Unman's Qubes Live

I am in great need of using a Qubes Live system but want to use some Qubes Live 4.X version (like unman’s) over the older Qubes Live 3.1-alpha.

Disclaimer: Yes I am aware of strict memory/space limitations and potential corruption/data-loss issues of Qubes Live but it would still work well for my purposes and I accept all risks and can take appropriate safety measures when using.

I see that unman has custom 4.0.1 and 3.2 Qubes Live versions available but the download link for 4.0.1 ISO is unfortunately broken (404 Not Found), while the signature file is available and 3.2 ISO + signature is available. Only the link to unman’s 4.0.1 Qubes Live ISO seems to be broken.

https://qubes.3isec.org/Live/
https://qubes.3isec.org/Live/qubes.iso

sha-256 hash:
eec3c6db0915522ffd5429c7c1424c5213925ba614629fd5690a82090ef99ddd qubes.iso

Question: Is there any way I could please get a personal copy of this ISO for testing/usage? Or maybe could the public download link be temporarily/permanently enabled/fixed by unman?

I am also additionally very interested in building a copy of this image from source code after testing the ISO as well as maybe hacking on the code.

Question: Where can I get the source code for unman’s Qubes Live 4.X ISO? Any instructions/tips for building the code?

Question: Are there any plans for a future 4.0.4 or 4.1 Qubes Live image version from unman?

Thanks to unman for any Qubes Live assistance here or anyone else who can help out too!

2 Likes

Is there anything special about Qubes Live which cannot be achieved by installing Qubes on a USB stick?

2 Likes

At one time everyone knew what a “live” system was - it was a system
that booted from floppy/CD and ran entirely in memory.
At some point with USBs, this meaning was lost: I find the current use
meaningless.

Installing Qubes on a USB stick just provides Qubes on a stick. It
boots as normal, writes back to the stick, etc. It’s just Qubes booting
off a USB, and so somewhat slower.
You don’t call an install to a SSD “live”, so why an install on to USB?

Qubes Live runs entirely in memory, so it leaves no fingerprint. It can
run from DVD or USB. It’s portable and amnesic, like TAILS.
There are some deviations from standard Qubes : Tor, but no Whonix - far
too much of a hog; no logging - what would be the point? ; some extra
drivers; Debian based - naturally; no sys-usb.

@qqqlive - I hadnt realised that the 4.0 version had been removed - this
is because I’m working on 4.0.4 and 4.1, and I guess the folk at 3isec
pulled it in anticipation. I’ll see if it can be restored.

4 Likes

Yes running Qubes OS live from RAM memory is the special feature I am in need of, compared to running the OS from any other type of storage drive.

@unman

Yes in the meantime before you build 4.0.4 and 4.1 Qubes Live images, I would love to begin testing out the 4.0.1 Qubes Live image, if you are able to get the web host to restore the ISO download link. Alternatively a temporary one-time download location would be fine for me, if unable to restore the original link.

I am also additionally looking to try out building the Qubes Live image from source code.

Is this the correct code repository for building your Qubes Live image?

I am wondering how to build from the repository…

Is it as simple as copying the sub-contents of the “live” directory into the “qubes-builder” directory and then using the instructions from the following official “Building Qubes OS ISO” documentation page, involving “./setup” script?

Thanks for your assistance on achieving a working Qubes Live setup!

2 Likes

No - that’s a scratch place I use.
The live configuration isnt currently available - I will see if I am
able to make it so.

1 Like

@unman Understood. Thanks for your work on providing Qubes Live to the community. I am looking forward to hopefully using your Qubes Live 4.X ISO and live configuration source code very soon! I will be continuously monitoring this space for any of your provided updates.

1 Like

@unman

Hope you have been well.

I am checking in once again with you regarding the status of Qubes Live R4.

For the past 5 weeks, I have been playing with the older iso versions of Qubes Live 3.X, but would like to jump into the iso and code of a Qubes Live 4.X.

You’re the only one I am aware of who has implemented a Qubes Live 4.X.

Are the good folks at Third Eye Security willing to give their approval to you for releasing their live configuration code to be publicly available or even for limited availability?

I could really use a live version of Qubes 4.X in my workflow ASAP…
Could I now get a copy of the live configuration code for the published 4.0.1 version or later?

I don’t need to wait for a new 4.0.4 version and could make good use of any prior 4.X version.
If need to message privately about it, I could do that too.

Thanks unman!

P.S. I am not a code snob and truly appreciate all unpolished semi-functional code! I’d just love to use it ASAP and tinker with it for customizations. :wink:

1 Like

Closing this discussion for a few days to attempt to understand the situation. I believe it would be unproductive either way to leave it open apologies to anyone who wanted to positively contribute to this discussion.

In the name of the moderation team,

The users @fsfenforcer, @Securitee20001, @Securitee2001 and @Securitee2000 have been permanently suspended as a result of a CoC violation:

  • CoC violation: Trolling, insulting/derogatory comments, and personal or political attacks
  • Justification : Creation of multiple accounts (sock-puppetry) and engaging in aggressive attacks on a community member.
  • Comment: this is not the way to raise such concerns, see Copyleft Compliance Projects - Software Freedom Conservancy:

    “in [GPL] compliance work, initiating and continuing discussions in private demonstrates good faith, provides an opportunity to teach compliance without fear of public reprisal, and offers a chance to fix honest mistakes."

All messages involving mentioned attacks have been removed as will future ones.


The thread will be shortly reopened after a communication from a Qubes Team member.

1 Like

We understand the free software licensing concerns expressed in this thread, and we take them seriously. We are investigating the matter, and we will take appropriate action. Thank you.

2 Likes

Wow. What a wild exchange that took place here. Yuck.

Thank you to @deeplow for stepping in and creating a more healthy environment.

@unman

I understand that you are unable to make certain parts of your Qubes Live distribution available without Third Eye Security first providing permission and that this approval hasn’t been provided yet. I respect this very practical condition.

I am still in great need for running a RAM-based Qubes Live 4.X, as this is such an incredibly useful tool in many computing scenarios and could greatly enhance my workflow.

I am considering now attempting to create at-least a basic functioning version of a Qubes Live 4.X of my own. I probably don’t even need any or many of the newer Qubes 4.X features/tools, but am looking for its foundations to be more up-to-date and secure.

As a meet me half-way measure, @unman since you have been there done that expertise, would you be open to guiding/mentoring me along the path with some basic approaches and coding hurdles in me pursuing the assembling of my own basic Qubes Live system?

I would be very happy to pay this favor forward to the Qubes community.

I understand that a Fedora kickstart is the mechanism needed to build such a live Qubes system?

Thanks unman!

2 Likes

As I’ve been the catalyst for (target of?) this thread, I’d like to
clarify my position. Obviously IANAL.

  1. Listening to screeds of quoted text makes my ears (and brain) hurt.
    Can forum users please summarise and footnote/reference in this sort of case.

  2. Personally, I think it was a shame that the decision was taken to
    exclude some users. The points they raised were interesting.

  3. Fedora is made available under the MIT license.

  4. There are Fedora remixes (like Qubes) that provide packages and isos
    without providing links to GPL sources, links to Fedora sources, or, (in some
    cases), the spec or kickstart files to generate the remix iso. Fedora
    doesn’t comment on this, even for remixes they link to.

  5. GPL2 requires that where a program is distributed in executable form,
    it should be accompanied by the source “on a medium customarily used for
    software interchange”, amongst other options.

  6. The GPL2 FAQ refers to making binaries available by anonymous FTP,
    providing source by the same mechanism, and ensuring that information is
    provided saying where to find the source.

  7. Some years ago, I worked for a company that provided pre-built
    images to download, or already written to disk. Counsel’s opinion was
    that because the binaries were made available as packages from repositories,
    and the source code was also available by the same mechanism, this was
    in accordance with the requirements of GPL2. (I summarise from memory.)

  8. There are many providers of pre-built VM images or isos - very few
    (actually, none I know of), provide links to the source code for GPL
    binaries that are included. Qubes doesn’t, Whonix doesn’t, Virtualboxes
    doesn’t.
    Does it matter? I think not, because of 7 above.
    Any one who wants the source can get it using the same mechanism they
    used to get the binaries.

  9. The binaries included in the Live Images are unaltered from those
    provided in a Fedora distribution, Debian, and Qubes. Source for those
    is available from the relevant repositories. (Pretty sure of this but
    see below.)

  10. There is a sense in which the Qubes compilation has been
    altered. But since Qubes provides a mechanism for building custom
    templates, and custom installer isos, I do not think that those changes
    are significant. and breach Qubes copyright.

  11. I’ve been around the mailing lists and the Forum for a while now.
    I’ve always been happy to help people learn how to customise Qubes.
    I don’t think I have ever before used the phrase “I’ll see if I can make
    it available”.
    That might have made an interested reader ask “Why?”
    True, I’m not noted for littering licenses around, but I signed my
    rights over to Qubes years ago.

  12. The Live images were produced for a 3rd party. They were not
    released outside the organisation.
    Of course, I made them available, but, (as has been made very
    clear to me), I had no right to do so. Neither the third party, or 3isec
    Ltd, gave me permission to do so.
    Even if the Qubes code had been substantially rewritten no one would
    be entitled to the source of those changes - the GPL provisions only
    apply where a work based on a program is published.
    This is explicitly covered in the FAQ.

  13. Licenses are enforced by the copyright holders, and there are many
    involved here. I’ll be happy to take up my position with any one: my
    contact details and PGP key are on the Qubes web site. Pass them on if
    you think there has been a breach of some license or copyright.
    Let’s keep that off the Forum: I’ll post updates if there’s anything
    relevant to say.

It’s getting late, but if anyone can’t find the MIT license used by
Fedora, the GPL2 or the GPL2 FAQ, I’ll post links.

1 Like

Just to clarify. The reason was based on the method, not the points raised. They were accounts created with disposable mails anyways. Nothing preventing the user from creating a new account and engage in meaningful and respectful debate.

3 Likes

I’m not clear on what has been left in the forum, so it might help if I
summarised the points made by those accounts that have been
removed, relating to disk images. (I’ll uses “fsfenforcer” for those
accounts, and “GPL” for GPLv2)

fsfenforcer argued:
Where an image contains free software, there is a requirement to
publish full binary specific code along with it.
The GPL requires directly providing or linking to a full compilation of
binary specific source on the same webpage as the binaries.
The GPL requires publishing of binary specific source code used to
create an .iso binary image so that others are able to freely recreate
the same iso binary as published using the same exact source code used
to build the released image.

I think this is just wrong. Even if the images had been legally
distributed, I think it would be wrong. (Caveat - IANAL)

Fedora is distributed under the MIT license. So remixes of Fedora (like
Qubes) don’t need to provide source code for their images as they are
derived from Fedora.
Where programs included in the image are licensed under another license,
the terms of that license apply to those programs.

If you sell a laptop with Mint installed, (or some other distribution not endorsed
by the FSF), the GPL cannot require publication of all the source code used
to build that image. If this were the case, then there would not be any
distributions the FSF did not endorse.
Developers can pick and choose how much proprietary software they include
in their distribution: there is plenty of proprietary software available
for Linux.
The GPL is clear that it applies to “programs”, and the FAQ is clear
that mere aggregation doesn’t bring a program under the scope of the GPL.

For these reasons, I do not think the GPL can require publication of the
code used to generate a Fedora based image.
What the GPL does mandate is that source should be provided for GPL
programs - I think this is satisfied by the source being available using
the same mechanism used to provide binaries, but maybe not. If not, it
affects thousands of people who release disk images, virtualbox or
VMware images, Qubes templates, and so on. I don’t recall seeing this
discussed at the FSF, or a “hall of shame”, and frankly, it doesn’t seem
to me to be a fight worth having.

What about Qubes?

If you rewrite any part of the Qubes code for your own purposes,
(including for use in an organisation, however large), that’s fine. No
requirement to release program or publish updated source code.
If you adapt Qubes code, and distribute an updated binary, that will
fall within GPL - you have to provide source.
If you write a new program, say a new Qubes Manager, from scratch, then
(probably) no requirement to license under GPL and release source. This
would depend on how closely the new program was tied to Qubes data
structures: it would be arguable. If the new Manager just called existing
programs, almost certainly not within GPL. In this case you could release
the program, retain source, charge for it if you wanted, do what you want.
Those are your freedoms with your code.

Interesting issues, but time consuming.

2 Likes