vif-route-qubes: \n -> \\n

Make shellcheck happy.
Fix iptables-restore race condition in vif-route-qubes
2018-10-15 06:20:32 +02:00 · 2018-10-15 06:20:25 +02:00 · 2018-10-13 03:33:18 +02:00 · 2018-10-10 02:44:11 +02:00 · 2018-10-10 00:01:15 +02:00 · 2018-10-09 14:54:34 +02:00
346 changed files with 12285 additions and 4815 deletions
--- a/.coveragerc
+++ b/.coveragerc
@ -0,0 +1,3 @@
 [run]
 source = qubesagent
 omit = qubesagent/test*
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,6 @@ deb/*
 *.pyo
 *~
 *.o
 .coverage
 *.egg-info
 __pycache__
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,35 @@
 sudo: required
 dist: trusty
 language: python
 python: '3.5'
 install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder
 script: ~/qubes-builder/scripts/travis-build
 env:
 - DISTS_VM=fc26 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc27 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc28 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc29 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=jessie USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=stretch USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=buster USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=centos7 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 jobs:
  include:
    - python: '3.5'
      install: pip install --quiet -r ci/requirements.txt
      env: TESTS_ONLY=1
      script:
       - ./run-tests
       - shellcheck  $(grep -l '^#!/bin/\(ba\)\?sh' $(git ls-files))
      after_success:
       - codecov
    - stage: deploy
      python: '3.5'
      env: DIST_DOM0=fc25 TESTS_ONLY=
      script: ~/qubes-builder/scripts/travis-deploy
 branches:
  except:
    - /.*_.*/
--- a/429
+++ b/429
@ -4,7 +4,17 @@ VERSION := $(shell cat version)
 DIST ?= fc18
 KDESERVICEDIR ?= /usr/share/kde4/services
 KDE5SERVICEDIR ?= /usr/share/kservices5/ServiceMenus/
 APPLICATIONSDIR ?= /usr/share/applications
 SBINDIR ?= /usr/sbin
 BINDIR ?= /usr/bin
 LIBDIR ?= /usr/lib
 SYSLIBDIR ?= /lib
 PYTHON ?= /usr/bin/python2
 PYTHON_SITEARCH = $(shell python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)')
 PYTHON2_SITELIB = $(shell python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()')
 PYTHON3_SITELIB = $(shell python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())')
 # This makefile uses some bash-isms, make uses /bin/sh by default.
 SHELL = /bin/bash
@ -12,23 +22,23 @@ SHELL = /bin/bash
 help:
 	@echo "make rpms                  -- generate binary rpm packages"
 	@echo "make rpms-vm               -- generate binary rpm packages for VM"
 	@echo "make update-repo-current   -- copy newly generated rpms to qubes yum repo"
 	@echo "make update-repo-current-testing  -- same, but to -current-testing repo"
 	@echo "make update-repo-unstable  -- same, but to -testing repo"
 	@echo "make update-repo-installer -- copy dom0 rpms to installer repo"
 	@echo "make clean                 -- cleanup"
 	@echo "make install-vm            -- install VM related files"
 	@echo ""
 	@echo "You must have lsb_release, rpm-sign and pandoc installed."
 rpms: rpms-vm
 rpms-vm:
 	[ "$$BACKEND_VMM" != "" ] || { echo "error: you must define variable BACKEND_VMM" >&2 ; exit 1 ; }
 	lsb_release >/dev/null 2>&1 || { echo "error: you need lsb_release (package lsb) installed" >&2 ; exit 1 ; }
 	type pandoc >/dev/null 2>&1 || { echo "error: you need pandoc installed" >&2 ; exit 1 ; }
 	type rpmsign >/dev/null 2>&1 || { echo "error: you need rpm-sign installed" >&2 ; exit 1 ; }
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm.spec
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm-doc.spec
-	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm-kernel-placeholder.spec
+	[ "$$SKIP_SIGNING" != "" ] || rpm --addsign \
 	rpm --addsign \
 		$(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION)*.rpm \
-		$(RPMS_DIR)/x86_64/qubes-core-vm-doc-*$(VERSION)*.rpm \
+		$(RPMS_DIR)/x86_64/qubes-core-vm-doc-*$(VERSION)*.rpm
 		$(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*.rpm
 rpms-dom0:
 	@true
@ -37,163 +47,360 @@ clean:
 	make -C misc clean
 	make -C qrexec clean
 	make -C qubes-rpc clean
 	make -C doc clean
 	rm -rf qubesagent/*.pyc qubesagent/__pycache__
 	rm -rf test-packages/__pycache__
 	rm -rf test-packages/qubesagent.egg-info
 	rm -rf __pycache__
 	rm -f .coverage
 all:
 	make -C misc
 	make -C qrexec
 	make -C qubes-rpc
-install-systemd:
+# Dropin Directory
-	install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init $(DESTDIR)/lib/modules-load.d
+SYSTEM_DROPIN_DIR ?= "lib/systemd/system"
-	install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/
+USER_DROPIN_DIR ?= "usr/lib/systemd/user"
 	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/
 	install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/
 	install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/
 	install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)/lib/modules-load.d/
 	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)/lib/modules-load.d/
 	install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/
 	install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/
 	install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/
-install-sysvinit:
+SYSTEM_DROPINS := chronyd.service crond.service
 SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemManager.service
 SYSTEM_DROPINS += getty@tty.service
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
 SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service tor@default.service
 SYSTEM_DROPINS += systemd-timesyncd.service
 SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
 SYSTEM_DROPINS_NETWORKING += tinyproxy.service
 USER_DROPINS := pulseaudio.service pulseaudio.socket
 # Ubuntu Dropins
 ifeq ($(shell lsb_release -is), Ubuntu)
    # 'crond.service' is named 'cron.service in Debian
    SYSTEM_DROPINS := $(strip $(patsubst crond.service, cron.service, $(SYSTEM_DROPINS)))
    SYSTEM_DROPINS += anacron.service
    SYSTEM_DROPINS += anacron-resume.service
    SYSTEM_DROPINS += netfilter-persistent.service
    SYSTEM_DROPINS += exim4.service
    SYSTEM_DROPINS += avahi-daemon.service
 endif
 # Debian Dropins
 ifeq ($(shell lsb_release -is), Debian)
    # 'crond.service' is named 'cron.service in Debian
    SYSTEM_DROPINS := $(strip $(patsubst crond.service, cron.service, $(SYSTEM_DROPINS)))
    # Wheezy System Dropins
    # Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed
    SYSTEM_DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,))
    # handled by qubes-iptables service now
    SYSTEM_DROPINS += netfilter-persistent.service
    SYSTEM_DROPINS += anacron.service
    SYSTEM_DROPINS += anacron-resume.service
    SYSTEM_DROPINS += exim4.service
    SYSTEM_DROPINS += avahi-daemon.service
 endif
 install-systemd-dropins:
 	# Install system dropins
 	@for dropin in $(SYSTEM_DROPINS); do \
 	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
 	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 	# Install user dropins
 	@for dropin in $(USER_DROPINS); do \
 	    install -d $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d ;\
 	    install -m 0644 vm-systemd/user/$${dropin}.d/*.conf $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 install-systemd-networking-dropins:
 	# Install system dropins
 	@for dropin in $(SYSTEM_DROPINS_NETWORKING); do \
 	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
 	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 install-init:
 	install -d $(DESTDIR)$(LIBDIR)/qubes/init
 	# FIXME: do a source code move vm-systemd/*.sh to init/
 	# since those scripts are shared between sysvinit and systemd.
 	install -m 0755 init/*.sh vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service)
 SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES), $(SYSTEMD_ALL_SERVICES))
 install-systemd: install-init
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
 	install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 install-sysvinit: install-init
 	install -d $(DESTDIR)/etc/init.d
 	install vm-init.d/qubes-sysinit $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-early $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-appvm $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-netvm $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-firewall $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-netwatcher $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-qrexec-agent $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-updates-proxy-forwarder $(DESTDIR)/etc/init.d/
 	install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
-	install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
+	install network/qubes-iptables $(DESTDIR)/etc/init.d/
-
+install-rh: install-systemd install-systemd-dropins install-sysvinit
-install-rh: install-systemd install-sysvinit
+	install -D -m 0644 misc/qubes-r4.repo.in $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo
-	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
+	DIST='$(DIST)'; sed -i "s/@DIST@/$${DIST%%[0-9]*}/g" $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo
-
+	install -d $(DESTDIR)$(LIBDIR)/yum-plugins/
-	install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo
+	install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)$(LIBDIR)/yum-plugins/
 	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.gnome.nautilus.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -d $(DESTDIR)/usr/lib/yum-plugins/
 	install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)/usr/lib/yum-plugins/
 	install -D -m 0644 misc/yum-qubes-hooks.conf $(DESTDIR)/etc/yum/pluginconf.d/yum-qubes-hooks.conf
 	install -d -m 755 $(DESTDIR)/etc/pki/rpm-gpg
 	install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/
-	install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf
+	install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)$(LIBDIR)/systemd/system/user@.service.d/90-session-stop-timeout.conf
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
-	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
+	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.qubes
 	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
 	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 	install -D -m 0644 misc/dracut-qubes.conf \
 		$(DESTDIR)/usr/lib/dracut/dracut.conf.d/30-qubes.conf
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
+	install -D -m 0644 misc/dnf-qubes-hooks.py \
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
+		$(DESTDIR)$(PYTHON2_SITELIB)/dnf-plugins/qubes-hooks.py
 	install -D -m 0644 misc/dnf-qubes-hooks.py \
 		$(DESTDIR)$(PYTHON3_SITELIB)/dnf-plugins/qubes-hooks.py
 	install -D -m 0644 misc/dnf-qubes-hooks.conf $(DESTDIR)/etc/dnf/plugins/qubes-hooks.conf
-install-common:
+install-doc:
 	$(MAKE) -C doc install
 install-common: install-doc
 	$(MAKE) -C autostart-dropins install
 	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
 	# force /usr/bin before /bin to have /usr/bin/python instead of /bin/python
 	PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
 	mkdir -p $(DESTDIR)$(SBINDIR)
 	install -d -m 0750 $(DESTDIR)/etc/sudoers.d/
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
 	install -D -m 0440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm
 	install -D -m 0644 misc/20_tcp_timestamps.conf $(DESTDIR)/etc/sysctl.d/20_tcp_timestamps.conf
 	install -d $(DESTDIR)/var/lib/qubes
-	install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
+	install -D misc/xenstore-watch $(DESTDIR)$(BINDIR)/xenstore-watch-qubes
 	install -d $(DESTDIR)/etc/udev/rules.d
 	install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
-	install -d $(DESTDIR)/usr/lib/qubes/
+	install -d $(DESTDIR)$(LIBDIR)/qubes/
-	install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
+	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)$(LIBDIR)/qubes/
-	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
+	install -d -m 0750 $(DESTDIR)/etc/polkit-1/rules.d
-	install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
+	install -D -m 0644 misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
-	install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
+	install -D -m 0644 misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 	install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
 	install misc/qubes-download-dom0-updates.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 \
 		misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override \
 		misc/20_org.gnome.nautilus.qubes.gschema.override \
 		misc/20_org.mate.NotificationDaemon.qubes.gschema.override \
 		misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override \
 		$(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 2775 -d $(DESTDIR)/var/lib/qubes/dom0-updates
 	install -D -m 0644 misc/qubes-master-key.asc $(DESTDIR)/usr/share/qubes/qubes-master-key.asc
 	install misc/resize-rootfs $(DESTDIR)$(LIBDIR)/qubes/
-	mkdir -p $(DESTDIR)/usr/lib/qubes
+	install misc/close-window $(DESTDIR)$(LIBDIR)/qubes/close-window
-	if [ -r misc/dispvm-dotfiles.$(DIST).tbz ] ; \
+	install misc/upgrades-installed-check $(DESTDIR)$(LIBDIR)/qubes/upgrades-installed-check
-	then \
+	install misc/upgrades-status-notify $(DESTDIR)$(LIBDIR)/qubes/upgrades-status-notify
 		install misc/dispvm-dotfiles.$(DIST).tbz $(DESTDIR)/etc/dispvm-dotfiles.tbz ; \
 	else \
 		install misc/dispvm-dotfiles.tbz $(DESTDIR)/etc/dispvm-dotfiles.tbz ; \
 	fi;
 	install misc/dispvm-prerun.sh $(DESTDIR)/usr/lib/qubes/dispvm-prerun.sh
 	install misc/close-window $(DESTDIR)/usr/lib/qubes/close-window
 	install -m 0644 network/udev-qubes-network.rules $(DESTDIR)/etc/udev/rules.d/99-qubes-network.rules
-	install network/qubes-setup-dnat-to-ns $(DESTDIR)/usr/lib/qubes
+	install -m 0755 network/update-proxy-configs $(DESTDIR)$(LIBDIR)/qubes/
 	install network/qubes-fix-nm-conf.sh $(DESTDIR)/usr/lib/qubes
 	install network/setup-ip $(DESTDIR)/usr/lib/qubes/
 	install network/network-manager-prepare-conf-dir $(DESTDIR)/usr/lib/qubes/
 	install -d $(DESTDIR)/etc/dhclient.d
 	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)/usr/lib/qubes/show-hide-nm-applet.sh
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
-	install -d $(DESTDIR)/$(SBINDIR)
+	install -d $(DESTDIR)$(BINDIR)
-	install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
+	install -m 0755 misc/qubes-session-autostart $(DESTDIR)$(BINDIR)/qubes-session-autostart
-	install network/qubes-netwatcher $(DESTDIR)/$(SBINDIR)/
+	install -m 0755 misc/qvm-features-request $(DESTDIR)$(BINDIR)/qvm-features-request
-
+	install -m 0755 misc/qubes-run-terminal $(DESTDIR)/$(BINDIR)
-	install -d $(DESTDIR)/usr/bin
+	install -D -m 0644 misc/qubes-run-terminal.desktop $(DESTDIR)/$(APPLICATIONSDIR)/qubes-run-terminal.desktop
-
+	install -m 0755 qubes-rpc/qvm-sync-clock $(DESTDIR)$(BINDIR)/qvm-sync-clock
-	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-move-to-vm,qvm-run,qvm-mru-entry} $(DESTDIR)/usr/bin
+	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run-vm} $(DESTDIR)/usr/bin
-	install qubes-rpc/wrap-in-html-if-url.sh $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-copy $(DESTDIR)/usr/bin
-	install qubes-rpc/qvm-copy-to-vm.kde $(DESTDIR)/usr/lib/qubes
+	ln -s qvm-copy-to-vm $(DESTDIR)/usr/bin/qvm-move-to-vm
-	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)/usr/lib/qubes
+	ln -s qvm-copy $(DESTDIR)/usr/bin/qvm-move
-	install qubes-rpc/qvm-move-to-vm.kde $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-move-to-vm.gnome $(DESTDIR)/usr/lib/qubes
+	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-move-to-vm.gnome
-	install qubes-rpc/{vm-file-editor,qfile-agent,qopen-in-vm} $(DESTDIR)/usr/lib/qubes
+	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-copy-to-vm.kde
-	install qubes-rpc/tar2qfile $(DESTDIR)/usr/lib/qubes
+	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-move-to-vm.kde
 	install qubes-rpc/qvm-actions.sh $(DESTDIR)$(LIBDIR)/qubes
 	install -m 0644 misc/uca_qubes.xml $(DESTDIR)$(LIBDIR)/qubes
 	mkdir -p $(DESTDIR)/etc/xdg/xfce4/xfconf/xfce-perchannel-xml
 	install -m 0644 misc/thunar.xml $(DESTDIR)/etc/xdg/xfce4/xfconf/xfce-perchannel-xml
 	install qubes-rpc/xdg-icon $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/{vm-file-editor,qfile-agent,qopen-in-vm} $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qubes-open $(DESTDIR)$(BINDIR)
 	install qubes-rpc/tar2qfile $(DESTDIR)$(LIBDIR)/qubes
 	# Install qfile-unpacker as SUID - because it will fail to receive files from other vm
-	install -m 4755  qubes-rpc/qfile-unpacker $(DESTDIR)/usr/lib/qubes
+	install -m 4755  qubes-rpc/qfile-unpacker $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qrun-in-vm $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qrun-in-vm $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/sync-ntp-clock $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/prepare-suspend $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/prepare-suspend $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qubes-sync-clock $(DESTDIR)$(LIBDIR)/qubes
 	install -m 0644 misc/qubes-suspend-module-blacklist $(DESTDIR)/etc/qubes-suspend-module-blacklist
 	install -d $(DESTDIR)/$(KDESERVICEDIR)
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDESERVICEDIR)
 	install -d $(DESTDIR)/$(KDE5SERVICEDIR)
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDE5SERVICEDIR)
 	install -d $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell} $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.VMRootShell $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.WaitForSession $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.OpenURL $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.DetachPciDevice $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.SuspendPreAll $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.SuspendPostAll $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.WaitForSession $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.DetachPciDevice $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.InstallUpdatesGUI $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.ResizeDisk $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.StartApp $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.PostInstall $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc
-	install -d $(DESTDIR)/usr/share/file-manager/actions
+	install -d $(DESTDIR)/etc/qubes/rpc-config
-	install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions
+	install -m 0644 qubes-rpc/rpc-config.README $(DESTDIR)/etc/qubes/rpc-config/README
 	for config in qubes-rpc/*.config; do \
 		install -m 0644 $$config $(DESTDIR)/etc/qubes/rpc-config/`basename $$config .config`; \
 	done
-	install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run
+	install -d $(DESTDIR)/etc/qubes/suspend-pre.d
-	install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
+	install -m 0644 qubes-rpc/suspend-pre.README $(DESTDIR)/etc/qubes/suspend-pre.d/README
 	install -d $(DESTDIR)/etc/qubes/suspend-post.d
 	install -m 0644 qubes-rpc/suspend-post.README $(DESTDIR)/etc/qubes/suspend-post.d/README
 	install -m 0755 qubes-rpc/suspend-post-qvm-sync-clock.sh \
 		$(DESTDIR)/etc/qubes/suspend-post.d/qvm-sync-clock.sh
 	install -d $(DESTDIR)/etc/qubes/post-install.d
 	install -m 0644 post-install.d/README $(DESTDIR)/etc/qubes/post-install.d/
 	install -m 0755 post-install.d/*.sh $(DESTDIR)/etc/qubes/post-install.d/
 	install -d $(DESTDIR)/usr/share/nautilus-python/extensions
 	install -m 0644 qubes-rpc/*_nautilus.py $(DESTDIR)/usr/share/nautilus-python/extensions
 	install -D -m 0644 misc/dconf-db-local-dpi $(DESTDIR)/etc/dconf/db/local.d/dpi
 	install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)$(BINDIR)/qubes-desktop-run
 	install -d $(DESTDIR)/mnt/removable
 	install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
 	install -d $(DESTDIR)/usr/lib/qubes-bind-dirs.d
 	install -D -m 0644 misc/30_cron.conf $(DESTDIR)/usr/lib/qubes-bind-dirs.d/30_cron.conf
 	install -d $(DESTDIR)/var/run/qubes
 	install -d $(DESTDIR)/home_volatile/user
 	install -d $(DESTDIR)/rw
-install-deb:
+# Networking install target includes:
 # * basic network functionality (setting IP address, DNS, default gateway)
 # * package update proxy client
 install-networking:
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system
 	install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -d $(DESTDIR)$(LIBDIR)/qubes/
 	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
 # Netvm install target includes:
 # * qubes-firewall service (FirewallVM)
 # * DNS redirection setup
 # * proxy service used by TemplateVMs to download updates
 install-netvm:
 	install -D -m 0644 $(SYSTEMD_NETWORK_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -D -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/qubes-iptables
 	install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
 		$(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 	mkdir -p $(DESTDIR)$(SBINDIR)
 ifneq ($(SBINDIR),/usr/bin)
 	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
 endif
 	install -D network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes/qubes-setup-dnat-to-ns
 	install -d $(DESTDIR)/etc/dhclient.d
 	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
 	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
 # networkmanager install target allow integration of NetworkManager for Qubes VM:
 # * make connections config persistent
 # * adjust DNS redirections when needed
 # * show/hide NetworkManager applet icon
 install-networkmanager:
 	install -d $(DESTDIR)$(LIBDIR)/qubes/
 	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d
 	install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins install-networking install-networkmanager install-netvm
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
-	sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list
+	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r4.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r4.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
-	install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
+	install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
 	install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
 	install -d $(DESTDIR)/etc/sysctl.d
 	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 	install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh
 	install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask
 	install -d $(DESTDIR)/etc/pam.d
 	install -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes
 	install -d $(DESTDIR)/etc/needrestart/conf.d
 	install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg
 	install -D -m 0644 misc/apt-conf-70no-unattended $(DESTDIR)/etc/apt/apt.conf.d/70no-unattended
-install-vm: install-rh install-common
+	mkdir -p $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/haveged.service  $(DESTDIR)/etc/systemd/system/
 install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins install-networking
 install-netvm: install-systemd-networking-dropins install-networkmanager
 install-vm: install-corevm install-netvm
--- a/Makefile.builder
+++ b/Makefile.builder
@ -1,7 +1,20 @@
 ifeq ($(PACKAGE_SET),vm)
-RPM_SPEC_FILES := rpm_spec/core-vm.spec \
+  RPM_SPEC_FILES := rpm_spec/core-agent.spec
-    rpm_spec/core-vm-doc.spec \
+
-    rpm_spec/core-vm-kernel-placeholder.spec
+  ifneq ($(filter $(DISTRIBUTION), debian qubuntu),)
-ARCH_BUILD_DIRS := archlinux
+    DEBIAN_BUILD_DIRS := debian
-DEBIAN_BUILD_DIRS := debian
+    SOURCE_COPY_IN := source-debian-quilt-copy-in
  endif
  ARCH_BUILD_DIRS := archlinux
 endif
 source-debian-quilt-copy-in: VERSION = $(shell cat $(ORIG_SRC)/version)
 source-debian-quilt-copy-in: ORIG_FILE = "$(CHROOT_DIR)/$(DIST_SRC)/../qubes-core-agent_$(VERSION).orig.tar.gz"
 source-debian-quilt-copy-in:
 	if [ $(DIST) == bionic ] ; then \
 		sed -i /initscripts/d $(CHROOT_DIR)/$(DIST_SRC)/debian/control ;\
 	fi
 	-$(shell $(ORIG_SRC)/debian-quilt $(ORIG_SRC)/series-debian-vm.conf $(CHROOT_DIR)/$(DIST_SRC)/debian/patches)
 # vim: filetype=make
--- a/archlinux/PKGBUILD
+++ b/archlinux/PKGBUILD
@ -1,94 +1,153 @@
-# This is an example PKGBUILD file. Use this as a start to creating your own,
+#!/bin/bash
 # and remove these comments. For more information, see 'man PKGBUILD'.
 # NOTE: Please fill out the license field for your package! If it is unknown,
 # then please put 'unknown'.
 # Maintainer: Olivier Medoc <o_medoc@yahoo.fr>
-pkgname=qubes-vm-core
+# shellcheck disable=SC2034
-pkgver=`cat version`
+pkgname=(qubes-vm-core qubes-vm-networking qubes-vm-keyring)
-pkgrel=18
+pkgver=$(cat version)
 pkgrel=15
 epoch=
 pkgdesc="The Qubes core files for installation inside a Qubes VM."
 arch=("x86_64")
 url="http://qubes-os.org/"
 license=('GPL')
 groups=()
-depends=(qubes-libvchan qubes-vm-utils imagemagick ntp zenity notification-daemon haveged)
+makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc)
 makedepends=(qubes-vm-utils)
 checkdepends=()
 optdepends=()
 provides=()
 conflicts=()
 replaces=()
 backup=()
 options=()
 install=PKGBUILD.install
 changelog=
-source=(PKGBUILD.qubes-ensure-lib-modules.service)
+source=(
    PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook
    PKGBUILD-qubes-pacman-options.conf
    PKGBUILD-qubes-repo-3.2.conf
    PKGBUILD-qubes-repo-4.0.conf
    PKGBUILD-keyring-keys
    PKGBUILD-keyring-trusted
    PKGBUILD-keyring-revoked
 )
 noextract=()
-md5sums=('88f4b3d5b156888a9d38f5bc28702ab8') #generate with 'makepkg -g'
+md5sums=(SKIP)
 build() {
    for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version doc setup.py qubesagent post-install.d; do
        # shellcheck disable=SC2154
        (ln -s "$srcdir/../$source" "$srcdir/$source")
    done
-for source in qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network ; do
+    # Fix for network tools paths
-  (ln -s $srcdir/../$source $srcdir/$source)
+    sed 's:/sbin/ifconfig:ifconfig:g' -i network/*
-done
+    sed 's:/sbin/route:route:g' -i network/*
    sed 's:/sbin/ethtool:ethtool:g' -i network/*
    sed 's:/sbin/ip:ip:g' -i network/*
    sed 's:/bin/grep:grep:g' -i network/*
-# Fix for building with python2
+    # Force running all scripts with python2
-export PYTHON=python2
+    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/*
-sed 's:python:python2:g' -i misc/Makefile
+    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i misc/*
    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i qubes-rpc/*
    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i qubes-rpc/*
-# Fix for network tools paths
+    # Fix for archlinux sbindir
-sed 's:/sbin/ifconfig:ifconfig:g' -i network/*
+    sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
-sed 's:/sbin/route:route:g' -i network/*
+    sed 's:/usr/sbin/qubes-firewall:/usr/bin/qubes-firewall:g' -i vm-systemd/qubes-firewall.service
 sed 's:/sbin/ethtool:ethtool:g' -i network/*
 sed 's:/sbin/ip:ip:g' -i network/*
 sed 's:/bin/grep:grep:g' -i network/*
 # Fix for archlinux sbindir
 sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
 sed 's:/usr/sbin/qubes-netwatcher:/usr/bin/qubes-netwatcher:g' -i vm-systemd/qubes-netwatcher.service
 sed 's:/usr/sbin/qubes-firewall:/usr/bin/qubes-firewall:g' -i vm-systemd/qubes-firewall.service
 for dir in qubes-rpc qrexec misc; do
  (cd $dir; make)
 done
    for dir in qubes-rpc qrexec misc; do
        make -C "$dir"
    done
 }
-package() {
+#This package provides:
-  # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html)
+# * qrexec agent
 # * qubes rpc scripts
 # * core linux tools and scripts
 # * core systemd services and drop-ins
 # * basic network functionality (setting IP address, DNS, default gateway)
 package_qubes-vm-core() {
    depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools
             gnome-packagekit imagemagick fakeroot notification-daemon dconf
             zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject
             python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg
             socat
             )
    optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer qubes-vm-networking qubes-vm-keyring)
    install=PKGBUILD.install
-  (cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin)
+    # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html)
    # shellcheck disable=SC2154
    make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib
-  make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin DIST=archlinux
+    PYTHON=python2 make install-corevm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
-  # Change the place for iptable rules to match archlinux standard
+    # Remove things non wanted in archlinux
-  mkdir -p $pkgdir/etc/iptables
+    rm -r "$pkgdir/etc/yum"*
-  mv $pkgdir/etc/sysconfig/iptables $pkgdir/etc/iptables/iptables.rules
+    rm -r "$pkgdir/etc/dnf"*
-  mv $pkgdir/etc/sysconfig/ip6tables $pkgdir/etc/iptables/ip6tables.rules
+    rm -r "$pkgdir/etc/init.d"
    # Remove fedora specific scripts
    rm "$pkgdir/etc/fstab"
-  # Remove things non wanted in archlinux
+    # Install systemd script allowing to automount /lib/modules
-  rm -r $pkgdir/etc/yum*
+    install -m 644 "$srcdir/PKGBUILD.qubes-ensure-lib-modules.service" "${pkgdir}/usr/lib/systemd/system/qubes-ensure-lib-modules.service"
  rm -r $pkgdir/etc/init.d
  # Remove fedora specific scripts
  rm $pkgdir/etc/fstab
-  # Install systemd script allowing to automount /lib/modules
+    # Install pacman hook to update desktop icons
-  install -m 644 $srcdir/PKGBUILD.qubes-ensure-lib-modules.service $pkgdir/lib/systemd/system/qubes-ensure-lib-modules.service
+    mkdir -p "${pkgdir}/usr/share/libalpm/hooks/"
    install -m 644 "$srcdir/PKGBUILD.qubes-update-desktop-icons.hook" "${pkgdir}/usr/share/libalpm/hooks/qubes-update-desktop-icons.hook"
-  # Archlinux specific: enable autologin on tty1
+    # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail)
-  mkdir -p $pkgdir/etc/systemd/system/getty@tty1.service.d/
+    mkdir -p "${pkgdir}/etc/pacman.d"
-  cat <<EOF > $pkgdir/etc/systemd/system/getty@tty1.service.d/autologin.conf
+    install -m 644 "$srcdir/PKGBUILD-qubes-pacman-options.conf" "${pkgdir}/etc/pacman.d/10-qubes-options.conf"
    # Install pacman repository
    release=$(echo "$pkgver" | cut -d '.' -f 1,2)
    echo "Installing repository for release ${release}"
    install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled"
    # Archlinux specific: enable autologin on tty1
    mkdir -p "$pkgdir/etc/systemd/system/getty@tty1.service.d/"
    cat <<EOF > "$pkgdir/etc/systemd/system/getty@tty1.service.d/autologin.conf"
 [Service]
 ExecStart=
 ExecStart=-/usr/bin/agetty --autologin user --noclear %I 38400 linux
 EOF
    # Archlinux packaging guidelines: /var/run is a symlink to a tmpfs. Don't create it
    rm -r "$pkgdir/var/run"
 }
 #This package provides:
 # * proxy service used by TemplateVMs to download updates
 # * qubes-firewall service (FirewallVM)
 #
 #Integration of NetworkManager for Qubes VM:
 # * make connections config persistent
 # * adjust DNS redirections when needed
 # * show/hide NetworkManager applet icon
 #
 package_qubes-vm-networking() {
    pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM"
    depends=(qubes-vm-core "qubes-vm-utils>=3.1.3" python2 ethtool net-tools
             "qubes-db-vm>=3.2.1" networkmanager iptables tinyproxy nftables
             )
    install=PKGBUILD-networking.install
    # shellcheck disable=SC2154
    PYTHON=python2 make install-netvm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
 }
 package_qubes-vm-keyring() {
    pkgdesc="Qubes OS Binary Repository Activation package and Keyring"
    install=PKGBUILD-keyring.install
    # Install keyring (will be activated through the .install file)
    install -dm755 "${pkgdir}/usr/share/pacman/keyrings/"
    install -m0644 PKGBUILD-keyring-keys "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg"
    install -m0644 PKGBUILD-keyring-trusted "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted"
    install -m0644 PKGBUILD-keyring-revoked "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked"
 }
 # vim:set ts=2 sw=2 et:
--- a/archlinux/PKGBUILD-keyring-keys
+++ b/archlinux/PKGBUILD-keyring-keys
@ -0,0 +1,30 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBFM0TnYBCADNyamUtA9e0/oUu4AeAgt1JYDtq3zCQSX7pHpY1zkGtulppSOe
 gkCgW2db+FlKeUNHQ+JX0uv8Ny0SjQBZO0yNxDLfPuqJzM/VjUIdLTJS0FEpxzT1
 Oiz0WRdcbeHtQ8SmEfmRStaB9PTNZ97FogFFONvQ6r/ICNldqfe+Qq72D/p6FqNM
 mW16dZokQEOgJpOb/L7dHNrta1ye8CurrEbXIt7B+4NnUpvzFmnQ+OxsC3AUbvI5
 PbaQyu8ivhoofnpgj66PojlFYMaL8mUaScL2VM5Ljx72zVA5+MUmk8O02O2X8Rdc
 +5boRi2h7oyCASBYK3x+WayaDTNWx3o8+sSdABEBAAG0N09saXZpZXIgTUVET0Mg
 KFF1YmVzLU9TIHNpZ25pbmcga2V5KSA8b19tZWRvY0B5YWhvby5mcj6JAT4EEwEC
 ACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW+jhsBQkHiFDrAAoJECBD
 56zBgzucHCwH/RLCCM1PJ50jEMJg7ZBrwkv5cvKePD1iGhPFOZ1gBtMTYfl7zJO7
 gOuOgQ+TKjfIFM/ijQBFMRmByrQ0ZkGNIqY7JB3shZ5EsCeb7cgyw7hEyj4S3O6e
 K+CVVy4CBAyXILVr/En8xU41K1qQpEiHkvqk0E05sEkYcN4Ggvw5JUNWpZO7fl6I
 tLvTBf5aPqiLqWN08fjdmVJ/5l+LCdMyJxUdsQV0pkzcv9l8ouB/0ig8HikoC+dW
 HuWbk9uj1CU0c4C8tTbOszjKAbEZ5msZ2NUxPM1vqKaac8IbWkSJBqlYFcb3PSMk
 LmFtXN/0hAcf8KbziODQgKcyuEBi3b5d6wy5AQ0EUzROdgEIAOG22xrDqJkCrEx8
 QFnZYSwxV2lI9fDyCT/kaHPa/5YOV/Xa01RLM27UPbV/UKkKN+M6+mFj26e+E25p
 2R/e1Wk9HDrbu7NDXozGcKDlTIAmQ4yjNVb/G1850/SO1vuPDfNzMD81F18XzYCa
 eyUV88HjXTbJSeJAbjWNvTkoMK4wY6PlHfyT0G0i4svfL/mZCGM8KagNouGHuG8s
 5JKwlC1BZnmfDuB4exP7cSNEDWwnBn98rx13DMLkGJu1xGnLqdGJw6WpP4a1IG7A
 9NDE2VetAS/ElMbMqfyuqiAxhtnuGdxstDaU7gW4VMTjAOMtO9LLY20EipsSBUrg
 7U1ync0AEQEAAYkBJQQYAQIADwIbDAUCVvo4nQUJB4hRJAAKCRAgQ+eswYM7nLWy
 CAC6enhJbXKGchqgfh+CeKsvWg97JG8yjW4W/9RL9Vto8ppgNzIKbA7AKgqOiy5l
 TToLaxK+Z1JE72lsWUnALmz1Oa7M7M9J1ptfD8TMj1/D3cj2Lnrg7qTaEEL5Nw+t
 FRNXeUjsuWt+iW7eYiGtI+eSWBokH945Ig32vf88n0t3F8whDRzv5fy1yF35aMRS
 HS5gDJv5t2BnPtehMhr5EOHbUH3UFevA79Hf4bUlOOo7eTTmSPMDcWFUA9MMKoE5
 pkHwoimXiNJy3e8TZ4uSTBH8XcXA/5mYSXbWKBX4Y5JznOBTtkjGsbL7dua3zDbF
 BGNH5RhiY1/bJ+m4zxU8bDWq
 =ofdo
 -----END PGP PUBLIC KEY BLOCK-----
--- a/archlinux/PKGBUILD-keyring-revoked
+++ b/archlinux/PKGBUILD-keyring-revoked
--- a/archlinux/PKGBUILD-keyring-trusted
+++ b/archlinux/PKGBUILD-keyring-trusted
@ -0,0 +1 @@
 D85EE12F967851CCF433515A2043E7ACC1833B9C:4:
--- a/archlinux/PKGBUILD-keyring.install
+++ b/archlinux/PKGBUILD-keyring.install
@ -0,0 +1,18 @@
 post_upgrade() {
 	if usr/bin/pacman-key -l >/dev/null 2>&1; then
 		usr/bin/pacman-key --populate qubesos-vm
 	fi
 	release=$(echo "$1" | cut -d '.' -f 1,2)
 	if ! [ -h /etc/pacman.d/99-qubes-repository-${release}.conf ] ; then
            ln -s /etc/pacman.d/99-qubes-repository-${release}.conf.disabled /etc/pacman.d/99-qubes-repository-${release}.conf 
        fi
 }
 post_install() {
 	if [ -x usr/bin/pacman-key ]; then
 		post_upgrade "$1"
 	fi
 }
--- a/archlinux/PKGBUILD-networking.install
+++ b/archlinux/PKGBUILD-networking.install
@ -0,0 +1,41 @@
 #!/bin/bash
 ## arg 1:  the new package version
 post_install() {
    # Create NetworkManager configuration if we do not have it
    if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
    echo '[main]' > /etc/NetworkManager/NetworkManager.conf
    echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
    echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
    fi
    # Remove ip_forward setting from sysctl, so NM will not reset it
    # Archlinux now use sysctl.d/ instead of sysctl.conf
    #sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
    /usr/lib/qubes/qubes-fix-nm-conf.sh
    # Yum proxy configuration is fedora specific
    #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
    #  echo >> /etc/yum.conf
    #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
    #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
    #fi
    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
        systemctl enable $srv
    done
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 post_upgrade() {
    post_install
 }
 ## arg 1:  the old package version
 post_remove() {
    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
        systemctl disable $srv
    done
 }
--- a/archlinux/PKGBUILD-qubes-pacman-options.conf
+++ b/archlinux/PKGBUILD-qubes-pacman-options.conf
@ -0,0 +1,2 @@
 [options]
 NoUpgrade = etc/pam.d/su-l
--- a/archlinux/PKGBUILD-qubes-repo-3.2.conf
+++ b/archlinux/PKGBUILD-qubes-repo-3.2.conf
@ -0,0 +1,2 @@
 [qubes-r3.2]
 Server = http://olivier.medoc.free.fr/archlinux/current/
--- a/archlinux/PKGBUILD-qubes-repo-4.0.conf
+++ b/archlinux/PKGBUILD-qubes-repo-4.0.conf
@ -0,0 +1,2 @@
 [qubes-r4.0]
 Server = http://olivier.medoc.free.fr/archlinux/current
--- a/archlinux/PKGBUILD.install
+++ b/archlinux/PKGBUILD.install
@ -1,263 +1,401 @@
 #!/bin/bash
 qubes_preset_file="75-qubes-vm.preset"
-remove_ShowIn () {
+###########################
-	if [ -e /etc/xdg/autostart/$1.desktop ]; then
+## Pre-Install functions ##
-		sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop
+###########################
-	fi
+
 update_default_user() {
    # Make sure there is a qubes group
    groupadd --force --system --gid 98 qubes
    # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
    # See https://bugs.archlinux.org/task/31831
    id -u 'user' >/dev/null 2>&1 || {
        useradd --user-group --create-home --shell /bin/bash user
    }
    usermod -a --groups qubes user
 }
 update_xdgstart () {
 # reenable abrt-aplet if disabled by some earlier version of package
 remove_ShowIn abrt-applet.desktop
 # don't want it at all
 for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
 	if [ -e /etc/xdg/autostart/$F.desktop ]; then
 		remove_ShowIn $F
 		echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
 	fi
 done
 # don't want it in DisposableVM
 for F in gcm-apply ; do
 	if [ -e /etc/xdg/autostart/$F.desktop ]; then
 		remove_ShowIn $F
 		echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop
 	fi
 done
 # want it in AppVM only
 for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do
 	if [ -e /etc/xdg/autostart/$F.desktop ]; then
 		remove_ShowIn $F
 		echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop
 	fi
 done
 # remove existing rule to add own later
 for F in gpk-update-icon nm-applet ; do
 	remove_ShowIn $F
 done
 echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || :
 echo 'OnlyShowIn=GNOME;QUBES;' >> /etc/xdg/autostart/nm-applet.desktop || :
 # Enable autostart of notification-daemon when installed
 ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
 }
 update_qubesconfig () {
 # Create NetworkManager configuration if we do not have it
 if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
 echo '[main]' > /etc/NetworkManager/NetworkManager.conf
 echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
 echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
 fi
 /usr/lib/qubes/qubes-fix-nm-conf.sh
 # Remove ip_forward setting from sysctl, so NM will not reset it
 # Archlinux now use sysctl.d/ instead of sysctl.conf
 # sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
 # Remove old firmware updates link
 if [ -L /lib/firmware/updates ]; then
  rm -f /lib/firmware/updates
 fi
 # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
 if ! grep -q localhost /etc/hosts; then
  cat <<EOF > /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 EOF
 fi
 # Remove most of the udev scripts to speed up the VM boot time
 # Just leave the xen* scripts, that are needed if this VM was
 # ever used as a net backend (e.g. as a VPN domain in the future)
 #echo "--> Removing unnecessary udev scripts..."
 mkdir -p /var/lib/qubes/removed-udev-scripts
 for f in /etc/udev/rules.d/*
 do
    if [ $(basename $f) == "xen-backend.rules" ] ; then
        continue
    fi
    if [ $(basename $f) == "50-qubes-misc.rules" ] ; then
        continue
    fi
    if echo $f | grep -q qubes; then
        continue
    fi
    mv $f /var/lib/qubes/removed-udev-scripts/
 done
 }
 update_systemd() {
 echo "Updating systemd configuration for Qubes..."
 echo "Enabling tty1"
 # Archlinux specific: ensure tty1 is enabled
 rm -f /etc/systemd/system/getty.target.wants/getty\@tty*.service
 systemctl enable getty\@tty1.service
 # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
 if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
 	echo "Fixing pam.d"
 	sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
 	sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
 	sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
 	cp /etc/pam.d/su /etc/pam.d/su-l
 fi
 echo "Enabling qubes specific services"
 for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy qubes-qrexec-agent qubes-ensure-lib-modules; do
  if [ -f /lib/systemd/system/$srv.service ]; then
    if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then
      systemctl enable "$srv"
      # 2> /dev/null
    else
      echo "WARNING: Cannot enable qubes service $srv: unit cannot be installed"
    fi
  else
    echo "WARNING: Cannot enable qubes service $srv: unit does not exists"
  fi
 done
 systemctl enable qubes-update-check.timer 2> /dev/null
 UNITDIR=/lib/systemd/system
 OVERRIDEDIR=/usr/lib/qubes/init
 # Install overriden services only when original exists
 for srv in cups NetworkManager NetworkManager-wait-online ntpd chronyd; do
    if [ -f $UNITDIR/$srv.service ]; then
        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
    fi
    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then
        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/
    fi
    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then
        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
    fi
 done
 # Set default "runlevel"
 rm -f /etc/systemd/system/default.target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond"
 DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save"
 DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late"
 DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait"
 DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover"
 DISABLE_SERVICES="$DISABLE_SERVICES rngd smartd upower irqbalance colord"
 for srv in $DISABLE_SERVICES; do
    if [ -f /lib/systemd/system/$srv.service ]; then
        if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then
            systemctl disable $srv.service 2> /dev/null
        else
            # forcibly disable
            ln -sf /dev/null /etc/systemd/system/$srv.service
        fi
    fi
 done
 # Disable original service to enable overriden one
 systemctl disable NetworkManager.service 2> /dev/null
 # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
 systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null
 # Enable some services
 ENABLE_SERVICES="iptables ip6tables ip6tables rsyslog ntpd haveged"
 ENABLE_SERVICES="$ENABLE_SERVICES NetworkManager"
 # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
 ENABLE_SERVICES="$ENABLE_SERVICES NetworkManager-dispatcher"
 # Enable cups only when it is real SystemD service
 ENABLE_SERVICES="$ENABLE_SERVICES cups"
 for srv in $ENABLE_SERVICES; do
  if [ -f /lib/systemd/system/$srv.service ]; then
    if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then
      echo "Enabling service $srv"
      systemctl enable "$srv"
      # 2> /dev/null
    fi
  fi
 done
 }
 ## arg 1:  the new package version
 pre_install() {
-  echo "Pre install..."
+    echo "Pre install..."
-  # do this whole %pre thing only when updating for the first time...
+    update_default_user
-  mkdir -p /var/lib/qubes
+    # do this whole %pre thing only when updating for the first time...
-  # Backup fstab / But use archlinux defaults (cp instead of mv)
+    mkdir -p /var/lib/qubes
  if [ -e /etc/fstab ] ; then 
    cp /etc/fstab /var/lib/qubes/fstab.orig
  fi
-  # Add qubes core related fstab entries
+    # Backup fstab / But use archlinux defaults (cp instead of mv)
-  echo "xen	/proc/xen	xenfs	defaults	0 0" >> /etc/fstab
+    if [ -e /etc/fstab ] ; then
        cp /etc/fstab /var/lib/qubes/fstab.orig
    fi
-  # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
+    # Add qubes core related fstab entries
-  # See https://bugs.archlinux.org/task/31831
+    echo "xen	/proc/xen	xenfs	defaults	0 0" >> /etc/fstab
-  useradd --shell /bin/zsh --create-home user
+
    usermod -p '' root
    usermod -L user
 }
 ## arg 1:  the new package version
 post_install() {
 update_xdgstart
 update_qubesconfig
 update_systemd
 # do the rest of %post thing only when updating for the first time...
 # Note: serial console wont work this way on archlinux. Maybe better using systemd ?
 #if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
 #	cp /etc/init/serial.conf /var/lib/qubes/serial.orig
 #fi
 # SELinux is not enabled on archlinux
 # echo "--> Disabling SELinux..."
 # sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
 # mv /etc/selinux/config.processed /etc/selinux/config
 # setenforce 0 2>/dev/null
 mkdir -p /rw
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 post_upgrade() {
 update_xdgstart
 update_systemd
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 pre_upgrade() {
-  # do something here
+    # do something here
-  echo "Pre upgrade..."
+    echo "Pre upgrade..."
    update_default_user
 }
 ###################
 ## Install Hooks ##
 ###################
 configure_notification-daemon() {
    # Enable autostart of notification-daemon when installed
    if [ ! -L /etc/xdg/autostart/notification-daemon.desktop ]; then
        ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
    fi
 }
 configure_selinux() {
    # SELinux is not enabled on archlinux
    #echo "--> Disabling SELinux..."
    echo "SELINUX not enabled on archlinux. skipped."
    # sed -e s/^SELINUX=.*$/SELINUX=disabled/ -i /etc/selinux/config
    # setenforce 0 2>/dev/null
 }
 ############################
 ## Post-Install functions ##
 ############################
 update_qubesconfig() {
    # Remove old firmware updates link
    if [ -L /lib/firmware/updates ]; then
      rm -f /lib/firmware/updates
    fi
    # convert /usr/local symlink to a mount point
    if [ -L /usr/local ]; then
        rm -f /usr/local
        mkdir /usr/local
        mount /usr/local || :
    fi
    # Fix fstab update to core-agent-linux 4.0.33
    grep -F -q "/rw/usrlocal" /etc/fstab || sed "/\/rw\/home/a\/rw\/usrlocal    \/usr\/local  none    noauto,bind,defaults 0 0" -i /etc/fstab
    #/usr/lib/qubes/update-proxy-configs
    # Archlinux pacman configuration is handled in update_finalize
    if ! [ -r /etc/dconf/profile/user ]; then
        mkdir -p /etc/dconf/profile
        echo "user-db:user" >> /etc/dconf/profile/user
        echo "system-db:local" >> /etc/dconf/profile/user
    fi
    dconf update &> /dev/null || :
    # Location of files which contains list of protected files
    mkdir -p /etc/qubes/protected-files.d
    # shellcheck source=init/functions
    . /usr/lib/qubes/init/functions
    # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
    if ! is_protected_file /etc/hosts ; then
        if ! grep -q localhost /etc/hosts; then
          cat <<EOF > /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 $(hostname)
 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 EOF
        fi
    fi
    # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
    # in the form expected by qubes-sysinit.sh
    if ! is_protected_file /etc/hostname ; then
        for ip in '127\.0\.0\.1' '::1'; do
            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts
                sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts
            else
                echo "${ip} $(hostname)" >> /etc/hosts
            fi
        done
    fi
 }
 ############################
 ## Service Management Functions ##
 ############################
 is_static() {
    [ -f "/usr/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/usr/lib/systemd/system/$1"
 }
 is_masked() {
    if [ ! -L /etc/systemd/system/"$1" ]
    then
        return 1
    fi
    target=$(readlink /etc/systemd/system/"$1" 2>/dev/null) || :
    if [ "$target" = "/dev/null" ]
    then
        return 0
    fi
    return 1
 }
 mask() {
    ln -sf /dev/null /etc/systemd/system/"$1"
 }
 unmask() {
    if ! is_masked "$1"
    then
        return 0
    fi
    rm -f /etc/systemd/system/"$1"
 }
 preset_units() {
    local represet=
    while read -r action unit_name
    do
        if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]
        then
            represet=1
            continue
        fi
        echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
        [[ -n "$action" && -n "$unit_name" ]] || continue
        if [ "$2" = "initial" ] || [ "$represet" = "1" ]
        then
            if [ "$action" = "disable" ] && is_static "$unit_name"
            then
                if ! is_masked "$unit_name"
                then
                    # We must effectively mask these units, even if they are static.
                    mask "$unit_name"
                fi
            elif [ "$action" = "enable" ] && is_static "$unit_name"
            then
                if is_masked "$unit_name"
                then
                    # We masked this static unit before, now we unmask it.
                    unmask "$unit_name"
                fi
                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            else
                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            fi
        fi
    done < "$1"
 }
 restore_units() {
    grep '^[[:space:]]*[^#;]' "$1" | while read -r action unit_name
    do
        if is_static "$unit_name" && is_masked "$unit_name"
        then
            # If the unit had been masked by us, we must unmask it here.
            # Otherwise systemctl preset will fail badly.
            unmask "$unit_name"
        fi
        systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
    done
 }
 configure_systemd() {
    if [ "$1" -eq 1 ]
    then
        preset_units /usr/lib/systemd/system-preset/$qubes_preset_file initial
        changed=true
    else
        preset_units /usr/lib/systemd/system-preset/$qubes_preset_file upgrade
        changed=true
        # Upgrade path - now qubes-iptables is used instead
        for svc in iptables ip6tables
        do
            if [ -f "$svc".service ]
            then
                systemctl --no-reload preset "$svc".service
                changed=true
            fi
        done
    fi
    if [ "$1" -eq 1 ]
    then
        # First install.
        # Set default "runlevel".
        # FIXME: this ought to be done via kernel command line.
        # The fewer deviations of the template from the seed
        # image, the better.
        rm -f /etc/systemd/system/default.target
        ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
        changed=true
    fi
    # remove old symlinks
    if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]
    then
        rm -f /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
        changed=true
    fi
    if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]
    then
        rm -f /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
        changed=true
    fi
    if [ "x$changed" != "x" ]
    then
        systemctl daemon-reload
    fi
 }
 ######################
 ## Archlinux Specific Functions ##
 ######################
 config_prependtomark() {
    FILE=$1
    APPENDBEFORELINE=$2
    APPENDLINE=$3
    grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDBEFORELINE/i$APPENDLINE" -i "$FILE"
 }
 config_appendtomark() {
    FILE=$1
    APPENDAFTERLINE=$2
    APPENDLINE=$3
    grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
 }
 config_cleanupmark() {
    FILE="$1"
    BEGINMARK="$2"
    ENDMARK="$3"
    if grep -F -q "$BEGINMARK" "$FILE"; then
        if grep -F -q "$ENDMARK" "$FILE"; then
            cp "$FILE" "$FILE.qubes-update-orig"
            sed -i -e "/^$BEGINMARK$/,/^$ENDMARK$/{
                /^$ENDMARK$/b
                /^$BEGINMARK$/!d
                }" "$FILE"
            rm -f "$FILE.qubes-update-orig"
        else
            echo "ERROR: found $BEGINMARK marker but not $ENDMARK in $FILE. Please cleanup this file manually."
        fi
    elif grep -F -q "$ENDMARK" "$FILE"; then
        echo "ERROR: found $ENDMARK marker but not $BEGINMARK in $FILE. Please cleanup this file manually."
    fi
 }
 update_finalize() {
    # Archlinux specific: If marker exists, cleanup text between begin and end marker
    QUBES_MARKER="### QUBES CONFIG MARKER ###"
    if grep -F -q "$QUBES_MARKER" /etc/pacman.conf; then
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
        config_cleanupmark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES CONFIG END MARKER ###"
    # Else, add qubes config block marker
    else
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
    fi
    # Include /etc/pacman.d drop-in directory
    config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "Include = /etc/pacman.d/*.conf"
    /usr/lib/qubes/update-proxy-configs
    # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
    # This is required as qubes-gui agent calls xinit with su -l user without initializing properly
    # the user session.
    # pam_unix.so can also be removed from su configuration
    # as system-login (which include system-auth) already gives pam_unix.so
    # with more appropriate parameters (fix the missing nullok parameter)
    if grep -q pam_unix.so /etc/pam.d/su; then
        echo "Fixing pam.d"
 	cp /etc/pam.d/qrexec /etc/pam.d/su-l
    fi
    # Archlinux specific: ensure tty1 is enabled
    rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
    systemctl enable getty\@tty1.service
    systemctl daemon-reload
 }
 ## arg 1:  the new package version
 post_install() {
    update_qubesconfig
    # do the rest of %post thing only when updating for the first time...
    if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
        cp /etc/init/serial.conf /var/lib/qubes/serial.orig
    fi
    chgrp user /var/lib/qubes/dom0-updates
    # Remove most of the udev scripts to speed up the VM boot time
    # Just leave the xen* scripts, that are needed if this VM was
    # ever used as a net backend (e.g. as a VPN domain in the future)
    #echo "--> Removing unnecessary udev scripts..."
    mkdir -p /var/lib/qubes/removed-udev-scripts
    for f in /etc/udev/rules.d/*
    do
        if [ "$(basename "$f")" == "xen-backend.rules" ] ; then
            continue
        fi
        if [ "$(basename "$f")" == "50-qubes-misc.rules" ] ; then
            continue
        fi
        if echo "$f" | grep -q qubes; then
            continue
        fi
        mv "$f" /var/lib/qubes/removed-udev-scripts/
    done
    mkdir -p /rw
    configure_notification-daemon
    configure_selinux
    configure_systemd 0
    update_finalize
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 post_upgrade() {
    update_qubesconfig
    configure_notification-daemon
    configure_selinux
    configure_systemd 1
    update_finalize
 }
 ######################
 ## Remove functions ##
 ######################
 ## arg 1:  the old package version
 pre_remove() {
    # no more packages left
    if [ -e /var/lib/qubes/fstab.orig ] ; then
    mv /var/lib/qubes/fstab.orig /etc/fstab
@ -267,22 +405,42 @@ pre_remove() {
    mv /var/lib/qubes/serial.orig /etc/init/serial.conf
    fi
    if [ "$1" -eq 0 ] ; then
        # Run this only during uninstall.
        # Save the preset file to later use it to re-preset services there
        # once the Qubes OS preset file is removed.
        mkdir -p /run/qubes-uninstall
        cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
        cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
    fi
 }
 ## arg 1:  the old package version
 post_remove() {
    changed=
    if [ -d /run/qubes-uninstall ]
    then
        # We have a saved preset file (or more).
        # Re-preset the units mentioned there.
        restore_units /run/qubes-uninstall/$qubes_preset_file
        rm -rf /run/qubes-uninstall
        changed=true
    fi
    if [ "x$changed" != "x" ]
    then
        systemctl daemon-reload
    fi
    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
    if [ -L /lib/firmware/updates ] ; then
      rm /lib/firmware/updates
    fi
-  for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-qrexec-agent qubes-yum-proxy qubes-ensure-lib-modules; do
+    rm -rf /var/lib/qubes/xdg
    systemctl disable $srv.service
  done
  systemctl disable qubes-update-check.timer
    for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-qrexec-agent; do
        systemctl disable $srv.service
    done
 }
--- a/archlinux/PKGBUILD.qubes-update-desktop-icons.hook
+++ b/archlinux/PKGBUILD.qubes-update-desktop-icons.hook
@ -0,0 +1,11 @@
 [Trigger]
 Type = File
 Operation = Install
 Operation = Upgrade
 Operation = Remove
 Target = usr/share/applications/*.desktop
 [Action]
 Description = Updating the Qubes desktop file App Icons and features...
 When = PostTransaction
 Exec = /etc/qubes-rpc/qubes.PostInstall
--- a/autostart-dropins/Makefile
+++ b/autostart-dropins/Makefile
@ -0,0 +1,6 @@
 DROPINS_DIR = /etc/qubes/autostart
 install:
 	for f in *.desktop; do install -m 0644 -D $$f $(DESTDIR)$(DROPINS_DIR)/$$f.d/30_qubes.conf; done
 	install -m 0644 README.txt $(DESTDIR)$(DROPINS_DIR)/
--- a/autostart-dropins/README.txt
+++ b/autostart-dropins/README.txt
@ -0,0 +1,20 @@
 This directory (/etc/qubes/autostart) is used to override parts of files in
 /etc/xdg/autostart. For each desktop file there, you can create directory named
 after the file plus ".d", then place files there. All such files will be read
 (in lexicographical order) and lines specified there will override respective
 entries in the original file. This can be used for example to enable or disable
 specific application in particular VM type.
 For example, you can extend `/etc/xdg/autostart/gnome-keyring-ssh.desktop` by
 creating `/etc/qubes/autostart/gnome-keyring-ssh.desktop.d/50_user.conf` with:
 ```
 [Desktop Entry]
 OnlyShowIn=X-AppVM;
 ```
 This would mean that `OnlyShowIn` key would be read as `X-AppVM;`, regardless
 of original entry in `/etc/xdg/autostart/gnome-keyring-ssh.desktop`.
 This mechanism overrides only content of /etc/xdg/autostart, files placed in
 ~/.config/autostart are unaffected, so can be used to override settings per-VM
 basis.
--- a/autostart-dropins/deja-dup-monitor.desktop
+++ b/autostart-dropins/deja-dup-monitor.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/gcm-apply.desktop
+++ b/autostart-dropins/gcm-apply.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-DisposableVM;
--- a/autostart-dropins/gnome-keyring-gpg.desktop
+++ b/autostart-dropins/gnome-keyring-gpg.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/gnome-keyring-pkcs11.desktop
+++ b/autostart-dropins/gnome-keyring-pkcs11.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/gnome-keyring-secrets.desktop
+++ b/autostart-dropins/gnome-keyring-secrets.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/gnome-keyring-ssh.desktop
+++ b/autostart-dropins/gnome-keyring-ssh.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/gnome-power-manager.desktop
+++ b/autostart-dropins/gnome-power-manager.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/gnome-screensaver.desktop
+++ b/autostart-dropins/gnome-screensaver.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/gnome-settings-daemon.desktop
+++ b/autostart-dropins/gnome-settings-daemon.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/gnome-sound-applet.desktop
+++ b/autostart-dropins/gnome-sound-applet.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/gpk-update-icon.desktop
+++ b/autostart-dropins/gpk-update-icon.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-UpdateableVM;
--- a/autostart-dropins/gsettings-data-convert.desktop
+++ b/autostart-dropins/gsettings-data-convert.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/autostart-dropins/imsettings-start.desktop
+++ b/autostart-dropins/imsettings-start.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/krb5-auth-dialog.desktop
+++ b/autostart-dropins/krb5-auth-dialog.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/nm-applet.desktop
+++ b/autostart-dropins/nm-applet.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-QUBES
--- a/autostart-dropins/notify-osd.desktop
+++ b/autostart-dropins/notify-osd.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/orca-autostart.desktop
+++ b/autostart-dropins/orca-autostart.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/org.gnome.SettingsDaemon.XSettings.desktop
+++ b/autostart-dropins/org.gnome.SettingsDaemon.XSettings.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-QUBES
--- a/autostart-dropins/pulseaudio-kde.desktop
+++ b/autostart-dropins/pulseaudio-kde.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/pulseaudio.desktop
+++ b/autostart-dropins/pulseaudio.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/restorecond.desktop
+++ b/autostart-dropins/restorecond.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/sealertauto.desktop
+++ b/autostart-dropins/sealertauto.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/spice-vdagent.desktop
+++ b/autostart-dropins/spice-vdagent.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 NotShowIn=X-QUBES;
--- a/autostart-dropins/user-dirs-update-gtk.desktop
+++ b/autostart-dropins/user-dirs-update-gtk.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-AppVM;
--- a/ci/requirements.txt
+++ b/ci/requirements.txt
@ -0,0 +1,6 @@
 # WARNING: those requirements are used only for travis-ci.org
 # they SHOULD NOT be used under normal conditions; use system package manager
 docutils
 pylint
 codecov
 python-daemon
--- a/31
+++ b/31
@ -0,0 +1,31 @@
 #!/bin/bash
 # vim: set ts=4 sw=4 sts=4 et :
 #
 # Given a series.conf file and debian patches directory, patches
 # are copied to debian patch directory
 USAGE="${0} <series.conf> <patchdir>"
 set -e
 set -o pipefail
 DIR="${0%/*}"
 SERIES_CONF="${1}"
 PATCH_DIR="${2}"
 if test $# -lt 2 || [ ! -e "${SERIES_CONF}" ] || [ ! -d "${PATCH_DIR}" ] ; then
 	echo "${USAGE}" >&2
 	exit 1
 fi
 # Clear patch series.conf file
 rm -f "${PATCH_DIR}/series"
 touch "${PATCH_DIR}/series"
 while read -r patch_file
 do
    if [ -e "${DIR}/${patch_file}" ]; then
        echo -e "${patch_file##*/}" >> "${PATCH_DIR}/series"
        cp "${DIR}/${patch_file}" "${PATCH_DIR}"
    fi
 done < "${SERIES_CONF}"
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control
+++ b/debian/control
@ -1,19 +1,175 @@
 Source: qubes-core-agent
 Section: admin
 Priority: extra
-Maintainer: Davíð Steinn Geirsson <david@dsg.is>
+Maintainer: unman <unman@thirdeyesecurity.org>
-Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5)
+Build-Depends:
-Standards-Version: 3.9.3
+    libpam0g-dev,
-Homepage: http://www.qubes-os.org
+    libqrexec-utils-dev,
-Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
+    libqubes-rpc-filecopy-dev (>= 3.1.3),
    libvchan-xen-dev,
    python,
    python-setuptools,
    debhelper,
    quilt,
    libxen-dev,
    pkg-config,
    dh-systemd (>= 1.5),
    dh-python,
    lsb-release,
    xserver-xorg-dev,
    config-package-dev,
    pandoc,
 Standards-Version: 3.9.5
 Homepage: https://www.qubes-os.org
 Vcs-Git: https://github.com/QubesOS/qubes-core-agent-linux
 Package: qubes-core-agent
 Architecture: any
-Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends}
+Depends:
    dconf-cli,
    dmsetup,
    gawk,
    imagemagick,
    init-system-helpers,
    initscripts,
    librsvg2-bin,
    locales,
    ncurses-term,
    psmisc,
    procps,
    util-linux,
    python2.7,
    python-daemon,
    python-qubesdb,
    python-gi,
    python-xdg,
    python-dbus,
    qubes-utils (>= 3.1.3),
    qubes-core-agent-qrexec,
    qubesdb-vm,
    systemd,
    x11-xserver-utils,
    xdg-user-dirs,
    xdg-utils,
    xen-utils-common,
    xenstore-utils,
    xinit,
    xserver-xorg-core,
    ${python:Depends},
    ${shlibs:Depends},
    ${misc:Depends}
 Recommends:
    cups,
    gnome-terminal,
    gnome-themes-standard,
    haveged,
    libnotify-bin,
    locales-all,
    mate-notification-daemon,
    ntpdate,
    system-config-printer,
    qubes-core-agent-nautilus,
    qubes-core-agent-networking,
    qubes-core-agent-network-manager,
    xsettingsd
 Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
 This package includes various daemons necessary for qubes domU support,
 such as qrexec.
-# Unresolved depends that exist in rpm_spec
+Package: qubes-core-agent-qrexec
-#qubes-core-vm-kernel-placeholder, qubes-core-vm,
+Architecture: any
 Depends:
    libvchan-xen,
    ${shlibs:Depends},
    ${misc:Depends}
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes qrexec agent
 Agent part of Qubes RPC system. A daemon responsible for starting processes as
 requested by dom0 or other VMs, according to dom0-enforced policy.
 Package: qubes-core-agent-nautilus
 Architecture: any
 Depends:
    python-nautilus,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes integration for Nautilus
 Nautilus addons for inter-VM file copy/move/open.
 Package: qubes-core-agent-thunar
 Architecture: any
 Depends:
    thunar,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes integration for Thunar
 Thunar addons for inter-VM file copy/move/open.
 Package: qubes-core-agent-dom0-updates
 Architecture: any
 Depends:
    fakeroot,
    yum,
    yum-utils,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Scripts required to handle dom0 updates.
  Scripts required to handle dom0 updates. This will allow to use the VM as
  "Updates VM".
 Package: qubes-core-agent-networking
 Architecture: any
 Depends:
    qubes-core-agent,
    tinyproxy,
    iptables,
    net-tools,
    ethtool,
    socat,
    tinyproxy,
    ${python:Depends},
    ${misc:Depends}
 Suggests:
    nftables,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Networking support for Qubes VM
 This package provides:
  * basic network functionality (setting IP address, DNS, default gateway)
  * proxy service used by TemplateVMs to download updates
  * qubes-firewall service (FirewallVM)
 .
 Note: if you want to use NetworkManager (you do want it in NetVM), install
 also qubes-core-agent-network-manager.
 Package: qubes-core-agent-network-manager
 Architecture: any
 Depends:
    qubes-core-agent-networking,
    libglib2.0-bin,
    network-manager (>= 0.8.1-1),
    network-manager-gnome,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: NetworkManager integration for Qubes VM
 Integration of NetworkManager for Qubes VM:
  * make connections config persistent
  * adjust DNS redirections when needed
  * show/hide NetworkManager applet icon
 Package: qubes-core-agent-passwordless-root
 Architecture: any
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Passwordless root access from normal user
 Configure sudo, PolicyKit and similar tool to not ask for any password when
 switching from user to root. Since all the user data in a VM is accessible
 already from normal user account, there is not much more to guard there. Qubes
 VM is a single user system.
--- a/debian/patches/.gitignore
+++ b/debian/patches/.gitignore
--- a/debian/qubes-core-agent-dom0-updates.install
+++ b/debian/qubes-core-agent-dom0-updates.install
@ -0,0 +1 @@
 usr/lib/qubes/qubes-download-dom0-updates.sh
--- a/debian/qubes-core-agent-nautilus.install
+++ b/debian/qubes-core-agent-nautilus.install
@ -0,0 +1 @@
 usr/share/nautilus-python/extensions/*
--- a/debian/qubes-core-agent-network-manager.install
+++ b/debian/qubes-core-agent-network-manager.install
@ -0,0 +1,7 @@
 etc/NetworkManager/dispatcher.d/30-qubes-external-ip
 etc/NetworkManager/dispatcher.d/qubes-nmhook
 etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 usr/lib/NetworkManager/conf.d/30-qubes.conf
 usr/lib/qubes/network-manager-prepare-conf-dir
 usr/lib/qubes/qubes-fix-nm-conf.sh
 usr/lib/qubes/show-hide-nm-applet.sh
--- a/debian/qubes-core-agent-network-manager.postinst
+++ b/debian/qubes-core-agent-network-manager.postinst
@ -0,0 +1,56 @@
 #!/bin/bash
 # postinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The postinst script may be called in the following ways:
 #   * <postinst> 'configure' <most-recently-configured-version>
 #   * <old-postinst> 'abort-upgrade' <new version>
 #   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
 #     <new-version>
 #   * <postinst> 'abort-remove'
 #   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
 #     <failed-install-package> <version> 'removing'
 #     <conflicting-package> <version>
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 case "${1}" in
    configure)
        # Initial installation of package only
        # ($2 contains version number on update; nothing on initial installation)
        if [ -z "${2}" ]; then
            # Create NetworkManager configuration if we do not have it
            if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
                echo '[main]' > /etc/NetworkManager/NetworkManager.conf
                echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
                echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
            fi
            /usr/lib/qubes/qubes-fix-nm-conf.sh
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;
    *)
        echo "postinst called with unknown argument \`${1}'" >&2
        exit 1
        ;;
 esac
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@ -0,0 +1,21 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
 etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
 etc/udev/rules.d/99-qubes-network.rules
 etc/xen/scripts/vif-qubes-nat.sh
 etc/xen/scripts/vif-route-qubes
 lib/systemd/system/qubes-firewall.service
 lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
 usr/lib/qubes/setup-ip
 usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 usr/sbin/qubes-firewall
--- a/debian/qubes-core-agent-passwordless-root.displace
+++ b/debian/qubes-core-agent-passwordless-root.displace
@ -0,0 +1,5 @@
 ## This file is part of Qubes OS.
 ## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 /etc/pam.d/su.qubes
--- a/debian/qubes-core-agent-passwordless-root.displace-extension
+++ b/debian/qubes-core-agent-passwordless-root.displace-extension
@ -0,0 +1 @@
 .qubes
--- a/debian/qubes-core-agent-passwordless-root.install
+++ b/debian/qubes-core-agent-passwordless-root.install
@ -0,0 +1,4 @@
 etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 etc/polkit-1/rules.d/00-qubes-allow-all.rules
 etc/pam.d/su.qubes
 etc/sudoers.d/qubes
--- a/debian/qubes-core-agent-passwordless-root.postrm
+++ b/debian/qubes-core-agent-passwordless-root.postrm
@ -0,0 +1,54 @@
 #!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The prerm script may be called in the following ways:
 #   * <postrm> 'remove'
 #   * <postrm> 'purge'
 #   * <old-postrm> 'upgrade' <new-version>
 #   * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
 #
 #     The postrm script is called after the package's files have been removed
 # or replaced. The package whose postrm is being called may have previously been
 # deconfigured and only be "Unpacked", at which point subsequent package changes
 # do not consider its dependencies. Therefore, all postrm actions may only rely
 # on essential packages and must gracefully skip any actions that require the
 # package's dependencies if those dependencies are unavailable.[48]
 #
 #   * <new-postrm> 'failed-upgrade' <old-version>
 #
 #     Called when the old postrm upgrade action fails. The new package will be
 # unpacked, but only essential packages and pre-dependencies can be relied on.
 # Pre-dependencies will either be configured or will be "Unpacked" or
 # "Half-Configured" but previously had been configured and was never removed.
 #
 #   * <new-postrm> 'abort-install'
 #   * <new-postrm> 'abort-install' <old-version>
 #   * <new-postrm> 'abort-upgrade' <old-version>
 #
 #     Called before unpacking the new package as part of the error handling of
 # preinst failures. May assume the same state as preinst can assume.
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "${1}" = "remove" ] ; then
    gpasswd -d user sudo
    if [ "$(passwd -S root|cut -f 2 -d ' ')" = "NP" ]; then
        passwd -l root
    fi
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-passwordless-root.preinst
+++ b/debian/qubes-core-agent-passwordless-root.preinst
@ -0,0 +1,47 @@
 #!/bin/sh
 # preinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The preinst script may be called in the following ways:
 #   * <new-preinst> 'install'
 #   * <new-preinst> 'install' <old-version>
 #   * <new-preinst> 'upgrade' <old-version>
 #
 #     The package will not yet be unpacked, so the preinst script cannot rely
 # on any files included in its package. Only essential packages and
 # pre-dependencies (Pre-Depends) may be assumed to be available.
 # Pre-dependencies will have been configured at least once, but at the time the
 # preinst is called they may only be in an "Unpacked" or "Half-Configured" state
 # if a previous version of the pre-dependency was completely configured and has
 # not been removed since then.
 #
 #
 #  * <old-preinst> 'abort-upgrade' <new-version>
 #
 #    Called during error handling of an upgrade that failed after unpacking the
 # new package because the postrm upgrade action failed. The unpacked files may
 # be partly from the new version or partly missing, so the script cannot rely
 # on files included in the package. Package dependencies may not be available.
 # Pre-dependencies will be at least "Unpacked" following the same rules as
 # above, except they may be only "Half-Installed" if an upgrade of the
 # pre-dependency failed.[46]
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "$1" = "install" ] ; then
    usermod -p '' root
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-qrexec.install
+++ b/debian/qubes-core-agent-qrexec.install
@ -0,0 +1,10 @@
 etc/pam.d/qrexec
 etc/qubes/rpc-config/README
 lib/systemd/system/qubes-qrexec-agent.service
 usr/bin/qrexec-client-vm
 usr/bin/qrexec-fork-server
 usr/lib/qubes/qrexec-agent
 usr/lib/qubes/qrexec-client-vm
 usr/lib/qubes/qrexec_client_vm
 usr/lib/qubes/qubes-rpc-multiplexer
 usr/share/man/man1/qrexec-client-vm.1.gz
--- a/debian/qubes-core-agent-thunar.install
+++ b/debian/qubes-core-agent-thunar.install
@ -0,0 +1,3 @@
 usr/lib/qubes/qvm-actions.sh
 usr/lib/qubes/uca_qubes.xml
 etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
--- a/debian/qubes-core-agent-thunar.postinst
+++ b/debian/qubes-core-agent-thunar.postinst
@ -0,0 +1,58 @@
 #!/bin/bash
 # postinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The postinst script may be called in the following ways:
 #   * <postinst> 'configure' <most-recently-configured-version>
 #   * <old-postinst> 'abort-upgrade' <new version>
 #   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
 #     <new-version>
 #   * <postinst> 'abort-remove'
 #   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
 #     <failed-install-package> <version> 'removing'
 #     <conflicting-package> <version>
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 case "${1}" in
    configure)
        # There is no system-wide Thunar custom actions. There is only a default
        # file and a user file created from the default one. Qubes actions need
        # to be placed after all already defined actions and before </actions>
        # the end of file.
        if [ -f /etc/xdg/Thunar/uca.xml ] ; then
          cp -p /etc/xdg/Thunar/uca.xml /etc/xdg/Thunar/uca.xml.bak
          #shellcheck disable=SC2016
          sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /etc/xdg/Thunar/uca.xml
        fi
        if [ -f /home/user/.config/Thunar/uca.xml ] ; then
          cp -p /home/user/.config/Thunar/uca.xml /home/user/.config/Thunar/uca.xml.bak
          #shellcheck disable=SC2016
          sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /home/user/.config/Thunar/uca.xml
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;
    *)
        echo "postinst called with unknown argument \`${1}'" >&2
        exit 1
        ;;
 esac
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-thunar.postrm
+++ b/debian/qubes-core-agent-thunar.postrm
@ -0,0 +1,57 @@
 #!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The prerm script may be called in the following ways:
 #   * <postrm> 'remove'
 #   * <postrm> 'purge'
 #   * <old-postrm> 'upgrade' <new-version>
 #   * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
 #
 #     The postrm script is called after the package's files have been removed
 # or replaced. The package whose postrm is being called may have previously been
 # deconfigured and only be "Unpacked", at which point subsequent package changes
 # do not consider its dependencies. Therefore, all postrm actions may only rely
 # on essential packages and must gracefully skip any actions that require the
 # package's dependencies if those dependencies are unavailable.[48]
 #
 #   * <new-postrm> 'failed-upgrade' <old-version>
 #
 #     Called when the old postrm upgrade action fails. The new package will be
 # unpacked, but only essential packages and pre-dependencies can be relied on.
 # Pre-dependencies will either be configured or will be "Unpacked" or
 # "Half-Configured" but previously had been configured and was never removed.
 #
 #   * <new-postrm> 'abort-install'
 #   * <new-postrm> 'abort-install' <old-version>
 #   * <new-postrm> 'abort-upgrade' <old-version>
 #
 #     Called before unpacking the new package as part of the error handling of
 # preinst failures. May assume the same state as preinst can assume.
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "${1}" = "remove" ] ; then
  if [ -f /etc/xdg/Thunar/uca.xml ] ; then
    mv /etc/xdg/Thunar/uca.xml /etc/xdg/Thunar/uca.xml.uninstall
    mv /etc/xdg/Thunar/uca.xml.bak /etc/xdg/Thunar/uca.xml
  fi
  if [ -f /home/user/.config/Thunar/uca.xml ] ; then
    mv /home/user/.config/Thunar/uca.xml /home/user/.config/Thunar/uca.xml.uninstall
    mv /home/user/.config/Thunar/uca.xml.bak /home/user/.config/Thunar/uca.xml
  fi
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent.dirs
+++ b/debian/qubes-core-agent.dirs
@ -0,0 +1,11 @@
 etc/qubes/protected-files.d
 etc/systemd/system
 etc/qubes
 etc/qubes/autostart
 etc/qubes/suspend-post.d
 etc/qubes/suspend-pre.d
 usr/lib/qubes-bind-dirs.d
 lib/modules
 var/lib/qubes
 var/lib/qubes/dom0-updates
 rw
--- a/debian/qubes-core-agent.gsettings-override
+++ b/debian/qubes-core-agent.gsettings-override
@ -0,0 +1,2 @@
 [org.mate.NotificationDaemon]
 theme='slider'
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@ -0,0 +1,147 @@
 etc/X11/xorg-preload-apps.conf
 etc/apt/apt.conf.d/00notify-hook
 etc/apt/apt.conf.d/70no-unattended
 etc/apt/sources.list.d/qubes-r4.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/dconf/db/local.d/dpi
 etc/default/grub.d/30-qubes.cfg
 etc/fstab
 etc/needrestart/conf.d/50_qubes.conf
 etc/profile.d/qt_x11_no_mitshm.sh
 etc/qubes-rpc/qubes.Backup
 etc/qubes-rpc/qubes.DetachPciDevice
 etc/qubes-rpc/qubes.Filecopy
 etc/qubes-rpc/qubes.GetAppmenus
 etc/qubes-rpc/qubes.GetImageRGBA
 etc/qubes-rpc/qubes.InstallUpdatesGUI
 etc/qubes-rpc/qubes.OpenInVM
 etc/qubes-rpc/qubes.OpenURL
 etc/qubes-rpc/qubes.PostInstall
 etc/qubes-rpc/qubes.ResizeDisk
 etc/qubes-rpc/qubes.Restore
 etc/qubes-rpc/qubes.SelectDirectory
 etc/qubes-rpc/qubes.SelectFile
 etc/qubes-rpc/qubes.SetDateTime
 etc/qubes-rpc/qubes.StartApp
 etc/qubes-rpc/qubes.SuspendPost
 etc/qubes-rpc/qubes.SuspendPostAll
 etc/qubes-rpc/qubes.SuspendPre
 etc/qubes-rpc/qubes.SuspendPreAll
 etc/qubes-rpc/qubes.VMShell
 etc/qubes-rpc/qubes.VMRootShell
 etc/qubes-rpc/qubes.WaitForSession
 etc/qubes-rpc/qubes.GetDate
 etc/qubes-suspend-module-blacklist
 etc/qubes/autostart/*
 etc/qubes/post-install.d/README
 etc/qubes/post-install.d/*.sh
 etc/qubes/rpc-config/qubes.OpenInVM
 etc/qubes/rpc-config/qubes.OpenURL
 etc/qubes/rpc-config/qubes.SelectFile
 etc/qubes/rpc-config/qubes.SelectDirectory
 etc/qubes/rpc-config/qubes.StartApp
 etc/qubes/rpc-config/qubes.InstallUpdatesGUI
 etc/qubes/rpc-config/qubes.VMShell+WaitForSession
 etc/qubes/suspend-post.d/README
 etc/qubes/suspend-post.d/*.sh
 etc/qubes/suspend-pre.d/README
 etc/sudoers.d/qt_x11_no_mitshm
 etc/sudoers.d/umask
 etc/sysctl.d/20_tcp_timestamps.conf
 etc/sysctl.d/80-qubes.conf
 etc/systemd/system/haveged.service
 etc/udev/rules.d/50-qubes-misc.rules
 lib/modules-load.d/qubes-core.conf
 lib/systemd/system-preset/75-qubes-vm.preset
 lib/systemd/system/ModemManager.service.d/30_qubes.conf
 lib/systemd/system/NetworkManager-wait-online.service.d/30_qubes.conf
 lib/systemd/system/NetworkManager.service.d/30_qubes.conf
 lib/systemd/system/anacron-resume.service.d/30_qubes.conf
 lib/systemd/system/anacron.service.d/30_qubes.conf
 lib/systemd/system/avahi-daemon.service.d/30_qubes.conf
 lib/systemd/system/chronyd.service.d/30_qubes.conf
 lib/systemd/system/cron.service.d/30_qubes.conf
 lib/systemd/system/cups.path.d/30_qubes.conf
 lib/systemd/system/cups.service.d/30_qubes.conf
 lib/systemd/system/cups.socket.d/30_qubes.conf
 lib/systemd/system/cups-browsed.service.d/30_qubes.conf
 lib/systemd/system/exim4.service.d/30_qubes.conf
 lib/systemd/system/getty@tty.service.d/30_qubes.conf
 lib/systemd/system/netfilter-persistent.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.path.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.socket.d/30_qubes.conf
 lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
 lib/systemd/system/qubes-rootfs-resize.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
 lib/systemd/system/qubes-updates-proxy-forwarder@.service
 lib/systemd/system/qubes-updates-proxy-forwarder.socket
 lib/systemd/system/qubes-sync-time.service
 lib/systemd/system/qubes-sync-time.timer
 lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf
 lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf
 lib/systemd/system/tmp.mount.d/30_qubes.conf
 lib/systemd/system/tor.service.d/30_qubes.conf
 lib/systemd/system/tor@default.service.d/30_qubes.conf
 lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf
 usr/bin/qubes-desktop-run
 usr/bin/qubes-open
 usr/bin/qubes-session-autostart
 usr/bin/qubes-run-terminal
 usr/bin/qvm-copy
 usr/bin/qvm-copy-to-vm
 usr/bin/qvm-features-request
 usr/bin/qvm-move
 usr/bin/qvm-move-to-vm
 usr/bin/qvm-open-in-dvm
 usr/bin/qvm-open-in-vm
 usr/bin/qvm-run-vm
 usr/bin/qvm-sync-clock
 usr/bin/xenstore-watch-qubes
 usr/lib/python2.7/dist-packages/qubesagent-*.egg-info/*
 usr/lib/python2.7/dist-packages/qubesagent/*
 usr/lib/qubes-bind-dirs.d/30_cron.conf
 usr/lib/qubes/close-window
 usr/lib/qubes/init/bind-dirs.sh
 usr/lib/qubes/init/control-printer-icon.sh
 usr/lib/qubes/init/functions
 usr/lib/qubes/init/misc-post-stop.sh
 usr/lib/qubes/init/misc-post.sh
 usr/lib/qubes/init/mount-dirs.sh
 usr/lib/qubes/init/qubes-early-vm-config.sh
 usr/lib/qubes/init/qubes-random-seed.sh
 usr/lib/qubes/init/qubes-sysinit.sh
 usr/lib/qubes/init/resize-rootfs-if-needed.sh
 usr/lib/qubes/init/setup-rw.sh
 usr/lib/qubes/init/setup-rwdev.sh
 usr/lib/qubes/prepare-suspend
 usr/lib/qubes/qfile-agent
 usr/lib/qubes/qfile-unpacker
 usr/lib/qubes/qopen-in-vm
 usr/lib/qubes/qubes-sync-clock
 usr/lib/qubes/qrun-in-vm
 usr/lib/qubes/qubes-trigger-sync-appmenus.sh
 usr/lib/qubes/qvm-copy-to-vm.gnome
 usr/lib/qubes/qvm-copy-to-vm.kde
 usr/lib/qubes/qvm-move-to-vm.gnome
 usr/lib/qubes/qvm-move-to-vm.kde
 usr/lib/qubes/resize-rootfs
 usr/lib/qubes/tar2qfile
 usr/lib/qubes/update-proxy-configs
 usr/lib/qubes/upgrades-installed-check
 usr/lib/qubes/upgrades-status-notify
 usr/lib/qubes/vm-file-editor
 usr/lib/qubes/xdg-icon
 usr/lib/systemd/user/pulseaudio.service.d/30_qubes.conf
 usr/lib/systemd/user/pulseaudio.socket.d/30_qubes.conf
 usr/share/glib-2.0/schemas/*
 usr/share/kde4/services/*.desktop
 usr/share/kservices5/ServiceMenus/*.desktop
 usr/share/applications/*.desktop
 usr/share/man/man1/qvm-*
 usr/share/qubes/mime-override/globs
 usr/share/qubes/qubes-master-key.asc
--- a/debian/qubes-core-agent.links
+++ b/debian/qubes-core-agent.links
@ -0,0 +1,3 @@
 ## compatibility symlink
 ## https://github.com/QubesOS/qubes-issues/issues/2191
 /usr/lib/qubes/init/bind-dirs.sh /usr/lib/qubes/bind-dirs.sh
--- a/debian/qubes-core-agent.maintscript
+++ b/debian/qubes-core-agent.maintscript
@ -0,0 +1,2 @@
 rm_conffile /etc/apt/apt.conf.d/00notiy-hook
 rm_conffile /etc/tinyproxy/filter-updates
--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@ -5,7 +5,7 @@
 set -e
-# The postint script may be called in the following ways:
+# The postinst script may be called in the following ways:
 #   * <postinst> 'configure' <most-recently-configured-version>
 #   * <old-postinst> 'abort-upgrade' <new version>
 #   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
@ -19,223 +19,147 @@ set -e
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 # Directory that modified desktop entry config files are stored in
 XDG_CONFIG_QUBES="/usr/share/qubes/xdg"
-# Install overriden services only when original exists
+debug() {
-installOverridenServices() {
+    if [ "${DEBDEBUG}" == "1" ]; then
-    override_dir="${1}"
+        echo -e "$@"
    service="${2}"
    retval=1
    for unit in ${service}; do
        unit="${unit%%.*}"
        unit_name="$(basename ${unit})"
        if [ -f ${unit}.service ]; then
            echo "Installing override for ${unit}.service..."
            cp ${override_dir}/${unit_name}.service /etc/systemd/system/
            retval=0
        fi
        if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then
            echo "Installing override for ${unit}.socket..."
            cp ${override_dir}/${unit_name}.socket /etc/systemd/system/
            retval=0
        fi
        if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then
            echo "Installing override for ${unit}.path..."
            cp ${override_dir}/${unit_name}.path /etc/systemd/system/
            retval=0
        fi
    done
    return ${retval}
 }
 reenableNetworkManager() {
    # Disable original service to enable overriden one
    echo "Disabling original service to enable overriden one..."
    disableSystemdUnits ModemManager.service
    disableSystemdUnits NetworkManager.service
    # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
    echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)"
    systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager"
    echo "Re-enabling original service to enable overriden one..."
    enableSystemdUnits ModemManager.service
    enableSystemdUnits NetworkManager.service
    # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
    echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811"
    enableSystemdUnits NetworkManager-dispatcher.service
 }
 remove_ShowIn() {
    if [ -e "${1}" ]; then
        sed -i '/^\(Not\|Only\)ShowIn/d' "${1}"
    fi
 }
-showIn() {
+is_static() {
-    desktop_entry="${1}"
+    [ -f "/lib/sytemd/system/$1" ] && ! grep -q '^[[].nstall]' "/lib/systemd/system/$1"
-    shown_in="${2}"
+}
    message="${shown_in:-"Shown in All;"}" 
    desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}"
-    # Make sure Qubes autostart directory exists
+is_masked() {
-    mkdir -p "${XDG_CONFIG_QUBES}/autostart"
+    if [ ! -L /etc/systemd/system/"$1" ]
-
+    then
-    # Desktop entry exists, so move to Qubes directory and modify it
+       return 1
    if [ -e "${desktop_entry}" ]; then
        echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..."
        cp -pf "${desktop_entry}" "${desktop_entry_qubes}"
        remove_ShowIn "${desktop_entry_qubes}"
        sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}"
        # Will only be '' if shown in all
        if [ ! "${shown_in}x" == "x" ]; then
            echo "${shown_in}" >> "${desktop_entry_qubes}" || true
        fi
    # Desktop entry must have been removed, so also remove from Qubes directory
    else
        echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..."
        rm -f "${desktop_entry_qubes}"
    fi
    target=$(readlink /etc/systemd/system/"$1" 2>/dev/null || :)
    if [ "$target" = "/dev/null" ]
    then
       return 0
    fi
    return 1
 }
-setArrayAsGlobal() {
+mask() {
-    local array="$1"
+    ln -sf /dev/null /etc/systemd/system/"$1"
    local export_as="$2"
    local code=$(declare -p "$array")
    local replaced="${code/$array/$export_as}"
    eval ${replaced/declare -/declare -g}
 }
-systemdInfo() {
+unmask() {
-    unit=${1}
+    if ! is_masked "$1"
-    return_global_var=${2}
+    then
-
+        return 0
-    declare -A INFO=()
+    fi
-    while read line; do
+    rm -f /etc/systemd/system/"$1"
        INFO[${line%%=*}]="${line##*=}"
    done < <(systemctl show ${unit} 2> /dev/null)
    setArrayAsGlobal INFO $return_global_var
    return ${#INFO[@]}
 }
-displayFailedStatus() {
+preset_units() {
-    action=${1}
+    local represet=
-    unit=${2}
+    while read -r action unit_name
-
+    do
-    # Only display if there are results.  In chroot environmnet there will be 
+        if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]
-    # no results to 'systemctl show' command
+        then
-    systemdInfo ${unit} info || {
+            represet=1
-        echo
+            continue
-        echo "==================================================="
+        fi
-        echo "FAILED: systemd ${action} ${unit}"
+        echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
-        echo "==================================================="
+        if ! [ -n "$action" ] || ! [ -n "$unit_name" ]; then
-        echo "    LoadState = ${info[LoadState]}"
+            continue
-        echo "    LoadError = ${info[LoadError]}"
+        fi
-        echo "  ActiveState = ${info[ActiveState]}"
+        if [ "$2" = "initial" ] || [ "$represet" = "1" ]
-        echo "     SubState = ${info[SubState]}"
+        then
-        echo "UnitFileState = ${info[UnitFileState]}"
+            if [ "$action" = "disable" ] && is_static "$unit_name"
-        echo
+            then
-    }
+                if ! is_masked "$unit_name"
-}
+                then
-
+                    # We must effectively mask these units, even if they are static.
-# Disable systemd units
+                    deb-systemd-helper mask "${unit_name}" > /dev/null 2>&1 || true
 disableSystemdUnits() {
    for unit in $*; do
        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
            echo "Disabling ${unit}..."
            systemctl is-active ${unit} > /dev/null 2>&1 && {
                systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
            }
            if [ -f /lib/systemd/system/${unit} ]; then
                if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
                else
                    # Forcibly disable
                    echo "Forcibly disabling: ${unit}"
                    ln -sf /dev/null /etc/systemd/system/${unit}
                fi
            elif [ "$action" = "enable" ] && is_static "$unit_name"
            then
                if is_masked "$unit_name"
                then
                    # We masked this static unit before, now we unmask it.
                    deb-systemd-helper unmask "${unit_name}" > /dev/null 2>&1 || true
                fi
                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            else
-                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            fi
-        } || {
+        fi
-            echo "It appears ${unit} is already disabled!"
+    done < "$1"
-            #displayFailedStatus is-disabled ${unit}
+
-        }
+    systemctl daemon-reload
    done
 }
-# Enable systemd units
+installSerialConf() {
-enableSystemdUnits() {
+    debug "Installing over-ridden serial.conf init script..."
-    for unit in $*; do
+    if [ -e /etc/init/serial.conf ]; then
-        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+        cp /usr/share/qubes/serial.conf /etc/init/serial.conf
-            echo "It appears ${unit} is already enabled!"
+    fi
            #displayFailedStatus is-enabled ${unit}
        } || {
            echo "Enabling: ${unit}..."
            systemctl enable ${unit} > /dev/null 2>&1 && {
                systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
            } || {
                echo "Could not enable: ${unit}"
                displayFailedStatus enable ${unit}
            }
        }
    done
 }
 # Manually trigger all triggers to automaticatly configure
 triggerTriggers() {
        path="$(readlink -m ${0})"
        triggers="${path/postinst/triggers}"
        awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line
        do
            /bin/bash -c "${0} triggered ${line##* }" || true
        done
 }
 case "${1}" in
    configure)
        # Initial installation of package only
        # ($2 contains version number on update; nothing on initial installation)
        if [ -z "${2}" ]; then
            debug "FIRST INSTALL..."
            # Location of files which contains list of protected files
            # shellcheck source=init/functions
            . /usr/lib/qubes/init/functions
            # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
            # in the form expected by qubes-sysinit.sh
            if ! is_protected_file /etc/hostname ; then
                for ip in '127\.0\.1\.1' '::1'; do
                    if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                        sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
                        sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts || true
                    else
                        echo "${ip//\\/} $(hostname)" >> /etc/hosts || true
                    fi
                done
            fi
            # remove hostname from 127.0.0.1 line (in debian the hostname is by default
            # resolved to 127.0.1.1)
            if ! is_protected_file /etc/hosts ; then
                sed -i "/^127\.0\.0\.1\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
            fi
            # Set default "runlevel"
            rm -f /etc/systemd/system/default.target
            ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
            # Systemd preload-all
            preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
            # Maybe install overridden serial.conf init script
            installSerialConf
        else
            preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
        fi
        systemctl reenable haveged
        chgrp user /var/lib/qubes/dom0-updates
        debug "UPDATE..."
        # disable some Upstart services
        for init in plymouth-shutdown \
                    prefdm \
                    splash-manager \
                    start-ttys \
                    tty ; do
-            if [ -e /etc/init/${init}.conf ]; then
+            dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf
                mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
            fi
        done
        dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --rename --add /etc/init/serial.conf
-        # Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+        if [ ! -L /etc/systemd/system/rpcbind.service ]; then
-        echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
+            ln -s /dev/null /etc/systemd/system/rpcbind.service
        chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh
        # Sudo's defualt umask is 077 so set sane default of 022
        # Also don't allow QT to used shared memory to prevent errors
        echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
        echo 'Defaults umask_override' >> /etc/sudoers.d/umask
        chmod 0440 /etc/sudoers.d/umask
        echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
        chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm
        # Create NetworkManager configuration if we do not have it
        if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
            echo '[main]' > /etc/NetworkManager/NetworkManager.conf
            echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
            echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
        fi
        # XXX: Test to see if this will satisify dispatcher dependancy
        if [ ! -e  "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then
            ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service
        fi
        # Remove old firmware updates link
@ -243,135 +167,39 @@ case "${1}" in
            rm -f /lib/firmware/updates
        fi
-        #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+        # convert /usr/local symlink to a mount point
-        #  echo >> /etc/yum.conf
+        if [ -L /usr/local ]; then
-        #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+            rm -f /usr/local
-        #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+            mkdir /usr/local
-        #fi
+            mount /usr/local || :
        # Revert 'Prevent unnecessary updates in VMs':
        #sed -i -e '/^exclude = kernel/d' /etc/yum.conf
        # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
        # in the form expected by qubes-sysinit.sh
        for ip in '127\.0\.1\.1' '::1'; do
            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
                sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
            else
                echo "${ip//\\/} `hostname`" >> /etc/hosts
            fi
        done
        # remove hostname from 127.0.0.1 line (in debian the hostname is by default
        # resolved to 127.0.1.1)
        sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
        chown user:user /home_volatile/user
        #if [ "${1}" !=  1 ] ; then
        #    # do the rest of %post thing only when updating for the first time...
        #    exit 0
        #fi
        if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
            cp /etc/init/serial.conf /var/lib/qubes/serial.orig
        fi
-        # Remove most of the udev scripts to speed up the VM boot time
+        # remove old symlinks
-        # Just leave the xen* scripts, that are needed if this VM was
+        if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]; then
-        # ever used as a net backend (e.g. as a VPN domain in the future)
+            rm /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
-        #echo "--> Removing unnecessary udev scripts..."
+        fi
-        mkdir -p /var/lib/qubes/removed-udev-scripts
+        if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]; then
-        for f in /etc/udev/rules.d/*
+            rm /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
-        do
+        fi
            if [ $(basename ${f}) == "xen-backend.rules" ] ; then
                continue
            fi
-            if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
+        if ! dpkg-statoverride --list /var/lib/qubes/dom0-updates >/dev/null 2>&1; then
-                continue
+            dpkg-statoverride --update --add user user 775 /var/lib/qubes/dom0-updates
-            fi
+        fi
-            if echo ${f} | grep -q qubes; then
+        glib-compile-schemas /usr/share/glib-2.0/schemas || true
                continue
            fi
-            mv ${f} /var/lib/qubes/removed-udev-scripts/
+        if ! [ -r /etc/dconf/profile/user ]; then
-        done
+            mkdir -p /etc/dconf/profile
            echo "user-db:user" >> /etc/dconf/profile/user
            echo "system-db:local" >> /etc/dconf/profile/user
        fi
-        # Create /rw directory
+        if [ -x /usr/bin/dconf ]; then
-        mkdir -p /rw
+            dconf update
        fi
-        # XXX: TODO: Needs to be implemented still
+        # tell dom0 about installed updates (applications, features etc)
-        #rm -f /etc/mtab
+        /etc/qubes-rpc/qubes.PostInstall || true
        #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
        #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
        #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
        # Enable Qubes systemd units
        enableSystemdUnits \
            qubes-sysinit.service \
            qubes-misc-post.service \
            qubes-netwatcher.service \
            qubes-network.service \
            qubes-firewall.service \
            qubes-updates-proxy.service \
            qubes-updates-proxy.timer \
            qubes-qrexec-agent.service
        # Set default "runlevel"
        rm -f /etc/systemd/system/default.target
        ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
        # Process all triggers which will set defaults to wanted values
        triggerTriggers
        disableSystemdUnits \
            alsa-store.service \
            alsa-restore.service \
            auditd.service \
            avahi.service \
            avahi-daemon.service \
            backuppc.service \
            cpuspeed.service \
            crond.service \
            fedora-autorelabel.service \
            fedora-autorelabel-mark.service \
            ipmi.service \
            hwclock-load.service \
            hwclock-save.service \
            mdmonitor.service \
            multipathd.service \
            openct.service \
            rpcbind.service \
            mcelog.service \
            fedora-storage-init.service \
            fedora-storage-init-late.service \
            plymouth-start.service \
            plymouth-read-write.service \
            plymouth-quit.service \
            plymouth-quit-wait.service \
            sshd.service \
            tcsd.service \
            sm-client.service \
            sendmail.service \
            mdmonitor-takeover.service \
            rngd smartd.service \
            upower.service \
            irqbalance.service \
            colord.service
        rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
        # Enable other systemd units
        enableSystemdUnits \
            rsyslog.service
        # XXX: TODO: Needs to be implemented still
        # These do not exist on debian; maybe a different package name
        #    iptables.service \
        #    ntpd.service \
        #    ip6tables.service \
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
@ -382,107 +210,16 @@ case "${1}" in
        for trigger in ${2}; do
            case "${trigger}" in
                # Update Qubes App Menus
                /usr/share/applications)
-                    echo "Updating Qubes App Menus..."
+                    debug "Updating Qubes App Menus and advertising features..."
-                    /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+                    /etc/qubes-rpc/qubes.PostInstall || true
                    ;;
                # Install overriden services only when original exists
                /lib/systemd/system/NetworkManager.service | \
                /lib/systemd/system/NetworkManager-wait-online.service | \
                /lib/systemd/system/ModemManager.service)
                    UNITDIR=/lib/systemd/system
                    OVERRIDEDIR=/usr/lib/qubes/init
                    installOverridenServices "${OVERRIDEDIR}" "${trigger}"
                    if [ $? -eq 0 ]; then
                        reenableNetworkManager
                    fi
                    ;;
                # Enable cups only when it is real Systemd service
                /lib/systemd/system/cups.service)
                    echo "Enabling cups"
                    [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
                    ;;
                # "Enable haveged service"
                /lib/systemd/system/haveged.service)
                    echo "Enabling haveged service"
                    enableSystemdUnits haveged.service
                    ;;
                # Install overridden serial.conf init script
                /etc/init/serial.conf)
-                    echo "Installing over-ridden serial.conf init script..."
+                    installSerialConf
                    if [ -e /etc/init/serial.conf ]; then
                        cp /usr/share/qubes/serial.conf /etc/init/serial.conf
                    fi
                    ;;
                # Disable SELinux"
                /etc/selinux/config)
                    echo "Disabling SELinux..."
                    if [ -e /etc/selinux/config ]; then
                        sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
                        mv /etc/selinux/config.processed /etc/selinux/config
                        setenforce 0 2>/dev/null
                    fi
                    ;;
                # Desktop Entry Modification - Remove existing rules
                /etc/xdg/autostart/gpk-update-icon.desktop | \
                /etc/xdg/autostart/nm-applet.desktop | \
                /etc/xdg/autostart/abrt-applet.desktop | \
                /etc/xdg/autostart/notify-osd.desktop)
                    showIn "${trigger}"
                    ;;
                # Desktop Entry Modification - Not shown in Qubes
                /etc/xdg/autostart/pulseaudio.desktop | \
                /etc/xdg/autostart/deja-dup-monitor.desktop | \
                /etc/xdg/autostart/imsettings-start.desktop | \
                /etc/xdg/autostart/krb5-auth-dialog.desktop | \
                /etc/xdg/autostart/pulseaudio.desktop | \
                /etc/xdg/autostart/restorecond.desktop | \
                /etc/xdg/autostart/sealertauto.desktop | \
                /etc/xdg/autostart/gnome-power-manager.desktop | \
                /etc/xdg/autostart/gnome-sound-applet.desktop | \
                /etc/xdg/autostart/gnome-screensaver.desktop | \
                /etc/xdg/autostart/orca-autostart.desktop)
                    showIn "${trigger}" 'NotShowIn=QUBES;'
                    ;;
                # Desktop Entry Modification - Not shown in in DisposableVM
                /etc/xdg/autostart/gcm-apply.desktop)
                    showIn "${trigger}" 'NotShowIn=DisposableVM;'
                    ;;
                # Desktop Entry Modification - Only shown in AppVM
                /etc/xdg/autostart/gnome-keyring-gpg.desktop | \
                /etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \
                /etc/xdg/autostart/gnome-keyring-secrets.desktop | \
                /etc/xdg/autostart/gnome-keyring-ssh.desktop | \
                /etc/xdg/autostart/gnome-settings-daemon.desktop | \
                /etc/xdg/autostart/user-dirs-update-gtk.desktop | \
                /etc/xdg/autostart/gsettings-data-convert.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;'
                    ;;
                # Desktop Entry Modification - Only shown in Gnome & UpdateableVM
                /etc/xdg/autostart/gpk-update-icon.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;'
                    ;;
                # Desktop Entry Modification - Only shown in Gnome & Qubes
                /etc/xdg/autostart/nm-applet.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;'
                    ;;
                *)
                    echo "postinst called with unknown trigger \`${2}'" >&2
                    exit 1
                    ;;
            esac
        done
        exit 0
--- a/debian/qubes-core-agent.postrm
+++ b/debian/qubes-core-agent.postrm
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
@ -37,17 +37,21 @@ set -e
 # the debian-policy package
 if [ "${1}" = "remove" ] ; then
-    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas > /dev/null 2>&1 || :
    if [ -L /lib/firmware/updates ]; then
        rm /lib/firmware/updates
    fi
-    for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+    for srv in qubes-sysinit qubes-misc-post qubes-network qubes-qrexec-agent; do
        systemctl disable ${srv}.service
    done
 fi
 if [ "$1" = "purge" ]; then
    dpkg-statoverride --remove /var/lib/qubes/dom0-updates || test $? -eq 2
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
--- a/debian/qubes-core-agent.preinst
+++ b/debian/qubes-core-agent.preinst
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # preinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
@ -35,71 +35,45 @@ set -e
 if [ "$1" = "install" ] ; then
    # --------------------------------------------------------------------------
-    # Create required directories
+    # Required groups
    # --------------------------------------------------------------------------
-    mkdir -p /var/lib/qubes
+    groupadd --force --system qubes
-    mkdir -p /lib/modules
+    groupadd --force --system sudo
    #mkdir -p -m 0700 /var/log/xen  # xen-utils-common should do this
    if [ -e /etc/fstab ] ; then 
        mv /etc/fstab /var/lib/qubes/fstab.orig
    fi
    # --------------------------------------------------------------------------
-    # Many Qubes scripts reference /bin/sh expecting the shell to be bash but
+    # User add / modifications
    # in Debian it is dash so some scripts will fail so force an alternate for
    # /bin/sh to be /bin/bash
    # --------------------------------------------------------------------------
-    update-alternatives --force --install /bin/sh sh /bin/bash 999
+    id -u 'user' >/dev/null 2>&1 || {
-
+        useradd --user-group --create-home --shell /bin/bash user
-    # --------------------------------------------------------------------------
+    }
-    # Modules setup
+    id -u 'tinyproxy' >/dev/null 2>&1 || {
-    # --------------------------------------------------------------------------
+        useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy
-    echo "xen_netfront" >> /etc/modules
+    }
    usermod -L -a --groups qubes user
    # --------------------------------------------------------------------------
    # Remove `mesg` from root/.profile?
    # --------------------------------------------------------------------------
    sed -i -e '/^mesg n/d' /root/.profile
    # --------------------------------------------------------------------------
    # Update /etc/fstab
    # --------------------------------------------------------------------------
    cat > /etc/fstab <<EOF
 /dev/mapper/dmroot /         ext4 defaults,noatime 1 1
 /dev/xvdc1 swap              swap    defaults 0 0
 /dev/xvdb /rw                ext4    noauto,defaults,discard 1 2
 /rw/home /home               none    noauto,bind,defaults 0 0
 tmpfs /dev/shm               tmpfs   defaults 0 0
 devpts /dev/pts              devpts  gid=5,mode=620 0 0
 proc /proc                   proc    defaults 0 0
 sysfs /sys                   sysfs   defaults 0 0
 xen /proc/xen                xenfs   defaults 0 0
 /dev/xvdi /mnt/removable     auto    noauto,user,rw 0 0
 /dev/xvdd /lib/modules       ext3    defaults 0 0
 EOF
    # --------------------------------------------------------------------------
    # User add / modifications
    # --------------------------------------------------------------------------
    id -u 'user' || {
        groupadd -f user
        useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
    }
    id -u 'tinyproxy' || {
        groupadd -f tinyproxy
        useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy
    }
    usermod -p '' root
    usermod -L user
    exit 0
 fi
 if [ "$1" = "upgrade" ] ; then
-    exit 0
+    ## Fix static gid issue for in place template upgrades.
    ## https://github.com/QubesOS/qubes-issues/issues/1105
    if grep -q ^qubes:x:98: /etc/group ; then
        if ! grep -q :980: /etc/group ; then
            if groupmod -g 980 qubes ; then
                # make sure that vchan will still work until VM start
                chmod 666 /dev/xen/* /proc/xen/privcmd
                find / -gid 98 ! -type l -exec chgrp --verbose qubes {} \; 2>/dev/null || true
            fi
        fi
    fi
    ## Allow passwordless login for user "user" (when using 'sudo xl console').
    ## https://github.com/QubesOS/qubes-issues/issues/1130
    if grep -q '^user:\!:' /etc/shadow ; then
        passwd user -d >/dev/null || true
    fi
 fi
 # dh_installdeb will replace this with shell code automatically
--- a/debian/qubes-core-agent.prerm
+++ b/debian/qubes-core-agent.prerm
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # prerm script for core-agent-linux
 #
 # see: dh_installdeb(1)
@ -30,18 +30,15 @@ set -e
 # the debian-policy package
 if [ "$1" = "remove" ] ; then
-    # no more packages left
+    for init in plymouth-shutdown \
-    if [ -e /var/lib/qubes/fstab.orig ] ; then
+            prefdm \
-        mv /var/lib/qubes/fstab.orig /etc/fstab
+            splash-manager \
-    fi
+            start-ttys \
            tty ; do
        dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --remove /etc/init/${init}.conf
    done
-    if [ -d /var/lib/qubes/removed-udev-scripts ] ; then
+    dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --remove /etc/init/serial.conf
        mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
    fi
    if [ -e /var/lib/qubes/serial.orig ] ; then
        mv /var/lib/qubes/serial.orig /etc/init/serial.conf
    fi
 fi
 # dh_installdeb will replace this with shell code automatically
--- a/debian/qubes-core-agent.triggers
+++ b/debian/qubes-core-agent.triggers
@ -1,47 +1,2 @@
 interest-noawait /usr/share/applications
 interest-noawait /lib/systemd/system/NetworkManager.service
 interest-noawait /lib/systemd/system/NetworkManager-wait-online.service
 interest-noawait /lib/systemd/system/ModemManager.service
 interest-noawait /etc/init/serial.conf
 interest-noawait /etc/selinux/config
 interest-noawait /lib/systemd/system/cups.service
 interest-noawait /lib/systemd/system/haveged.service
 # Desktop Entry Modification - Remove existing rules
 interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
 interest-noawait /etc/xdg/autostart/nm-applet.desktop
 interest-noawait /etc/xdg/autostart/abrt-applet.desktop
 # Desktop Entry Modification - Not shown in Qubes
 interest-noawait /etc/xdg/autostart/pulseaudio.desktop
 interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop
 interest-noawait /etc/xdg/autostart/imsettings-start.desktop
 interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop
 interest-noawait /etc/xdg/autostart/pulseaudio.desktop
 interest-noawait /etc/xdg/autostart/restorecond.desktop
 interest-noawait /etc/xdg/autostart/sealertauto.desktop
 interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop
 interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop
 interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop
 interest-noawait /etc/xdg/autostart/orca-autostart.desktop
 # Desktop Entry Modification - Not shown in in DisposableVM
 interest-noawait /etc/xdg/autostart/gcm-apply.desktop
 # Desktop Entry Modification - Only shown in AppVM
 interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop
 interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
 interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop
 interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop
 interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop
 interest-noawait /etc/xdg/autostart/user-dirs-update-gtk.desktop
 interest-noawait /etc/xdg/autostart/gsettings-data-convert.desktop
 # Desktop Entry Modification - Only shown in Gnome & UpdateableVM
 interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
 # Desktop Entry Modification - Only shown in Gnome & Qubes
 interest-noawait /etc/xdg/autostart/nm-applet.desktop
 # Desktop Entry Modification - Show in all
 interest-noawait /etc/xdg/autostart/notify-osd.desktop
--- a/debian/qubes-core-agent.undisplace
+++ b/debian/qubes-core-agent.undisplace
@ -0,0 +1,2 @@
 # moved to qubes-core-agent-passwordless-root
 /etc/pam.d/su.qubes
--- a/debian/rules
+++ b/debian/rules
@ -3,17 +3,19 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 export PYTHON_PREFIX_ARG=--install-layout=deb
-export DESTDIR=$(shell pwd)/debian/qubes-core-agent
+include /usr/share/dpkg/default.mk
 export DESTDIR=$(shell pwd)/debian/tmp
 %:
-	dh $@ --with systemd
+	dh $@ --with systemd,python2 --with=config-package
 override_dh_auto_build:
 	make all
 override_dh_auto_install:
-	make install-common install-deb install-systemd
+	make install-deb
 	make -C qrexec install
 override_dh_fixperms:
@ -21,3 +23,6 @@ override_dh_fixperms:
 override_dh_systemd_start:
 	dh_systemd_start --no-restart-on-upgrade
 override_dh_install:
 	dh_install --fail-missing
--- a/debian/source/format
+++ b/debian/source/format
@ -1 +1 @@
-3.0 (native)
+3.0 (quilt)
--- a/debian/source/options
+++ b/debian/source/options
@ -0,0 +1,4 @@
 extend-diff-ignore = "(^|/)(.git/.*)$"
 extend-diff-ignore = "(^|/)(deb/.*)$"
 extend-diff-ignore = "(^|/)(pkgs/.*)$"
 extend-diff-ignore = "(^|/)(rpm/.*)$"
--- a/doc/Makefile
+++ b/doc/Makefile
@ -23,7 +23,7 @@ install: manpages
 manpages: $(QVM_DOCS) $(QUBES_DOCS) $(VM_DOCS)
 preview:	$(rst)
-	pandoc -s -f rst -t man $(rst) | groff -mandoc -Tlatin1 | less -R
+	$(PANDOC) $(rst) | groff -mandoc -Tlatin1 | less -R
 clean:
 	rm -f $(VM_DOCS)
--- a/doc/vm-tools/qrexec-client-vm.rst
+++ b/doc/vm-tools/qrexec-client-vm.rst
@ -0,0 +1,85 @@
 ================
 qrexec-client-vm
 ================
 NAME
 ====
 qrexec-client-vm - call Qubes RPC service
 SYNOPSIS
 ========
 | qrexec-client-vm [--buffer-size=*BUFFER_SIZE*] *target_vmname* *service* [*local_program* [*local program arguments*]]
 DESCRIPTION
 ===========
 Call Qubes RPC (aka qrexec) service to a different VM. The service call request
 is sent to dom0, where Qubes RPC policy is evaluated and when it allows the
 call, it is forwarded to appropriate target VM (which may be different than
 requested, if policy says so). Local program (if given) is started only
 when service call is allowed by the policy.
 Remote service can communicate with the caller (``qrexec-client-vm``) using
 stdin/stdout.  When *local_program* is given, its stdin/stdout is connected to
 service stdin/stdout (stderr is not redirected), otherwise - service
 stdin/stdout is connected to those of ``qrexec-client-vm``.
 OPTIONS
 =======
 --buffer-size=*BUFFER_SIZE*
    Optional buffer size for vchan connection. This size is used as minimum
    size for a buffer in each connection direction (read and write).
    Default: 64KiB.
 *target_vmname*
    Name of target VM to which service is requested. Qubes RPC policy may
    ignore this value and redirect call somewhere else.
    This argument, can contain VM name, or one of special values:
    * ``$default`` or empty string - let Qubes RPC policy decide, without giving any preference 
    * ``$dispvm`` - new Disposable VM
    * ``$dispvm:dispvm-template`` - new Disposable VM based on *dispvm-template*
    This field is limited to 31 characters (alphanumeric, plus ``-_.$``).
 *service*
    Requested service. Besides service name, it can contain a service argument
    after ``+`` character. For example ``some.service+argument``.
    This field is limited to 63 characters (alphanumeric, plus ``-_.$+``).
 *local_program*
    Full path to local program to be connected with remote service. Optional.
 *local program arguments*
    Arguments to *local_program*. Optional.
 EXIT STATUS
 ===========
 If service call is allowed by dom0 and ``qrexec-client-vm`` is started without
 *local_program* argument, it reports remote service exit code.
 If service call is allowed by dom0 and ``qrexec-client-vm`` is started with
 *local_program* argument, it reports the local program exit code. There is no
 way to learn exit code of remote service in this case.
 In both cases, if process (local or remote) was terminated by a signal, exit
 status is 128+signal number.
 If service call is denied by dom0, ``qrexec-client-vm`` exit with status 126.
 AUTHORS
 =======
 | Joanna Rutkowska <joanna at invisiblethingslab dot com>
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>
--- a/doc/vm-tools/qvm-copy-to-vm.rst
+++ b/doc/vm-tools/qvm-copy-to-vm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-copy-to-vm - copy specified files to specified destination VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-copy-to-vm [--without-progress] dest_vmname file [file]+
--- a/doc/vm-tools/qvm-open-in-dvm.rst
+++ b/doc/vm-tools/qvm-open-in-dvm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-open-in-dvm - open a specified file in disposable VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-open-in-dvm filename
--- a/doc/vm-tools/qvm-open-in-vm.rst
+++ b/doc/vm-tools/qvm-open-in-vm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-open-in-vm - open a specified file in other VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-open-in-vm vmname filename
--- a/doc/vm-tools/qvm-run-vm.rst
+++ b/doc/vm-tools/qvm-run-vm.rst
@ -1,16 +1,14 @@
-=======
+==========
-qvm-run
+qvm-run-vm
-=======
+==========
 NAME
 ====
-qvm-run - run a specified command in a specified VM
+qvm-run-vm - run a specified command in a specified VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
-| qvm-run vmname command [aguments]
+| qvm-run-vm vmname command [aguments]
 OPTIONS
 =======
--- a/init/control-printer-icon.sh
+++ b/init/control-printer-icon.sh
@ -0,0 +1,15 @@
 #!/bin/bash
 # Source Qubes library.
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
 if ! is_fully_persistent && test -f /etc/xdg/autostart/print-applet.desktop ; then
 	if qsvc cups ; then
 		# Allow also notification icon
 		sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
 	else
 		# Disable notification icon
 		sed -i -e '/QUBES/!s/^NotShowIn=\(.*\)/NotShowIn=QUBES;\1/' /etc/xdg/autostart/print-applet.desktop
 	fi
 fi
--- a/init/functions
+++ b/init/functions
@ -0,0 +1,188 @@
 #!/bin/bash
 # Location of files which contains list of protected files
 PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 qsvc() {
    # Returns whether a service is enabled.
    # Usage: qsvc <nameofservice>
    #
    # Must only be used after qubes-sysinit has started.
    # See qsvc_early for more information.
    local count=100
    while [ ! -e /var/run/qubes-service-environment ] ; do
        if [ "$count" = "0" ] ; then
            echo "qsvc: Warning: qubes-sysinit has not finished executing yet" >&2
            break
        fi
        sleep 0.1
        count=$(( count - 1 ))
    done
    [ -e /var/run/qubes-service/"$1" ]
 }
 under_systemd() {
    pidof systemd >/dev/null 2>&1
 }
 systemd_version_changed() {
    under_systemd || return
    systemd_pkg_version=$(systemctl --version|head -n 1)
    if dmesg | grep -q "$systemd_pkg_version running in system mode."; then
        return 1
    fi
    return 0
 }
 possibly_run_save_script() {
    ENCODED_SCRIPT=$(qubesdb-read /qubes-save-script)
    if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
    tmpfile=$(mktemp /tmp/qubes-save-script.XXXXXXXXX)
    echo "$ENCODED_SCRIPT"|base64 -d >"$tmpfile"
    chmod 755 "$tmpfile"
    DISPLAY=:0 su - user -c "$tmpfile"
    ret=$?
    rm -f "$tmpfile"
    return $ret
 }
 have_qubesdb() {
    # Tests whether qubesdb-read exists and can be executed.
    type qubesdb-read >/dev/null 2>&1
 }
 have_qrexec_agent() {
    # Tests whether qrexec-agent exists and can be executed.
    PATH=/usr/lib/qubes type qrexec-agent >/dev/null 2>&1
 }
 qubes_vm_type() {
    qubesdb-read /qubes-vm-type
 }
 is_netvm() {
    [ "$(qubes_vm_type)" = "NetVM" ]
 }
 is_appvm() {
    [ "$(qubes_vm_type)" = "AppVM" ]
 }
 is_proxyvm() {
    [ "$(qubes_vm_type)" = "ProxyVM" ]
 }
 is_templatevm() {
    [ "$(qubes_vm_type)" = "TemplateVM" ]
 }
 is_dispvm() {
    [ "$(qubes_vm_type)" = "DisposableVM" ]
 }
 is_fully_persistent() {
    [ "$(qubesdb-read /qubes-vm-persistence)" = "full" ]
 }
 is_rwonly_persistent() {
    [ "$(qubesdb-read /qubes-vm-persistence)" = "rw-only" ]
 }
 is_updateable() {
    [ "$(qubesdb-read /qubes-vm-updateable)" = "True" ]
 }
 reload_random_seed() {
    local seed
    seed=$(qubesdb-read /qubes-random-seed)
    echo "$seed" | base64 -d > /dev/urandom
    qubesdb-rm /qubes-random-seed
 }
 is_protected_file() {
    grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" "$PROTECTED_FILE_LIST" 2>/dev/null
 }
 umount_retry() {
    local count=5
    while mountpoint -q "$1" ; do
        if umount "$1" ; then break ; fi
        echo "Something prevents unmounting $1:" >&2
        fuser -vmM "$1" >&2
        if [ "$count" = "0" ] ; then
            return 1
        fi
        sleep 5
        count=$(( count - 1 ))
    done
    return 0
 }
 initialize_home() {
    local home_root
    local mode
    #local user
    local uid
    local gid
    local homedir
    local homedirwithouthome
    local pair
    local homedir_uid
    local homedir_gid
    local waitpid
    local waitpids
    home_root="$1"
    mode="$2"
    if [ -z "$home_root" ] ; then
        echo "initialize_home() needs a target home root directory, such as /rw/home, as first parameter" >&2
        return 64
    fi
    if [ "$mode" != "unconditionally" ] && [ "$mode" != "ifneeded" ] ; then
        echo "initialize_home() second parameter must be 'unconditionally' or 'ifneeded'" >&2
        return 64
    fi
    if ! [ -d "$home_root" ] ; then
        echo "initialize_home: populating $home_root" >&2
        mkdir -p "$home_root"
    fi
    # Chown home if users' UIDs have changed - can be the case on template switch.
    for pair in $(getent passwd | awk -F : '/\/home/ { print $1":"$3":"$4":"$6 } ') ; do
        #user=$(echo "$pair" | awk -F : ' { print $1 } ')
        uid=$(echo "$pair" | awk -F : ' { print $2 } ')
        gid=$(echo "$pair" | awk -F : ' { print $3 } ')
        homedir=$(echo "$pair" | awk -F : ' { print $4 } ')
        homedirwithouthome=${homedir#/home/}
        if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
            echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
            mkdir -p "$home_root/$homedirwithouthome"
            cp -af -T /etc/skel "$home_root/$homedirwithouthome"
            echo "initialize_home: adjusting permissions $mode on $home_root/$homedirwithouthome" >&2
            chown -R "$uid" "$home_root/$homedirwithouthome" &
            waitpids="$!"
            chgrp -R "$gid" "$home_root/$homedirwithouthome" &
            waitpids="$waitpids $!"
            chmod 700 "$home_root/$homedirwithouthome" &
            waitpids="$waitpids $!"
            for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
        fi
        waitpids=
        homedir_uid=$(stat --format=%u "$home_root/$homedirwithouthome")
        homedir_gid=$(stat --format=%g "$home_root/$homedirwithouthome")
        if [ "$uid" -ne "$homedir_uid" ]; then
            echo "initialize_home: adjusting ownership on $home_root/$homedirwithouthome to $uid" >&2
            find "$home_root/$homedirwithouthome" -uid "$homedir_uid" -print0 | xargs -0 chown "$uid" &
            waitpids="$waitpids $!"
        fi
        if [ "$gid" -ne "$homedir_gid" ]; then
            echo "initialize_home: adjusting groupship on $home_root/$homedirwithouthome to $gid" >&2
            find "$home_root/$homedirwithouthome" -gid "$homedir_gid" -print0 | xargs -0 chgrp "$gid" &
            waitpids="$waitpids $!"
        fi
        for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
    done
 }
--- a/init/resize-rootfs-if-needed.sh
+++ b/init/resize-rootfs-if-needed.sh
@ -0,0 +1,28 @@
 #!/bin/sh
 # Possibly resize root device (partition, filesystem), if underlying device was
 # enlarged.
 set -e
 # if underlying root device is read-only, don't do anything
 if [ "$(blockdev --getro /dev/xvda)" -eq "1" ]; then
    echo "xvda is read-only, not resizing" >&2
    exit 0
 fi
 sysfs_xvda="/sys/class/block/xvda"
 # if root filesystem use already (almost) the whole dis
 non_rootfs_data=$(( 250 * 1024 * 2 ))
 rootfs_size=$(df --output=size / | tail -n 1)
 # convert to 512-byte blocks
 rootfs_size=$(( rootfs_size * 2 ))
 if [ "$(cat "$sysfs_xvda/size")" -lt \
       $(( non_rootfs_data + rootfs_size )) ]; then
   echo "root filesystem already at $rootfs_size blocks" >&2
   exit 0
 fi
 # resize needed, do it
 /usr/lib/qubes/resize-rootfs
--- a/init/setup-rw.sh
+++ b/init/setup-rw.sh
@ -0,0 +1,77 @@
 #!/bin/sh
 dev=/dev/xvdb
 if mountpoint -q /rw ; then
    # This means /rw is mounted now.
    echo "Checking /rw" >&2
    echo "Private device size management: enlarging $dev" >&2
    if content=$(resize2fs "$dev" 2>&1) ; then
        echo "Private device size management: resize2fs of $dev succeeded" >&2
    else
        echo "Private device size management: resize2fs $dev failed:" >&2
        echo "$content" >&2
    fi
    if ! [ -d /rw/config ] ; then
        echo "Virgin boot of the VM: populating /rw/config" >&2
        mkdir -p /rw/config
        touch /rw/config/rc.local
        cat > /rw/config/rc.local <<EOF
 #!/bin/sh
 # This script will be executed at every VM startup, you can place your own
 # custom commands here. This include overriding some configuration in /etc,
 # starting services etc.
 # Example for overriding the whole CUPS configuration:
 #  rm -rf /etc/cups
 #  ln -s /rw/config/cups /etc/cups
 #  systemctl --no-block restart cups
 EOF
        chmod 755 /rw/config/rc.local
        touch /rw/config/qubes-firewall-user-script
        cat > /rw/config/qubes-firewall-user-script <<EOF
 #!/bin/sh
 # This script is called in AppVMs after every firewall update (configuration
 # change, starting some VM etc). This is good place to write own custom
 # firewall rules, in addition to autogenerated ones. Remember that in most cases
 # you'll need to insert the rules at the beginning (iptables -I) for it to be
 # efective.
 EOF
        chmod 755 /rw/config/qubes-firewall-user-script
        touch /rw/config/suspend-module-blacklist
        cat > /rw/config/suspend-module-blacklist <<EOF
 # You can list modules here that you want to be unloaded before going to sleep. This
 # file is used only if the VM has any PCI device assigned. Modules will be
 # automatically re-loaded after resume.
 EOF
    fi
    if ! [ -d /rw/usrlocal ] ; then
        if [ -d /usr/local.orig ] ; then
            echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2
            cp -af /usr/local.orig /rw/usrlocal
        else
            echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
            mkdir -p /rw/usrlocal
        fi
    fi
    echo "Finished checking /rw" >&2
 fi
 # Old Qubes versions had symlink /home -> /rw/home; now we use mount --bind
 if [ -L /home ]; then
    rm /home
    mkdir /home
 fi
 if [ ! -e /var/lib/qubes/first-boot-completed ]; then
    touch /var/lib/qubes/first-boot-completed
 fi
--- a/init/setup-rwdev.sh
+++ b/init/setup-rwdev.sh
@ -0,0 +1,40 @@
 #!/bin/sh
 set -e
 dev=/dev/xvdb
 max_size=1073741824  # check at most 1 GiB
 if [ -e "$dev" ] ; then
    # The private /dev/xvdb device is present.
    # check if private.img (xvdb) is empty - all zeros
    private_size=$(( $(blockdev --getsz "$dev") * 512))
    if [ $private_size -gt $max_size ]; then
        private_size=$max_size
    fi
    if cmp --bytes $private_size "$dev" /dev/zero >/dev/null && { blkid -p "$dev" >/dev/null; [ $? -eq 2 ]; }; then
        # the device is empty, create filesystem
        echo "Virgin boot of the VM: creating private.img filesystem on $dev" >&2
        if ! content=$(mkfs.ext4 -m 0 -q "$dev" 2>&1) ; then
            echo "Virgin boot of the VM: creation of private.img on $dev failed:" >&2
            echo "$content" >&2
            echo "Virgin boot of the VM: aborting" >&2
            exit 1
        fi
        if ! content=$(tune2fs -m 0 "$dev" 2>&1) ; then
            echo "Virgin boot of the VM: marking free space on $dev as usable failed:" >&2
            echo "$content" >&2
            echo "Virgin boot of the VM: aborting" >&2
            exit 1
        fi
    fi
    echo "Private device management: checking $dev" >&2
    if content=$(fsck.ext4 -p "$dev" 2>&1) ; then
        echo "Private device management: fsck.ext4 of $dev succeeded" >&2
    else
        echo "Private device management: fsck.ext4 $dev failed:" >&2
        echo "$content" >&2
    fi
 fi
--- a/misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override
+++ b/misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override
@ -0,0 +1,2 @@
 [org.gnome.desktop.wm.preferences]
 button-layout='appmenu:'
--- a/misc/20_org.gnome.nautilus.qubes.gschema.override
+++ b/misc/20_org.gnome.nautilus.qubes.gschema.override
--- a/misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override
+++ b/misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override
--- a/misc/20_org.mate.NotificationDaemon.qubes.gschema.override
+++ b/misc/20_org.mate.NotificationDaemon.qubes.gschema.override
@ -0,0 +1,2 @@
 [org.mate.NotificationDaemon]
 theme='slider'
--- a/misc/20_tcp_timestamps.conf
+++ b/misc/20_tcp_timestamps.conf
@ -0,0 +1 @@
 net.ipv4.tcp_timestamps=0
--- a/misc/30_cron.conf
+++ b/misc/30_cron.conf
@ -0,0 +1 @@
 binds+=( '/var/spool/cron' )
--- a/misc/50_qubes.conf
+++ b/misc/50_qubes.conf
@ -0,0 +1,2 @@
 $nrconf{override_rc}->{q(^qubes-core-agent-linux)} = 0;
 $nrconf{override_rc}->{q(^qubes-gui-agent)} = 0;
--- a/misc/Makefile
+++ b/misc/Makefile
@ -11,8 +11,21 @@ xenstore-watch: xenstore-watch.o
 	$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
 close-window: close-window.c
 	$(CC) -o $@ $< -lX11
-python:
+python: python2 python3
-	python -m compileall .
+python2:
-	python -O -m compileall .
+	rm -rf py2
 	mkdir -p py2
 	cp *.py py2/
 	python2 -m compileall py2
 	python2 -O -m compileall py2
 # Only some scripts does support python3 for now
 python3:
 	rm -rf py3
 	mkdir -p py3
 	cp dnf-qubes-hooks.py py3/
 	python3 -m compileall py3
 	python3 -O -m compileall py3
 clean:
 	rm -f xenstore-watch *.o *~ *.pyc *.pyo
--- a/misc/RPM-GPG-KEY-qubes-2-primary
+++ b/misc/RPM-GPG-KEY-qubes-2-primary
@ -1,39 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFClJWMBEADyAZgyocTmLQA0VpEXJKNvziKwaRWWrfzHw992okqRH/7wHfLn
 uXZCSeLnFH/u2r7fOearUBajI879YeG8EpQ71wfAybQYGF5ZJWoW4fOEAZKVP8bC
 1z65kKZguPcLfBiOWMAhLd8qxB3Zx5vVBM+8pGZ5ToRYxK6ivNTGOJfkz0GMxWCT
 q7kMhVpd9xO62pNbDYC884lXk/24CMDy9QDAhTiAPIB+6rN74zw0XYHo5BId9SuL
 ougyO3SZObkLOnfaWWEfZGbyFwvZWXigdZ/OPR2EvynBRF/ruJNlmS0EkxGEOMO8
 ASeeik4HblNhdVDgnUG1zsQ6AqS7tKsy/il55gE9teCAnAL7nPLW7YJmnbzdl6nF
 HKiHp7rZ+AtbDjkFpGmcbemvD+9gneUhuCzO8YQygqApdTXlcC5bY14SRyFtVDMp
 wD9XX0cVHyapMAbWedVTXqhcdQ88kWGZ85jHCaFXkl8JyGNsVYMchJF9D8iemgW+
 IhwveVEN+5FA9Mrd9NrlgxxO9+BuOgGUPKuw3425cOI47Z3hwGrKm35poZfKqA3U
 o1Dwz/JbKM7yNXaZeKrj7Sa0zkzMKXff6PRQTZKqnu/ooyOeNziXgulxLMl2qgYg
 ZGijQ/VPwhoaoQtThfyUKc/ttozguAWj5K3Se/BUJJyn0as87RA+8mQD8wARAQAB
 tB5RdWJlcyBPUyBSZWxlYXNlIDIgU2lnbmluZyBLZXmJAjgEEwECACIFAlClJWMC
 GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEAxzudQKQORYvqUQAPAMwdFu
 vyR98Q18jzgW6k+5OXNOW53xET+zSZyO/Na7oHC7l8uSOrA8Cu054zeVPzaKMfmr
 9bnmb6pfk73Yd/P5AMWXd7h7xZ27Jwi0lhLmxsjMB1fJEJ/bA65m//PxqgIC9PNT
 alg0yVE66GdHCVsXJA2XFBTuRyJbLphU8dY1kNesHVdW+Msm+prGOrv+FFzTZDxT
 jp87L+xKqTYKgmpphPeM5OzaEj3bOHg3SK1VTVrzRgVVRRKNJKuLIprx5SOpGZxf
 5xoPqqdotR4PbM0HQ2gvWy/JlIntN+btVAvwS7e+gcr15oBVsU6uvVJQERZsBDFV
 dDffkgOgGVimv21zcxj5RKaUYEpBTqkKZaV23iZ6SQPFBhrjNmljDganTe5tioVQ
 mo52s875hYV9VSOLVFOn+pkS0kV5/kFVxoPwHZ+SRKsVcSrRnd9t/et4+VcOCdaC
 jX9rYPVQOP019V94dNQWLHYZDBcUZE6zX3xujH2BY+iw5EtjkNl5flaLw+yEUp1o
 fbPjOgu0oA6qfoeK/3JtV12RnA08yi35fPKEQ45Qx/Rfs3fMNxiTxD9qZIM3rzXD
 nLiNb3cXzqO29iLjhohC17IZrNfSgL81c9NeZ17eKVbUmKicM70BzJyJUvum3bHB
 CvO5f7WECZP8UKiqmT4ys6yIyRz1ZrnaY5O7iQIcBBABAgAGBQJQpScRAAoJEN36
 Gj42h5SUMHYP/2orT2b87YIXkOa1fwnaJtvLbMOisdscCn5kOU+30oQF0HLcCvdT
 3iHokH9qFAr2slFAHDumkXu/iMordpR1lGItwLF1v6+9yHor03p/LP1JcVl/0PDf
 nH4q6P9gQwHjq3RYVOdgYHJsDz2VSbvcsIfODKSxr95TsR1LgYasab4gre64gW3Y
 kS4ao9W3QUeglbcYUbeYR+mbZvzq1yMg2qIrv89cYcXGdJFrIrlc6biD7v1V5pRH
 CbAX9oWNoaUzPeg99w13Adt2e9PBJoq4hhouk87xnBg1QrMnL2ubUHvgTaH28J7U
 V2hAwiCcSUwlY5zLs0QVUr13cfvvbGwHSU4avP15Xzgn1VKv+PRlfXPriU3HgG4R
 td/Fdz7C+sBMwf7lb+fQSqJdJyB9SojHYMdpz3HmYuGJCySgC59iV5LX1i3AWAMo
 7CvFSfqdiKSsHUH4Nl2jnduEcq2Q0uODCXIVcsIlNK/KWEE8CoadKLl55Efdc9JJ
 miiW+iHwyHsPM6pqVV4F2R9IL4Wl8Rveaplbj/+TGGblVVO293VhswUGeOSLbXx2
 xzFkTUWU/OrmVOLj6aqId6EinWB5oGJaiuKgZt66sLTs1niUnIzOmqi7R/dZ2mUf
 QX62MfVWCv8NfkyMhrOft6ggS0Axo4F8fAcIInVXalvs2YScLSWdq54k
 =4+bD
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-2-unstable
+++ b/misc/RPM-GPG-KEY-qubes-2-unstable
@ -1,52 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 mQINBFClIUgBEACp0upqK7inupk52+8PHmIZFbm4lkV7IL2S9b285x579s1qysq7
 az0JMekouPzNCu9MGFzSktIWT2ti6JHsGgXmY2PoCMDnBCubx5/nPA2fial7yoKg
 ZxzpXGb6ZMtx5GOjXgpryUrNukYwORVR/jZS0noDb8rNnbeKi8R0SgaxRTYyJPvB
 ChMl1kVX6R15nHsd43ndkgcgSOGT22f/mxqOka9t2cB3HevfDvEJvz8PMkxRgb3n
 GOHFJRLYNIGmSegMllkMjUhZpu1e7T940WC3TWzJfpTNIo1Dsj0GIhGGniebGn/L
 BvUrmANxQ5rGMjTFOkSb/vKa/w9ss0OECeIL/K4+A6NQTKXLAoKJYA/bx75Dh2dU
 E3H8e4KoYuP3Q1lmLfcU3sX7s/MeszTpYHoUWTKyQXZYJged4ihP/RKz5iHRuAu2
 0fjPdb6RGJYYi/3TDEoVHkkYyL88wETygXeJW2XtBz33ITLyiB3qfxh8eO4tVre2
 QCus0nTpW+dblbfpG1Eb77OJTGlOF3rYx1oEEokochROEstN4bn3fMGMl6zHwBID
 tVNPvnQTjrBj7wksvc4xoJNe6Om0kNB7w58l6tCpa/oknW/N9XbwTgm1CI7lMWKD
 paieqfJbSYifCHEt0uVzsitoV992xZ8PRoooghGhBGWqTOSC3UDvJuajwwARAQAB
 tCdRdWJlcyBPUyBSZWxlYXNlIDIgVW5zdGFibGUgU2lnbmluZyBLZXmJAjgEEwEC
 ACIFAlClIUgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECMUDzj1Me+n
 h7wP/At7TBmp5R9fDVKulLfHM9xDMwNCjmdDcKNwF7xy7c18uzhOpA7ENzgZWTR1
 lkLrr+OlqXVlThzN1YRgvSx0KghSAIf0wuu8eeNKX+r1QFxEtxNrCobzK4ToNTiT
 xuPrycJgJBThj0gfq2jaSYGuhi79HYkgFYiRDOfaTms3hL8+oSq0HmDsu3/JSfse
 LAHiXbNyNvn1vpt09JH40me4RNTN0N3pUm9c5+7G0jwcE8OQZkjS7h04rpjbrDQE
 DHxadqgkwzP4aJm3l3u/OZF7npI16jpCYpV/mWyDbEj047EN/sJjV3KfuN+AdeAT
 9C7HJlGKcobeQztjzJuvzIILuzPewn77d7gua5kezM89nM6TK7T48upizNrCHxbw
 l2Z2DdzHfSHMWYT0LS4JAjvUyuu2iTWkMGmh8r3SrAmUecFk2/bP0A2MTb10z17K
 mzMzRU/u1n5DEsWlHzkXLmHJCKgid0UHuRbPabPWEK3E0yNid9MBkJWMZTFaALx7
 QMdF7QUc/2mEj2ILuNO4V0KHIBVHDwT+SYGXJ+wPY6nHSo5pIeiSWdNpozvKB24y
 8OWc1ST/rA6RaEDajSRMUxEkTtH7rGeueTVMhG8JCWWhmgNeMusg5Jq6OTrSooys
 c6EDJsD44QaHrJUn6fXwOuyAgmzjX9p04fga67npSFoNUm7vuQINBFClIUgBEADQ
 gWsxXqwIpuLVvcaiIo9pvO3wkt2nzXpLr93vzy+0+DTO11ejRDj9fuIA/9h55Yz5
 8snI9+aIKryDedhY+3/iv1izN9tsWyLms1V0xHdKC0RgmBxtJoHyPVdwgDu/86bd
 61zbhZAsaVmtP2vOdRD4dgR8wtTDbKnr9j4S8mRLkPJnjp+9e+H+akVVYbTx+Qki
 l5XU7ogZejZnTaAonK/jMsbIUF2d1iFdvkMr1I9xFqqHTLwO0tmH/ZDP/9jcMnf4
 dmVWDA4ykegn9RY+24YZ0mLaZrkDpvtfUrzxcZnvHuLVfROnQzOcIoP27Ut1v9s6
 A1uLq8zxy8+pyHBi/DPz2ae1/fMDNJnZcdo8qQFY2NzRnzL6SRZ1YBzWR8t8B0m4
 AginEa+/61UNNyXjkHzqqkVPv1EZ01c44MhB1P8/HZXF7YX80c6N2TUuGhH9dVRa
 5S7JWaee8Ib6MT7Nafn/rmLoXPtU5lLzo1SbcEBHbkZXw365BCzp9X+LfesXF9xj
 h4ISrCTcjaE20QoE1cNOsvuiuVK9fRqKsfMxuju0SpvZl5cAGM603WPZBMehbJ8e
 i2J4CXHOr7mF/ecAlTAr08nYuQTEEpAx7ad/BtrmHFa8IqEhsEqBNC7xuzwAuPI7
 xiiO7/KgDyS0mJ8Xm+9DMP/1q/QxT7Z4Ni4x2U+/swARAQABiQIfBBgBAgAJBQJQ
 pSFIAhsMAAoJECMUDzj1Me+nD80P/0HLsF0BfxPgm/raoYS9Cqve6/aP9pHtAODD
 SVGrb//PKAddVqJnsCu0TPbULx0cAYztQHw8n7rAO6iNbrxhOa6kin2vvdO0mVQY
 kl3a/bDyo8rP/xyMS8K4EE2DfCL1HSDAS2r37mzi8RZED2Yj9F0aBgTO7rGhSXWt
 WsDzsPzP46b8mr8BLQ8NfxKlJFpyIq8DwPEasrS5sKXEVXvnY4ZQMa5C2qzg1+LC
 c6lbQHPIOaUnENy9ApBepZT8a09Ol3/2Z75UOe2AM5vynT5iST8fdFJlpI1+Z/hs
 b+ZQ2uoMVW+O1VVtq+20o1WQVu9pORIKIq7wbBsIq6mejCC+KIZ5RDUPehs97+sL
 il546IMqllX0LP40hBM/JP7vZEknYhkGl/HuJyrhaNi8NI4ryrIO8VL2rSx/1eUP
 5Yn7jC5T+7twk6yKnzLZYfAG3F3HMTVrp5QwygBc+xmInwqbgHf4fJgT1WOVelKq
 1wfoF7DYRT7+J5gAJboYOvS4cIqXAgeeslW76jRKbaK0X/Fa06fiRw3vGSEWdr+A
 r4Kv/RAEB5z4da5MT88CB3OtgiJofnsPb+A+TmjTPcmaV2LHH30U/1aD/3RERBHb
 cpKz+AV6MQ/7XpQiusXK14ospdTScEVwruXlCyt0hbqTsijiReNV4lV9nXtfmrEL
 L0XnT71B
 =o46N
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-centos
+++ b/misc/RPM-GPG-KEY-qubes-4-centos
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 mQINBFnOuKQBEACc4uru1ruuHsZAIFFJhkmYVL0I07MlIjA9FC0vwNQA0sq0roJ6
 LElswKLyu9ST8h0qwlqW9RalFxxkhvm0ySvNcWPEayHW2L0izGfD+IH1SUk3QALn
 IudHFd0VYw7REunDgEMfQXvYp1nAQqJ6/e4PrYtIqYfenSYd226/7qBgEJHixeWJ
 XXPoGLSqrsPFzB2KHJRRAJNKB/SFeGd4EHD/LKuxxArAjID+hEo3S53E1xf/G330
 dyEAt5PLsqA0USnWCsREyW7OhW8Bbs02wyYHbOeIt2VM5/GOGJFvGRQC8YsUspBV
 OY3PPMxxmf/8GtORQsTD5BgrtbbZg5mTn3vPi/0LiPIVoyUqLcNY1xLIUtoikhi4
 X5o+37DcRsP720jinXoqqyZPvQlynPAzgJ0i+IIk/8QUp3qQEUm0WXvNamTpluY2
 HPC2dNEW45FnTatMg5mDGf091UdMk6JKXyETRYRWdQfGq+n2BQMO5p6VFMgbzDP9
 I2IYvYnjEi59X7dORGHxYs7LqNGoKL1em8r5NiTS6PhRmw7yQYdrpykFjwZxQvM9
 F+HGIKLd0map8g08Sew0VTZ96OpRWkoMMpveLq0W7Ke4Cgu0t1245rE000r+/sRZ
 l/fg1eSPwVxHHFu8Wj6l4VJiZzi4hSHxOZipNIkfz/SvGvkcgeXGRW7QKQARAQAB
 tCZRdWJlcyBPUyA0IENlbnRPUyBQYWNrYWdlcyBTaWduaW5nIEtleYkCNwQTAQgA
 IQUCWc6/DQIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRAZIFoR/ePQqjMe
 D/9/L0TK532j4k4ZYgOULnqq6JTN0qvmG8JWiRBjRoc90ksDHcH0JwnceYugN2/K
 eV1Nfrm2SLzbaNFJKLGhktskXKEU6dRe5IHlOfXLCnzTsUlnrV7JQ7RhRd27B5YJ
 2OZ9xukwJMihfvBEGD8u98i1OceyeqB6n4T/vwxeAq0UWd3rbFzrzXNDEVy1+7LV
 4s8NtsnAUOece+njTMtxEZep6SZ3MM9XkhD+WwsKan1kUxq8WdFj5o8N0VojdDBv
 9ZCJLn65F2WLTvyILp8K25KI2uLolk+J6monS6keFsdQ+cjEiqadHcfZruIIC5m5
 XpJ8+VdBj+s22q5b1KXRwkK7j69IgMnDbsEJOvH0gW3Nwvofzim32K5TrPXSGlYe
 5qTNYlzRjEhheBLBsK9iJ17CgEhDSzaU6TZOZIM1MVg/7OY//99WL/h6/+bAMkoq
 aDCOhxDFkoX8lHGjlAMV1JiESNy8Xxnt+J8+j86ugz/TSKToRawKBRCXno0Cycq5
 w/auNLHsXyeyftIOva2H9sLVW7DwvipqiYBGunRE+gqznsX1r0oli1mZrW/JiEfj
 6F5+l8L9+GQi/f2WvBMXKgjqHgyl7MWVWiZ3B3Jy98NzNKgDVxRkrhaXLzjgdQKz
 J3xJNOrHCRPqyH7qq4CbS62nLeaOgEPdmsygcn7VfNYajQ==
 =F3Wg
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-primary
+++ b/misc/RPM-GPG-KEY-qubes-4-primary
@ -0,0 +1,39 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFi9Xv4BEADTkOlBTDmO6DsFJi754ilTFqsluGWleeProuz8Q+bHFlx0Mqtk
 uOUcxIjEWwxhn1qN98dIPYds+mD9Bohamdh+bJYxB/YYj9B2xvURhCpxVlWzzkzt
 i1lPYhj/MR637N9JqIdILmJSBFDxmnuWfQxfsbIsi4lUx5oq6HzIAYXzUzA+0/0a
 c/j0zAm9oBq+pXPad/xkH8ebkNAL0+HbHArBNFzrhVKmi1VskpxurPIYZEcQ0dUu
 n447TM/37y+dzmNYxvSuK2zBPFa9upXsKZEoVaJqksXDdX2YuMsZFiesdieL85w7
 sD1iI6Eqmp5EIZXa8t0/MHTaDrm1tDKJdSu/5zrh0RFh+J73qxJH8lDJqcTVggCe
 Xoasoi1LNg0CIgzVM+zLEDbpNd6mILdXQNHzsU4CP2UFpMxOUUDMEPYSE3WBExWX
 0dBO8QgvTOzqvRWq7TL2jKaprsB/ZXiZief5hOK2QFL6HFEOuFuWLf3tb2+tpJoZ
 LXbXYW+6M+WNRHr9mDg3o6SuZmSwUCOa1FV/i51gqiUHmXEfIGH3iE5WWq2bvUG1
 dhjkzDGPL9fXbCWS6+QARakXRbxslsc4RgMrQR6nLEAuOL7GDaG3c7ldqgfotkal
 5KDB5/1AxYW1TC0JfoKWalYrfXlUJlbHcvDFqHdyljOnoeJ8WVqLNE9hUQARAQAB
 tB5RdWJlcyBPUyBSZWxlYXNlIDQgU2lnbmluZyBLZXmJAjcEEwEIACEFAli9Xv4C
 GwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQGEh5L54nlem9QRAAkaDEfYey
 FoldssIDE/gliYYb7RSYBjs+QrYJQjBxFGXXPgHS5kGMZfMkqVVBc8EtHh41q7gU
 mUIHVbjnKIcYaKLaVl/qb9Jkx+6/NxEYWjNVEMMwPk820QgI1alWrweH7ZuxxGlz
 CzOQsyKZLH3TESEf46CUjv9FHW2nKPAp5qVMzLRlgtquQAdfh7SWau7Kd+WPQOiB
 9cj+j3/yswsrpLmvqJP8trS/aKAhsn2jGrxwSAbdGCzQorJjUy5HLZ6xVIk9yD0T
 +o9cbK4SQSuOHUiA9Z5gA7vuxwOuloDhIm74k2PBWMaUEvx19nIh4XmgGEKNzI6V
 SbR+s+d9ciQ/aC/bXdeeZOpCDaty54D8sKzMi2y15Urycxwpz508LwE6I3Zm0Won
 xMEf5gGR30szgQdh6sJKIqZ2nVDLBg4H1mc4CULhsgViN/vM3Rrj2t4kOwUM30AU
 M49o4JPzY4wvhsAmhIQGl38C8wDkSqPwntRsszpbLgzI3Lsxb00xiPcLR6Y/pviH
 AfHxh/1uYymjD1Fq9u9ylgR6+15qqEYY/uEHr2EQyVvXQ08R1iKkT+v8fufMFUWa
 rJxyB+5v/RPRKvRRi9Xb1HkoiFo3E/bEPYKlGA2colp5iqFYpTUBJYJXyMosgjI+
 mqH0I+V+LuMtlE521YHKg0tsB9GVlfWBS12JAhwEEAECAAYFAljAUaEACgkQ3foa
 PjaHlJR8xw/5AYj/vJNbpnFNYV1jK7AwaEScpGpuDwh+izdGB6eCajynoZMmHSs5
 S3ToygNDo6Tlnh4/Tk7g6nG+eRWdAGghrrz2TXZd0sQX2KJ+m2omT5TZMrwPzM0v
 HcUSAZhW1+nK8miMdvxeOAtY91OaDXwjddii/f420m+9tXwCVKbD+EC83wPpr76r
 sokeOrp5H53CZQ++SbbG7qRmj4uc+VuyXNbAYNDa999Dpm5CW95LgMJ8/YpZbQ9S
 Gk8xlo2DTdBig84yO8Dp9L40KxhIbtpOfLZSWR7OwfMchb2wdt/rRcFsAUPjW7of
 /ZO7lQIPfkdl6cvssoZEjEGZnaxjRzR1b6GtPmlrq8MwUHOZqVizlo9vskuAczYl
 VECk2+D5ZH52GsSbX+C/2DpLUI+o8hLmNDkyBHkz7eOV69lMOzKKsXVyOyrsaLY1
 xNY6JPhMwJVuX8zNW2upETvWs8kr+ZOSvalinvmD6BAQp602PQRnUYDgRxG7GXw+
 z9D/6ea14TjGpQWW+wvRUUpqgs7WKCzjAAPDiqTpLvz5xtSTToW/qQJJn4LO7w3H
 Qo9G00Mruapdmy4nV5lHqsjm817M1vChTq1Q5+4ZPLMBoAndNM6vZAVJzfhhR+zG
 ZFp6oNCNJuSPFd+xN4tczA+aNZgUDDYhcvelFevUubLSjAR3ulfwxns=
 =d8U3
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-unstable
+++ b/misc/RPM-GPG-KEY-qubes-4-unstable
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 mQINBFk/KJsBEADR8mS6Z0NYFnY99BdaYN2Hng2IYIc56qMr+OpdwnriiGZhnd9m
 LyL/HJoFpg+kqdZyI9u31kAzXb2GbaCc75O46T1QckrlTInQns889k43vxRHIZCe
 KhIAakexLI1MynUIZtwB23pSeNrfIpkNMY2VwE6wrY57fSnb3+67/Jj7spVoMekw
 2M6U3cbzB7ijBECmzvRCnF2X0qs0r3qyaneunkCUPHbhM6/EUim722efMzVDu43Z
 XEIC3Vw/ydWk2ulyHEdK8ZZ8OfyiMEWvUFm1yvFDr4jS3Wl0bHYs4kGozlu9xGDz
 MO9966awBW4yCIl5XzIR2qcYdeDZmNysbafOkmcB8ObRkOAZeGjCpJBs0mgpMSfN
 ZXAQFw/COw7yyPH2GLxIOPYLYHzM0XkOPIvl5vl9F2pLT2x9emIR1D8lgqdNMIhW
 4eIcw50jS1TjyBCcS4cgiiCHT+rdSp6u7GpqRfwQNXBHOGHptkLY+VrqwtJ+5ckG
 oMIVKq/cLpHVe5usBiPs8v8uK0ufNvj3NmuAypwNsW49igLBOhIy8s9OjDnGtWfX
 2NU/QXQm/IBAAzXZ0VKPl9U4rAaidpJt991OZ+D2BAwZn2Go/vUPWi6/IqAvaE7g
 vZjBW7Hucpd6h26lEAIdzFqgym6yqCdQxdaOn9pP1qzRplUXqo9DAH2i5QARAQAB
 tCdRdWJlcyBPUyBSZWxlYXNlIDQgVW5zdGFibGUgU2lnbmluZyBLZXmJAjcEEwEI
 ACEFAlk/KJsCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQevnGU3u23ofo
 4g//Tmjw09UAL0uV/Oyjz1C0JBWQ7T7rt63L5KQ2S0DRjEykBJnZ8MPkYb0oXjOh
 SAqhJdA0Exjo+OIyofpLkT/Sjz02qE4auQni9aUYr6IqfLmOaQHkCxq8MNhSyu8s
 T7zTLPcP8JO86U0lWZ0n2k5fAyZKFqKIBQJAOGg1M3W4m0jIhNK5VCNLGCxyDvZJ
 kmh4STQdQWA5pu6dw8ruwhfWUPKXUVJttWWXTJd+MDR5Q/QNNATsK+123zmjqB85
 Wz1H6f4aGXrJGkz8Ize22H+56mxZ/B7ZFRAeKZwH1wXRg8mE33k77aJW0QrIbc7Y
 TVeZBTs38AxiG+0fiFTdZWmknkJ9YEcTMYtYlUrxpqaPjw1x8tLKd/mo/A7yvdo8
 XzvRs04aXVGS65jYS9rA4uTKXJ3q/pKouPLQT4GEcnDWWP63un3Ku6iSVyWWnOS6
 xJbFo1pgoSpNqjVh+oL3qU88nbN7KGaSua9FsAJknKzvzZheLqvrBddEFUvELGwx
 bbXzzwocIISe9m3NZnOMdjAGjmoukwCVFEFeq/9ieLRe5wcbKNg8pogiQRt8Izar
 lsSbtUT0s8X4EmD+61/g6nu8+RcNeYPrWqB4KMbYPiz30qsiP7XoTNVJYDxjU5md
 6watPaYvxmqnXkjdwM4Zpaq3cs3YZcMyqp/y2eus89EmDIY=
 =ShJt
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/apt-conf-70no-unattended
+++ b/misc/apt-conf-70no-unattended
@ -0,0 +1,26 @@
 ## Based on pkg-manager-no-autoupdate by Patrick Schleizer <adrelanos@riseup.net>
 ## https://github.com/Whonix/pkg-manager-no-autoupdate
 ## Disable automatic update check APT::Periodic::Update-Package-Lists
 ## which is the Debian default in /etc/apt/apt.conf.d/10periodic.
 ##
 ## The execution time would be too predictable, thus make us fingerprintable.
 ##
 ## 20noperiodic comes after 10periodic in alphabet so it takes precedence.
 ##
 ## Quoted from the Debian Handbook
 ## http://debian-handbook.info/browse/wheezy/sect.apt-get.html
 ##
 ## "[...] Each directory represents a configuration file which is split over multiple
 ## files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions
 ## for the configuration of APT. APT includes them in alphabetical order, so that the
 ## last ones can modify a configuration element defined in one of the first ones. [...]
 ##
 ## That changes take effect can be verified using:
 ## apt-config dump
 APT::Periodic::Update-Package-Lists "0";
 APT::Periodic::Download-Upgradeable-Packages "0";
 APT::Periodic::AutocleanInterval "0";
 APT::Periodic::Unattended-Upgrade "0";
 APT::Periodic::Enable "0";
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`[qubes-r3.2]`
							`Server = http://olivier.medoc.free.fr/archlinux/current/`
		`@ -0,0 +1,2 @@`
							`[qubes-r4.0]`
							`Server = http://olivier.medoc.free.fr/archlinux/current`
		`@ -0,0 +1,2 @@`
							`[Desktop Entry]`
							`NotShowIn=X-DisposableVM;`
		`@ -0,0 +1,2 @@`
							`[Desktop Entry]`
							`OnlyShowIn=GNOME;X-AppVM;`
		`@ -0,0 +1,2 @@`
							`[Desktop Entry]`
							`OnlyShowIn=GNOME;X-UpdateableVM;`
		`@ -0,0 +1 @@`
							`usr/lib/qubes/qubes-download-dom0-updates.sh`
		`@ -0,0 +1,2 @@`
							`[org.mate.NotificationDaemon]`
							`theme='slider'`
		`@ -0,0 +1,2 @@`
							`rm_conffile /etc/apt/apt.conf.d/00notiy-hook`
							`rm_conffile /etc/tinyproxy/filter-updates`
		`@ -0,0 +1,2 @@`
							`# moved to qubes-core-agent-passwordless-root`
							`/etc/pam.d/su.qubes`
		`@ -0,0 +1,2 @@`
							`[org.gnome.desktop.wm.preferences]`
							`button-layout='appmenu:'`