=^.^=

Install Telegram Messenger on a Qubes Fedora VM

karma

Launch a terminal for the desired TemplateVM then enable the RPM Fusion repositories:
sudo bash dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree dnf upgrade --refresh
Now install telegram-desktop
dnf install telegram-desktop

It should be noted that if you enable RPM Fusion repos and use KDE packages the version of Qt or KDE provided by Fusion will likely break virtually every KDE package except konsole and updating Qt amicably will eject Telegram. For this reason you should consider duplicating your Fedora TemplateVM before installing Telegram or using the RPM Fusion repos in general.

Don't forget to reduce your storage limits in the settings.

Updating Qubes Post-Installation

karma

This is a brief checklist of operations to conduct after a fresh installation of Qubes. Full documentation is available at https://www.qubes-os.org/doc/updating-qubes-os/.

After configuring your network first update the dom0:
sudo qubes-dom0-update

Next, update your TemplateVMs: Qubes Menu > System Tools > Qubes Update.

The Qubes Update utility doesn't always work the first time for me. If you find it hangs and produces no details launch the TemplateVMs individually and from the command line run:
dnf update
for Fedora and
apt-get update
for Debian.

Now reboot to effect any kernel updates and load the updated dom0 environment.

Install critical software that you will definitely need to your TemplateVMs. Things like:

  • screen
  • sshfs
  • nmap
  • links/lynx
  • nano
  • whois
  • bind-utils (fedora) dnsutils (debian)

Next, duplicate the default fedora and debian TemplateVMs and update your personal, work etc AppVMs to rely on the copies. Since system Qubes like sys-net and usb rely on the default fedora TemplateVM you may regret making changes directly to it when setting up your regular working AppVMs.

Software I like to install into my duplicated TemplateVMs includes:

  • kde-standard
  • kate
  • chromium (part of default repos) or google-chrome (third party download)
  • telegram-desktop

It is prudent to check your repositories for meta packages that install bundles of packages which might otherwise leave a system piecemeal and produce unexpected dysfunction. For example, it is possible to install kate by referring to it directly. However if your intention is to have a fully functioning KDE environment rather than just the essential packages required to install and run kate you are liable to find yourself in trouble if you end up trying to use a KDE function that either didn't or relies on a package that was not part of the dependency tree you initially installed.

On Fedora and Red Hat descendant images you can pull up a list of such meta packages or "package groups" by running (as root):
# dnf grouplist Last metadata expiration check: 0:19:25 ago on Tue Jun 13 04:20:04 2023. Available Environment Groups: Fedora Custom Operating System Minimal Install Fedora Server Edition Fedora Workstation Fedora Cloud Server KDE Plasma Workspaces Xfce Desktop LXDE Desktop LXQt Desktop Cinnamon Desktop MATE Desktop Sugar Desktop Environment Deepin Desktop Budgie Desktop Development and Creative Workstation Web Server Infrastructure Server Basic Desktop i3 desktop Available Groups: 3D Printing Administration Tools Audio Production Authoring and Publishing Budgie Budgie Desktop Applications C Development Tools and Libraries Cloud Infrastructure Cloud Management Tools Compiz Container Management D Development Tools and Libraries Design Suite Development Tools Domain Membership Editors Educational Software Electronic Lab Engineering and Scientific FreeIPA Server Games and Entertainment Headless Management LibreOffice MATE Applications Milkymist Network Servers Neuron Modelling Simulators Office/Productivity Python Classroom Python Science Robotics RPM Development Tools Security Lab Sound and Video System Tools Text-based Internet Window Managers Qubes Environment Qubes UI (Audio/Gui)
Then one may install such a group thus:
dnf groupinstall "KDE Plasma Workspaces"

It's a good idea to install the latest TemplateVM images. You may like to experiment with updating your critical system VMs (i.e.: sys-net, sys-usb) to use the latest fedora template. I personally would advise duplicating freshly installed images, just as with those installed from the installation media, before making any base modifications - including package updates. sys-net can generally be expected to run smoothly off a fresh image, after all. From the offical documentation at https://www.qubes-os.org/doc/templates/:

# qvm-template list --available Available Templates debian-10-minimal 0:4.0.6-202010131933 qubes-templates-itl debian-10 0:4.0.6-202009131420 qubes-templates-itl debian-11-minimal 0:4.0.6-202302031359 qubes-templates-itl debian-11 0:4.0.6-202302031359 qubes-templates-itl fedora-32-minimal 0:4.0.6-202010191916 qubes-templates-itl fedora-32-xfce 0:4.0.6-202010191916 qubes-templates-itl fedora-32 0:4.0.6-202010192324 qubes-templates-itl ... fedora-38-minimal 0:4.0.6-202305201231 qubes-templates-itl fedora-38-xfce 0:4.0.6-202305200036 qubes-templates-itl fedora-38 0:4.0.6-202305200036 qubes-templates-itl

To gain access to the official community repository of templates affix:
qvm-template --enablerepo qubes-templates-community list --available

Then install your preferred templates thus:
qvm-template install template-name

The GUI tool qvm-template-gui can be used in later stages to rapidly reassign AppVMs their updated templates but at present has no facility for browsing or installing new images.

Enable USB Keyboard for Qubes dom0

karma

Full documentation is available at https://www.qubes-os.org/doc/usb-qubes/. You should read the Security Warning about USB Input Devices before doing this.

To enable a USB keyboard for dom0 (making it available to all VMs) modify /etc/qubes-rpc/policy/qubes.InputKeyboard on dom0 to reflect:
#sys-usb dom0 allow,user=root sys-usb dom0 ask,default_target=dom0 $anyvm $anyvm deny

You will then be prompted to grant USB keyboards access any time they are connected. To also allow USB keyboards to enter the LUKS and login passwords please refer to the official documentation.

Comparing proc and ps Process Counts

karma

Some rootkits and malicious versions of ps will hide processes from stdout but leave /proc alone. You can compare the number of processes ps reports to the number of processes being tracked inside /proc to help determine if your ps is lying to you. Note that a race condition exists here, it is possible on a server with lots of new processes being spawned naturally that the number reported will change between the execution of the two commands so it may be necessary to run this script multiple times to get a clear picture. Since speed is essential it is important to run them together in a script rather than individually.

#!/bin/bash ls /proc | grep "^[0-9]" | wc -l ps aux | wc -l

Disable (Most) Annoying and Useless Emergency Alerts on Android

karma
REMAIN INDOORS! DO NOT THINK OF THE EVENT!

It's a quiet, snowy Sunday morning. Finally slipping off to sleep with the cat curled up on my chest I am treated to the banshee's serenade of an Android emergency alert. Maybe if I ignore it it will go away.... it cries out again. And again. The damn thing will not leave you alone until you physically get up and throw your phone out the window. Or acknowledge receipt of the message. Your call; no judgement.

[attachment-nsEiot]
WARNING EVERYTHING IS FINE!!!

EMERGENCY ALERTS EMERGENCY ALERT / ALERTE D'URGENCE
This is a Province of Ontario emergency bulletin which applies to people within ten (10) kilometres of the Pickering Nuclear Generating Station. An incident was reported at the Pickering Nuclear Generating Station. There has been NO abnormal release of radioactivity from the station and emergency staff are responding to the situation. People near the Pickering Nuclear Generating Station DO NOT need to take any protective actions at this time. Remain tuned to local media for further information and instructions.

Let me get this straight, wise overlords. You just woke and put the fear of god into me - in the most obnoxious and irritating way posible - to tell me that:

  • DON'T PANIC! - Everything is OK.
  • The alert only applies to people within 10 KM of Pickering WHICH IS 100 KM AWAY.
  • This message has no useful details; glue your docile plebeian eyes to local media for further trauma.

I quickly found out people as far as Ottawa received the same message. Evidently in this golden age of geolocation the alerts system is lazily province-wide. Maybe that makes sense in Bumscrew Delaware but you can fit a dozen european countries in a province the size of Ontario.

Which reminds me... didn't I disable this crap after the third missing child alert that happened 100 miles away and was resolved within 10 minutes without the child even having the baseline courtesy to lose a leg (or at least a finger)...

[attachment-ZwxDq5]
Forgive me for taking you seriously...

Oh. Silly me. It seems I left "Emergency Alerts" enabled, on the assumption that it would only give me a fun surprise heart attack for serious issues, like those pertaining to "extreme threats to life and property". Do forgive my stupidity for assuming this classification would not also become abused by the same power-drunk, trigger-happy freakout artists (or whatever title is properly attributed to the officials at the wheel).

The exact location of the Emergency Alert settings differs depending on your version of Android. The simplest route is to use the built-in search function:

  1. Open the Settings app.
  2. Use the Search bar along the top of the screen to search for Emergency Alert.
  3. Tap on the first result, which should simply be titled Emergency Alert.
  4. You should now be presented with the settings page similar to the figure shown above.
  5. Disable each of the alert types you no longer wish to receive. In the United States "Extreme alerts" might be called "Presidential alerts" or an additional option may be present to distinguish an alert type pursuant to legislation recently enacted there.
  6. In case there are additional alert types it may be impossible to disable, you may wish to additionally disable vibration, the text-to-speech option abd disable the Alert reminder. On my Android it is sadly not possible to change the alert tone.

I've heard reports that even with Extreme Alerts disabled this particular type of alert bypasses your settings. However it has been conjectured by some users that having the DnD mode enabled does block the sound.

[attachment-i0JqGj]
Well that's embarrassing...

Yep, not 20 minutes later my screed was rendered impotent by another goddamned alert that gave zero regard to my updated settings.

Sorry folks, at least if you follow these steps you will reduce the number of lower level alerts you receive!

Can't win em all I guess... q.q