
Qubes OS 4.0 has been released - andrewdavidwong
https://www.qubes-os.org/news/2018/03/28/qubes-40/
======
lvh
At Latacora, some of us use Qubes in order to get a workable desktop while
also getting clean separation between different client environments. I’ve been
consistently impressed with it. It’s not totally flawless, but it’s easy
enough to learn enough about the model and tooling that you can quickly debug
most issues. Overall this is about as usable as any other XFCE4 desktop, which
is pretty darn good.

------
gigama
Would be happy to use Qubes if I could also get a certified laptop to run it
on. Even after months their hardware requirements page still says
"Unfortunately, there are currently no certified laptops for Qubes R3.x or
R4.x. This page will be updated once certified laptops are available."

Anyone have any insider ETA or recommendations? Prefer a practical/reliable
laptop over some expensive racehorse.

What laptop does Snowden use?

~~~
ttul
[https://en.wikipedia.org/wiki/Epson_HX-20](https://en.wikipedia.org/wiki/Epson_HX-20)

~~~
pjf
Wow, does it run NetBSD? :)

------
xvilka
I wonder if there was any progress on integrating with ReactOS[1].

[1] [https://github.com/QubesOS/qubes-issues/issues/2809](https://github.com/QubesOS/qubes-issues/issues/2809)

------
craftyguy
Now that most VMs are fully virtualized on 4.x, how much RAM and disk
space do you need in order to have a usable system? The 'minimum requirements'
they list of 4GB RAM and 32GB hdd wouldn't be enough to run more than a small
handful of VMs.

~~~
mseri
With 8Gb of RAM I have been happily using Qubes 4 on my work workstation since
rc2. I suggest using the mirage firewall image [1] to save around a Gb of RAM.

The fedora 27 images can easily reach 5Gb of use under heavy load, but in
general I have pretty good performance and I usually have a couple of
throwaway VMs and the main work VM running and dealing with web, compilations
of various sorts and editing.

[1]: [https://github.com/talex5/qubes-mirage-firewall](https://github.com/talex5/qubes-mirage-firewall)

~~~
craftyguy
Why use Fedora for images and not something leaner, like Arch or Alpine Linux?
(just examples, there are others too)

------
tuxxy
Does anyone know any good guides for installing this on a X1 Carbon Gen 5?

I've been wanting to try this out on my X1, but there isn't really any nuance
when it comes to guides for it. Just a list of problems and what does and
doesn't work.

~~~
GuyPostington
I've been running qubes 4 on an X1 Gen 5 carbon. I can put together a guide
tomorrow. Message me again just in case I forget and do it again on Monday
just in case again.

~~~
tuxxy
Well I can't message you on here, but you should definitely reply to this
comment and post it when you do it!

------
ManlyBread
Is this secure against Spectre/Meltdown?

~~~
xf86alsa
Here's a link to Qubes' security tracker with the updated details about it:
[https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qs...](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt)

------
saganus
How is the GPU pass-through support in this release?

I'd love to use Qubes but I sometimes want to use my GPU for games or other
OpenGL stuff.

Is this already working good or is it still a bit bumpy?

~~~
jstanley
I sometimes use 3d CAD software to design parts for 3D printing. Lack of 3d
acceleration is one of the major hurdles keeping me away from Qubes, although
I have used it and the bits that work well work extremely well. It's a very
promising project.

~~~
saganus
Yeah, I agree it's a very interesting and promising project.

Hopefully this will be improved and then I would definitely make this my daily
OS.

------
TeddyBear060
Hooray! Such great work... I love the USB applet (at top right once logged
in).

Just plug in your device and mount it into one of your VMs. Really user friendly
:-)

------
benevol
Qubes OS' virtualization technology is awesome - love the peace of mind it
gives!

------
codetrotter
I've been interested in Qubes OS for a long while, ever since I first heard
about it years ago.

A little while ago I upgraded my desktop and I now have an 8-core Ryzen 7 1700
(that's 16 threads!) and 32 GB of RAM. I installed Kubuntu on it after the
first few results on Google suggested Ubuntu would let me install and use the
proprietary drivers for the graphics card that I bought; a GeForce 1060 GTX
with 6GB VRAM.

Ubuntu is one of my least favorite distros but the promise of easy setup of
Nvidia drivers combined with knowing that a lot of third-parties have Ubuntu
quite high up on the list of distros they try and support with their software
made me pick Ubuntu (well Kubuntu but it's almost the same except at least I
get a Desktop that I think is nice).

Kubuntu works pretty well. Not perfectly but tbh nothing ever really does. One
thing that I find particularly annoying though is that the computer freezes on
boot when I enter the Full-Disk Encryption key unless I boot it in recovery
mode. It became this way after I installed the proprietary Nvidia drivers and
because the regular boot FDE key input is graphical whereas the recovery mode
boot is text only at the FDE key input stage I think it is related to the
Nvidia driver. So not even the thing that primarily made me choose Ubuntu
works quite as well as I'd hoped. There is one graphical glitch that occurs
while I'm on my desktop also but anyway like I said there will always be some
problems, and I won't go into too much detail. Primarily I just wanted to
point out that things aren't perfect currently so Qubes OS need not be perfect
either.

Probably a lot of people on HN have work stations that are even nicer than
this but for me this is such a _monumental_ step up from the computers I have
used to have that it feels like I am sitting in front of a TOP500
Supercomputer that somehow everyone else that had access forgot about and so I
am left with being able to use it all by myself :P

Here are some of the things that my computer _can_ do and that I enjoy being
able to do;

- Run the most recent stable release of Blender (they add awesome new
features every now and then that are really useful)
- Play video games from Steam and capture my desktop with OBS Studio while doing so.
- Use Spotify.
- Use Firefox.

Bunch of other things as well.

Anyhow, I was wondering, can I easily install and use the proprietary Nvidia
drivers with Qubes OS? Can I play video games from Steam, make use of the CUDA
cores for Blender etc, record my desktop with OBS Studio?

Because if so then sign me the heck up :) I would love to run the web browser
in isolation for example. Perhaps even have different "cubes" like for example
have the web browser that I log into my online bank be separate from
everything else, have the browser where I log into YouTube be separate so I
can be signed into Google while not being tracked as much across other sites
at the same time, separate cube for Reddit, separate cube for HN. Not too many
separate cubes but something like that. Speaking of which did anyone set up
firewall rules for this kind of separation so that you don't accidentally
visit sites outside of YouTube in the YouTube-dedicated browser etc?

But yeah first and foremost I would like to know about Blender and Spotify and
Steam and OBS Studio with Qubes OS. Also, full disk encryption and LVM volume
groups. How about ZFS? And what kind of guests can run? Can I run FreeBSD
guests? I have a lot more questions too I think but I can't think of them all
right now and besides too many questions lead to none or just a few getting
answered anyway.

~~~
vermilingua
You cannot. If you have VT-X and VT-d, you _might_ be able to create a Windows
HVM and pass through your GPU, but Qubes official support for this is close to
nil, and success is very dependent on your specific setup. Some cards plainly
won't work, some won't work with given CPU/Mobo combos, etc.

I made my GTX980 work on Arch, and tried on Qubes, but Qubes itself was too
unstable for my daily driver, so I never got it complete.

~~~
codetrotter
That's too bad. Oh well.

~~~
mncharity
Another approach is to run a minimal Arch on metal, and everything else in
VMs. If your motherboard is compatible with GPU passthrough, the dGPU can now
be passed among the VMs without hardware reboot. The GPU performance loss is
minor, but I saw added latency variance when doing VR. I've seen several HN
comments from folks happy with this approach.

------
wpdev_63
Please keep in mind when using Qubes OS that it does NOT protect you if your
hardware is compromised. The NSA and other clandestine agencies have an easy
backdoor to your computer even when running this.

~~~
jstanley
I never understood objections like this.

With a standard Linux system you have vulnerabilities X,Y,Z. With Qubes you
have vulnerability X, so let's comment on Qubes and try to discourage people
from using it because vulnerability X still exists? It's still better than the
alternative!

~~~
colejohnson66
I didn’t read that as discouraging people from using Qubes, but rather as a
reminder that Qubes, like every OS, can’t protect you if your hardware is
compromised.

~~~
irundebian
That's a trivial conclusion and not related to Qubes OS. Every operating
system somehow relies on hardware protection features.

If the ring architecture of the processor can be circumvented, the protection of
privileged code (kernel) is harmed. If you can circumvent the MMU's memory
protection, the protection of privileged code is harmed. And if side channel
attacks like Spectre and Meltdown circumvent protection features, the
protection of sensitive data is harmed.

Every system which makes claims about security relies on explicit (that would be
better) or implicit assumptions. And every operating system I know of, at
least implicitly, assumes that the hardware isn't compromised.

------
stagbeetle
Hey, this is neat! Unfortunately, after skimming the changelog, it still seems
they're trotting along with Xen, and any "intermediate IT" person would still
be using a bespoke solution.

~~~
jstanley
What do you mean by that? What is "intermediate IT"? And what benefits do you
see of a bespoke compartmentalisation system over Qubes?

~~~
stagbeetle
Hey, sorry for the late reply. I got flagged for "posting too often," and just
gave up after not being able to post this for a few hours:

Qubes is marketed as a VM for the "intermediate IT professional," i.e. one that
can set up a server from scratch and mess with configuration settings, even
compile everything he needs from scratch, but not be able to make the informed
decisions needed to harden things by himself.

So, this IT professional could install his own VM, set it up to sandbox his
connections and programs, after reading documents and how-tos.

The benefits for bespoke:

1). Known toolset

This is pretty common in the "real world," where most would take a tool
they're familiar with, than one they're not. In this case it would be the
Linux environment. Why? Because the IT professional is already aware of the
possible holes that he may need to fill and how to do it "correctly." I'm sure
we all have had the experience of trying a new technology, messing up our
first attempts at something decent, but then being able to make something good
after practice. This is the same here. If you already know Qubes, great. If
you don't and you're thinking about using it for your next project, make sure
that project isn't mission critical.

2). Better documentation

Qubes OS is laughably under-documented (to parrot someone else's wording).
With this comes the inability to be as flexible as with the massively-documented
*BSD/Linux environment, limiting your overall productivity, and likewise,
security and privacy. This also means you won't know where possible holes
could develop, stemming from how the sandboxing really works in RT. This is a
mostly solved problem with Unixes. You can harden your setup easily and with
confidence, knowing you'll only be hit by massive zero days, if at all. With
Qubes, you just don't know. Segue:

3). Qubes isn't battle-tested

The Xen debacle showed this. While Linux is not secure in any sense, we know
where those insecurities lie through decades of use and misuse. This isn't the
case for Qubes, which has been around less than Android.

4). Xen

Qubes uses stock Xen, which is not terribly good for security (direct access
to hardware? What are you doing!?). You could get better security by compiling
your own version of Xen and removing all of the "niceties" that make Qubes not
horrible to use. Or better yet, get a better hypervisor that's made with
security in mind.

5). "A reasonably secure operating system"

Need I say more?

