
Merge branch 'debian'

Conflicts:
	misc/qubes-r2.list.in
	misc/qubes-trigger-sync-appmenus.sh
	network/30-qubes-external-ip
	network/qubes-firewall
	vm-systemd/network-proxy-setup.sh
	vm-systemd/prepare-dvm.sh
	vm-systemd/qubes-sysinit.sh
Marek Marczykowski-Górecki 9 years ago
parent
commit
9130636c88

+ 14 - 7
Makefile

@@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
 
-install-common:
-	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
+	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
+	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
+
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 
+	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
+	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
+
+install-common:
+	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+
 	install -d $(DESTDIR)/var/lib/qubes
 
 	install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
 	install -d $(DESTDIR)/etc/udev/rules.d
 	install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
 	install -d $(DESTDIR)/usr/lib/qubes/
-	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
 	install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
 	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
-	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
 	install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 	install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 	install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
@@ -129,8 +135,6 @@ install-common:
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
@@ -176,7 +180,6 @@ install-common:
 	install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
 
 	install -d $(DESTDIR)/mnt/removable
-	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
 
 	install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
 
@@ -188,5 +191,9 @@ install-deb:
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 	sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
+	install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
+	install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
+	install -d $(DESTDIR)/etc/sysctl.d
+	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 
 install-vm: install-rh install-common
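Review bot: The two `install -D -m 644 network/iptables ...` / `network/ip6tables ...` lines added to install-deb leave the Debian firewall rule sets world-readable, while the very same source files are installed `-m 0400` in the install-rh hunk above; the two targets should agree, and a ruleset that is only ever loaded by a root service has no reason to be readable by every account in the VM. Suggest `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4` and `install -D -m 0400 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6` — presumably 0400 suffices for iptables-persistent, but confirm against how it reads the files. The beginning of install-deb's recipe lies above this hunk, so any earlier lines of the target are not visible here.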

+ 5 - 2
debian/control

@@ -9,8 +9,11 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
 
 Package: qubes-core-agent
 Architecture: any
-Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends}
-Conflicts: qubes-core-agent-linux
+Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends}
+Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
  This package includes various daemons necessary for qubes domU support,
  such as qrexec.
+
+# Unresolved depends that exist in rpm_spec
+#qubes-core-vm-kernel-placeholder, qubes-core-vm,
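Review bot: The rewritten `Depends:` field packs some forty package names onto a single line, so every future dependency change shows up as an unreadable whole-line diff; the field may be folded with continuation lines indented by one space, and one dependency per line (`Depends: qubes-utils,` / ` libvchan-xen,` / ` xenstore-utils,` ...) keeps such diffs reviewable. The list also names both `chrony` and `ntpdate` and both `systemd` and `initscripts`; if only one of each pair is meant to be used in a Qubes VM, the reason for pulling in both deserves a line next to the trailing `# Unresolved depends that exist in rpm_spec` comment.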

+ 0 - 1
debian/files

@@ -1 +0,0 @@
-qubes-core-agent_2.1.33_amd64.deb admin extra

+ 504 - 0
debian/qubes-core-agent.postinst

@@ -0,0 +1,504 @@
+#!/bin/bash
+# postinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The postint script may be called in the following ways:
+#   * <postinst> 'configure' <most-recently-configured-version>
+#   * <old-postinst> 'abort-upgrade' <new version>
+#   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#     <new-version>
+#   * <postinst> 'abort-remove'
+#   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#     <failed-install-package> <version> 'removing'
+#     <conflicting-package> <version>
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+# Directory that modified desktop entry config files are stored in
+XDG_CONFIG_QUBES="/usr/share/qubes/xdg"
+
+# Install overriden services only when original exists
+installOverridenServices() {
+    override_dir="${1}"
+    service="${2}"
+    retval=1
+
+    for unit in ${service}; do
+        unit="${unit%%.*}"
+        unit_name="$(basename ${unit})"
+        if [ -f ${unit}.service ]; then
+            echo "Installing override for ${unit}.service..."
+            cp ${override_dir}/${unit_name}.service /etc/systemd/system/
+            retval=0
+        fi
+        if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then
+            echo "Installing override for ${unit}.socket..."
+            cp ${override_dir}/${unit_name}.socket /etc/systemd/system/
+            retval=0
+        fi
+        if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then
+            echo "Installing override for ${unit}.path..."
+            cp ${override_dir}/${unit_name}.path /etc/systemd/system/
+            retval=0
+        fi
+    done
+
+    return ${retval}
+}
+
+reenableNetworkManager() {
+    # Disable original service to enable overriden one
+    echo "Disabling original service to enable overriden one..."
+    disableSystemdUnits ModemManager.service
+    disableSystemdUnits NetworkManager.service
+
+    # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
+    echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)"
+    systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager"
+
+    echo "Re-enabling original service to enable overriden one..."
+    enableSystemdUnits ModemManager.service
+    enableSystemdUnits NetworkManager.service
+
+    # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
+    echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811"
+    enableSystemdUnits NetworkManager-dispatcher.service
+}
+
+remove_ShowIn() {
+    if [ -e "${1}" ]; then
+        sed -i '/^\(Not\|Only\)ShowIn/d' "${1}"
+    fi
+}
+
+showIn() {
+    desktop_entry="${1}"
+    shown_in="${2}"
+    message="${shown_in:-"Shown in All;"}" 
+    desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}"
+
+    # Make sure Qubes autostart directory exists
+    mkdir -p "${XDG_CONFIG_QUBES}/autostart"
+
+    # Desktop entry exists, so move to Qubes directory and modify it
+    if [ -e "${desktop_entry}" ]; then
+        echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..."
+        cp -pf "${desktop_entry}" "${desktop_entry_qubes}"
+
+        remove_ShowIn "${desktop_entry_qubes}"
+        sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}"
+
+        # Will only be '' if shown in all
+        if [ ! "${shown_in}x" == "x" ]; then
+            echo "${shown_in}" >> "${desktop_entry_qubes}" || true
+        fi
+
+    # Desktop entry must have been removed, so also remove from Qubes directory
+    else
+        echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..."
+        rm -f "${desktop_entry_qubes}"
+    fi
+}
+
+setArrayAsGlobal() {
+    local array="$1"
+    local export_as="$2"
+    local code=$(declare -p "$array")
+    local replaced="${code/$array/$export_as}"
+    eval ${replaced/declare -/declare -g}
+}
+
+systemdInfo() {
+    unit=${1}
+    return_global_var=${2}
+
+    declare -A INFO=()
+    while read line; do
+        INFO[${line%%=*}]="${line##*=}"
+    done < <(systemctl show ${unit} 2> /dev/null)
+
+    setArrayAsGlobal INFO $return_global_var
+    return ${#INFO[@]}
+}
+
+displayFailedStatus() {
+    action=${1}
+    unit=${2}
+
+    # Only display if there are results.  In chroot environmnet there will be 
+    # no results to 'systemctl show' command
+    systemdInfo ${unit} info || {
+        echo
+        echo "==================================================="
+        echo "FAILED: systemd ${action} ${unit}"
+        echo "==================================================="
+        echo "    LoadState = ${info[LoadState]}"
+        echo "    LoadError = ${info[LoadError]}"
+        echo "  ActiveState = ${info[ActiveState]}"
+        echo "     SubState = ${info[SubState]}"
+        echo "UnitFileState = ${info[UnitFileState]}"
+        echo
+    }
+}
+
+# Disable systemd units
+disableSystemdUnits() {
+    for unit in $*; do
+        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+            echo "Disabling ${unit}..."
+            systemctl is-active ${unit} > /dev/null 2>&1 && {
+                systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
+            }
+            if [ -f /lib/systemd/system/${unit} ]; then
+                if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
+                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+                else
+                    # Forcibly disable
+                    echo "Forcibly disabling: ${unit}"
+                    ln -sf /dev/null /etc/systemd/system/${unit}
+                fi
+            else
+                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+            fi
+        } || {
+            echo "It appears ${unit} is already disabled!"
+            #displayFailedStatus is-disabled ${unit}
+        }
+    done
+}
+
+# Enable systemd units
+enableSystemdUnits() {
+    for unit in $*; do
+        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+            echo "It appears ${unit} is already enabled!"
+            #displayFailedStatus is-enabled ${unit}
+        } || {
+            echo "Enabling: ${unit}..."
+            systemctl enable ${unit} > /dev/null 2>&1 && {
+                systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
+            } || {
+                echo "Could not enable: ${unit}"
+                displayFailedStatus enable ${unit}
+            }
+        }
+    done
+}
+
+# Manually trigger all triggers to automaticatly configure
+triggerTriggers() {
+        path="$(readlink -m ${0})"
+        triggers="${path/postinst/triggers}"
+
+        awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line
+        do
+            /bin/bash -c "${0} triggered ${line##* }" || true
+        done
+}
+
+case "${1}" in
+    configure)
+        # disable some Upstart services
+        for init in plymouth-shutdown \
+                    prefdm \
+                    splash-manager \
+                    start-ttys \
+                    tty ; do
+            if [ -e /etc/init/${init}.conf ]; then
+                mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
+            fi
+        done
+
+        # Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+        echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
+        chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh
+
+        # Sudo's defualt umask is 077 so set sane default of 022
+        # Also don't allow QT to used shared memory to prevent errors
+        echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
+        echo 'Defaults umask_override' >> /etc/sudoers.d/umask
+        chmod 0440 /etc/sudoers.d/umask
+        echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
+        chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm
+
+        # Create NetworkManager configuration if we do not have it
+        if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
+            echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+            echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+            echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+        fi
+        
+        # XXX: Test to see if this will satisify dispatcher dependancy
+        if [ ! -e  "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then
+            ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service
+        fi
+
+        # Remove old firmware updates link
+        if [ -L /lib/firmware/updates ]; then
+            rm -f /lib/firmware/updates
+        fi
+
+        #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+        #  echo >> /etc/yum.conf
+        #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+        #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+        #fi
+
+        # Revert 'Prevent unnecessary updates in VMs':
+        #sed -i -e '/^exclude = kernel/d' /etc/yum.conf
+
+        # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
+        # in the form expected by qubes-sysinit.sh
+        for ip in '127\.0\.1\.1' '::1'; do
+            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+                sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+                sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+            else
+                echo "${ip//\\/} `hostname`" >> /etc/hosts
+            fi
+        done
+        # remove hostname from 127.0.0.1 line (in debian the hostname is by default
+        # resolved to 127.0.1.1)
+        sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+
+        chown user:user /home_volatile/user
+
+        #if [ "${1}" !=  1 ] ; then
+        #    # do the rest of %post thing only when updating for the first time...
+        #    exit 0
+        #fi
+
+        if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
+            cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+        fi
+
+        # Remove most of the udev scripts to speed up the VM boot time
+        # Just leave the xen* scripts, that are needed if this VM was
+        # ever used as a net backend (e.g. as a VPN domain in the future)
+        #echo "--> Removing unnecessary udev scripts..."
+        mkdir -p /var/lib/qubes/removed-udev-scripts
+        for f in /etc/udev/rules.d/*
+        do
+            if [ $(basename ${f}) == "xen-backend.rules" ] ; then
+                continue
+            fi
+
+            if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
+                continue
+            fi
+
+            if echo ${f} | grep -q qubes; then
+                continue
+            fi
+
+            mv ${f} /var/lib/qubes/removed-udev-scripts/
+        done
+
+        # Create /rw directory
+        mkdir -p /rw
+
+        # XXX: TODO: Needs to be implemented still
+        #rm -f /etc/mtab
+        #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+        #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+        #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+        # Enable Qubes systemd units
+        enableSystemdUnits \
+            qubes-sysinit.service \
+            qubes-misc-post.service \
+            qubes-netwatcher.service \
+            qubes-network.service \
+            qubes-firewall.service \
+            qubes-updates-proxy.service \
+            qubes-updates-proxy.timer \
+            qubes-qrexec-agent.service
+
+        # Set default "runlevel"
+        rm -f /etc/systemd/system/default.target
+        ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+
+        # Process all triggers which will set defaults to wanted values
+        triggerTriggers
+
+        disableSystemdUnits \
+            alsa-store.service \
+            alsa-restore.service \
+            auditd.service \
+            avahi.service \
+            avahi-daemon.service \
+            backuppc.service \
+            cpuspeed.service \
+            crond.service \
+            fedora-autorelabel.service \
+            fedora-autorelabel-mark.service \
+            ipmi.service \
+            hwclock-load.service \
+            hwclock-save.service \
+            mdmonitor.service \
+            multipathd.service \
+            openct.service \
+            rpcbind.service \
+            mcelog.service \
+            fedora-storage-init.service \
+            fedora-storage-init-late.service \
+            plymouth-start.service \
+            plymouth-read-write.service \
+            plymouth-quit.service \
+            plymouth-quit-wait.service \
+            sshd.service \
+            tcsd.service \
+            sm-client.service \
+            sendmail.service \
+            mdmonitor-takeover.service \
+            rngd smartd.service \
+            upower.service \
+            irqbalance.service \
+            colord.service
+
+        rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
+
+        # Enable other systemd units
+        enableSystemdUnits \
+            rsyslog.service
+
+        # XXX: TODO: Needs to be implemented still
+        # These do not exist on debian; maybe a different package name
+        #    iptables.service \
+        #    ntpd.service \
+        #    ip6tables.service \
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        exit 0
+        ;;
+
+    triggered)
+        for trigger in ${2}; do
+            case "${trigger}" in
+
+                # Update Qubes App Menus
+                /usr/share/applications)
+                    echo "Updating Qubes App Menus..."
+                    /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+                    ;;
+
+                # Install overriden services only when original exists
+                /lib/systemd/system/NetworkManager.service | \
+                /lib/systemd/system/NetworkManager-wait-online.service | \
+                /lib/systemd/system/ModemManager.service)
+                    UNITDIR=/lib/systemd/system
+                    OVERRIDEDIR=/usr/lib/qubes/init
+                    installOverridenServices "${OVERRIDEDIR}" "${trigger}"
+                    if [ $? -eq 0 ]; then
+                        reenableNetworkManager
+                    fi
+                    ;;
+
+                # Enable cups only when it is real Systemd service
+                /lib/systemd/system/cups.service)
+                    echo "Enabling cups"
+                    [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
+                    ;;
+
+                # "Enable haveged service"
+                /lib/systemd/system/haveged.service)
+                    echo "Enabling haveged service"
+                    enableSystemdUnits haveged.service
+                    ;;
+
+                # Install overridden serial.conf init script 
+                /etc/init/serial.conf)
+                    echo "Installing over-ridden serial.conf init script..."
+                    if [ -e /etc/init/serial.conf ]; then
+                        cp /usr/share/qubes/serial.conf /etc/init/serial.conf
+                    fi
+                    ;;
+
+                # Disable SELinux"
+                /etc/selinux/config)
+                    echo "Disabling SELinux..."
+                    if [ -e /etc/selinux/config ]; then
+                        sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
+                        mv /etc/selinux/config.processed /etc/selinux/config
+                        setenforce 0 2>/dev/null
+                    fi
+                    ;;
+
+                # Desktop Entry Modification - Remove existing rules
+                /etc/xdg/autostart/gpk-update-icon.desktop | \
+                /etc/xdg/autostart/nm-applet.desktop | \
+                /etc/xdg/autostart/abrt-applet.desktop | \
+                /etc/xdg/autostart/notify-osd.desktop)
+                    showIn "${trigger}"
+                    ;;
+
+                # Desktop Entry Modification - Not shown in Qubes
+                /etc/xdg/autostart/pulseaudio.desktop | \
+                /etc/xdg/autostart/deja-dup-monitor.desktop | \
+                /etc/xdg/autostart/imsettings-start.desktop | \
+                /etc/xdg/autostart/krb5-auth-dialog.desktop | \
+                /etc/xdg/autostart/pulseaudio.desktop | \
+                /etc/xdg/autostart/restorecond.desktop | \
+                /etc/xdg/autostart/sealertauto.desktop | \
+                /etc/xdg/autostart/gnome-power-manager.desktop | \
+                /etc/xdg/autostart/gnome-sound-applet.desktop | \
+                /etc/xdg/autostart/gnome-screensaver.desktop | \
+                /etc/xdg/autostart/orca-autostart.desktop)
+                    showIn "${trigger}" 'NotShowIn=QUBES;'
+                    ;;
+
+                # Desktop Entry Modification - Not shown in in DisposableVM
+                /etc/xdg/autostart/gcm-apply.desktop)
+                    showIn "${trigger}" 'NotShowIn=DisposableVM;'
+                    ;;
+
+                # Desktop Entry Modification - Only shown in AppVM
+                /etc/xdg/autostart/gnome-keyring-gpg.desktop | \
+                /etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \
+                /etc/xdg/autostart/gnome-keyring-secrets.desktop | \
+                /etc/xdg/autostart/gnome-keyring-ssh.desktop | \
+                /etc/xdg/autostart/gnome-settings-daemon.desktop | \
+                /etc/xdg/autostart/user-dirs-update-gtk.desktop | \
+                /etc/xdg/autostart/gsettings-data-convert.desktop)
+                    showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;'
+                    ;;
+
+                # Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+                /etc/xdg/autostart/gpk-update-icon.desktop)
+                    showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;'
+                    ;;
+
+                # Desktop Entry Modification - Only shown in Gnome & Qubes
+                /etc/xdg/autostart/nm-applet.desktop)
+                    showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;'
+                    ;;
+
+                *)
+                    echo "postinst called with unknown trigger \`${2}'" >&2
+                    exit 1
+                    ;;
+            esac
+        done
+        exit 0
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`${1}'" >&2
+        exit 1
+        ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
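Review bot: The sudoers drop-in written in the `configure` branch sets `Defaults umask = 0002` together with `umask_override`, while the comment above it states the intent as a sane default of 022; 0002 makes every file created under sudo group-writable, so either the value should read `Defaults umask = 0022` or the comment is wrong, and the former matches the stated intent. Two smaller defects sit in the same hunk: the `ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service` fallback appears to create its link in whatever the current directory happens to be rather than in `/lib/systemd/system`, which is the directory the preceding `-e` test inspects; and `installOverridenServices` tests `${override_dir}/${unit}.socket` and `${override_dir}/${unit}.path` with the full unit path where the `.service` branch uses `${unit_name}`, so the socket and path overrides can never match and are never copied. `for unit in $*` in `disableSystemdUnits` and `enableSystemdUnits` should be `for unit in "$@"`.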

+ 58 - 0
debian/qubes-core-agent.postrm

@@ -0,0 +1,58 @@
+#!/bin/bash
+# postrm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+#   * <postrm> 'remove'
+#   * <postrm> 'purge'
+#   * <old-postrm> 'upgrade' <new-version>
+#   * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
+#
+#     The postrm script is called after the package's files have been removed
+# or replaced. The package whose postrm is being called may have previously been
+# deconfigured and only be "Unpacked", at which point subsequent package changes
+# do not consider its dependencies. Therefore, all postrm actions may only rely
+# on essential packages and must gracefully skip any actions that require the
+# package's dependencies if those dependencies are unavailable.[48]
+#
+#   * <new-postrm> 'failed-upgrade' <old-version>
+#
+#     Called when the old postrm upgrade action fails. The new package will be
+# unpacked, but only essential packages and pre-dependencies can be relied on.
+# Pre-dependencies will either be configured or will be "Unpacked" or 
+# "Half-Configured" but previously had been configured and was never removed.
+#
+#   * <new-postrm> 'abort-install'
+#   * <new-postrm> 'abort-install' <old-version>
+#   * <new-postrm> 'abort-upgrade' <old-version>
+#
+#     Called before unpacking the new package as part of the error handling of
+# preinst failures. May assume the same state as preinst can assume.
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "${1}" = "remove" ] ; then
+    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+
+    if [ -L /lib/firmware/updates ]; then
+        rm /lib/firmware/updates
+    fi
+
+    for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+        systemctl disable ${srv}.service
+    done
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
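Review bot: The `remove` branch disables a fixed list of units that does not match what the postinst `configure` branch enables: `qubes-firewall.service`, `qubes-updates-proxy.service` and `qubes-updates-proxy.timer` are enabled there but not disabled here, and `qubes-dvm` is disabled here without being enabled there, so removal may leave dangling `.wants` symlinks behind. Under `set -e`, a single `systemctl disable` that fails — for instance on a unit whose file dpkg has already removed — aborts the whole postrm, so the loop should tolerate that case: `systemctl disable ${srv}.service 2>/dev/null || :`. Keeping the enable and disable lists in one shared place would stop the two scripts drifting apart again.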

+ 112 - 0
debian/qubes-core-agent.preinst

@@ -0,0 +1,112 @@
+#!/bin/bash
+# preinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The preinst script may be called in the following ways:
+#   * <new-preinst> 'install'
+#   * <new-preinst> 'install' <old-version>
+#   * <new-preinst> 'upgrade' <old-version>
+#
+#     The package will not yet be unpacked, so the preinst script cannot rely 
+# on any files included in its package. Only essential packages and 
+# pre-dependencies (Pre-Depends) may be assumed to be available. 
+# Pre-dependencies will have been configured at least once, but at the time the 
+# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
+# if a previous version of the pre-dependency was completely configured and has
+# not been removed since then.
+#
+#
+#  * <old-preinst> 'abort-upgrade' <new-version>
+#
+#    Called during error handling of an upgrade that failed after unpacking the
+# new package because the postrm upgrade action failed. The unpacked files may
+# be partly from the new version or partly missing, so the script cannot rely
+# on files included in the package. Package dependencies may not be available.
+# Pre-dependencies will be at least "Unpacked" following the same rules as
+# above, except they may be only "Half-Installed" if an upgrade of the 
+# pre-dependency failed.[46]
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "install" ] ; then
+    # --------------------------------------------------------------------------
+    # Create required directories
+    # --------------------------------------------------------------------------
+    mkdir -p /var/lib/qubes
+    mkdir -p /lib/modules
+    #mkdir -p -m 0700 /var/log/xen  # xen-utils-common should do this
+
+    if [ -e /etc/fstab ] ; then 
+        mv /etc/fstab /var/lib/qubes/fstab.orig
+    fi
+
+    # --------------------------------------------------------------------------
+    # Many Qubes scripts reference /bin/sh expecting the shell to be bash but
+    # in Debian it is dash so some scripts will fail so force an alternate for
+    # /bin/sh to be /bin/bash
+    # --------------------------------------------------------------------------
+    update-alternatives --force --install /bin/sh sh /bin/bash 999
+
+    # --------------------------------------------------------------------------
+    # Modules setup
+    # --------------------------------------------------------------------------
+    echo "xen_netfront" >> /etc/modules
+
+    # --------------------------------------------------------------------------
+    # Remove `mesg` from root/.profile?
+    # --------------------------------------------------------------------------
+    sed -i -e '/^mesg n/d' /root/.profile
+
+    # --------------------------------------------------------------------------
+    # Update /etc/fstab
+    # --------------------------------------------------------------------------
+    cat > /etc/fstab <<EOF
+/dev/mapper/dmroot /         ext4 defaults,noatime 1 1
+/dev/xvdc1 swap              swap    defaults 0 0
+
+/dev/xvdb /rw                ext4    noauto,defaults,discard 1 2
+/rw/home /home               none    noauto,bind,defaults 0 0
+
+tmpfs /dev/shm               tmpfs   defaults 0 0
+devpts /dev/pts              devpts  gid=5,mode=620 0 0
+proc /proc                   proc    defaults 0 0
+sysfs /sys                   sysfs   defaults 0 0
+xen /proc/xen                xenfs   defaults 0 0
+
+/dev/xvdi /mnt/removable     auto    noauto,user,rw 0 0
+/dev/xvdd /lib/modules       ext3    defaults 0 0
+EOF
+
+    # --------------------------------------------------------------------------
+    # User add / modifications
+    # --------------------------------------------------------------------------
+    id -u 'user' || {
+        groupadd -f user
+        useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
+    }
+    id -u 'tinyproxy' || {
+        groupadd -f tinyproxy
+        useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy
+    }
+    usermod -p '' root
+    usermod -L user
+    exit 0
+fi
+
+if [ "$1" = "upgrade" ] ; then
+    exit 0
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
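Review bot: The `exit 0` at the end of the `install` branch returns before the `#DEBHELPER#` marker, so any snippets debhelper substitutes there never run on a fresh install; drop that `exit 0` (and the one in the `upgrade` branch) and let control fall through to the final `exit 0`. `echo "xen_netfront" >> /etc/modules` appends a duplicate entry every time the branch runs, e.g. on reinstall after a remove without purge; `grep -qx xen_netfront /etc/modules || echo xen_netfront >> /etc/modules` keeps it idempotent. `usermod -p '' root` leaves the root account with an empty password field and carries no explanation; if a Qubes VM is meant to have no root password by design, a comment saying so belongs on that line, because the effect is otherwise indistinguishable from a mistake.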

+ 54 - 0
debian/qubes-core-agent.prerm

@@ -0,0 +1,54 @@
+#!/bin/bash
+# prerm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+#   * <prerm> 'remove'
+#   * <old-prerm> 'upgrade' <new-version>
+#   * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#   * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed> 
+#     <version> [removing conflicting-package version]
+#
+#     The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have 
+# previously been configured and not removed. If there was no error, all 
+# dependencies will at least be "Unpacked", but these actions may be called in 
+# various error states where dependencies are only "Half-Installed" due to a 
+# partial upgrade.
+#
+#   * <new-prerm> 'failed-upgrade' <old-version>
+#
+#     Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+#    For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "remove" ] ; then
+    # no more packages left
+    if [ -e /var/lib/qubes/fstab.orig ] ; then
+        mv /var/lib/qubes/fstab.orig /etc/fstab
+    fi
+
+    if [ -d /var/lib/qubes/removed-udev-scripts ] ; then
+        mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+    fi
+
+    if [ -e /var/lib/qubes/serial.orig ] ; then
+        mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+    fi
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
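Review bot: Under `set -e`, `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` aborts the whole prerm when the directory exists but is empty, because the unexpanded glob is passed to `mv` literally and `mv` fails on it; the `-d` test on the line before does not cover that case. Guard it so removal cannot fail on a clean system, e.g. `for f in /var/lib/qubes/removed-udev-scripts/*; do [ -e "$f" ] && mv "$f" /etc/udev/rules.d/; done` (or `shopt -s nullglob` before the `mv`). The `-e` tests on fstab.orig and serial.orig are false for a dangling symlink, which may be intended but is worth a comment.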

+ 47 - 0
debian/qubes-core-agent.triggers

@@ -0,0 +1,47 @@
+interest-noawait /usr/share/applications
+interest-noawait /lib/systemd/system/NetworkManager.service
+interest-noawait /lib/systemd/system/NetworkManager-wait-online.service
+interest-noawait /lib/systemd/system/ModemManager.service
+interest-noawait /etc/init/serial.conf
+interest-noawait /etc/selinux/config
+interest-noawait /lib/systemd/system/cups.service
+interest-noawait /lib/systemd/system/haveged.service
+
+# Desktop Entry Modification - Remove existing rules
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+interest-noawait /etc/xdg/autostart/abrt-applet.desktop
+
+# Desktop Entry Modification - Not shown in Qubes
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop
+interest-noawait /etc/xdg/autostart/imsettings-start.desktop
+interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/restorecond.desktop
+interest-noawait /etc/xdg/autostart/sealertauto.desktop
+interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop
+interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop
+interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop
+interest-noawait /etc/xdg/autostart/orca-autostart.desktop
+
+# Desktop Entry Modification - Not shown in in DisposableVM
+interest-noawait /etc/xdg/autostart/gcm-apply.desktop
+
+# Desktop Entry Modification - Only shown in AppVM
+interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop
+interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop
+interest-noawait /etc/xdg/autostart/user-dirs-update-gtk.desktop
+interest-noawait /etc/xdg/autostart/gsettings-data-convert.desktop
+
+# Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+
+# Desktop Entry Modification - Only shown in Gnome & Qubes
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+
+# Desktop Entry Modification - Show in all
+interest-noawait /etc/xdg/autostart/notify-osd.desktop
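Review bot: Several paths are listed more than once — `gpk-update-icon.desktop` appears under "Remove existing rules" and again under "Only shown in Gnome & UpdateableVM", `nm-applet.desktop` under two headings, and `pulseaudio.desktop` twice within "Not shown in Qubes". I believe dpkg tolerates duplicate `interest-noawait` lines, but they leave it unclear which category an entry belongs to and which rule the trigger handler should apply; keep each path once and name the groups it belongs to in the comment above it. The heading "Not shown in in DisposableVM" also has a doubled word.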

+ 1 - 1
misc/Makefile

@@ -10,7 +10,7 @@ all:	xenstore-watch python close-window
 xenstore-watch: xenstore-watch.o
 	$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
 close-window: close-window.c
-	$(CC) -lX11 -o $@ $<
+	$(CC) -o $@ $< -lX11
 python:
 	python -m compileall .
 	python -O -m compileall .
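Review bot: Both link rules in this hunk pass neither `$(LDFLAGS)` nor `$(CFLAGS)`, so hardening flags a packager sets (for example via dpkg-buildflags on the Debian side of this merge) never reach the final link; only the library order was fixed. Spell the close-window rule as `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lX11 $(LDLIBS)` and the xenstore-watch rule as `$(CC) $(LDFLAGS) -o $@ $^ -lxenstore $(LDLIBS)`. Whether the implicit `.c.o` rule picks up `CFLAGS` for xenstore-watch.o is outside this hunk.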

+ 1 - 1
misc/dispvm-prerun.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 apps="evince /usr/libexec/evinced soffice firefox"
 

+ 3 - 3
misc/qubes-r3.list.in

@@ -1,11 +1,11 @@
 # Main qubes updates repository
-#deb http://deb.qubes-os.org/r3/vm @DIST@ main
+#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@ main
 #deb-src http://deb.qubes-os.org/r3/vm @DIST@ main
 
 # Qubes updates candidates repository
-#deb http://deb.qubes-os.org/r3/vm @DIST@-testing main
+#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-testing main
 #deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main
 
 # Qubes experimental/unstable repository
-#deb http://deb.qubes-os.org/r3/vm @DIST@-unstable main
+#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-unstable main
 #deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main

+ 1 - 1
misc/qubes-trigger-sync-appmenus.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-UPDATEABLE=`/usr/bin/qubesdb-read /qubes-vm-updateable`
+UPDATEABLE=`qubesdb-read /qubes-vm-updateable`
 
 if [ "$UPDATEABLE" = "True" ]; then
     /usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus
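Review bot: `qubesdb-read` now resolves through whatever PATH the caller provides, and this script is started by a yum post-action rather than an interactive shell, so nothing on this page guarantees that PATH contains the right directory or that it is not shaped by the invoking environment. The same change is made in network/30-qubes-external-ip, network/qubes-firewall, network/qubes-netwatcher, vm-systemd/network-proxy-setup.sh and vm-systemd/qubes-sysinit.sh, all of which run as root; set a fixed search path once near the top of each, e.g. `PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH`, which works on both the Fedora and Debian layouts without hard-coding a binary location. Leaving `/usr/lib/qubes/qrexec-client-vm` absolute on the next line is fine for a fixed private path, but the file then mixes both styles and deserves a comment saying why.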

+ 2 - 2
network/30-qubes-external-ip

@@ -1,8 +1,8 @@
 #!/bin/sh
 if [ x$2 == xup ]; then
 	INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
-	/usr/bin/qubesdb-write /qubes-netvm-external-ip "$INET"
+	qubesdb-write /qubes-netvm-external-ip "$INET"
 fi
 if [ x$2 == xdown ]; then
-	/usr/bin/qubesdb-write /qubes-netvm-external-ip ""
+	qubesdb-write /qubes-netvm-external-ip ""
 fi
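Review bot: The unchanged condition `[ x$2 == xup ]` is not POSIX — dash, which is `/bin/sh` on the Debian side this merge targets, rejects `==` inside `[` with "unexpected operator" as far as I know, so under that shell neither branch runs and the external IP is never published to qubesdb. Use `[ "$2" = "up" ]` and `[ "$2" = "down" ]`, and quote the interface in `ip addr show dev "$1"`. The dispatcher arguments come from NetworkManager, so this is a robustness rather than an injection issue, but the script keeps `/sbin/ip` and `/bin/grep` absolute while `qubesdb-write` becomes bare, which is inconsistent.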

+ 1 - 0
network/80-qubes.conf

@@ -0,0 +1 @@
+net.ipv4.ip_forward=1
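Review bot: `net.ipv4.ip_forward=1` in a sysctl drop-in turns on forwarding unconditionally in every VM where this file is installed, and nothing in this chunk ties it to the NetVM/ProxyVM role; if the same package lands in AppVMs they become routers too. The qubes-firewall script elsewhere in this commit toggles `/proc/sys/net/ipv4/ip_forward` itself while reloading rules, so forwarding is evidently meant to be controlled at runtime by the network role — consider leaving the sysctl default alone and enabling forwarding only from the network setup path that also installs the filter rules, or guarding it on the `qubes-network` service being enabled. Where this file is installed is not visible here, so the installation scope is inferred.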

+ 13 - 5
network/filter-updates

@@ -1,11 +1,19 @@
+# Yum filters
+# -----------------------------------------------------------------------------
 /repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
 /repodata/repomd\.xml$
 \.rpm$
 \.drpm$
 ^mirrors\.fedoraproject\.org:443$
 ^http://mirrors\..*/mirrorlist\?
-\.deb$
-/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$
-/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$
-/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$
-/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$
+
+# Debian filters
+# 
+# Whonix uses sourceforge to host its repos and url can end in:
+# '/' or '/download' or '?.*'
+# -----------------------------------------------------------------------------
+\.deb\(\|\/\|\/download\|\?.*\)$
+/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
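Review bot: The new alternatives end in `\?.*`, but if this file is compiled as a glibc POSIX basic regex (the `\(`, `\|`, `\)` syntax already in use suggests BRE), `\?` is the GNU "zero or one" quantifier rather than a literal question mark, so the `?`-suffixed Whonix URLs the comment describes are not matched as intended; a literal `?` in a BRE is written unescaped. Separately, the `\(\|\|/\|...\)` groups carry two empty alternatives, and once the query-string branch works, `.*` after the `?` accepts anything, which widens what the updates proxy lets through — bound it to the characters a download URL needs, e.g. `?[A-Za-z0-9_=&.-]*`. A corrected first line would be `\.deb\(\|/\|/download\|?[A-Za-z0-9_=&.-]*\)$`; the other four lines follow the same pattern, and which regex flavour the proxy compiles this file with should be confirmed before changing it.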

+ 1 - 1
network/network-manager-prepare-conf-dir

@@ -14,6 +14,6 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
 #    unmanaged_devices="$unmanaged_devices;mac:$mac"
 #done
 sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
-sed -i -e "s/^plugins=.*/plugins=keyfile,ifcfg-rh/" /etc/NetworkManager/NetworkManager.conf
+sed -i -e "s/^plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
 
 exit 0

+ 5 - 5
network/qubes-firewall

@@ -34,19 +34,19 @@ while true; do
 	# during the time when the rules are being (re)applied
 	echo "0" > /proc/sys/net/ipv4/ip_forward
 
-	RULES=$(/usr/bin/qubesdb-read $XENSTORE_IPTABLES_HEADER)
-	IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
-	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true`
+	RULES=$(qubesdb-read $XENSTORE_IPTABLES_HEADER)
+	IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
+	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
 
 	for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do
-		RULES=$(/usr/bin/qubesdb-read "$i")
+		RULES=$(qubesdb-read "$i")
 		ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
 		if [ -n "$ERRS" ]; then
 			echo "Failed applying rules for $i: $ERRS" >&2
 			OUT="$OUT$ERRS"
 		fi
 	done		
-	/usr/bin/qubesdb-write $XENSTORE_ERROR "$OUT"
+	qubesdb-write $XENSTORE_ERROR "$OUT"
 	if [ -n "$OUT" ]; then
 		DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
 	fi
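Review bot: `iptables-restore` becomes a bare name on the `OUT=` line, but the per-domain check a few lines later still calls `/sbin/iptables-restore -n`, so the two passes may resolve to different binaries depending on PATH, and one of them breaks first if the installed location changes. Pick one form for both — the absolute `/sbin/iptables-restore` is the safer choice in a root script that has not set PATH itself, or set PATH explicitly at the top of the script. Both the `while true` loop enclosing these lines and the script prologue are outside this hunk.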

+ 5 - 5
network/qubes-netwatcher

@@ -11,9 +11,9 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 
 while true; do
-	NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :)
+	NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
 	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
-		UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
+		UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
 		# UNTRUSTED_NETCFG is not parsed in any way
 		# thus, no sanitization ready
 		# but be careful when passing it to other shell scripts
@@ -21,11 +21,11 @@ while true; do
 			/sbin/service qubes-firewall stop
 			/sbin/service qubes-firewall start
 			CURR_NETCFG="$UNTRUSTED_NETCFG"
-			/usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
+			xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
 		fi
 
-		/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
+		xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
 	else
-		/usr/bin/xenstore-watch -n 2 qubes-netvm-domid
+		xenstore-watch -n 2 qubes-netvm-domid
 	fi
 done

+ 1 - 1
network/qubes-setup-dnat-to-ns

@@ -10,7 +10,7 @@ addrule()
         fi
 }
 export PATH=$PATH:/sbin:/bin
-source /var/run/qubes/qubes-ns
+. /var/run/qubes/qubes-ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
 iptables -t nat -F PR-QBS
 FIRSTONE=yes
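Review bot: `. /var/run/qubes/qubes-ns` executes the file's contents as root, and that file is written by vm-systemd/network-proxy-setup.sh in this same commit as unquoted `NS1=$gateway` / `NS2=$secondary_dns` lines taken straight from qubesdb; only the `source`→`.` spelling changed here, and nothing checks that the values are addresses before they become shell code and iptables arguments. In the Qubes model these keys come from dom0, so this is hardening rather than an exposure, but it is cheap: validate in the writer (e.g. `case $gateway in *[!0-9.]*|'') gateway=;; esac` before the `echo`) or read the file as data here instead of sourcing it. The test on the next line should also be quoted, `if [ "X$NS1" = "X" ]`, since a value containing whitespace would otherwise split it; the `addrule()` definition begins outside this hunk.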

+ 18 - 8
network/setup-ip

@@ -26,14 +26,24 @@ if [ x$ip != x ]; then
 		[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
 	fi
     if [ -f /var/run/qubes-service/network-manager ]; then
-        cat > /etc/sysconfig/network-scripts/ifcfg-$INTERFACE <<__EOF__
-DEVICE=$INTERFACE
-IPADDR=$ip
-NETMASK=255.255.255.255
-NETWORK=$ip
-ONBOOT=yes
-GATEWAYDEV=$INTERFACE
-GATEWAY=$gateway
+        cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__
+[802-3-ethernet]
+duplex=full
+
+[connection]
+id=VM uplink $INTERFACE
+uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
+type=802-3-ethernet
+
+[ipv6]
+method=ignore
+
+[ipv4]
+method=manual
+dns=$gateway;$secondary_dns
+address1=$ip/32,$gateway
+may-fail=false
 __EOF__
+        chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
     fi
 fi
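Review bot: The keyfile hard-codes `uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef` while the file name is per-interface, so a NetVM with more than one uplink would get two profiles sharing one UUID, which NetworkManager does not keep apart. Derive it per interface, e.g. `uuid=$(uuidgen)` where available, or a stable value computed from `$INTERFACE`. The `chmod 600` after `cat >` also leaves a window in which the file exists with the ambient umask; an `umask 077` before the redirection (or writing via `install -m 600`) avoids that. `$secondary_dns` is not set anywhere in the hunk, so the `dns=` line depends on the part of the script outside it.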

+ 15 - 4
rpm_spec/core-vm.spec

@@ -140,11 +140,11 @@ remove_ShowIn () {
 	fi
 }
 
-# reenable abrt-aplet if disable by some earlier version of package
-remove_ShowIn abrt-applet.desktop
+# reenable if disabled by some earlier version of package
+remove_ShowIn abrt-applet.desktop imsettings-start.desktop
 
 # don't want it at all
-for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
+for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
 	if [ -e /etc/xdg/autostart/$F.desktop ]; then
 		remove_ShowIn $F
 		echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
@@ -213,6 +213,17 @@ if ! grep -q localhost /etc/hosts; then
 EOF
 fi
 
+# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
+# in the form expected by qubes-sysinit.sh
+for ip in '127\.0\.0\.1' '::1'; do
+    if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+        sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+        sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+    else
+        echo "${ip} `hostname`" >> /etc/hosts
+    fi
+done
+
 if [ "$1" !=  1 ] ; then
 # do the rest of %post thing only when updating for the first time...
 exit 0
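Review bot: The output of `hostname` is interpolated unescaped into both sed expressions, where a dot in the hostname is a regex wildcard and a `/`, `&` or `\` breaks the expression or alters the replacement, so the first sed can strip a token that merely resembles the hostname. Escape it once before the loop, e.g. `h=$(hostname); h_re=$(printf '%s' "$h" | sed 's/[][\.*^$/]/\\&/g')`, use `$h_re` in the patterns and an `&`/`/`-escaped `$h` in the replacement. The `\0` back-reference and the `,+0` address are GNU sed extensions, acceptable in an RPM `%post` but worth a comment.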
@@ -279,7 +290,7 @@ fi
 if [ $1 -eq 0 ] ; then
     /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 
-    if [ -l /lib/firmware/updates ]; then
+    if [ -L /lib/firmware/updates ]; then
       rm /lib/firmware/updates
     fi
 fi

+ 4 - 4
vm-systemd/network-proxy-setup.sh

@@ -1,11 +1,11 @@
 #!/bin/sh
 
 # Setup gateway for all the VMs this netVM is serviceing...
-network=$(/usr/bin/qubesdb-read /qubes-netvm-network 2>/dev/null)
+network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
 if [ "x$network" != "x" ]; then
-    gateway=$(/usr/bin/qubesdb-read /qubes-netvm-gateway)
-    netmask=$(/usr/bin/qubesdb-read /qubes-netvm-netmask)
-    secondary_dns=$(/usr/bin/qubesdb-read /qubes-netvm-secondary-dns)
+    gateway=$(qubesdb-read /qubes-netvm-gateway)
+    netmask=$(qubesdb-read /qubes-netvm-netmask)
+    secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
     modprobe netbk 2> /dev/null || modprobe xen-netback
     echo "NS1=$gateway" > /var/run/qubes/qubes-ns
     echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns

+ 1 - 0
vm-systemd/qubes-qrexec-agent.service

@@ -3,6 +3,7 @@ Description=Qubes remote exec agent
 After=qubes-dvm.service
 
 [Service]
+ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
 ExecStart=/usr/lib/qubes/qrexec-agent
 StandardOutput=syslog
 

+ 19 - 7
vm-systemd/qubes-sysinit.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # List of services enabled by default (in case of absence of qubesdb entry)
 DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
@@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
 DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup"
 DEFAULT_ENABLED="meminfo-writer"
 
-QDB_READ=/usr/bin/qubesdb-read
-QDB_LS=/usr/bin/qubesdb-multiread
+QDB_READ=qubesdb-read
+QDB_LS=qubesdb-multiread
 
 read_service() {
     $QDB_READ /qubes-service/$1 2> /dev/null
@@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug
 
 # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read
 chmod 666 /proc/xen/xenbus
+
+[ -e /proc/u2mfn ] || modprobe u2mfn
 # Set permissions to files needed to listen at vchan
 chmod 666 /proc/u2mfn
 
@@ -60,14 +62,24 @@ done
 name=`$QDB_READ /name`
 if [ -n "$name" ]; then
     hostname $name
-    sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
+    if [ -e /etc/debian_version ]; then
+        ipv4_localhost_re="127\.0\.1\.1"
+    else
+        ipv4_localhost_re="127\.0\.0\.1"
+    fi
+    sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
+    sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
 fi
 
 timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
 if [ -n "$timezone" ]; then
-    ln -f /usr/share/zoneinfo/$timezone /etc/localtime
-    echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
-    echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+    cp -p /usr/share/zoneinfo/$timezone /etc/localtime
+    if [ -e /etc/debian_version ]; then
+        echo "$timezone" > /etc/timezone
+    else
+        echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
+        echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+    fi
 fi
 
 # Prepare environment for other services
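Review bot: `$name` and `$timezone` are read from qubesdb and used without checks: `$name` goes into the sed replacement part unescaped (a `/`, `&` or `\` in it breaks the expression, on both the IPv4 and `::1` lines) and `$timezone` is concatenated into `/usr/share/zoneinfo/$timezone`, so a value containing `..` or a leading `/` escapes the zoneinfo directory before `cp -p` copies it to `/etc/localtime`. In Qubes these keys are written by dom0, so this is a hardening point rather than an exposure, but the script runs as root on every boot; add `case $timezone in */..*|/*|'') timezone=;; esac` followed by `[ -f "/usr/share/zoneinfo/$timezone" ]` before the `cp`, and quote `hostname "$name"`. The script prologue that could set these guards is outside this hunk.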

+ 1 - 1
vm-systemd/qubes-update-check.service

@@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check
 
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0'
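Review bot: The new apt branch uses `[[ $(wc -L) -eq 0 ]]` inside `/bin/sh -c`, and on Debian `/bin/sh` is dash, which has no `[[` — the test fails with "not found" every time, so the service always reports `1`. Use a POSIX test, `[ "$(wc -L)" -eq 0 ]`, and note that `$2` in the awk program sits inside double quotes, so the shell (and possibly systemd's own variable substitution) expands it before awk sees it, turning `print $2` into `print` and emitting whole lines. Rather than layering quoting through systemd and sh, move the check into a small script under /usr/lib/qubes (the directory qrexec-client-vm already lives in) and call that from `ExecStart`.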
+ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi'