Saturday, July 21, 2012

Qubes 1.0 Release Candidate 1!

I would like to announce the release of Qubes RC1. The installation ISO and instructions can be found here.



This release is expected to essentially be identical to the final 1.0 release, which will likely follow in the coming weeks, except for some minor, cosmetic fixes.

Comparing to the previous Beta 3 release, the major changes and improvements in this version include:
  • A much improved Qubes Manager, that now allows to configure and manage almost every aspect of the Qubes system using a simple and intuitive GUI.
  • All the VMs are now based on Fedora 17 template.
  • Cleaned up and improved command lines tools for both Dom0 and for the VMs.
  • Updated Dom0 and VM kernels are now based on 3.2.7-pvops kernel, which offer better hardware and power management support.
  • Convenient menu improvements, that include e.g. a handy icon for launching a Disposable Web browser in a Disposable VM.
  • Support for “yum proxy”, which smartly allows to update packages in a template VM (or other updateable VM), without requiring to grant general HTTP access for this VM. This has been a problem before, as the Fedora repos use hundreds of mirrored yum servers, and it wasn't possible to setup a single rule in the firewall VM to allow only access to the yum servers, and nothing else. Now, this is possible, and the primary application is to prevent user mistakes, e.g. against using the temaplate VM for Web Browsing.
  • We also added support for an opt-in fullscreen mode for select VMs.
  • ...plus lots of other improvements and fixes under the hood. As can be seen in the wiki, there has been over 200 tickets closed as part of the work on this release!
So, again, this is almost the final release, please test it and report any problems to the mailing list, so that we could fix them before Qubes 1.0 comes out officially.

15 comments:

Anonymous said...

Congratulations for reaching RC1!

Joanna, I'd be very interested to hear your comments on the upcoming Bromium microvisor. Whitepaper here if you're interested: http://www.bromium.com/misc/BromiumMicrovirtualization.pdf

h said...

How Qubes can help with a modified BIOS?
As explained by http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf you can use a backdoored BIOS without noticing it. And since its made at factory, TPM seals won't help at all.

gsteenss said...

Hi, would love to try it, but amazon is returning a redirect error it seems...

Joanna Rutkowska said...

@Anon: read between the lines:

http://theinvisiblethings.blogspot.com/2012/06/some-comments-on-operation-high-roller.html

@h: If your BIOS got compromised at factory, Qubes won't help you at all. On ther other hand, Qubes (+ Anti Evil Maid or similar tool) will try to make it very hard to compromise your BIOS when you use your laptop.

@gsteenss: Not sure why, please provide more info.

Anonymous said...

Are there still any ways to donate money?

basilfish said...

Here's the AWS error, still cannot download anything:

PermanentRedirect

The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.

RequestId: C12F021D356543A
Bucket: qubes-os
HostId:4TkaATbkQsJMYnHOlMtuP+bchOvJnIYSqKczSB0TmytQ2dlg+3qvSmFRng7+cgyN
Endpoint: qubes-os.s3.amazonaws.com

Joanna Rutkowska said...

@basilfish: I cannot reproduce it. Have you tries to use a different browser? Perhaps you have some extension that screw things up?

basilfish said...

Joanna: Yes, that seems to be it. Firefox with NoScript and other privacy/security extensions was the problem. Using plain IE worked, downloading now!

Joanna Rutkowska said...

@basilfish: Yeah, thins like NoScript are a thing of the past -- one doesn't need them when using something like Qubes OS :)

Seriously -- turning your modern Firefox into a 90's Mosaic is not a most thoughtful way to securing yourself IMHO.

basilfish said...

Yeah, it's gotten in the way more than helped. Hoping to make Qubes my primary soon. :) Great work, I told people about Qubes at Defcon.

Anonymous said...

Moje gratulacje :)

Anonymous said...

Hi Joanna! Really nice work, i was searching the whole web for a solution like this. THANK YOU & TEAM! But one problem, dvd install fails with the following message:

x startup failed

Samsung 830 SSD 128GB, i5 3550 intern gpu used, asRock Z77 Pro4-M, 8GB DDR3, bios fw is new - default setup

Any idea what to change?

Regards from berlin ;)

Joanna Rutkowska said...

@anonymous_from_berlin_and_others_asking_for_help_troubelshooting_installation_problems_etc: please send questions to the qubes-devel mailing list.

Anonymous said...

about fullscreen...i rather use it in specific windows rather than on domain.
For example: plugin container in firefox which is used by flash. Seeing the title bar make me want to close it with the close button rather ESC. i right click on title bar of the plugin-container(not firefox) and Advanced -> no border or fullscreen. In Advanced -> Special Windows Settings. It will apply to the specific windows title...like 'plugin-container'. Seems to me as a better alternatives for viewing full screen videos in the untrusted VMs

Beside i don't understand the differences between the red, yellow, green VMs...(even less when it comes to blue and black.

I understand that i should use them differently but beside that...since they share the same filesystem(except private and volatile part) that come from the TemplateVM, they SEEMS to run pretty much the same software when started, they can all run the same software.
I mean i can run browse the web from netVM. i noticed the Applications tab in VM settings but does that only effects shortcuts in KDE desktop menus?

its the first version i try of Qubes OS and i like it. i think the VM manager is very user friendly. Would be even better if there was Applications shortcuts in the right click menu that show up for selected VM.

few minor bug(as far as i can see)... work pretty well on my Dell M4400. i had the non functional Update bug with the debug kernel but found out the fix soon enough.

Anonymous not from Mtl

Joanna Rutkowska said...

@Anonymous-not-from-Mtl(whatever it could be):

1) Security boundaries in Qubes OS are between domains, not between specific applications within domains.

2) By default all the user domains (AppVMs as we call them) are all based on the same template's filesystem, but that doesn't mean they share the same filesystem! If one domain modifies its /usr/bin/firefox, other domains will _not_ see such change.n

3) You can create more templates with completely different set of programs, and even, the so called, standalone VMs, not based on any template.

4) How you use your domains, how you interpret the color labels, what networking permissions you assign, it's totally up to you.


More reading:

http://wiki.qubes-os.org/trac/wiki/GettingStarted

http://wiki.qubes-os.org/trac/wiki/TemplateImplementatio