubes-os.org/doc/supported-versions/#dom0

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Chris Laprise

Dec 13, 2017, 11:10:51 AM
to Kushal Das, Marek Marczykowski-Górecki, Qubes-devel
On 12/13/2017 10:16 AM, Kushal Das wrote:
> On Wed, Dec 13, 2017 at 8:32 PM, Marek Marczykowski-Górecki
> <marm...@invisiblethingslab.com> wrote:
>> On Wed, Dec 13, 2017 at 08:03:36PM +0530, Kushal Das wrote:
>>> I am a Fedora contributor. I do packaging and am also part of the Fedora
>>> Infrastructure team. If I want to help out Qubes as a volunteer, do you
>>> have any process or issues which I can look into? I am also a Python
>>> developer, so I can dig into Python code too.
>> We do have some packages (generic) that are not available in Fedora:
>> https://github.com/QubesOS/qubes-linux-gbulb
>> https://github.com/QubesOS/qubes-linux-pvgrub2
>> https://github.com/QubesOS/qubes-linux-scrypt
>>
>> We'll probably also need a package for this:
>> https://github.com/harvimt/quamash
>>
>> Having them upstream would help a lot.
> Thank you, I will start looking into these.

I'd also like to mention that Fedora's version of tboot is very outdated
(from 2014). Qubes uses this for the anti-evil-maid feature:
https://sourceforge.net/projects/tboot/files/?source=navbar

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Chris Laprise

Dec 13, 2017, 11:16:23 AM
to Marek Marczykowski-Górecki, Kushal Das, Qubes-devel
On 12/13/2017 09:20 AM, Marek Marczykowski-Górecki wrote:
> On Wed, Dec 13, 2017 at 08:22:43AM +0530, Kushal Das wrote:
>> Hi,
>>
>> This is my first email to this list. Thank you all for the amazing
>> work. I am wondering if there is any plan of moving the dom0 to Fedora
>> 26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
>> 12th December.
> No, it's too late to change dom0 distribution this late in release
> cycle. See here for some info:
>
> https://www.qubes-os.org/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0
>
> But, there is already available fedora-26 template for some time
> and if it got enough testing, we may consider switching default template
> to fedora-26 for the next release candidate.

I have tried a few apps + Openvpn on fedora-26 and it seems OK. But
fedora-26-minimal is a different story; some essential component is
missing for vpn and I haven't had time to track it down.

Jean-Philippe Ouellet

Dec 13, 2017, 12:04:56 PM
to Chris Laprise, Marek Marczykowski-Górecki, Kushal Das, Qubes-devel
On Wed, Dec 13, 2017 at 11:15 AM, Chris Laprise <tas...@posteo.net> wrote:
> On 12/13/2017 09:20 AM, Marek Marczykowski-Górecki wrote:
>>
>> On Wed, Dec 13, 2017 at 08:22:43AM +0530, Kushal Das wrote:
>>>
>>> Hi,
>>>
>>> This is my first email to this list. Thank you all for the amazing
>>> work. I am wondering if there is any plan of moving the dom0 to Fedora
>>> 26 in the final 4.0 release. I am asking this as Fedora 25 EOLed on
>>> 12th December.
>>
>> No, it's too late to change dom0 distribution this late in release
>> cycle. See here for some info:
>>
>>
>> https://www.qubes-os.org/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0
>>
>> But, there is already available fedora-26 template for some time
>> and if it got enough testing, we may consider switching default template
>> to fedora-26 for the next release candidate.
>
>
> I have tried a few apps + Openvpn on fedora-26 and it seems OK. But
> fedora-26-minimal is a different story; some essential component is missing
> for vpn and I haven't had time to track it down.

qubes-core-agent-networking (the thing that actually brings up the
interfaces and handles ip/nftables, etc. according to the config
passed via qubesdb) is not installed by default. Perhaps that's your
issue?

entr0py

Dec 13, 2017, 2:17:23 PM
to Chris Laprise, Qubes-devel
Chris Laprise:
>
> I have tried a few apps + Openvpn on fedora-26 and it seems OK. But fedora-26-minimal is a different story; some essential component is missing for vpn and I haven't had time to track it down.
>
>

I've used openvpn with /r3.2/templates-itl/rpm/qubes-template-fedora-26-minimal-4.0.0-201711170336.noarch.rpm without any issues. `iptables` needs to be installed.

Tom Zander

Dec 15, 2017, 11:54:06 PM
to Qubes-devel
On Wednesday, 13 December 2017 15:20:39 CET Marek Marczykowski-Górecki
wrote:
> But, there is already available fedora-26 template for some time
> and if it got enough testing, we may consider switching default template
> to fedora-26 for the next release candidate.

Would be interesting to know if KDE actually installs in that version;

https://github.com/QubesOS/qubes-issues/issues/3212

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/floweethehub