howto add untrusted repository to appVM (without using separate template)

emilcr...@gmail.com

Aug 6, 2016, 9:05:26 PM
to qubes-users
Hi there,

How do I add an outside/untrusted repository to an app-vm based on the standard template, *without* changing the whole template? And/or how do I, after succeeding, install a program from the outside source in the appVM and make the program survive reboot?

I guess this is a general question, although my problem is concerned with the VoIP-program Jitsi: they are not included in either Fedora or Debian repos, and I would not like to add their "untrusted" repo only to the appVM which would actually run the program. (I know I could create a standalone VM, but I prefer not to use 3 GB of space to run just one program :)).

SO: How to solve this? (Without jeopardizing my template-VM)

Best regards,
E

PS: Why oh why is there no voip-client with zrtp-support in the fedora/debian repos?!

Andrew David Wong

Aug 6, 2016, 9:36:18 PM
to emilcr...@gmail.com, qubes-users
You could do this by installing the program to some place in the AppVM that
survives reboot (e.g., the AppVM's home/ directory). Besides that, I can't
think of any way to satisfy all of your desiderata simultaneously. (You could
clone the TemplateVM, but you said you didn't want to create a StandaloneVM
because it would take up too much disk space, and a cloned TemplateVM would
take up roughly the same amount.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Marek Marczykowski-Górecki

Aug 7, 2016, 7:22:18 AM
to Andrew David Wong, emilcr...@gmail.com, qubes-users

On Sat, Aug 06, 2016 at 06:36:10PM -0700, Andrew David Wong wrote:
> On 2016-08-06 18:05, emilcr...@gmail.com wrote:
> > Hi there,
> >
> > How do I add an outside/untrusted repository to an app-vm based on the
> > standard template, *without* changing the whole template? And/or how do I,
> > after succeeding, install a program from the outside source in the appVM
> > and make the program survive reboot?
> >
> > I guess this is a general question, although my problem is concerned with
> > the VoIP-program Jitsi: they are not included in either Fedora or Debian
> > repos, and I would not like to add their "untrusted" repo only to the appVM
> > which would actually run the program. (I know I could create a standalone
> > VM, but I prefer not to use 3 GB of space to run just one program :)).
> >
> > SO: How to solve this? (Without jeopardizing my template-VM)
> >
> > Best regards, E
> >
> > PS: Why oh why is there no voip-client with zrtp-support in the
> > fedora/debian repos?!
> >
>
> You could do this by installing the program to some place in the AppVM that
> survives reboot (e.g., the AppVM's home/ directory). Besides that, I can't
> think of any way to satisfy all of your desiderata simultaneously. (You could
> clone the TemplateVM, but you said you didn't want to create a StandaloneVM
> because it would take up too much disk space, and a cloned TemplateVM would
> take up roughly the same amount.)

I have a similar problem with spotify - I don't want to include it in any
of my standard templates, but on the other hand, I don't want to waste
disk space just for one VM. So I ended up installing it at each VM
startup, using this script:

#!/bin/sh

# 1. Add the Spotify repository signing key to be able to verify
# downloaded packages
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886

# 2. Add the Spotify repository
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list

# 3. Update list of available packages
sudo apt-get update

# 4. Install Spotify
sudo apt-get -y install spotify-client xdg-utils libxss1 zenity

Since I don't restart this VM that often, I call this script manually,
just before starting the spotify client itself (shell command history is
useful ;) ). But it should be enough to put it into /rw/config/rc.local.

Downsides:
- it downloads the packages each time; not a big problem for me, but
can be for others
- there is no spotify entry in the menu (needs to be started from
terminal)

The first issue could be fixed by downloading deb files (apt-get -d) and
then installing them from a local directory (dpkg -i /rw/debs/*.deb).
But it will not automatically download a new version.

The second issue can be fixed by creating the entry manually.


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
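An added example, not part of Marek's message or of Qubes itself: the download-once, install-from-/rw/debs variant he describes, split into a manual refresh step and an install step suitable for /rw/config/rc.local. The directory and package list come from his post; the RUN variable and the function names are hypothetical, and the key and repository steps of his script are assumed to have run before a refresh.

```shell
#!/bin/sh
# Added example, not from the thread. DEB_DIR and PKGS follow the post;
# RUN and the function names are hypothetical.
DEB_DIR="${DEB_DIR:-/rw/debs}"
PKGS="spotify-client xdg-utils libxss1 zenity"
RUN="${RUN:-sudo}"    # RUN=echo prints the commands instead of running them

# Download only (apt-get -d) into the persistent directory. Run by hand,
# after the key and repository steps, whenever a newer version is wanted.
# apt checks the repository signature here; dpkg -i later does not.
refresh_cache() {
    $RUN mkdir -p "$DEB_DIR/partial" &&
    $RUN apt-get update &&
    $RUN apt-get -d -y -o Dir::Cache::archives="$DEB_DIR" install $PKGS
}

# Succeeds if the directory holds at least one .deb file.
have_cache() {
    for f in "$DEB_DIR"/*.deb; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# For /rw/config/rc.local: install from the directory, no network needed.
install_from_cache() {
    if ! have_cache; then
        echo "no .deb files in $DEB_DIR; run refresh first" >&2
        return 1
    fi
    $RUN dpkg -i "$DEB_DIR"/*.deb
}

case "${1:-}" in
    refresh) refresh_cache ;;
    install) install_from_cache ;;
esac
```

Older versions stay in the directory after a refresh, so remove superseded .deb files before the next start; otherwise dpkg is handed two versions of the same package.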

Andrew David Wong

Aug 7, 2016, 8:36:36 AM
to Marek Marczykowski-Górecki, emilcr...@gmail.com, qubes-users
I didn't want to mention the option of installing at each VM startup using
rc.local because one of the requirements was "surviving reboot." But I agree
that this is otherwise a good option.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Chris Laprise

Aug 7, 2016, 1:00:23 PM
to Marek Marczykowski-Górecki, Andrew David Wong, emilcr...@gmail.com, qubes-users
I just wanted to point out a qualitative difference between Jitsi and
Spotify:

The former is used as a trusted component to protect the users' privacy
and probably security. Although that depends on how you're going to use
Jitsi, the question is posed in a way that suggests the app would be
used to maintain privacy.

So the relevant questions are: 1) Is the Jitsi repo signed, and if so...
2) How much do you trust the developers? If you trust them to keep your
communications private, you might also trust them enough to add their
repo to one or more templates.

You could also look for a "portable" version of the app; such versions
don't require standard installation procedures and usually run from
whatever folder you place them in. Although Tor Browser is a portable
app from the start, for example, there are many examples of apps that
have been converted to portable, including Jitsi (for Windows):

https://sourceforge.net/projects/jitsiportable/

I wish Ring.cx had a portable version, too, as that app shows a lot of
promise... https://ring.cx

BTW, you can also just create a standalone appvm and add the Jitsi repo
to that.

> PS: Why oh why is there no voip-client with zrtp-support in the fedora/debian repos?!


I have wondered the same thing, myself. The best answer I can come up with is that there is a wide gulf between the wave of privacy-minded users and the curators of those distros. There are a growing number of privacy-enhancing apps that are being ignored by the old guard.


Chris
