
List:       qubes-users
Subject:    Re: [qubes-users] Installing/updating apps in a TemplateVM
From:       unman <unman () thirdeyesecurity ! org>
Date:       2018-09-28 13:14:53
Message-ID: 20180928131453.xmgirtdbj64takp4 () thirdeyesecurity ! org

On Fri, Sep 28, 2018 at 01:56:41PM +0100, unman wrote:
> On Fri, Sep 28, 2018 at 01:02:22PM +0100, unman wrote:
> > On Fri, Sep 28, 2018 at 03:15:22AM -0700, OutdoorAcorn wrote:
> > > On Friday, 28 September 2018 10:48:19 UTC+1, unman  wrote:
> > > > On Fri, Sep 28, 2018 at 05:09:22AM +0000, 'awokd' via qubes-users wrote:
> > > > > 
> > > > > 
> > > > > OutdoorAcorn:
> > > > > > I've just installed Qubes OS 4.0 on my old laptop to get the hang of it
> > > > > > before I (hopefully) make my leap over from Windows!
> > > > > > I wanted to install some new software in the personal and work domains so
> > > > > > I went to the "Qubes Menu -> Template: fedora-26 -> fedora-26: Software"
> > > > > > and clicked the Install button for an app however it only ever displayed
> > > > > > pending. I opened up the Qubes Manager and noticed that no NetVM was
> > > > > > assigned to any of the templates. I opened the settings and assigned it
> > > > > > sys-firewall which then allowed me to install programs.
> > > > > > On the https://www.qubes-os.org/doc/software-update-vm/ page under "Notes
> > > > > > on trusting your TemplateVM(s)" heading it says:
> > > > > > "Only install packages from trusted sources – e.g. from the
> > > > > > pre-configured Fedora repositories. All those packages are signed by
> > > > > > Fedora, and we expect that at least the package's installation scripts
> > > > > > are not malicious. This is enforced by default (at the firewall VM
> > > > > > level), by not allowing any networking connectivity in the default
> > > > > > template VM, except for access to the Fedora repos."
> > > > > > This no longer seems the case in Qubes OS 4.0 - no NetVM is attached to
> > > > > > the TemplateVMs and no default firewall rules. Okay, onto the questions:
> > > > > > 1) Have these defaults been missed out from the Qubes OS 4.0 install?
> > > > > > 2) Or is the documentation out of date and it's now recommended to do
> > > > > > something else?
> > > > > > 3) How should I go about installing/updating apps in the TemplateVMs?
> > > > > > 3a) permanently attach sys-firewall and create firewall rules to only
> > > > > > allow trusted repos as the docs currently suggest
> > > > > > 3b) or only attach sys-firewall when updating/installing and disconnect
> > > > > > afterwards?
> > > > > 
> > > > > The docs are right, but what they mean is that you can't use the "Software"
> > > > > application to install apps in templates. You should leave NetVM on (none)
> > > > > on the templates and instead use dnf on Fedora or apt on Debian.
> > > > 
> > > > To put a bit more flesh on that:
> > > > 1. The mechanism has changed in Qubes 4.0, so the old defaults no longer
> > > > apply.
> > > > Instead of using restricted access to a netvm, in Qubes 4.0 the update
> > > > proxy is reached by qrexec calls. This provides better insulation for
> > > > the template.
> > > > You should not attach a TemplateVM to a netVM.
> > > > 2. The docs should be clarified.
> > > > 3. Open a terminal in the TemplateVM and run 'sudo dnf' or appropriate
> > > > package manager, as awokd says.
> > > > 3a. For reason above do not do this in Qubes 4.0
> > > > 3b. For reason above do not do this in Qubes 4.0
> > > > 
> > > > 
> > > > If you want to install software not already packaged, then download (and
> > > > verify) it in an online qube and qvm-move it to the TemplateVM. Be aware
> > > > of the additional risks involved.
> > > > 
> > > > unman
> > > 
> > > 
> > > Thanks for the response awokd and unman. I can confirm that this works as
> > > expected using dnf and apt. Reading further down on that page it explains in
> > > more detail how this is done via the qubes-update-proxy service.
> > > If you can't install apps via the "Software" gui app how come it is listed in
> > > "Qubes Menu -> Template: fedora-26"? It seems like this is just going to lead
> > > newbies like myself down a dead end.
> > > You could go as far as to say that the "Software" app isn't useful and should be
> > > removed. It can only be used in an AppVM or DVM (with an attached NetVM) and in
> > > the case of the AppVM the installed app would be removed on reboot.
> > > Thanks again for clearing this up for me.
> > > =)
> > > 
> > 
> > I'm not a Fedora user, but I would have expected the Software gui to
> > work. The proxy use is set in dnf config and it would be surprising if
> > the GUI program didn't honour that.
> > Certainly in Debian based Ubuntu all the dpkg based package managers use
> > the same config settings and honour the proxy.
> > 
> 
> It seems to be an extremely long running issue with the Gnome Software tool.
> There is a suggestion that setting ProxyHTTP in
> /etc/PackageKit/PackageKit.conf may fix this, and Qubes does that by
> default, but it doesn't seem to work.
> I'm not a Fedora user (or Gnome really), but maybe someone else has
> a suggestion?
> 

There's an open issue for this (#3815):
https://github.com/QubesOS/qubes-issues/issues/3815
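
The thread's advice that a TemplateVM should not be attached to a netVM in Qubes 4.0 can be checked from dom0. The script below is an added example, not part of the original messages and not Qubes project code: it lists templates that still have a netvm set. It assumes that `qvm-ls --raw-data --fields NAME,CLASS,NETVM` prints pipe-separated records with `-` for no netvm; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Intended for dom0 on Qubes 4.0.
# Assumption: `qvm-ls --raw-data --fields NAME,CLASS,NETVM` prints one
# pipe-separated record per qube and shows "-" when no netvm is set.

# Read "name|class|netvm" records on stdin and print every TemplateVM
# that has a netvm attached, as "name netvm".
templates_with_netvm() {
    awk -F'|' '
        $2 == "TemplateVM" && $3 != "" && $3 != "-" && $3 != "None" {
            print $1, $3
        }'
}

# Constructed sample records (not real output), usable offline.
sample_records() {
    cat <<'EOF'
sys-firewall|AppVM|sys-net
fedora-26|TemplateVM|sys-firewall
debian-9|TemplateVM|-
work|AppVM|sys-firewall
whonix-ws|TemplateVM|
EOF
}

# Return 0 when no template has a netvm, 1 otherwise, listing offenders.
audit_templates() {
    offenders=$(templates_with_netvm)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" |
            while read -r vm netvm; do
                echo "WARN: template $vm has netvm $netvm; expected none"
            done
        return 1
    fi
    echo "OK: no template has a netvm attached"
    return 0
}

# In dom0, audit live data; elsewhere, demonstrate on the sample records.
if command -v qvm-ls >/dev/null 2>&1; then
    qvm-ls --raw-data --fields NAME,CLASS,NETVM | audit_templates
else
    sample_records | audit_templates || :   # demo run, status ignored
fi
```
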
