QSB-072: Inconsistent handling of the override-redirect flag
https://www.qubes-os.org/news/2021/09/27/qsb-072/
We have just published Qubes Security Bulletin (QSB) 072:
Inconsistent handling of the override-redirect flag.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-072 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-072-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 072 ]===---
2021-09-27
Inconsistent handling of the override-redirect flag
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- qubes-gui-dom0 version 4.0.15
For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) [1]:
- qubes-gui-daemon version 4.1.16
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [3]
The user session must be restarted afterward in order for the updates to
take effect, e.g., by logging out then logging back in.
Summary
--------
An override-redirect flag in the X11 protocol tells the window manager
not to manage a particular window. Windows with such flags do not get
their frames or noscript bars from the window manger, nor does the window
manager determine their positions. This feature is used for application
menus, tooltips, and similar accessory windows.
Since the window manager ignores such windows, the GUI daemon imposes
certain extra constraints on them, such as drawing thin colored frames.
Unfortunately, there are several cases in which the window manager and
GUI daemon do not agree on the override-redirect flag state, leading to
neither of them imposing the appropriate constraints.
Impact
-------
Normally, every window in Qubes OS has an unspoofable colored frame,
except for those belonging to dom0 or a GUI qube. [1] The flaws
described in this bulletin allow a malicious qube to create a window
that has no such colored frame. Such a window might be made to appear as
though it belongs to a different qube. For example, a malicious qube
with an untrusted color label might draw a passphrase prompt window.
Then, in order to induce the user to enter a valuable passphrase into
this window, the malicious qube might draw a fake frame in a different
color (more trusted than its own) along the inside edge of the window.
Since the window has no externally-imposed colored frame of its own, the
user might be deceived into accepting the fake internally-drawn frame as
a reliable indicator of the window's trust level or origin.
Such windows are also capable of bypassing limits normally imposed on
windows with the override-redirect flag. For example, such windows are
capable of covering desktop environment panels, potentially preventing
users from interacting with certain parts of the system or displaying
fake interface elements. Since such windows also lack colored frames,
they could be made to appear as though they belong to dom0 or a GUI qube
in an attempt to deceive users into believing that they are interacting
with trusted parts of the system.
Discussion
-----------
There were several cases in which the GUI daemon's view of the
override-redirect flag did not match the window manager's expectations:
1. Using an MSG_CONFIGURE GUI protocol [4] command to change the
override-redirect flag of a window that has already been mapped
https://www.qubes-os.org/news/2021/09/27/qsb-072/
We have just published Qubes Security Bulletin (QSB) 072:
Inconsistent handling of the override-redirect flag.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-072 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-072-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 072 ]===---
2021-09-27
Inconsistent handling of the override-redirect flag
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- qubes-gui-dom0 version 4.0.15
For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) [1]:
- qubes-gui-daemon version 4.1.16
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [3]
The user session must be restarted afterward in order for the updates to
take effect, e.g., by logging out then logging back in.
Summary
--------
An override-redirect flag in the X11 protocol tells the window manager
not to manage a particular window. Windows with such flags do not get
their frames or noscript bars from the window manger, nor does the window
manager determine their positions. This feature is used for application
menus, tooltips, and similar accessory windows.
Since the window manager ignores such windows, the GUI daemon imposes
certain extra constraints on them, such as drawing thin colored frames.
Unfortunately, there are several cases in which the window manager and
GUI daemon do not agree on the override-redirect flag state, leading to
neither of them imposing the appropriate constraints.
Impact
-------
Normally, every window in Qubes OS has an unspoofable colored frame,
except for those belonging to dom0 or a GUI qube. [1] The flaws
described in this bulletin allow a malicious qube to create a window
that has no such colored frame. Such a window might be made to appear as
though it belongs to a different qube. For example, a malicious qube
with an untrusted color label might draw a passphrase prompt window.
Then, in order to induce the user to enter a valuable passphrase into
this window, the malicious qube might draw a fake frame in a different
color (more trusted than its own) along the inside edge of the window.
Since the window has no externally-imposed colored frame of its own, the
user might be deceived into accepting the fake internally-drawn frame as
a reliable indicator of the window's trust level or origin.
Such windows are also capable of bypassing limits normally imposed on
windows with the override-redirect flag. For example, such windows are
capable of covering desktop environment panels, potentially preventing
users from interacting with certain parts of the system or displaying
fake interface elements. Since such windows also lack colored frames,
they could be made to appear as though they belong to dom0 or a GUI qube
in an attempt to deceive users into believing that they are interacting
with trusted parts of the system.
Discussion
-----------
There were several cases in which the GUI daemon's view of the
override-redirect flag did not match the window manager's expectations:
1. Using an MSG_CONFIGURE GUI protocol [4] command to change the
override-redirect flag of a window that has already been mapped
(i.e., made visible). In this case, the GUI daemon saved the new
state of the flag (and thus stopped applying its own constraints),
but it had not yet sent this flag to the X server.
2. Using an MSG_MAP GUI protocol [4] command to change the
override-redirect flag of a window that has already been mapped. In
this case, the attribute was updated in the X server, but the window
manager did not pick up the change, since the window was already
mapped.
3. The override-redirect protection feature, which prevents a window
from covering more than 90% of the screen if it has the
override-redirect flag, suffered from the same problem described in
the first point.
4. It was unclear how docked windows (aka "tray icons") should interact
with the override-redirect flag. Neither the XEmbed Protocol
Specification [5] nor the System Tray Protocol Specification [6]
defines how they should interact.
5. Docking a window passes control over mapping and unmapping the window
to the embedder (the application that "holds" the docked windows).
The implications of this behavior are unclear, and we cannot rule
out the possibility that this could be abused in some way.
6. There are two things that draw externally-imposed colored frames in
Qubes OS: the window manager and the GUI daemon. The GUI daemon draws
colored frames around windows with the override-redirect flag and
docked windows (aka "tray icons"), while the window manager draws all
other colored frames, e.g., for "normal" windows. (The window manager
also controls the noscript bar, which is another type of trusted window
decoration.)
Any window, including a docked window, can have a "child" window,
which is a separate window embedded in the parent window. Children do
not have the override-redirect flag, even when their parents do.
Children also do not have colored frames externally imposed by the
GUI daemon, even when their parents do.
Therefore, it is possible for a child window to extend its position
to cover the parent window's GUI-daemon-imposed colored frame, then
draw a fake frame in a different color directly on top of the parent
window's colored frame. A malicious qube could exploit this in order
to make it appear that a window belongs to a higher trust level than
its actual trust level.
Likewise, since the GUI daemon also forces coloring on docked windows
by default, a child window could cover its parent's docked window in
order to draw a "tray icon" in a different color.
To fix these problems, the GUI daemon will no longer accept changes to
the override-redirect flag in the cases described above. Instead, the
override-redirect flag can now be changed in only two cases:
- When the window is not yet visible (either as a normal window or as a
tray icon) and has no children
- When override-redirect protection forcefully clears the flag, in which
case the window is unmapped, the flag is cleared, and the window is
mapped again
Moreover, in order to avoid confusing the embedder and the GUI daemon,
windows that are already mapped or have children will now be prevented
from being docked.
Credits
--------
This issue was discovered by Demi Marie Obenour.
Notes
------
[1] In Qubes 4.1, certain GUI functions historically served by dom0 can
be delegated to separate template-based "GUI qubes." A single Qubes
4.1 system can have multiple GUI qubes.
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.qubes-os.org/doc/how-to-update/
[4] https://www.qubes-os.org/doc/gui/
[5] https://specifications.freedesktop.org/xembed-spec/xembed-spec-latest.html
[6] https://specifications.freedesktop.org/systemtray-spec/systemtray-spec-latest.html
--
The Qubes Security Team
state of the flag (and thus stopped applying its own constraints),
but it had not yet sent this flag to the X server.
2. Using an MSG_MAP GUI protocol [4] command to change the
override-redirect flag of a window that has already been mapped. In
this case, the attribute was updated in the X server, but the window
manager did not pick up the change, since the window was already
mapped.
3. The override-redirect protection feature, which prevents a window
from covering more than 90% of the screen if it has the
override-redirect flag, suffered from the same problem described in
the first point.
4. It was unclear how docked windows (aka "tray icons") should interact
with the override-redirect flag. Neither the XEmbed Protocol
Specification [5] nor the System Tray Protocol Specification [6]
defines how they should interact.
5. Docking a window passes control over mapping and unmapping the window
to the embedder (the application that "holds" the docked windows).
The implications of this behavior are unclear, and we cannot rule
out the possibility that this could be abused in some way.
6. There are two things that draw externally-imposed colored frames in
Qubes OS: the window manager and the GUI daemon. The GUI daemon draws
colored frames around windows with the override-redirect flag and
docked windows (aka "tray icons"), while the window manager draws all
other colored frames, e.g., for "normal" windows. (The window manager
also controls the noscript bar, which is another type of trusted window
decoration.)
Any window, including a docked window, can have a "child" window,
which is a separate window embedded in the parent window. Children do
not have the override-redirect flag, even when their parents do.
Children also do not have colored frames externally imposed by the
GUI daemon, even when their parents do.
Therefore, it is possible for a child window to extend its position
to cover the parent window's GUI-daemon-imposed colored frame, then
draw a fake frame in a different color directly on top of the parent
window's colored frame. A malicious qube could exploit this in order
to make it appear that a window belongs to a higher trust level than
its actual trust level.
Likewise, since the GUI daemon also forces coloring on docked windows
by default, a child window could cover its parent's docked window in
order to draw a "tray icon" in a different color.
To fix these problems, the GUI daemon will no longer accept changes to
the override-redirect flag in the cases described above. Instead, the
override-redirect flag can now be changed in only two cases:
- When the window is not yet visible (either as a normal window or as a
tray icon) and has no children
- When override-redirect protection forcefully clears the flag, in which
case the window is unmapped, the flag is cleared, and the window is
mapped again
Moreover, in order to avoid confusing the embedder and the GUI daemon,
windows that are already mapped or have children will now be prevented
from being docked.
Credits
--------
This issue was discovered by Demi Marie Obenour.
Notes
------
[1] In Qubes 4.1, certain GUI functions historically served by dom0 can
be delegated to separate template-based "GUI qubes." A single Qubes
4.1 system can have multiple GUI qubes.
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.qubes-os.org/doc/how-to-update/
[4] https://www.qubes-os.org/doc/gui/
[5] https://specifications.freedesktop.org/xembed-spec/xembed-spec-latest.html
[6] https://specifications.freedesktop.org/systemtray-spec/systemtray-spec-latest.html
--
The Qubes Security Team
Whonix 16 template available
https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/
The Whonix Project (https://www.whonix.org/) has announced the release of Whonix 16 (https://forums.whonix.org/t/12465). For a list of
changes and further details, please see the official announcement (https://forums.whonix.org/t/12465).
Please note that, according to the Whonix support schedule (https://www.whonix.org/wiki/About#Support_Schedule), Whonix 15 will
reach end-of-life (EOL) in one month. This coincides with the end date for
Whonix 15 template support in Qubes according to the Whonix Project’s support
policy for Whonix templates in Qubes (https://www.qubes-os.org/doc/supported-releases/#note-on-whonix-support). Therefore, all Whonix users are urged to
upgrade from Whonix 15 to Whonix 16 within the next month.
The Whonix Project provides instructions for installing fresh Whonix 16
templates (https://www.whonix.org/wiki/Qubes/Install) as well as instructions for performing an in-place upgrade from
Whonix 15 to Whonix 16 (https://www.whonix.org/wiki/Release_Upgrade_Whonix_15_to_Whonix_16).
https://www.qubes-os.org/news/2021/09/30/whonix-16-template-available/
The Whonix Project (https://www.whonix.org/) has announced the release of Whonix 16 (https://forums.whonix.org/t/12465). For a list of
changes and further details, please see the official announcement (https://forums.whonix.org/t/12465).
Please note that, according to the Whonix support schedule (https://www.whonix.org/wiki/About#Support_Schedule), Whonix 15 will
reach end-of-life (EOL) in one month. This coincides with the end date for
Whonix 15 template support in Qubes according to the Whonix Project’s support
policy for Whonix templates in Qubes (https://www.qubes-os.org/doc/supported-releases/#note-on-whonix-support). Therefore, all Whonix users are urged to
upgrade from Whonix 15 to Whonix 16 within the next month.
The Whonix Project provides instructions for installing fresh Whonix 16
templates (https://www.whonix.org/wiki/Qubes/Install) as well as instructions for performing an in-place upgrade from
Whonix 15 to Whonix 16 (https://www.whonix.org/wiki/Release_Upgrade_Whonix_15_to_Whonix_16).
XSAs released on 2021-10-05
https://www.qubes-os.org/news/2021/10/07/xsas-released-on-2021-10-05/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-386 (in practice affects only Xen 4.14.3+ due to another bug that cancels out this security flaw; the other bug was fixed in 4.14.3, which exposed this flaw)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2021/10/07/xsas-released-on-2021-10-05/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(None)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-386 (in practice affects only Xen 4.14.3+ due to another bug that cancels out this security flaw; the other bug was fixed in 4.14.3, which exposed this flaw)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
Reproducible builds for Debian: a big step forward
https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/
This is the second article in the “reproducible builds” series.
Previously: Improvements in testing and building: GitLab CI and reproducible builds (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/).
In the previous article, Improvements in testing and building: GitLab CI and reproducible builds (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/#reproducible-builds), we discussed reproducible builds and our current short-term goals for them in Qubes OS. Notably, we aimed to start by building our Debian templates such that packages can be installed only when configured rebuilders confirm that they really came from the source code we publish. Today, we go beyond this expectation.
Reproducible builds: retrieve the past
The challenge in reproducible builds lies in rebuilding a package in the same environment in which it was officially published. This means that we need to retrieve every single package version that was used as dependency to rebuild a given package. For Debian, some packages in the current release were built several releases in the past but not necessarily with the exact same dependencies. In order to retrieve them, there is only one solution: a Debian service called snapshot.debian.org, which is an archive acting as a Wayback Machine (https://web.archive.org/) that allows access to old packages based on dates and version numbers. It contains all past and present packages that the Debian archive provides. Unfortunately, this service is known to suffer significant blocking issues on usability. For example, watch the DebConf 2021 talk Making use of snapshot.debian.org for fun and profit (https://debconf21.debconf.org/talks/22-making-use-of-snapshotdebianorg-for-fun-and-profit/) and have a look at some related Debian issues like #977653 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%977653), #960304 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%960304), #969906 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%969906), #969603 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%969603), and #782857 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=x2857). To summarize: There are throttling limits and availability issues such as repeatedly cutting off connections, returning partial content, etc. As announced in our previous article, we developed our own rebuilder tool, debrebuild (https://github.com/fepitre/debrebuild), which is able to rebuild a single Debian package together with a rebuilder orchestrator PackageRebuilder (https://github.com/fepitre/package-rebuilder). We started to put it in production in order to actively rebuild Qubes OS and Debian packages, but it quickly ceased to function, as the snapshot.debian.org service was unable to sustain the load of rebuilding even a single Debian package. That said, the question was: How should we proceed in order to make it work? Clearly, those issues are critical and make the snapshot.debian.org service awful or useless for reproducible builds.
Is rebuilding Debian really possible?
The snapshot.debian.org issues have still not been addressed even after several years. The service has existed for more than a decade, yet it still suffers from the aforementioned limitations. It’s either a design problem or a lack of resources, but we still had to do something.
That’s why we decided to create our own snapshot (https://github.com/fepitre/debian-snapshot) service. Easy to say, but not to do. First, the original snapshot service from Debian is roughly 90 TB of repository data. Second, we cannot download files easily because only HTTP(S) is available, and downloading multiple files means we are impeded by availability issues.
https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/
This is the second article in the “reproducible builds” series.
Previously: Improvements in testing and building: GitLab CI and reproducible builds (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/).
In the previous article, Improvements in testing and building: GitLab CI and reproducible builds (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/#reproducible-builds), we discussed reproducible builds and our current short-term goals for them in Qubes OS. Notably, we aimed to start by building our Debian templates such that packages can be installed only when configured rebuilders confirm that they really came from the source code we publish. Today, we go beyond this expectation.
Reproducible builds: retrieve the past
The challenge in reproducible builds lies in rebuilding a package in the same environment in which it was officially published. This means that we need to retrieve every single package version that was used as dependency to rebuild a given package. For Debian, some packages in the current release were built several releases in the past but not necessarily with the exact same dependencies. In order to retrieve them, there is only one solution: a Debian service called snapshot.debian.org, which is an archive acting as a Wayback Machine (https://web.archive.org/) that allows access to old packages based on dates and version numbers. It contains all past and present packages that the Debian archive provides. Unfortunately, this service is known to suffer significant blocking issues on usability. For example, watch the DebConf 2021 talk Making use of snapshot.debian.org for fun and profit (https://debconf21.debconf.org/talks/22-making-use-of-snapshotdebianorg-for-fun-and-profit/) and have a look at some related Debian issues like #977653 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%977653), #960304 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%960304), #969906 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%969906), #969603 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%969603), and #782857 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=x2857). To summarize: There are throttling limits and availability issues such as repeatedly cutting off connections, returning partial content, etc. As announced in our previous article, we developed our own rebuilder tool, debrebuild (https://github.com/fepitre/debrebuild), which is able to rebuild a single Debian package together with a rebuilder orchestrator PackageRebuilder (https://github.com/fepitre/package-rebuilder). We started to put it in production in order to actively rebuild Qubes OS and Debian packages, but it quickly ceased to function, as the snapshot.debian.org service was unable to sustain the load of rebuilding even a single Debian package. That said, the question was: How should we proceed in order to make it work? Clearly, those issues are critical and make the snapshot.debian.org service awful or useless for reproducible builds.
Is rebuilding Debian really possible?
The snapshot.debian.org issues have still not been addressed even after several years. The service has existed for more than a decade, yet it still suffers from the aforementioned limitations. It’s either a design problem or a lack of resources, but we still had to do something.
That’s why we decided to create our own snapshot (https://github.com/fepitre/debian-snapshot) service. Easy to say, but not to do. First, the original snapshot service from Debian is roughly 90 TB of repository data. Second, we cannot download files easily because only HTTP(S) is available, and downloading multiple files means we are impeded by availability issues.
In order to work around the huge volume of data, we decided to get repositories from 2017 to today (which corresponds approximately to when Debian “Buster” was released) and only related architectures amd64, source, and all. (all indicates no specific architecture in the Debian world.) For the download part itself, we needed to parse the metadata of each Debian repository in order to get the list of files to download for every timestamp for which a snapshot had been made. Then, we developed resume and retry download functions, which unfortunately are brute force download functions. For storing the data, a simple approach has been employed: storing files as SHA-256 names, then creating symlinks to reconstruct the repository layout. In order to get file information (package and repository metadata), we rely on simply reading a symlink. It took 3-4 months to get 4.2 TB of data, which represents 2017 to the present. Most of the information about the downloaded files and their source repository is stored in a database. In parallel, we added — like the original snapshot.debian.org — an API, snapshot-api (https://github.com/fepitre/debian-snapshot#API), to expose information about repositories. Unlike the original one, we added much more information that rebuilder software, e.g. debrebuild, needs to have when requesting package information, such as the exact location of a given package in terms of Debian archive, timestamp, suite, architecture and component. The service is now publicly exposed at https://snapshot.notset.fr (https://snapshot.notset.fr/) and the API endpoints at https://snapshot.notset.fr/mr. The service is home-hosted by the author.
This is exactly where the dream of rebuilding Debian packages in the same environment in which they were official published became a reality. Thanks to our standalone orchestrator and rebuilder software debrebuild, results of the rebuilding process, links to reproducible attestations called in-toto metadata (https://in-toto.io/), and even why a package is not reproducible can all be found at https://rebuild.notset.fr (https://rebuild.notset.fr/). As of this writing, we have successfully rebuilt more than 80% of the latest Debian packages for the unstable release while doing tests. Since it started, several adjustments have been made, and we have finally reached a stable rebuilding process. That is why, after a few late improvements during this almost first full rebuild, we flushed it all and started again for latest Debian stable release, Bullseye. We will again rebuild unstable after the full rebuild of Bullseye is complete. As time passes, we will have fewer and fewer pending tasks, as there are a couple thousand package rebuilds remaining. Please note that, in addition to the initial package build, the process of rebuilding a package means querying the snapshot.notset.fr API multiple times to get package information and location, set up the same environment as the original published one, and finally, actually build it. All of this is possible thanks to several servers, home-hosted by the author, that intensively build packages non-stop for more than a month.
What’s next?
For Qubes OS, we already track reproducibility status in our continuous integration (CI) tests (see the previous article (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/) for details), and they are also rebuilt independently like Debian packages in the same Package Rebuilder instance. We already have most of the reproducible attestations for our specific Debian packages (see https://rebuild.notset.fr/qubesos.html), and we will soon have all the needed ones for Debian. In consequence, we are happy to announce that we have already started the process of integrating the rebuild check status both at the build phase of our Debian templates and when later installing a package in the template itself. That’s the reason we restarted the whole process of a full rebuild for Bullseye.
This is exactly where the dream of rebuilding Debian packages in the same environment in which they were official published became a reality. Thanks to our standalone orchestrator and rebuilder software debrebuild, results of the rebuilding process, links to reproducible attestations called in-toto metadata (https://in-toto.io/), and even why a package is not reproducible can all be found at https://rebuild.notset.fr (https://rebuild.notset.fr/). As of this writing, we have successfully rebuilt more than 80% of the latest Debian packages for the unstable release while doing tests. Since it started, several adjustments have been made, and we have finally reached a stable rebuilding process. That is why, after a few late improvements during this almost first full rebuild, we flushed it all and started again for latest Debian stable release, Bullseye. We will again rebuild unstable after the full rebuild of Bullseye is complete. As time passes, we will have fewer and fewer pending tasks, as there are a couple thousand package rebuilds remaining. Please note that, in addition to the initial package build, the process of rebuilding a package means querying the snapshot.notset.fr API multiple times to get package information and location, set up the same environment as the original published one, and finally, actually build it. All of this is possible thanks to several servers, home-hosted by the author, that intensively build packages non-stop for more than a month.
What’s next?
For Qubes OS, we already track reproducibility status in our continuous integration (CI) tests (see the previous article (https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/) for details), and they are also rebuilt independently like Debian packages in the same Package Rebuilder instance. We already have most of the reproducible attestations for our specific Debian packages (see https://rebuild.notset.fr/qubesos.html), and we will soon have all the needed ones for Debian. In consequence, we are happy to announce that we have already started the process of integrating the rebuild check status both at the build phase of our Debian templates and when later installing a package in the template itself. That’s the reason we restarted the whole process of a full rebuild for Bullseye.
There is preliminary work for integrating Fedora into the orchestrator, but that deserves a separate effort. The rebuilder rpmreproduce (https://github.com/fepitre/rpmreproduce) can be used to rebuild Fedora packages, but some discussions with RPM upstream are still needed (see https://github.com/rpm-software-management/rpm/pull/1532). Also, we plan to support input other than a buildinfo file for RPM, such as a Koji build denoscription (which is the build infrastructure used by Fedora and CentOS) or any denoscription piece that would make it clear how an RPM package was built. We also plan to add other distributions pretty easily and quickly, like Arch Linux, which we are going to ship officially soon.
Conclusion
Improved documentation for the orchestrator is in progress to make it easier for others who want to rebuild Qubes OS or Debian in the same way that we are currently doing it. Having more independent rebuilders publishing reproducibility attestations would be especially good for the community.
In all of these efforts, we are really satisfied that the Reproducible Builds Project (https://reproducible-builds.org/) has decided to use our work and results as an example of what it has been advocating for years, notably for Debian. The official website https://beta.tests.reproducible-builds.org (https://beta.tests.reproducible-builds.org/) currently mirrors our results website https://rebuild.notset.fr (https://rebuild.notset.fr/).
The author warmly thanks Marta Marczykowska-Górecka and Marek Marczykowski-Górecki for their moral support and technical discussions throughout this rough and intensive journey while juggling other projects.
Conclusion
Improved documentation for the orchestrator is in progress to make it easier for others who want to rebuild Qubes OS or Debian in the same way that we are currently doing it. Having more independent rebuilders publishing reproducibility attestations would be especially good for the community.
In all of these efforts, we are really satisfied that the Reproducible Builds Project (https://reproducible-builds.org/) has decided to use our work and results as an example of what it has been advocating for years, notably for Debian. The official website https://beta.tests.reproducible-builds.org (https://beta.tests.reproducible-builds.org/) currently mirrors our results website https://rebuild.notset.fr (https://rebuild.notset.fr/).
The author warmly thanks Marta Marczykowska-Górecka and Marek Marczykowski-Górecki for their moral support and technical discussions throughout this rough and intensive journey while juggling other projects.
Qubes OS 4.1-rc1 has been released!
https://www.qubes-os.org/news/2021/10/11/qubes-4-1-rc1/
After many years of work, the team is pleased to announce the first
release candidate for Qubes 4.1!
Qubes 4.1 includes several major new features, each of which is
explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
This release candidate also includes numerous other improvements and
bug fixes, which are listed in the release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue
tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
Qubes 4.1-rc1 is available on the downloads (https://www.qubes-os.org/downloads/) page.
How to test Qubes 4.1-rc1
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
There are two ways to migrate to 4.1-rc1:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, perform a fresh install (https://www.qubes-os.org/doc/installation-guide/) of 4.1-rc1,
then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
As with any initial release candidate, it’s likely that user testing
will reveal important bugs that we’ll want to fix before the stable
release. Depending on the severity of the bugs discovered and how long
it takes to fix them, we expect that it may be anywhere from a few weeks
to a few months before we announce the second release candidate.
https://www.qubes-os.org/news/2021/10/11/qubes-4-1-rc1/
After many years of work, the team is pleased to announce the first
release candidate for Qubes 4.1!
Qubes 4.1 includes several major new features, each of which is
explained in depth in its own article:
Qubes Architecture Next Steps: The GUI Domain (https://www.qubes-os.org/news/2020/03/18/gui-domain/)
Qubes Architecture Next Steps: The New Qrexec Policy System (https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/)
New Gentoo templates and maintenance infrastructure (https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/)
Reproducible builds for Debian: a big step forward (https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/)
This release candidate also includes numerous other improvements and
bug fixes, which are listed in the release notes (https://www.qubes-os.org/doc/releases/4.1/release-notes/) and in the issue
tracker (https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+).
Finally, Qubes 4.1 features the following updated default components:
Xen 4.14
Fedora 32 in dom0
Fedora 34 template
Debian 11 template
Whonix 16 Gateway and Workstation templates
Linux kernel 5.10
Qubes 4.1-rc1 is available on the downloads (https://www.qubes-os.org/downloads/) page.
How to test Qubes 4.1-rc1
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help to
improve the stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/).
Experienced users are strongly encouraged to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190)!
There are two ways to migrate to 4.1-rc1:
Back up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) your current installation, perform a fresh install (https://www.qubes-os.org/doc/installation-guide/) of 4.1-rc1,
then restore (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) from your backup.
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/).
Release candidate planning
As with any initial release candidate, it’s likely that user testing
will reveal important bugs that we’ll want to fix before the stable
release. Depending on the severity of the bugs discovered and how long
it takes to fix them, we expect that it may be anywhere from a few weeks
to a few months before we announce the second release candidate.
QSB-073: Race condition when setting override-redirect flag
https://www.qubes-os.org/news/2021/10/15/qsb-073/
We have just published Qubes Security Bulletin (QSB) 073:
Race condition when setting override-redirect flag.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-073 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-073-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 073 ]===---
2021-10-15
Race condition when setting override-redirect flag
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- qubes-gui-dom0 version 4.0.17
For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) [1]:
- qubes-gui-daemon version 4.1.18
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [3]
The user session must be restarted afterward in order for the updates to
take effect, e.g., by logging out then logging back in.
Summary
--------
An override-redirect flag in the X11 protocol tells the window manager
not to manage a particular window. Windows with such flags do not get
their frames or noscript bars from the window manger, nor does the window
manager determine their positions. This feature is used for application
menus, tooltips, and similar accessory windows.
Unfortunately, some window managers get confused if the
override-redirect flag is set shortly before making the window visible.
When that happens, the window manager may try to move or resize the
window without respecting any size and position constraints imposed by
the GUI daemon. Normally, every window move and resize action requested
by the VM is validated by the GUI daemon. However, if the action is
initiated by the window manager, it doesn't require the GUI daemon's
validation.
Impact
-------
A malicious application may try to hide its unspoofable colored frame
off-screen. Hiding all four sides is prevented by another constraint
(forbidding a override-redirect window from covering more than 90% of
the screen), but hiding some sides is possible. The issue is known to
affect XFCE and KDE. Other desktop environments may also be affected.
Discussion
-----------
This is yet another corner case in handling the override-redirect flag.
In the long term, we will try to eliminate use of this flag completely.
As an immediate fix, we are adding additional validation of constraints
placed on windows with the override-redirect flag. This validation is
done whenever a window is moved or resized, regardless of what initiated
the action. If an illegal size or position is detected, the GUI daemon
will try to resize or move the window back to a legal size and position.
While this is a reactive solution (in the sense that it allows windows
to enter illegal states before correcting them), it will cover several
more cases, including the case in which another application resizes a
window behind the GUI daemon's back (which is the case being reported in
this QSB). Moreover, this solution serves as an additional safety check
in case the GUI daemon itself misses any other edge cases.
Credits
--------
This issue was discovered by Demi Marie Obenour.
Notes
------
[1] In Qubes 4.1, certain GUI functions historically served by dom0 can
be delegated to separate template-based "GUI qubes." A single Qubes
https://www.qubes-os.org/news/2021/10/15/qsb-073/
We have just published Qubes Security Bulletin (QSB) 073:
Race condition when setting override-redirect flag.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-073 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-073-2021.txt
In addition, you may wish to:
Get the qubes-secpack: https://www.qubes-os.org/security/pack/
View all past QSBs: https://www.qubes-os.org/security/qsb/
View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 073 ]===---
2021-10-15
Race condition when setting override-redirect flag
User action required
---------------------
Users must install the following specific packages in order to address
the issues discussed in this bulletin:
For Qubes 4.0, in dom0:
- qubes-gui-dom0 version 4.0.17
For Qubes 4.1, in dom0 and the template(s) of any GUI qube(s) [1]:
- qubes-gui-daemon version 4.1.18
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [3]
The user session must be restarted afterward in order for the updates to
take effect, e.g., by logging out then logging back in.
Summary
--------
An override-redirect flag in the X11 protocol tells the window manager
not to manage a particular window. Windows with such flags do not get
their frames or noscript bars from the window manger, nor does the window
manager determine their positions. This feature is used for application
menus, tooltips, and similar accessory windows.
Unfortunately, some window managers get confused if the
override-redirect flag is set shortly before making the window visible.
When that happens, the window manager may try to move or resize the
window without respecting any size and position constraints imposed by
the GUI daemon. Normally, every window move and resize action requested
by the VM is validated by the GUI daemon. However, if the action is
initiated by the window manager, it doesn't require the GUI daemon's
validation.
Impact
-------
A malicious application may try to hide its unspoofable colored frame
off-screen. Hiding all four sides is prevented by another constraint
(forbidding a override-redirect window from covering more than 90% of
the screen), but hiding some sides is possible. The issue is known to
affect XFCE and KDE. Other desktop environments may also be affected.
Discussion
-----------
This is yet another corner case in handling the override-redirect flag.
In the long term, we will try to eliminate use of this flag completely.
As an immediate fix, we are adding additional validation of constraints
placed on windows with the override-redirect flag. This validation is
done whenever a window is moved or resized, regardless of what initiated
the action. If an illegal size or position is detected, the GUI daemon
will try to resize or move the window back to a legal size and position.
While this is a reactive solution (in the sense that it allows windows
to enter illegal states before correcting them), it will cover several
more cases, including the case in which another application resizes a
window behind the GUI daemon's back (which is the case being reported in
this QSB). Moreover, this solution serves as an additional safety check
in case the GUI daemon itself misses any other edge cases.
Credits
--------
This issue was discovered by Demi Marie Obenour.
Notes
------
[1] In Qubes 4.1, certain GUI functions historically served by dom0 can
be delegated to separate template-based "GUI qubes." A single Qubes
4.1 system can have multiple GUI qubes.
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.qubes-os.org/doc/how-to-update/
--
The Qubes Security Team
https://www.qubes-os.org/security/
[2] https://www.qubes-os.org/doc/testing/
[3] https://www.qubes-os.org/doc/how-to-update/
--
The Qubes Security Team
https://www.qubes-os.org/security/
Fedora 33 approaching EOL; Fedora 34 templates available
https://www.qubes-os.org/news/2021/11/11/fedora-33-approaching-eol-fedora-34-templates-available/
Fedora 33 is scheduled to reach EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)) on 2021-11-30, and
new Fedora 34 templates are now available for both Qubes 4.0 and 4.1.
We strongly recommend that all Qubes users upgrade (https://www.qubes-os.org/doc/templates/fedora/#upgrading) their Fedora 33
templates and standalones to Fedora 34 before Fedora 33 reaches EOL.
We provide fresh Fedora 34 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/fedora/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases supported for your specific
Qubes releases, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
Note for 4.1 release candidate testers: Qubes R4.1-rc1 already
includes the Fedora 34 template by default, so no action is required.
https://www.qubes-os.org/news/2021/11/11/fedora-33-approaching-eol-fedora-34-templates-available/
Fedora 33 is scheduled to reach EOL (end-of-life (https://fedoraproject.org/wiki/End_of_life)) on 2021-11-30, and
new Fedora 34 templates are now available for both Qubes 4.0 and 4.1.
We strongly recommend that all Qubes users upgrade (https://www.qubes-os.org/doc/templates/fedora/#upgrading) their Fedora 33
templates and standalones to Fedora 34 before Fedora 33 reaches EOL.
We provide fresh Fedora 34 template packages through the official Qubes
repositories, which you can install in dom0 by following the standard
installation instructions (https://www.qubes-os.org/doc/templates/fedora/#installing). Alternatively, we also provide step-by-step
instructions for performing an in-place upgrade (https://www.qubes-os.org/doc/template/fedora/upgrade/) of an existing Fedora
template. After upgrading your templates, please remember to switch all
qubes that were using the old template to use the new one (https://www.qubes-os.org/doc/templates/#switching).
For a complete list of template releases supported for your specific
Qubes releases, see our supported template releases (https://www.qubes-os.org/doc/supported-releases/#templates).
Please note that no user action is required regarding the OS version in
dom0. For details, please see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).
Note for 4.1 release candidate testers: Qubes R4.1-rc1 already
includes the Fedora 34 template by default, so no action is required.
New Qubes application menu
https://www.qubes-os.org/news/2021/11/12/new-qubes-application-menu/
The new application menu is here!
If you are running a release candidate of Qubes OS 4.1 (https://www.qubes-os.org/news/2021/10/11/qubes-4-1-rc1/) and wish to just dive on in, the new app menu can be found here (https://github.com/QubesOS/qubes-desktop-linux-menu). But first, a couple important caveats:
This new menu requires 4.1 and cannot run on 4.0.
This is experimental software for testing purposes only!
Still want to give it a go? To install, enter this command in a dom0 terminal:
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-desktop-linux-menu
Once installed, add the new menu to the XFCE panel using the provided .desktop file (instructions (https://github.com/QubesOS/qubes-desktop-linux-menu#how-to-run)). For those who want to learn more, read on!
Background
One of the key issues raised by users in last year’s Qubes User Survey (see the write-up (https://www.qubes-os.org/news/2020/11/26/qubes-survey-results/) — and a big thank you to everyone who participated!) was general usability. Qubes OS is great for security, but the experience of using it can be somewhat opaque or even confusing. The UX difficulties are exacerbated by the fact that most of our GUI components are adapted from those designed for single-environment systems, like XFCE on Fedora. This served as a good first pass for an open-source project developed by a small team, but the time has come to begin working on a GUI tailored to Qubes OS’s particular multi-environment setting.
Helpfully, three years ago the SecureDrop team began user research in support of their SecureDrop Workstation project (https://securedrop.org/news/piloting-securedrop-workstation-qubes-os/) (built atop Qubes OS). In the course of their work, they discovered that it was not just SecureDrop users who wanted the Qubes OS GUI to be friendlier — a lot of other folks seemed to want Qubes OS to be more usable, too! From the SecureDrop Workstation project, Nina Alter began contributing to Qubes, and we subsequently joined forces to tackle the app menu project. This project received a generous grant from the Mozilla Foundation!
Goals
The main idea behind the new application menu is simple: to create a way of accessing programs that’s native to Qubes OS, takes into account its quirks and approach, and is both easy to use and accessible. The visual clarity of the current application menu, which uses XFCE’s default menu and adds a folder within the menu for each qube, leaves much to be desired. Research showed us most users prefer GUI system tools. The classic Linux nerd answer of “Just use the terminal. It’s easy!” does not really capture how most people work. Thus, we needed a better approach, one that’s more accessible, easier to use, and represents a mental model consistent with Qubes OS rather than a typical monolithic Linux distribution.
For those interested, we presented our work on the new app menu on the second day of our 2021 Qubes Mini Summit (https://www.youtube.com/watch?v=KdDr6TiqF0k). The presentation begins at the 01h 15min mark of the video.
Application Menu Features
Qubes
The new application menu has three tabs (as seen on the left): qubes, favorites, and system tools. The first tab is the most similar one to the old menu. It contains all qubes, but now sorted into three groups (on top of the middle pane): normal application qubes (the APP section), qube templates (TEMPLATES), and various system qubes (SYSTEM).
https://www.qubes-os.org/news/2021/11/12/new-qubes-application-menu/
The new application menu is here!
If you are running a release candidate of Qubes OS 4.1 (https://www.qubes-os.org/news/2021/10/11/qubes-4-1-rc1/) and wish to just dive on in, the new app menu can be found here (https://github.com/QubesOS/qubes-desktop-linux-menu). But first, a couple important caveats:
This new menu requires 4.1 and cannot run on 4.0.
This is experimental software for testing purposes only!
Still want to give it a go? To install, enter this command in a dom0 terminal:
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-desktop-linux-menu
Once installed, add the new menu to the XFCE panel using the provided .desktop file (instructions (https://github.com/QubesOS/qubes-desktop-linux-menu#how-to-run)). For those who want to learn more, read on!
Background
One of the key issues raised by users in last year’s Qubes User Survey (see the write-up (https://www.qubes-os.org/news/2020/11/26/qubes-survey-results/) — and a big thank you to everyone who participated!) was general usability. Qubes OS is great for security, but the experience of using it can be somewhat opaque or even confusing. The UX difficulties are exacerbated by the fact that most of our GUI components are adapted from those designed for single-environment systems, like XFCE on Fedora. This served as a good first pass for an open-source project developed by a small team, but the time has come to begin working on a GUI tailored to Qubes OS’s particular multi-environment setting.
Helpfully, three years ago the SecureDrop team began user research in support of their SecureDrop Workstation project (https://securedrop.org/news/piloting-securedrop-workstation-qubes-os/) (built atop Qubes OS). In the course of their work, they discovered that it was not just SecureDrop users who wanted the Qubes OS GUI to be friendlier — a lot of other folks seemed to want Qubes OS to be more usable, too! From the SecureDrop Workstation project, Nina Alter began contributing to Qubes, and we subsequently joined forces to tackle the app menu project. This project received a generous grant from the Mozilla Foundation!
Goals
The main idea behind the new application menu is simple: to create a way of accessing programs that’s native to Qubes OS, takes into account its quirks and approach, and is both easy to use and accessible. The visual clarity of the current application menu, which uses XFCE’s default menu and adds a folder within the menu for each qube, leaves much to be desired. Research showed us most users prefer GUI system tools. The classic Linux nerd answer of “Just use the terminal. It’s easy!” does not really capture how most people work. Thus, we needed a better approach, one that’s more accessible, easier to use, and represents a mental model consistent with Qubes OS rather than a typical monolithic Linux distribution.
For those interested, we presented our work on the new app menu on the second day of our 2021 Qubes Mini Summit (https://www.youtube.com/watch?v=KdDr6TiqF0k). The presentation begins at the 01h 15min mark of the video.
Application Menu Features
Qubes
The new application menu has three tabs (as seen on the left): qubes, favorites, and system tools. The first tab is the most similar one to the old menu. It contains all qubes, but now sorted into three groups (on top of the middle pane): normal application qubes (the APP section), qube templates (TEMPLATES), and various system qubes (SYSTEM).
When you select a qube, its applications appear on the right — the same applications that you chose for the old menu, in Qube Settings. Now, however, they are accompanied by a couple of utility features, like quick access to start and shut down commands and an indicator of the networking state of the qube on top.
The menu itself also communicates more information about system state. Names of running qubes are bolded, and those of disposable qubes and their templates are italicized. There’s also a clear visual indicator of the disposable template each disposable is based on.
Further enhancements (coming in the future) will be — as inspired by many users citing frustrations with memory management and information in the menu — more data about RAM usage or qube template on top of the application pane.
The menu itself also communicates more information about system state. Names of running qubes are bolded, and those of disposable qubes and their templates are italicized. There’s also a clear visual indicator of the disposable template each disposable is based on.
Further enhancements (coming in the future) will be — as inspired by many users citing frustrations with memory management and information in the menu — more data about RAM usage or qube template on top of the application pane.
In order to make the use of disposable qubes more conveniently, now programs can be started in a running disposable qube from the menu. It works just like any other qube. There’s only one limitation: If the qube was started for a program (which is usually the case), it will shut down when that first program is closed.
Favorites
You asked, and we have delivered! Second in the primary menu, after qubes, is a completely new tab: Favorites.
Favorites
You asked, and we have delivered! Second in the primary menu, after qubes, is a completely new tab: Favorites.
You can right-click on any application in the qube menu and add it to your favorites. It will then appear in this menu. To remove it, simply right-click on the app within the Favorites tab and select “Remove from Favorites.”
System tools
The last tab is devoted to all sorts of configuration and system tools and, in practice, also “random things installed in dom0.” (It’s a bad idea to install random things in dom0, but if it happens, that’s where you will find them.) System tools can also be added to favorites. Some of us find it useful, for example, to have a dom0 terminal shortcut there.
System tools
The last tab is devoted to all sorts of configuration and system tools and, in practice, also “random things installed in dom0.” (It’s a bad idea to install random things in dom0, but if it happens, that’s where you will find them.) System tools can also be added to favorites. Some of us find it useful, for example, to have a dom0 terminal shortcut there.