@chiefgyk3d #QubesOS isn't bad as long as you've got a brain, compatible hardware, and don't stray too far from their usage guides. It's harder than Windows, but once you grok it it's not a big deal.
Was reading about virtualization and containers today.
Then I read about Qubes OS.
This thing looks so freaking cool!!!
I read about a feature and think, yeah things should be like that!
ahahshdhd I wanna try itttt
but it doesn't seem to support live USB (version not supposed or recommended) or dual booting.
And I don't wanna erase my computer again..
@dekkzz76 Yeah. Such is #Debian life.
I could do it with #Guix, but then that means my configurations aren't portable to those #qubes and machines on which I purposely do not put Guix. And while I could handle an additional layer of environment variability... I really don't feel like it.
Day 10: changing the game. #qubes doesn’t work as I would like with my external docks. The reason is CONFIG_HOTPLUG_PCI support disabled in kernel. Since it’s by design, and consistent with #qubesos focus on strict security, I see no point in compiling my own kernel (I think the last kernel I compiled was a 2.4 🫣) and even less in fighting a lifelong war with my setup. I’ll try to “roll my own” alternative, with similar networking concepts, and more lax hardware security.
Qubes OS Summit 2023: October 6-8 in Berlin
https://www.qubes-os.org/news/2023/08/25/qubes-os-summit-2023/
#qubes #qubesos #security #os #modularos #summit #virtualization #compartmentalization
Day 9: is it me, is it Qubes, or is it UEFI? Debian 12 live KDE Plasma edition, up and running with no additional config: thunderbolt dock connected and detected, all peripherals working (incl. usb audio amplifier), displays on, lid closed. It’s doable. #debian #qubes #qubesos
Days 7-8: I’m fighting with the hardware. Thunderbolt docks aren’t recognized properly, and usb-c hubs are a nuisance, at best. I need to investigate some more, but apparently #qubesos kernel doesn’t support PCI hotplug, so I should boot connected to the docking, but I can’t get them to work even if I do (which isn’t the best option, but I can live with that). Tomorrow I’ll try a live Debian 12, to look at some logs… #qubes
Have any #blind people used #Qubes and is it #accessible? I've been wanting to try it for a while. #QubesOS #accessibility
Proud to share that the QubesOS template builder for Alpine Linux is working. Here is the repo for any QubesOS users who'd like to try it out:
https://lab.ilot.io/ayakael/qubes-builder-alpine
Go to releases for RPMs installable on Qubes.
There's still a lot to do. For example, they can't really be used for system appvms, but I've been using a manually built template for a year, and it's been great!
Day 5: spent some time cloning templates and configuring VPN qubes, so not much to show and tell. Right after packing for the evening, “let’s try, worse it will do, it will kernel panic”. It didn’t. Qubes and Caldigit Ts3, external display. Much still to be tweaked, but we definitely have a signal. #qubes #qubesos
@zlatiah @wholesomedonut @lack @benjaminhollon
#QubesOS is actual VMs, or so I thought.
@SpaceLifeForm Yeah, #QubesOS thankfully disables hyperthreading by default.
(And I've also done so manually on all my other hardware that doesn't run it.)
You know, I think the #OpenBSD and #QubesOS folks have the right idea regarding hyperthreading.
The last few major hardware vulnerabilities all had it as a pretty central part of exploitation.
Is the slight gain in performance worth the #security tradeoff? I don't think so.
For Qubes, it's possible to ensure only threads from the same #Xen VM/trust-domain run collocated on a core, but for more conventional OSes, that's much harder to guarantee.
@matzipan @0xabad1dea @mjg59 Just disabling hyperthreading & separating things into different VMs (hewwo #QubesOS) will generally be enough for this one.
@debacle @cstross @marqle If you want to cover most of the unicode code-points it goes right back to being about as useful as the Alt codes in Windows (not very).
So it's inherently more limited... and since I try & do most things in #Emacs, it's not worth the bother.
(It's also one very unpleasant rabbit hole on #QubesOS.)
@ramonita @thepoliticalcat Quite right.
This is also a consequence that flows from the (memory unsafe) monolithic kernel model. If the drivers were individual #microkernel servers, it would be entirely possible to deny it access to anything other than the #GPU hardware memory and calling interfaces for the display server (or whatever else) to use the driver.
No network, no nothing.
#QubesOS's GUIVM would have the same benefits if one were to use the proprietary drivers in it.
@gnemmi > It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading.
And I'm yet again so glad for #QubesOS' separation of trust domains and refusal of hyperthreading across domains (even intra-domain isn't enabled by default, the default is no hyperthreading).
I am so in love with #qubesos. I just love how much control I have over everything. The whole concept is just amazing. Planning to use it as my daily driver as soon as I get an apu.