Planet Hypervisor

Qubes OS R2 rc2, Debian template, SSLed Wiki, BadUSB, and more...

Today we're releasing the second release candidate (rc2) for Qubes OS R2. There are currently no more open tickets for the final R2 release, and we hope that what we release today is stable enough and so will be identical, or nearly identical, to the final R2 ISO, which we plan to release after the summer holidays. Download and installation instructions are here. After the Qubes rc1 release a few months ago we have been hit by a number of problems related to unreliable VM start-ups. The most prevalent problem has been traced down to an upstream bug in systemd, which just...

Announcing Qubes OS Release 2!

Today we're releasing Qubes OS R2! I'm not gonna write about all the cool features in this release because you can find all this in our wiki and previous announcements (R2-beta1, R2-beta2, R2-beta3, R2-rc1, and R2-rc2). Suffice to say that we've come a long way over those 4+ years from a primitive proof of concept to a powerful desktop OS which, I believe, it is today. One of the biggest difficulties we have been facing with Qubes since the very beginning, has been the amount of this extra, not-so-exciting, not directly security-related work, but so much needed to ensure things actually...

Automating backport kernel integration support

I cringe when I see a task which could be automated done manually, but complex tasks are not trivially considered possible to be automated -- to even fathom such possibilities on complex tasks at times you have to divide the work into sub tasks and eventually see if it's possible to automate a series of them and which ones cannot be automated. I've had a hunch about the prospects of fully automating Linux kernel backporting for a while now, over the years a set of advances and practices on the backports project has increased my confidence of these prospects,...

Becoming A Debian Developer

After becoming a DM at Debconf12 in Managua, Nicaragua and entering the NM queue during Debconf13 in Vaumarcus, Switzerland I received the mail about 24 hours too late to officially become a DD during Debconf14 in Portland, USA. Nevertheless it was a very pleasant surprise to find the mail in my INBOX this morning confirming that my account had been created and that I was officially ijc@debian.org. Thanks to everyone who helped/encouraged me along the way! I don't imagine much will change in practice, I intend to remain involved in the kernel and Debian Installer efforts as well as continuing to contribute to the Xen packaging and to maintain qcontrol (both in...

Physical separation vs. Software compartmentalization

Many people believe the Holy Grail of secure isolation is to use two or more physically separate machines. This belief seems so natural, that we often don't give it much thought. After all, what better isolation could we possibly get than physical "airgap"? I argue with this point of view in this new paper. I think a good place for in-depth technical discussions around the topics discussed in the paper would be our qubes-devel mailing list.

Hacking on systemd with OpenSUSE

I recently had no other option but to hack on systemd :*( and found there wasn't any documentation on how to do this on OpenSUSE. Replacing your /sbin/init isn't as simple as it used to be back in the day, eventually I figured things out with a few hiccups but apart from the actual ability to hack and install systemd I also picked up a bit of good best practices you can use to help while testing, and dealt with installing kdbus as I was tired of seeing those pesky warnings from systemd without it. My first assumption that things...

Building and booting vanilla Xen on vanilla Linux with systemd

If you want to do Xen development you should be working with upstream sources, and you should be sending your patches upstream, ASAP, that is before they are even in production. There simply should be no ifs or doubts about this. Doing it any other way is simply detrimental in the long run. I'm new to virtualization but from the architectural look of it I consider kvm a good reaction to virtualization evolution with focus for a clean new architecture that pairs up best with the latest hardware enhancements only. The decision to not support...

Debian Installer ARM64 Dailies

It's taken a while but all of the pieces are finally in place to run successfully through Debian Installer on ARM64 using the Debian ARM64 port. So I'm now running nightly builds locally and uploading them to http://www.hellion.org.uk/debian/didaily/arm64/. If you have CACert in your CA roots then you might prefer the slightly more secure version. Hopefully before too long I can arrange to have them building on one of the project machines and uploaded to somewhere a little more formal like people.d.o or even the regular Debian Installer dailies site. This will have to do for now though. Warning: The arm64 port is currently hosted on Debian Ports which only supports the unstable "sid" distribution. This means that...

Colored diffs with mutt

I cannot stand reviewing patches with gmail or any GUI e-mail client. I use mutt. On my last post I explained how you can apply patches directly from within mutt onto a git tree with a few shortcuts without leaving the terminal. This small post provides the next step to allow you to grow a mustache... I mean, get you to enjoy your mutt experience even more when reviewing patches by getting you colored diffs to match the same colors provided to you by good 'ol 'git diff'. Edit your .muttrc file and add these. # Patch syntax highlighting color normal ...

Describing the MISO stack at Entrepreneur First

I’m speaking to the Entrepreneur First cohort this morning about the future of resilient, distributed systems and what I’m working on to get us there. Firstly, I’m describing the kinds of solutions we have today, the great things they offer developers as well as the issues they create. This leads into the new toolstack we’re creating, called the MISO stack, and the benefits and trade-offs. I’m spending more time talking about Mirage OS – the ‘M’ in the MISO stack – because the workflow we’ve developed here underpins how we build, deploy and maintain such applications at scale. As an...