Qubes repos on Debian-based custom template VMs
128 views
Skip to first unread message
Saswat Padhi
Mar 9, 2018, 2:59:51 AM3/9/18
to qubes-users
Hi everyone,
I was able to build a Xenial TemplateVM using the Qubes Builder,
but I don't see any repository on the VM for updating qubes packages.
Does anyone know if this is supported?
Thanks.
awokd
Mar 10, 2018, 5:49:05 AM3/10/18
to Saswat Padhi, qubes-users
SP
Mar 10, 2018, 11:17:10 AM3/10/18
to qubes-users
I'm afraid to try it since Ubuntu's package versioning, library paths etc. would be different from Debian, and that might potentially break my installation ...
I guess one solution would be to add the "source" Debian repos and compile them on Ubuntu.
Unman
Mar 10, 2018, 2:31:32 PM3/10/18
to SP, qubes-users
Completely unofficial.
My time is somewhat limited but I try to update at least once a month.
Have a look at http://qubes.3isec.org
You'll want to check my key, of course.
You're quite right not to mix Ubuntu and Debian packages. This almost
always creates more problems than it solves.
gas...@gmail.com
Jul 10, 2018, 12:12:12 PM7/10/18
to qubes-users
Are these templates really from Unman?
The key used there is different than the one used at https://www.qubes-os.org/team/ and isn't signed by any known Qubes developer keys.
Am I missing something?
awokd
Jul 11, 2018, 3:54:15 AM7/11/18
to gas...@gmail.com, qubes-users
beginning of the month. I'm guessing the other is newer.
gas...@gmail.com
Jul 11, 2018, 4:27:50 AM7/11/18
to qubes-users
On Wednesday, July 11, 2018 at 3:54:15 PM UTC+8, awokd wrote:
> Looks like the one used for the unofficial packages might have expired
> beginning of the month. I'm guessing the other is newer.
> Looks like the one used for the unofficial packages might have expired
> beginning of the month. I'm guessing the other is newer.
I see the same key for Unman on the Web Archive of 3 months ago:
https://web.archive.org/web/20180429161315/www.qubes-os.org/team/
And even the same key all the way back to 2016:
https://web.archive.org/web/20160723111532/www.qubes-os.org/team/
Unman
Jul 11, 2018, 6:40:55 PM7/11/18
to gas...@gmail.com, qubes-users
On Tue, Jul 10, 2018 at 09:12:11AM -0700, gas...@gmail.com wrote:
> Are these templates really from Unman?
Yes they are, but hideously out of date now.
> Are these templates really from Unman?
I'm in process of updating them this week..
>
> http://qubes.3isec.org/
>
> The key used there is different than the one used at https://www.qubes-os.org/team/ and isn't signed by any known Qubes developer keys.
key isn't difficult to find.
Not being signed is not relevant - it's a side effect of using split
gpg.
>
> Am I missing something?
No. Except that the signing key has expired and I cant get the updated
one out until I get home at the weekend.
unman
gas...@gmail.com
Jul 11, 2018, 9:52:18 PM7/11/18
to qubes-users
On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
> The key on the team page is the key I use for email. My Qubes signing
> key isn't difficult to find.
> Not being signed is not relevant
> The key on the team page is the key I use for email. My Qubes signing
> key isn't difficult to find.
> Not being signed is not relevant
How is it not relevant? There is no way to find if the key in qubes.3isec.org is trusted by anyone in the Qubes dev team.
Why should we trust the key at qubes.3isec.org as coming from the same Unman?
> it's a side effect of using split gpg.
Is there a way to check they both derive from the same master key?
> No. Except that the signing key has expired and I cant get the updated
> one out until I get home at the weekend.
Thank you so much. I would appreciate if you could also publish the set of commands you use to build the template. I've unsuccessfully trying to build it, but the resulting TemplateVM won't even run the Terminal app:
https://github.com/QubesOS/qubes-issues/issues/3871#issuecomment-403343461
Unman
Jul 14, 2018, 8:14:54 PM7/14/18
to gas...@gmail.com, qubes-users
On Wed, Jul 11, 2018 at 06:52:18PM -0700, gas...@gmail.com wrote:
> On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
> > The key on the team page is the key I use for email. My Qubes signing
> > key isn't difficult to find.
> > Not being signed is not relevant
>
> How is it not relevant? There is no way to find if the key in qubes.3isec.org is trusted by anyone in the Qubes dev team.
The lack of signatures is not relevant because no one using split gpg
> On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
> > The key on the team page is the key I use for email. My Qubes signing
> > key isn't difficult to find.
> > Not being signed is not relevant
>
> How is it not relevant? There is no way to find if the key in qubes.3isec.org is trusted by anyone in the Qubes dev team.
as recommended will be signing anybody's keys. (Look at the "Advanced"
paragraph on https://www.qubes-os.org/doc/split-gpg/)
In the absence of WOT it means that you cant pass off the responsibility
for confirming a key to others, and have to make these judgements for
yourself.
You'll find that signing key in various places, including in mailings by
me to this list, so you could check the archive.
Since you have my email and key you could always email me and ask if it is my
signing key. (That's what some people do.)
That's a good question. Without WOT how can you trust *any* key relates
to the person it's claimed for?
I've suggested some ways above that link the Qubes signing key and the
unman email key. Also, you can ask me and I will affirm it is, signed with an email key
that (perhaps) you do trust.
> Is there a way to check they both derive from the same master key?
purposes.
>
> > No. Except that the signing key has expired and I cant get the updated
> > one out until I get home at the weekend.
>
> Thank you so much. I would appreciate if you could also publish the set of commands you use to build the template. I've unsuccessfully trying to build it, but the resulting TemplateVM won't even run the Terminal app:
>
> https://github.com/QubesOS/qubes-issues/issues/3871#issuecomment-403343461
Once they are merged, then it will be a straightforward build - run
setup, 'make qubes-vm' and 'make template'. Of course, the resulting
templates are functional.
Ironically, in view of this thread, I cant upload them until I'm home
and upload my updated signing key. Should be tomorrow.
Marek Marczykowski-Górecki
Jul 15, 2018, 10:37:28 AM7/15/18
to Unman, gas...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sun, Jul 15, 2018 at 01:14:50AM +0100, Unman wrote:
> On Wed, Jul 11, 2018 at 06:52:18PM -0700, gas...@gmail.com wrote:
> > On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
> > > The key on the team page is the key I use for email. My Qubes signing
> > > key isn't difficult to find.
> > > Not being signed is not relevant
> >
> > How is it not relevant? There is no way to find if the key in qubes.3isec.org is trusted by anyone in the Qubes dev team.
>
> The lack of signatures is not relevant because no one using split gpg
> as recommended will be signing anybody's keys. (Look at the "Advanced"
> paragraph on https://www.qubes-os.org/doc/split-gpg/)
>
> In the absence of WOT it means that you cant pass off the responsibility
> for confirming a key to others, and have to make these judgements for
> yourself.
> You'll find that signing key in various places, including in mailings by
> me to this list, so you could check the archive.
> Since you have my email and key you could always email me and ask if it is my
> signing key. (That's what some people do.)
>
> > Why should we trust the key at qubes.3isec.org as coming from the same Unman?
>
> That's a good question. Without WOT how can you trust *any* key relates
> to the person it's claimed for?
> I've suggested some ways above that link the Qubes signing key and the
> unman email key. Also, you can ask me and I will affirm it is, signed with an email key
> that (perhaps) you do trust.
Could you send here a key fingerprint for those packages, using _signed
email_ using your key listed on /team/ page? That would greatly ease its
verification.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAltLXB8ACgkQ24/THMrX
1ywNHAf/ahuZ1rFTO3H0/4PjqbnGI3EFvs0xHiXDZ9tVjr/ytnIuPc/PUB1oA1e9
0OWMSfEPXQgB1MmypfFcBkU4WMNaFI0SqBzSHHUiX+/xEknXcDHN3PgJLnhIMftL
qkYU/EIqhHvRBxQjvTfx3/KqxWr+yMHwdm/Xjf9PepJlQtG0yoP1iU3jP8lX5G6B
mNC826BcbBq1e171J/DbZvAn1iFQfbbVQvqaI6LCuZuvhhfTuKykGynhI9mtp4SU
bdGms+FscMobc9NffclZWK6irVUMm968bhkanWrgA0YboEvTie54GHXDQN8QsEWd
Y5KfEyMU/+UqAYBkrGy7x+LpaHrChw==
=6LMc
-----END PGP SIGNATURE-----
Hash: SHA256
On Sun, Jul 15, 2018 at 01:14:50AM +0100, Unman wrote:
> On Wed, Jul 11, 2018 at 06:52:18PM -0700, gas...@gmail.com wrote:
> > On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
> > > The key on the team page is the key I use for email. My Qubes signing
> > > key isn't difficult to find.
> > > Not being signed is not relevant
> >
> > How is it not relevant? There is no way to find if the key in qubes.3isec.org is trusted by anyone in the Qubes dev team.
>
> The lack of signatures is not relevant because no one using split gpg
> as recommended will be signing anybody's keys. (Look at the "Advanced"
> paragraph on https://www.qubes-os.org/doc/split-gpg/)
>
> In the absence of WOT it means that you cant pass off the responsibility
> for confirming a key to others, and have to make these judgements for
> yourself.
> You'll find that signing key in various places, including in mailings by
> me to this list, so you could check the archive.
> Since you have my email and key you could always email me and ask if it is my
> signing key. (That's what some people do.)
>
> > Why should we trust the key at qubes.3isec.org as coming from the same Unman?
>
> That's a good question. Without WOT how can you trust *any* key relates
> to the person it's claimed for?
> I've suggested some ways above that link the Qubes signing key and the
> unman email key. Also, you can ask me and I will affirm it is, signed with an email key
> that (perhaps) you do trust.
email_ using your key listed on /team/ page? That would greatly ease its
verification.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAltLXB8ACgkQ24/THMrX
1ywNHAf/ahuZ1rFTO3H0/4PjqbnGI3EFvs0xHiXDZ9tVjr/ytnIuPc/PUB1oA1e9
0OWMSfEPXQgB1MmypfFcBkU4WMNaFI0SqBzSHHUiX+/xEknXcDHN3PgJLnhIMftL
qkYU/EIqhHvRBxQjvTfx3/KqxWr+yMHwdm/Xjf9PepJlQtG0yoP1iU3jP8lX5G6B
mNC826BcbBq1e171J/DbZvAn1iFQfbbVQvqaI6LCuZuvhhfTuKykGynhI9mtp4SU
bdGms+FscMobc9NffclZWK6irVUMm968bhkanWrgA0YboEvTie54GHXDQN8QsEWd
Y5KfEyMU/+UqAYBkrGy7x+LpaHrChw==
=6LMc
-----END PGP SIGNATURE-----
Andrew David Wong
Jul 15, 2018, 2:34:26 PM7/15/18
to Unman, gas...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2018-07-14 19:14, Unman wrote:
> On Wed, Jul 11, 2018 at 06:52:18PM -0700, gas...@gmail.com wrote:
>> On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
>>> The key on the team page is the key I use for email. My Qubes
>>> signing key isn't difficult to find. Not being signed is not
>>> relevant
>>
>> How is it not relevant? There is no way to find if the key in
>> qubes.3isec.org is trusted by anyone in the Qubes dev team.
>
> The lack of signatures is not relevant because no one using split
> gpg as recommended will be signing anybody's keys. (Look at the
> "Advanced" paragraph on https://www.qubes-os.org/doc/split-gpg/)
>
True, but you can still cross-sign your own separate keys without
violating security principles if you generated them in the same VM.
> In the absence of WOT it means that you cant pass off the
> responsibility for confirming a key to others, and have to make
> these judgements for yourself.
To some extent, you can. You just have to rely on others to do it more
manually, e.g.:
https://andrewdavidwong.com/fingerprints.txt
> You'll find that signing key in various places, including in
> mailings by me to this list, so you could check the archive. Since
> you have my email and key you could always email me and ask if it
> is my signing key. (That's what some people do.)
>
>> Why should we trust the key at qubes.3isec.org as coming from the
>> same Unman?
>
> That's a good question. Without WOT how can you trust *any* key
> relates to the person it's claimed for?
In addition to cross-signing (mentioned above), you can make the
fingerprint and/or key available from other places around the Web
associated with your identity. A disparate collection of sources,
while individually untrustworthy, can provide reasonably strong
evidence of identity in aggregate. Using myself as an example:
https://andrewdavidwong.com/
https://www.qubes-os.org/team/#andrew-david-wong
https://www.qubes-os.org/news/2016/04/29/community-manager/
https://invisiblethingslab.com/#andrew-david-wong
https://keybase.io/adw
https://github.com/andrewdavidwong
https://twitter.com/andrewdavidwong/status/583961424742854656
https://explorer.blockstack.org/name/adw.id
> I've suggested some ways above that link the Qubes signing key and
> the unman email key. Also, you can ask me and I will affirm it is,
> signed with an email key that (perhaps) you do trust.
>
>> Is there a way to check they both derive from the same master
>> key?
>
> They don't. I highly recommend using different keys for different
> purposes.
>
It's worth noting that Joanna uses a "separate master key" model for
her various personal keys, which are used for different purposes:
https://blog.invisiblethings.org/keys/
My setup is similar, except the master key in my model is the
certify-only primary key (master secret key / sec) of my main key,
with subkeys for signing and encryption, and separate cross-signed
keys for other purposes.
There's not much functional difference for others seeking to verify
our keys. Both allow for separate keys for different purposes that can
be verified from a single main key that never leaves the vault in
which it was generated (separate from the split-gpg backend). I think
the difference is mostly a personal preference regarding internal key
management and workflow.
>
> [...]
>
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAltLk4gACgkQ203TvDlQ
MDCBdhAAzokAPrPnXHDmYIEBIkhdG6iQ8JeEnornYqOHh/erEyjRliqYWHsUZO74
/UWcry/WKY6Q06VJZ5j014V6PMwu5vEnyRA6wG+breW5h1KZFKIG6UEWzgZw3P1w
kNfdgzu1BQlr7enPf4TqBO/VuScM7dMA/ZWdMERiGX5AYSvbWr6haxyMqgNsySpj
cGj+Fyh3Oins1H+td8DR4+btupoNcaCBWpvnKtF7CrYrkq6CP/RgnTnqnf9wb5aT
KM4UDX2D1P2lmwsHdmB49gtNZABR5eYAbrRC0w+XH3ohennE2bvh61Zd/Dn21p3E
gFZHaG85UGscPZOd5y1AHzwBTKKTupFz36hwlfoeW00oG6n1mZ7Iuof4PsLwWTV1
LJZJTS7qBVH/QmuJCXyWBYIsROOsLM9DD7DY9vOGFgJ6vnnD/SRUmHqErU+LLokd
smt1moOPVcmR+E8HdXpaaetxINSme5peHBGpKWBIM6xpoZGk5B2g05kqeMtQ/j0f
bTOyAcUIr1Tl7IKth7jByJG/QllAH1Zjlsz3HsnMKsf5tOiF9QNzAVEEKd/6olbz
GV/h+u/jmCYCeQkbejtfg1cbG+xiyReHOcXhrPR+pE/RWt1rtTHS5w9h5qMTDvcq
j9+i9FiQN4WHH6HAAc7DKfa6FALAaQiS1gOxnzrfTCWNltPvSx4=
=ySSq
-----END PGP SIGNATURE-----
Hash: SHA512
On 2018-07-14 19:14, Unman wrote:
> On Wed, Jul 11, 2018 at 06:52:18PM -0700, gas...@gmail.com wrote:
>> On Thursday, July 12, 2018 at 6:40:55 AM UTC+8, Unman wrote:
>>> The key on the team page is the key I use for email. My Qubes
>>> signing key isn't difficult to find. Not being signed is not
>>> relevant
>>
>> How is it not relevant? There is no way to find if the key in
>> qubes.3isec.org is trusted by anyone in the Qubes dev team.
>
> The lack of signatures is not relevant because no one using split
> gpg as recommended will be signing anybody's keys. (Look at the
> "Advanced" paragraph on https://www.qubes-os.org/doc/split-gpg/)
>
violating security principles if you generated them in the same VM.
> In the absence of WOT it means that you cant pass off the
> responsibility for confirming a key to others, and have to make
> these judgements for yourself.
manually, e.g.:
https://andrewdavidwong.com/fingerprints.txt
> You'll find that signing key in various places, including in
> mailings by me to this list, so you could check the archive. Since
> you have my email and key you could always email me and ask if it
> is my signing key. (That's what some people do.)
>
>> Why should we trust the key at qubes.3isec.org as coming from the
>> same Unman?
>
> That's a good question. Without WOT how can you trust *any* key
> relates to the person it's claimed for?
fingerprint and/or key available from other places around the Web
associated with your identity. A disparate collection of sources,
while individually untrustworthy, can provide reasonably strong
evidence of identity in aggregate. Using myself as an example:
https://andrewdavidwong.com/
https://www.qubes-os.org/team/#andrew-david-wong
https://www.qubes-os.org/news/2016/04/29/community-manager/
https://invisiblethingslab.com/#andrew-david-wong
https://keybase.io/adw
https://github.com/andrewdavidwong
https://twitter.com/andrewdavidwong/status/583961424742854656
https://explorer.blockstack.org/name/adw.id
> I've suggested some ways above that link the Qubes signing key and
> the unman email key. Also, you can ask me and I will affirm it is,
> signed with an email key that (perhaps) you do trust.
>
>> Is there a way to check they both derive from the same master
>> key?
>
> They don't. I highly recommend using different keys for different
> purposes.
>
her various personal keys, which are used for different purposes:
https://blog.invisiblethings.org/keys/
My setup is similar, except the master key in my model is the
certify-only primary key (master secret key / sec) of my main key,
with subkeys for signing and encryption, and separate cross-signed
keys for other purposes.
There's not much functional difference for others seeking to verify
our keys. Both allow for separate keys for different purposes that can
be verified from a single main key that never leaves the vault in
which it was generated (separate from the split-gpg backend). I think
the difference is mostly a personal preference regarding internal key
management and workflow.
>
> [...]
>
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAltLk4gACgkQ203TvDlQ
MDCBdhAAzokAPrPnXHDmYIEBIkhdG6iQ8JeEnornYqOHh/erEyjRliqYWHsUZO74
/UWcry/WKY6Q06VJZ5j014V6PMwu5vEnyRA6wG+breW5h1KZFKIG6UEWzgZw3P1w
kNfdgzu1BQlr7enPf4TqBO/VuScM7dMA/ZWdMERiGX5AYSvbWr6haxyMqgNsySpj
cGj+Fyh3Oins1H+td8DR4+btupoNcaCBWpvnKtF7CrYrkq6CP/RgnTnqnf9wb5aT
KM4UDX2D1P2lmwsHdmB49gtNZABR5eYAbrRC0w+XH3ohennE2bvh61Zd/Dn21p3E
gFZHaG85UGscPZOd5y1AHzwBTKKTupFz36hwlfoeW00oG6n1mZ7Iuof4PsLwWTV1
LJZJTS7qBVH/QmuJCXyWBYIsROOsLM9DD7DY9vOGFgJ6vnnD/SRUmHqErU+LLokd
smt1moOPVcmR+E8HdXpaaetxINSme5peHBGpKWBIM6xpoZGk5B2g05kqeMtQ/j0f
bTOyAcUIr1Tl7IKth7jByJG/QllAH1Zjlsz3HsnMKsf5tOiF9QNzAVEEKd/6olbz
GV/h+u/jmCYCeQkbejtfg1cbG+xiyReHOcXhrPR+pE/RWt1rtTHS5w9h5qMTDvcq
j9+i9FiQN4WHH6HAAc7DKfa6FALAaQiS1gOxnzrfTCWNltPvSx4=
=ySSq
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages