Closed peakunshift closed 4 months ago
ben-grande
commented
4 months ago I have a script that does that, it is in my dotfiles repository.
It uses the same logic in the readme.
UPDATES_MAX_FILES=10000 qvm-copy-to-dom0 QUBE /path/to/projectYou can alias this (and save to your shell rc):
alias cp-qusal="UPDATES_MAX_FILES=10000 qvm-copy-to-dom0 QUBE /path/to/project"
peakunshift
commented
4 months ago Nice, can this be moved to the project? So no need to install something new, and limiting the amount of dom0 modifications is better to respect QubesOS security philosophy.
ben-grande
commented
4 months ago Yes, it can be moved because it the rationale is that it doesn't need to be a dotfile, it can be in /usr/bin.
There is nothing security-wise preventing the installation of anything to dom0, the Qrexec Admin API is not used because Qusal is deployed to Dom0 and not to an Admin Management qube, this is an idea for the future, but Qrexec has some known limitations that I don't think it is worth it with the current Qrexec protocol.
ben-grande
commented
4 months ago Note that git does automatic signature verification on merges as the dotfiles were placed in dom0, therefore manual signature verification is not necessary when updating. The downside you already know, installing git on dom0, which by itself is not bad, but the Git over Qrexec that I provide, I do not consider it the best against attacks, only woju/qubes-app-split-git is noteworthy on this aspect, but it is very limited.
ben-grande
commented
4 months ago Side note: I am glad that the installation instructions were understandable so you could install it. I will be updating soon the update section from the readme.
peakunshift
commented
4 months ago Great!
Btw when installing Qusal for the first time, I didn't install the Dotfiles, but I didn't have any blocking issues without it, at least from what I saw.
Git is not present in dom0 by default, and can still be optional as the user can decide not to install it. Currently the README implies Git is installed on dom0 for signature verification, but it can also be done in the VM from which we grad Qusal. Can the README reflects this?
peakunshift
commented
4 months ago I can open a PR for this doc change, but I also would like to fix one sentence in the README that is not clear:
Install git in the qube, if it is an AppVM, install it it's the TemplateVM and restart the AppVM.
The "install it it's the" must be a typo, what do you mean here?
ben-grande
commented
4 months ago Btw when installing Qusal for the first time, I didn't install the Dotfiles, but I didn't have any blocking issues without it, at least from what I saw.
Possible with many projects, dotfiles are mostly for UX in many of them.
Git is not present in dom0 by default, and can still be optional as the user can decide not to install it. Currently the README implies Git is installed on dom0 for signature verification, but it can also be done in the VM from which we grad Qusal. Can the README reflects this?
The salt state sys-git.install-client installs Git. You don't need to install git manually.
for signature verification, but it can also be done in the VM from which we grad Qusal. Can the README reflects this?
No, this would elevate the DomU to be as trusted as Dom0. If we do signature verification in Dom0, we are distrusting DomU, just like how Qubes updates Dom0, it downloads packages in the updatevm but it verifies the package signatures in Dom0.
ben-grande
commented
4 months ago Install git in the qube, if it is an AppVM, install it it's the TemplateVM and restart the AppVM.
The "install it it's the" must be a typo, what do you mean here?
It is a typo, is this clearer:
install git in the qube, if it is an AppVM, install in it's TemplateVM
Please continue these suggestions, as I wrote these texts, I read them without noticing the typos. Would you prefer to rewrite the phrase? I ask this because one typo is not supposed to make the whole sentence unclear, so maybe we need to reword it better, or maybe just a simpler phrase:
install git in the qube
and leave for the user to install on the template, this is basic qubes usage, but normally I don't leave for the user to figure it out themselves, so maybe the following:
install git in the qube you will download Qusal, if it is based on a template, install in the template
Commitment
I confirm that I have read the following resources:
[x] How to ask questions The Smart Way
[x] Writing the perfect question
[x] Question checklist
[x] Could you please make my preference the defafault?
Current problem (if any)
Syncing the project from the domU to dom0 can be achieved in multiple ways. The
qvm-runcommand written in the project's README is the simplest as it doesn't require any package installation like git in dom0, but is a bit long to type each time.Proposed solution
Create a script, for example
copy-from-domU.shthat can be executed each time we want to sync the project. We will need to define in it thequbeandfilevariables once.The value to a user, and who that user might be
The command will still need to be executed manually the first time to move the project to dom0, but then the script makes it faster, and no need to install any package in dom0.