Introducing sys-i2pd

Per the often cited reference in this thread:

@deeplow @Insurgo @theotherone

Can anyone explain how the following commands to implement the policy do NOT follow the “Policy files” guidelines outlined in the referenced blog post above?

Install:

echo "qubes.ConnectTCP +4444 @anyvm sys-i2pd allow" | sudo tee -a /etc/qubes/policy.d/30-user-networking.policy

Uninstall:

sudo sed -i 's/qubes.ConnectTCP +4444 @anyvm sys-i2pd allow//g' /etc/qubes/policy.d/30-user-networking.policy

90-default.policy clearly states:

## Do not modify this file, create a new policy file with lower number in the
## filename instead. For example 30-user.policy

It looks fine to me, syntactically speaking.

If I were to implement this policy, I would modify the source and call it 30-i2pd.policy to be specific enough to safely remove it without a problem.

<emphasis added>

Are comments in the absence of investigating the “technical bits” really useful?

Most definitely.

@deeplow Moderate however you see fit (delete this and all my posts if it suits you but I appreciate @cayce contributions.) Watching the devolution of this forum is very disheartening.

:disappointed_relieved:

1 Like

You are definitely @Confused :wink:

I fully agree with @deeplow’s assessment, nothing really bad happened. @cayce got a bit annoyed at @enmus’ rapid feedback and posted some unnecessary personal remarks. That’s why we slowed down the thread and asked @cayce to please stop that. It appears he’s cool with it as is @enmus.

Nothing is ‘devolving’ and all is good.

2 Likes
Not for technical user's eyes

Definitely condescending (in violation of standards)

Discouraging requested contributions to an open source project is about as “bad” as one could imagine

I think there’s some typos here, more like:

No @mod asked such a thing publicly nor privately, nor am I cool with “it” (aka biased moderation valuing FUD, feelings and dis/misinformation above contributions) which leads to a complete wash-out of contributed work. To foster community involvement, either uphold all of the standards for the betterment of the community or none.

Can an individual be expected to take this work effort seriously after reading the overflowing abundance of misguided/misinformed opinions/feelings within a technical thread? Despite being the OP; I sure can’t :rofl: :roll_eyes: :grimacing: :sob:

If after an entire week of all this dribble, anyone would actually like to use this project, please just post a message in-thread something like: “Hi cayce, I’d like to give it a try” and, I’ll message via PM.

If not, I couldn’t fault you; not sure I’d bother with anyone taking into account all the FUD/dis/misinformation and attempted character assassinations.

Nevertheless, happy hacking folks! :love_you_gesture: :heart_eyes: :heart_eyes_cat: :heart_hands:

Glad to hear (@Sven was unable to PM you via forum, to avoid adding more noise to this thread, but… well I’m @Confused :stuck_out_tongue_winking_eye: ).

Devolution was poor word choice on my part (and not meant to insult @deeplow or anyone else). To quote one much wiser and less confused than myself

For whatever my confused opinion is worth, I’m grateful for @cayce’s contributions and wish I had more time to experiment with i2p.

:+1:

  • Best
1 Like

Spent the entire day trying this out, shit don’t work unfortunately.

Tried installing everything via the script and also tried doing everything on my own following more or less the instructions on the script. It don’t work in both ways, the closest I’ve been to making it work was doing it by myself. But in both cases the connection either timed out or straight up said that it wasn’t possible to reach the website.

I tried all I could but nothing works, my best result with this was a ‘firewalled’ network status that I couldn’t even solve since the next time I restarted the qube i2pd just stays on ‘unknown’ network status.

I hope someone is able to figure this shit out cause I certainly can’t.
Concept should work in theory but I think some firewall changes happened during recent times both in qubes or the i2p project and it doesn’t work anymore, even just trying to start it out inside a whonix workstation doesn’t work anymore.

Thanks for taking the time to check it out!

Sounds to me like you aren’t giving the i2p daemon enough time to set up the required tunnels … you just need to wait for some time for them to be established.

This is normal. Check the i2p FAQ.

I’ve got this working through every NetVM (sys-net, sys-firewall, sys-ips, sys-vpn, sys-whonix) and every variation of chaining (including them all).

Sadly :sob:, I won’t be able to support further in this thread because it’s been throttled due to the emotive nature of @mods and the forum in general. :zipper_mouth_face: :pensive:

My PMs are open for now if you want help walking you through it. :upside_down_face:

Hello there sorry for not having answered before, still trying to take time away from screen.

It is syntactically correct, where the suggestion in doc above is to put all user policies (that might conflict with each other), if possible, under 30-user.policy instead of another policy file.

Logic there, as for recent whonix debates for which policy file should be modified/created is that not all users will think of checking in other lower numbered down files, where 30-user.policy should be used if possible (and relevant), otherwise creating confusion (as seen in the past on why things don’t work and where users only check under 30-user.policy).

And to be honest, I would have to check Qubes internals to know which one of 30-user.policy or 30-user-networking.policy would be applied first, since they share the same number (30). I think this will lead to problems in the future if not already for some users.

I know, I know, I should test this. As of now I have tested neither this nor unman’s, but will try both in the future for sure.

I just am in love with public RPM spec files and associated rpms and repos for this. So convenient and so easy to understand and follow flow of deployment, application and learning. You don’t like it? Just uninstall RPM, delete appvm and parent template.
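The install and uninstall steps discussed in this thread, written against a dedicated 30-i2pd.policy file, together with a check of which policy file is considered first. This is an added example, not part of any post here or of the sys-i2pd project; it assumes policy files are read in C-locale file name order with the first matching rule winning, and the function names and the scratch POLICY_DIR default are hypothetical.

```shell
#!/bin/sh
# Added example. POLICY_DIR defaults to a scratch directory; in dom0 run as
# root with POLICY_DIR=/etc/qubes/policy.d to act on the real policy.
POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"
RULE='qubes.ConnectTCP +4444 @anyvm sys-i2pd allow'  # rule quoted in the thread
DEDICATED="$POLICY_DIR/30-i2pd.policy"               # file name suggested in the thread

# Append the rule only if that exact line is absent, so re-running is harmless.
install_rule() {
    touch "$1"
    grep -qxF -- "$RULE" "$1" || printf '%s\n' "$RULE" >> "$1"
}

# Drop exact copies of the rule without leaving blank lines behind; the file
# keeps its owner and mode, and is deleted once nothing is left in it.
uninstall_rule() {
    [ -f "$1" ] || return 0
    grep -vxF -- "$RULE" "$1" > "$1.tmp" || true
    if [ -s "$1.tmp" ]; then cat "$1.tmp" > "$1"; else rm -f "$1"; fi
    rm -f "$1.tmp"
}

# Policy files in the order assumed here: byte-wise (C locale) file name
# order, where '-' (0x2d) sorts before '.' (0x2e).
policy_order() {
    (cd "$POLICY_DIR" && LC_ALL=C ls -1 | grep '\.policy$')
}

# First file in that order holding a rule for the given service and argument.
# Assuming the first rule that matches a call decides, earlier files can
# shadow later ones, so this is the file to inspect first.
first_file_with() {
    for f in $(policy_order); do
        if awk -v s="$1" -v a="$2" '$1 == s && $2 == a { hit = 1 } END { exit !hit }' \
            "$POLICY_DIR/$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

case "${1:-}" in
    install)   install_rule "$DEDICATED" ;;
    uninstall) uninstall_rule "$DEDICATED" ;;
    order)     policy_order ;;
    which)     first_file_with qubes.ConnectTCP +4444 ;;
esac
```

Under that ordering assumption, 30-user-networking.policy sorts ahead of 30-user.policy, and 30-i2pd.policy ahead of both.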

off-topic

@cayce I got you bro!

This Qubes-OS clique does the same thing @ xen summits, don’t worry.

I have met everyone from ITL face to face and had convos etc.

Wait until they see my face!

FYI everyone makes fun of Qubes-OS because of the version of xen they run.

But we all use qubes as a base and modify it heavily, it’s still xen semi hardened.

Plus these ITL folks are about to get a surprise!

Logging in to my net jet account!

Live Qubes-OS ARM demo?

I just want to see their faces!

lol

@xn0px90, please keep the discussion on-topic. If you want to discuss anything else (Qubes-related, of course), please start a new thread.

2 Likes

so let me get this right, this DOESN’T allow me to chain netvm’s to the i2p netvm, correct? I’ve been looking for a way to make an i2p netvm for aaaaaaages

Hi @cayce
Great to see your contribution. Well, I haven’t yet seen it - is it still
private?
I’ve only skimmed this thread - the (literal) noise has made it
difficult for me to pick out what’s important.
If I understand - you have produced an i2p proxy with a nice GUI
control. My simple solution was set to provide an i2p node - the in.sh
script can be used to allow inbound traffic to pass through the qubes
networking stack.
It would be great if we could combine these and package them to provide
a simple means of installing and setting up an i2p node available to
other qubes.
If you can give me access to your repo that would be good.
PM me if you want to discuss off list.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
4 Likes

Nothing wrong so far, but you might want to consider to chain it to your(s) sys-whonix/sys-VPN prior to sys-firewall.

Why? To hide that you are using i2p? Or avoiding accidental leaks?

1 Like

@cayce I glanced through the code. It is nice and simple. Haven’t actually tried it out on my actual system yet.

A couple of things:

  1. Would you consider switching to using Fedora instead of Debian? For one, Qubes defaults to using Fedora for most of its VMs. And two, Debian has a habit of shipping extremely old/EOL packages which isn’t ideal for security. It shouldn’t be too hard to just convert this to Fedora.

  2. I see that you are doing make install for i2pd-qt. The problem with this is that updating i2pd-qt will then need to be done manually instead of being done automatically by the qubes updater. There are a couple of potential workarounds for this:

  • Package i2pd-qt using something like COPR or OBS and install the packages instead. I understand that this is a lot of extra work and might be out of scope, and you then would also need to be a package maintainer.

  • Use the Flatpak package and add a systemd service to automatically update it. This would require just using a normal VM for sys-i2pd rather than a disposable VM, as we would not want the updates to disappear every reboot. Since sys-i2pd will always be on, we can be reasonably sure that the custom systemd service will keep everything up to date.

  1. Debian just hasn’t been the same since Ian left us. :anguished: I really hope that he’s in a better place …
    I’m not terribly impressed with fedora either, my current preference is nixOS. That said, I likely will not bother with a fedora based version because IMO it’s a moot point, this is a service qube based on a minimal template. If one’s threat model is so sharp as to need to defend against unpatched debian 0-dayz, this is not the correct solution. Despite falling off IMO, debian still patches quickly.

You’re right, it wouldn’t be too hard @ all since, I’ve taken the time to do the hard bits. If anyone needs a fedora version, I’ll be happy to work on it after donations have been made. :star_struck:

  2. The GUI project is an official i2p project thus, in due time, it’ll be added to the official i2p repo. At that time, I’ll modify the project to leverage the repo/binary package. I’m not planning to package anything unless someone wants to make contributions to do so.

Regarding flatpaks, I’m not a fan nor would any hackery to create “auto-updating” be worth-while IMO as, it would be outside of the Qubes update mechanism so, not very different from the build approach.

I spent the day with this user on PM and, it turned out the project was working as expected but, the user was not being patient enough to allow the necessary tunnels to be created.

Fact is, both onion & garlic routing have been fielding serious blows lately so, I advise anyone trying to use this project or any i2p projects to check the latest sub-reddit to verify status/expectations.

Instead of confirming success/misunderstanding here ...

They went ahead and posted a “how-to” install i2pd :rofl:

NOTICE: MANY upgrades have happened within the i2p/i2pd codebase since this was posted.

Currently, finishing up a branch which will include DispVM with a browser preconfigured to use sys-i2pd. Please wait for this release.

5 Likes

it wasn’t a “how-to” I just thought I would post the way it worked for me in the end.

@cayce plz pm