Thank you for that helpful info, @wctaylor, could you tell me how to get Qubes on Purism? I saw on the website of Purism that the machine ships with it on a stick and in my case they were out of sticks and thus refunded me for it, but how do I go about getting the Qubes myself, do you know? Would I have to undo all the work in the shell that @kakaroto has helped me with? I can’t for example install it and then open it up like a VM and use it whenever I like?
Or, maybe there is an alternative that would work. I’ve heard Whonix is also quite safe as operating systems go and is another kind of VM. Perhaps like you said the best thing to do is just check if there is a .deb file for either and if so then download and install?
Hi @OntheMain, you should just go to the Qubes website and follow their instructions here:
You will download the Qubes .iso file (you presumably want Qubes 4.0). You can either click the .iso download link or the torrent download link. The torrent link might download faster, but you’ll need to make sure you have some torrent software installed, like Transmission or Deluge (I believe Transmission is available in the Software center). Otherwise just download the .iso directly.
You will need a USB stick, but I think pretty much any USB stick will do, unless it’s particularly old and doesn’t have a large storage capacity. Keep in mind that the process of making the USB bootable will erase any data on it, so either make sure you have backed up the USB data if you care about it.
All the Coreboot stuff exists at a lower level than the operating system, so I believe you won’t have to redo any of the Coreboot work, but @kakaroto should confirm.
I see you just posted in another thread about not seeing the .deb file. This is because Qubes is another operating system, not a program that one downloads and runs. Think of Qubes/PureOS as alternatives Windows, and .deb files as the Debian-based alternative to .exe files. You want the .iso file, which contains the Qubes operating system.
I will advise some caution - while I have not personally tried doing anything with Qubes, from what I can tell it is not a very beginner friendly system. I would suggest waiting a bit and becoming more familiar with Linux before trying to install Qubes as your main operating system. Nominally, you should think of installing Qubes as replacing PureOS with Qubes - PureOS would be gone (as would all your data on PureOS, unless you’ve backed it up somewhere).
There are ways to install two operating systems on the same computer (Called dual-booting), which involves partitioning the hard drive, so that one operating system lives on one partition, and the other lives on another partition. But this might also be a little more than you want to sink your teeth into right now.
If you want to play with Qubes, I would first suggest using virtual machine software like GNOME Boxes (also available through the software center). This is how one can run one operating system inside another (like the name virtual machine suggests, you basically create a computer within your computer). So you could download the Qubes .iso file, and then install it using GNOME Boxes, and play around with Qubes in there. This would keep your computer safe from any mistakes made during the installation process - you won’t risk deleting PureOS or your data.
Qubes itself works on the principle of having many different virtual machines for compartmentalizing different aspects of the system, so this approach will hopefully also make you more familiar with virtual machines and Qubes and help you feel more comfortable performing the real installation later on.
Not really… I don’t see the point either, I’m already getting paid by Purism to do this sort of thing, and I think the best way to show your appreciation might be to tell others about your experience with the Librems or with the support you’ve received. Thanks anyway though, I appreciate the thought
It depends, I don’t think there would be an issue with actually updating any of the machines to the latest coreboot releases, the difference might be with specific features, like for example when we added IOMMU support for the skylake machines, we had to backport the same feature for broadwell machines. If a feature becomes too complicated to backport it to older machines, we might decide that it’s not worth the effort.
It depends, some software is multiplatform (works for windows, mac and linux), some isn’t. For those that aren’t multiplatform, you’ll find alternatives, you could google " alternative for linux" to find forums or articles or whatever where people talk about good linux alternatives for the specific software you’re looking for. Like @wctaylor said, LibreOffice would be a great (and free) alternative to the Microsoft Office Suite. You could also use Gimp as a great, and free, alternative to PhotoShop, etc…
Purism is the company, Librem is the brand of laptop, and PureOS is the name of the Linux distribution that comes with the Librems. PureOS is based on debian (but without proprietary drivers), so if you get lost, you can always google stuff for debian (like “how to install software on debian” for example) as it will give you more results than saying PureOS. Note that Linux is a free and open source Operating System and there are multiple distributions which is basically a “flavor” of the same linux system. Debian, Fedora, Ubuntu, PureOS, Qubes, are all different distributions of the same Linux system. The default installed applications will be different from one to the other, the default application (like the default media player, or default chat program, etc…) will also be different. For example, in Fedora, the default terminal is Gnome-Terminal, in PureOS it’s Tilix. etc…
Qubes is a linux distribution, so you don’t install a “window’s version”, instead you “install Qubes to replace windows”. Same applies for PureOS, if you install Qubes, you’d be replacing PureOS with Qubes instead.
Considering that you are not experienced with Linux I would tell you to stay away from Qubes (unless you want to learn to use it and that’s really what you want to use). Qubes is very different in the way it works, it’s very complex (I think there’s a lot of documentation though), and when I tried it, I couldn’t stand it for more than 5 minutes because I was just too lost in it. Maybe as a newbie in Linux in general, you won’t find any difference in difficulty in using Qubes versus using regular Linux, but yeah… be aware that the way Qubes functions is fundamentally different from what you may be used to and it was very very difficult for me to use it.
I’d suggest you try it on a live USB first, or install it to a separate hard drive or a VM just to test it out first.
Not really, you updated coreboot, which is your BIOS, that’s independent of any hard drive or OS you have installed, so if you install Qubes, or any other OS, your coreboot version will still remain the same.
Note however that yes, if you install Qubes, it will delete your current installation of PureOS and reformat the hard drive.
Yes, you could do that, but I’m not really into VMs, so I can’t really help you figure out how to do all that. But basically install a virtual machine manager (I used VirtualBox in the past), then install Qubes in that.
Before you decide on playing around with Qubes, I suggest you watch this video which shows you what/how Qubes works, and that should give you a better idea on whether or not you even want to try it.
Thank you again! I’d definitely like to get to know Qubes, so I’ll probably be starting with that. This particular distribution of Linux is much better than I thought Linux would be, to tell you the truth. When I thought or heard Linux, I always thought of guys in their basement going crazy with a system based entirely off of a shell, able to read and use like twenty computer languages. I had no idea it was anything remotely like Mac or PC where you can use a mouse and what not. I know about VMs because of windows and I’ve actually used them before, so I don’t know that it’ll be all that complicated, at least I hope. But the shell is important and I’d like to learn more about it, for sure. Not really sure where to start in terms of learning that side of things, which language to learn, etc.
Anyways, thank you for your help again, much appreciated.
I know you work for Purism and all, it’s just you do a stand-up job and I had hoped you’d be able to be rewarded for going above and beyond like that.
Wow, you really know your stuff. I’ve been inspired to learn more about a computer language for some time but haven’t found the motivation to really follow through. Maybe working with and using Linux will help with that.
Thank you for the explanation, that puts things into perspective. Company, brand name, distribution, nice. You were right to explain it, I did not know that. Why is Ubuntu so popular compared to the others, or is that a misconception on my part? I’ve heard of Fedora, Debian, and of course PureOS and Qubes. I had no idea that they were distributions of the same OS but that said, to me Qubes is considered the king of security, PureOS is used for Librem but other than that I don’t know its differences, and then of course the three previous distributions I only have vague impressions of. You don’t have to waste your time on such of course, I recognize that you have more pressing issues to attend to than letting me know that simple google searches will likely clarify my questions there, but if you have any quick way of summing them up that doesn’t take too much of your time, that’d be interesting to know.
Default applications, also interesting. So the application is the program that serves people in some convenient way but each OS has its own default applications. That is also news to me.
Right on, this sounds consistent with the advice @wctaylor mentioned too. I actually downloaded qubes onto a stick but when I try to open it on PureOS, it doesn’t work. I guess that means I need to leave the stick in and reboot and at the starting up of the system, perhaps I’ll be given the option to boot from the stick? If that is more something that I’d need to check out on Qubes I’ll not steal your time on that of course. Thank you again for the explanation and the advice!
Great, I’ll likely try either Qubes or something like Whonix just to be as safe and unhackable as I can get.
I had heard that Qubes was the best bet but I don’t want to get lost in it either and if you did in just five minutes then I think my best bet will to be to stay with PureOS for now and hopefully learn more about how the system works.
To be honest, the desktop and mouse and what not are far different from what I had expected in hearing about Linux. I don’t know anything about it except for what I’ve heard, and as far as I had known, Linux was really the third option for people who know what they are doing and use computers really seriously, where PC and Mac are more mainstream play-things for people who just consume and don’t really know anything. Whenever I’ve thought of Linux I’ve thought of just… basically hardcore computer geniuses and the like. Funny what one’s impressions can be. Maybe your company and team decided to make PureOS more user-friendly than other Linux distributions and my initial impression was not that far off, lol?
By the way, since installing the update you helped me through, my display flashed earlier on (about five to six times in a row, each flash somewhat like the display was turning off and then back on, where when on, it was all white. It happened when I opened up a new tab in the browser. As well, a little later, the CPU fan, I believe, started spinning really quickly and wouldn’t stop and so I restarted. It kept doing it and so then I turned the computer off entirely, and then once I turned the machine on again, the fan went back to normal). Also, a few times now, I have restarted (not shutdown completely) and in restarting and entering my password, the screen stays black but I can still access those features that are accessible when entering the password, (the shut-off button via the mouse, located in the upper-right hand corner, etc). When that happens, it’s as if the desktop doesn’t load but the password gateway or whatever the name for that part is also goes away, and so the entire screen is just black. The mouse is still viewable though and so when I move it up towards the top of the screen, I can see the part on the right-hand side that allows me to shut down the machine if I want to. And, in fact, I end up having to because otherwise it just never loads and I’m stuck. However, when I shut it off and then start it, it loads as it is intended to. It’s happened a couple times now, as I mentioned, so that’s why I thought I’d bring it up. Unlike the flashes and potential CPU fan glitches I noticed, the start-up glitch seems to happen if I restart. I’ll check again after I post this to be sure and edit if it has gone away.
Edit: it did not glitch after restart. I didn’t shut it down and turn it back on but juts restarted, and so it appears that whatever was causing it has gone away or is more sporadic than assumed. If it persists I’ll let you know.
Excellent, yes I think I’ll try it that way. Thank you for the resource, and again, for your help!!
Basically because a millionaire created it and made sure to promote it extensively. Fedora (used to be called Redhat) was very popular before that because of their business-oriented distribution, but Ubuntu made things easier, they cut down on all the options for users and made it more into a newbie-user-oriented distribution rather than a business-oriented or advanced-user-oriented distribution. Ubuntu itself was based on debian but with less option (Gnome chosen instead of giving the choice of desktop environment to the user, all default apps chosen instead of having the user select what packages they want during the installation of the OS, etc…)
Yes, but it’s not because the others aren’t secure, it’s because of the way Qubes is setup. The security is based on isolating processes, basically every program you open would be in a ‘domain’, so you’d have your chrome browser open with the ‘business domain’ and another chrome window open for ‘personal’ stuff, you’d have your personal files open in your personal domain, and work related (per project even or whatever) open in a separate domain, and basically each domain is its own virtual machine. The security comes from the fact that if you open a .doc file with a virus for example, all it could do is to compromise that virtual machine which wouldn’t contain anything personal. If you open a website on chrome that uses a webkit bug to take control of the machine, they’d only be able to control the virtual machine in which chrome was launched (which would be its own virtual machine without any files on it), so none of your personal or work files are compromised, etc… The difference is that each window is in its own virtual machine, seamlessly, instead of having one window per virtual machine and a desktop in each of those virtual machines and each having their own windows within.
That’s where the security of Qubes is, it’s not because the linux it runs is more secure than the linux in PureOS for example (it might be that it has more security features enabled, I actually don’t know, but it’s probably going to be the same linux kernel on both sides).
That’s also why it makes using Qubes so complicated… oh you’re on gmail and you want to attach a file and send it to your friend, you click the attach button, oups, there are no files, you have to use some method to transfer the file from your ‘personal’ domain (the VM) to the one with chrome, before you can access it, then delete it from that other VM. Anyways that video will give you a really good idea of how it is to be using Qubes.
Like I said before, PureOS is the same as debian but without any of the proprietary drivers. So for example a debian system can be installed on any laptop and it would Just Work, because it comes with drivers for every possible hardware, but if you install PureOS on some other laptop than a Librem, it may or may not work correctly. It will mostly work but maybe you won’t be able to use Wifi because that laptop is using an Intel wireless card which requires proprietary drivers (which debian has but which PureOS doesn’t), or maybe the graphics won’t be accelerated because the machine uses an NVidia graphics card which requires the nvidia proprietary drivers, etc… other than the fact that PureOS doesn’t have any of the proprietary drivers that are required to work on non-librem machines, there should be no differences between PureOS and a regular debian (I might be wrong, I’m not involved in PureOS and I know the PureOS team does a LOT of work, so it can’t be that simple, but I think that’s the main difference basically).
Yeah, like debian would come with IceWeasel for the default browser, which is a rebranding of FireFox (the license of firefox prevents someone from using the brand name Firefox), Fedora would come with Firefox itself. Some other distribution might use Chromium (open source version of Google Chrome), PureOS uses PureBrowser which I think is a rebranded Chromium or Firefox, I’m not sure.
In one distribution the default email application might be Evolution, in another it might be thunderbird, etc… Yes, the application is just the program used to do something (browser, email client, chat application, photo editing, photo viewing, camera capture, word editing, media player, etc…)
Yeah, when it boots, when it shows the Purism logo, it should say “press ESC to choose your boot device” I think, so press ESC key at that moment, and you’ll get to choose which drive to boot from, there should be a new option for the USB drive you have with Qubes, select that and it will boot into it.
They don’t make you “more unhackable”, they just make your data “safer in case you do get compromised” because they compartmentalize where your data is… actually, that’s for Qubes, I don’t know about whonix, never heard of it.
Not really, I don’t think PureOS is any simpler than any of the other mainstream distributions. And yes, Linux used to be that way when I started using it (about 18 years ago), but it stopped being like that maybe 10 or 15 years ago already and actually, using Linux is more user-friendly than Windows or Mac I would say. It’s just different…
If you want something, you open the software center, search what you want, click install and it’s done, with windows at least, you’d have to search for it online, download the installer, then install it manually, then it’s done.
Please do, I won’t answer all that now cause I’m done for the day and it sounded complicated, but if you’re still having issues, let me know and I’ll see what’s up… though it might be the OS itself, not coreboot related. and it might have been a fluke.
Many people new to Linux are fascinated by distributions like Qubes and Kali because they think they are exceptionally safe or a shortcut to becoming a “hacker”. I’ve been using Linux for 20 years and I still prefer distributions that are “newbie freindly” or “just work”. I don’t care for the looks of PureOS so I just install one of the most common and easiest to use distributions, i.e. Linux Mint: https://linuxmint.com/
If you’re not happy with PureOS, I recommend you do the same. Safety ultimately depends on the user - not on the distribution.
Having an easy way to update the BIOS, e.g. from within the old BIOS, would certainly be a nice feature for Librem products, but that’s a different issue.
Thank you, the info on the different distributions is interesting. I’m curious what makes Debian so special that Ubuntu should base itself on it and beat Fedora in the process. Maybe it’ a kind of generic distribution. Another question it looks like I’m going to be researching is what a Gnome is or what it does, since I’ve heard it quite a bit here on the forum, as well as blobs.
I watched the video and as it turns out, Qubes is much more elaborate than I had thought. Looks really cool.
Yeah that make sense. I imagine that right there weakens its integrity not from the point of view of the setup itself but from the pov of the user, since out of convenience and in some cases practicality or even necessity, the user might send him/herself things frequently enough that they introduce weaknesses in their setup. Maybe that means, just like you said, that since its such an airtight system, it’s not designed for everyday use.
Thank you, okay I understand. Yes that is indeed interesting. It sounds like PureOS is thus Debian but retooled not just to run but to run in spite of not having hardware debian was designed to require if to be able to run properly while PureOS is saying that such hardware may well be seriously weak links to security both from the corporate but as well from the world of serious thieves or intruders, too. It’s an amazing achievement. In your opinion, will quantum technologies render present-day cryptography defunct?
Right on, thank you. I may do that or I may start with it inside PureOS just to see how it is. You also mentioned never having heard of whonix, I think it’s developed by a German team. I checked them out and they seem really secure too. What makes a person less prone to hackers getting in their systems if not for all these security measures and what not? That’s amazing that you have so much experience with computers and have gone so deeply into it. I didn’t know that Linux was that old.
That makes a lot of sense. As a newbie, I’ve learned that emails are very easy to underestimate for people who don’t know any better (through phishing attempts, poor password choices, no extra security steps in place; not encrypting; logging into accounts from different machines; allowing email access to different applications, etc.
Are there other precautions that a newbie like me wouldn’t consider? For example something was said earlier on where for example by visiting the wrong website, a kind of webkit could be used to try to gain access and control of the machine used to access the site. Before that was written, I think just a few days ago as an example of some of the appeal of Qubes, I seem to remember, I had never heard of such a thing. Maybe like emails there are certain network-level rules or other behavior or precautions to consider to help ensure safety?
I think you may find this site useful: https://distrowatch.com/
When checking the URL above I realized Mint had just released a new stable version of their Debian edition. I think I’ll stick that on my Librem 15 now.
Hear! Hear!
That is the main reason I switched from Windows completely around 15 years ago. I’m no developer, just a regular user, and Windows was a hassle compared to Linux even back then. Microsoft are just very good at marketing and monopoly creation (lock-in), so many people still think Linux is somehow difficult to use.
Judging by the way you write, I frankly think you have it covered. What’s needed is mostly just common sense. But if you really handle very sensitive information, I think you should hire security experts. Even a professional boxer may need a hired bodyguard in certain situations.
By the way, does anybody have any tips on how to easily encrypt and partition the whole drive before installing an OS? Manjaro does an ok job during installation, but Mint has been lacking in this respect. (This is a bit off-topic, so moderators should feel free to split this post if deemed appropriate.)
do you mind my asking for a little help? The thing is I already have the Qubes on my USB but trying to figure out how to make it into a rebootable USB.
I downloaded Qubes onto the USB already but the Qubes I downloaded is an .iso file given that I use Mac. Also, the USB I have has considerable storage capacity but isn’t one that is formatted out-of-box for rebooting. I looked into it and as far as I can tell I need to reformat it so that Debian can read it? The next step would then be to have the Qubes file placed on there after it’s been so formatted?
To me that means erasing everything on it, formatting it by using the disk utility application to MS-DOS (FAT) and then I have to set the scheme to GUID Partition Map, and once that’s been done, I just click on erase?
But then if that’s the case and it will work for debian (those are instructions I found for Ubuntu from Mac) then after that do I simply put the Qubes file on there and then once I start my Librem up, hit f2 and then use the BIOS to boot from the USB stick?
Thank a bunch(!), it’s just I’m not sure how to go about it and would rather not spend the extra money if I don’t have to, since chances are if I go out and buy a USB stick I’ll end up getting one I don’t really need.
Yes, it’s a fact, not really an opinion, but quantum computers are still pretty far in the future I think (though intel found a way to mass produce them, but it still requires absolute zero temperature for it to work properly).
Well, Chrome uses webkit to render web pages. You can think of it as “chrome is the window with the tabs, the navigation bar, the back/forward buttons, the menus, etc… and webkit is the area inside chrome which actually displays the web content”. Safari (on Mac) uses webkit too (actually, webkit was developped by Apple for Safari) and pretty much anything that has a ‘web view’ or anything like that will be using webkit.
Webkit doesn’t only parse the html to know what to display, but also executes the javascript which makes websites interactive (like when you select text in this forum and it pops a ‘quote’ button, that’s javascript, when you click on it and it pops the reply area, that’s javascript, etc… and well, javascript is code basically, but it’s meant to run ‘sandboxed’, it has limits, it doesn’t give you access to things you shouldn’t have access to (such as local files). However, like any software, it can (and has) bugs, and since it’s so widely used and it’s such a complex thing, it has a ton of bugs and a ton of people sifting through it to find new bugs every day.
Those bugs could allow someone to write code that triggers the bug… it could either crash the browser, or (worse), give the person full native code execution on the machine (so they can do whatever they want). If chrome is running as a user, then you risk your own user (that’s why you’re never supposed to run “user apps” as root).
Note that this is also the method used for most jailbreaking attempts. If you see how the PS4 is currently hacked, or that first 2007 jailbreak of the iphone (and quite a few subsequent ones I’m sure) where you would just go to ‘jailbreakme.com’ on your phone and it would jailbreak the phone, it was because it was using a webkit bug to execute custom code on the phone which would remove the protections it had. Same thing with the nintendo switch, the PS4 or most other gaming consoles.
So anyways, that’s basically what it is. That’s also why you should avoid going to weird/suspicious websites.
Not sure, but from what I hear, archlinux is a “do everything yourself” kind of distro, which is why their wiki is full of all of the information you might need. I’m not sure about the ‘easily’ part, but you’ll probably find the information on how to do it yourself the right way.
I suggest you try https://etcher.io/ as it is very user friendly and will do all of that for you, you just give it the iso file and the usb and it will copy it. Also, no you don’t actually format the drive, the ‘iso’ file itself is a pre-formatted (in the ISO9660 partition type, not FAT) copy of the drive, so you wouldn’t copy the file to the drive, you would copy the file to the USB device itself (thus overwriting all partitions with the iso contents, instead of copying the file into an existing partition). Etcher takes care of all that for you in a user friendly UI, though it’s very easy to do in linux without the need for such UI (it’s complicated to do it without etcher in windows and I’m not sure about mac).
Ok so I tried to boot from the stick but when I turn on the laptop and hit F2 or hold it the screen changes from its regular loading of PureOS to all black with a few lines at the top, one of which says to visit a particular debian link on wiki for missing firmware.
That happens consistently no matter how many times I try to restart while the USB stick is in our out of the port. If I shut down in the middle of starting it and then start it up again, a special page appears automatically prompting me to run the PureOS version or to run a memory test etc. If I access the advanced options therein, no option is given to access the USB stick either.
Also, if I try to access the same menu with no USB stick plugged in but only plug it in when the menu is already loaded, the USB stick is also not detected.
I also tried pressing F1 instaed of F2 and it also doesn’t do anything. Should I for example press it juts one time intead of holding it and or do so with the stick in or out or?
Thank you, sorry for the hassle, I thought it’d be as easy as simply sticking in the USB and hitting F2 and then loading things from there.
I’d assume the problem is the USB stick itself but I followed your direction on Etcher and the USB stick I used worked and plus the BIOS menu doesn’t seem to even be loading when I hit or hold down F2.
When you boot, when you see the purism logo for a second before it tries to boot your OS, it should say “ESC->Boot menu” at the bottom…
So, press the ESC key, not F2 (I also mentioned it before that it should be the ESC key by the way)
Ok so you were right, it was just that easy. The thing is now, I am in the Qubes installation setup and in spite of not having installed anything on the SSD drive that came with the Librem, which is over 112GiB, when I select it as the installation destination, it seems to think that there is basically no space on it left. Do I need to “delete all” and thus the PureOS in order to free up the space on the drive? As far as I can tell the PureOS should not at all take up some 112 GiB and so maybe it’s just the fact that the drive is not the right format or something? I have no idea.
I’d suggest you either use a different hard drive, or to completely erase your existing one (and lose PureOS).
Yes, you aren’t using the full 112GB of your SSD, but your SSD is still partitioned to use the full 112GB. I suggest you read up on how partitions work and why it doesn’t work the way you think it does.