vif-route-qubes: \n -> \\n

Make shellcheck happy.
Fix iptables-restore race condition in vif-route-qubes
2018-10-15 06:20:32 +02:00 · 2018-10-15 06:20:25 +02:00 · 2018-10-13 03:33:18 +02:00 · 2018-10-10 02:44:11 +02:00 · 2018-10-10 00:01:15 +02:00 · 2018-10-09 14:54:34 +02:00
280 changed files with 8820 additions and 3610 deletions
--- a/.coveragerc
+++ b/.coveragerc
@ -0,0 +1,3 @@
 [run]
 source = qubesagent
 omit = qubesagent/test*
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,6 @@ deb/*
 *.pyo
 *~
 *.o
 .coverage
 *.egg-info
 __pycache__
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,35 @@
 sudo: required
 dist: trusty
 language: python
 python: '3.5'
 install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder
 script: ~/qubes-builder/scripts/travis-build
 env:
 - DISTS_VM=fc26 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc27 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc28 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=fc29 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=jessie USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=stretch USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=buster USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 - DISTS_VM=centos7 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
 jobs:
  include:
    - python: '3.5'
      install: pip install --quiet -r ci/requirements.txt
      env: TESTS_ONLY=1
      script:
       - ./run-tests
       - shellcheck  $(grep -l '^#!/bin/\(ba\)\?sh' $(git ls-files))
      after_success:
       - codecov
    - stage: deploy
      python: '3.5'
      env: DIST_DOM0=fc25 TESTS_ONLY=
      script: ~/qubes-builder/scripts/travis-deploy
 branches:
  except:
    - /.*_.*/
--- a/332
+++ b/332
@ -4,14 +4,17 @@ VERSION := $(shell cat version)
 DIST ?= fc18
 KDESERVICEDIR ?= /usr/share/kde4/services
 KDE5SERVICEDIR ?= /usr/share/kservices5/ServiceMenus/
 APPLICATIONSDIR ?= /usr/share/applications
 SBINDIR ?= /usr/sbin
 BINDIR ?= /usr/bin
 LIBDIR ?= /usr/lib
 SYSLIBDIR ?= /lib
-PYTHON = /usr/bin/python2
+PYTHON ?= /usr/bin/python2
-PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'`
+PYTHON_SITEARCH = $(shell python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)')
-PYTHON2_SITELIB = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()'`
+PYTHON2_SITELIB = $(shell python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()')
-PYTHON3_SITELIB = `python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())'`
+PYTHON3_SITELIB = $(shell python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())')
 # This makefile uses some bash-isms, make uses /bin/sh by default.
 SHELL = /bin/bash
@ -21,13 +24,19 @@ help:
 	@echo "make rpms-vm               -- generate binary rpm packages for VM"
 	@echo "make clean                 -- cleanup"
 	@echo "make install-vm            -- install VM related files"
 	@echo ""
 	@echo "You must have lsb_release, rpm-sign and pandoc installed."
 rpms: rpms-vm
 rpms-vm:
 	[ "$$BACKEND_VMM" != "" ] || { echo "error: you must define variable BACKEND_VMM" >&2 ; exit 1 ; }
 	lsb_release >/dev/null 2>&1 || { echo "error: you need lsb_release (package lsb) installed" >&2 ; exit 1 ; }
 	type pandoc >/dev/null 2>&1 || { echo "error: you need pandoc installed" >&2 ; exit 1 ; }
 	type rpmsign >/dev/null 2>&1 || { echo "error: you need rpm-sign installed" >&2 ; exit 1 ; }
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm.spec
 	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm-doc.spec
-	rpm --addsign \
+	[ "$$SKIP_SIGNING" != "" ] || rpm --addsign \
 		$(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION)*.rpm \
 		$(RPMS_DIR)/x86_64/qubes-core-vm-doc-*$(VERSION)*.rpm
@ -38,6 +47,12 @@ clean:
 	make -C misc clean
 	make -C qrexec clean
 	make -C qubes-rpc clean
 	make -C doc clean
 	rm -rf qubesagent/*.pyc qubesagent/__pycache__
 	rm -rf test-packages/__pycache__
 	rm -rf test-packages/qubesagent.egg-info
 	rm -rf __pycache__
 	rm -f .coverage
 all:
 	make -C misc
@ -45,21 +60,38 @@ all:
 	make -C qubes-rpc
 # Dropin Directory
-DROPIN_DIR ?= "lib/systemd"
+SYSTEM_DROPIN_DIR ?= "lib/systemd/system"
 USER_DROPIN_DIR ?= "usr/lib/systemd/user"
-SYSTEM_DROPINS := chronyd.service crond.service cups.service cups.path cups.socket ModemManager.service
+SYSTEM_DROPINS := chronyd.service crond.service
-SYSTEM_DROPINS += NetworkManager.service NetworkManager-wait-online.service ntpd.service getty@tty.service
+SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemManager.service
-SYSTEM_DROPINS += tinyproxy.service
+SYSTEM_DROPINS += getty@tty.service
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
 SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service tor@default.service
 SYSTEM_DROPINS += systemd-timesyncd.service
 SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
 SYSTEM_DROPINS_NETWORKING += tinyproxy.service
 USER_DROPINS := pulseaudio.service pulseaudio.socket
 # Ubuntu Dropins
 ifeq ($(shell lsb_release -is), Ubuntu)
    # 'crond.service' is named 'cron.service in Debian
    SYSTEM_DROPINS := $(strip $(patsubst crond.service, cron.service, $(SYSTEM_DROPINS)))
    SYSTEM_DROPINS += anacron.service
    SYSTEM_DROPINS += anacron-resume.service
    SYSTEM_DROPINS += netfilter-persistent.service
    SYSTEM_DROPINS += exim4.service
    SYSTEM_DROPINS += avahi-daemon.service
 endif
 # Debian Dropins
 ifeq ($(shell lsb_release -is), Debian)
    # Don't have 'ntpd' in Debian
    SYSTEM_DROPINS := $(filter-out ntpd.service, $(SYSTEM_DROPINS))
    # 'crond.service' is named 'cron.service in Debian
    SYSTEM_DROPINS := $(strip $(patsubst crond.service, cron.service, $(SYSTEM_DROPINS)))
@ -69,52 +101,68 @@ ifeq ($(shell lsb_release -is), Debian)
    # handled by qubes-iptables service now
    SYSTEM_DROPINS += netfilter-persistent.service
    SYSTEM_DROPINS += anacron.service
    SYSTEM_DROPINS += anacron-resume.service
    SYSTEM_DROPINS += exim4.service
    SYSTEM_DROPINS += avahi-daemon.service
 endif
 install-systemd-dropins:
 	# Install system dropins
 	@for dropin in $(SYSTEM_DROPINS); do \
-	    install -d $(DESTDIR)/$(DROPIN_DIR)/system/$${dropin}.d ;\
+	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
-	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(DROPIN_DIR)/system/$${dropin}.d/ ;\
+	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 	# Install user dropins
 	@for dropin in $(USER_DROPINS); do \
-	    install -d $(DESTDIR)/$(DROPIN_DIR)/user/$${dropin}.d ;\
+	    install -d $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d ;\
-	    install -m 0644 vm-systemd/user/$${dropin}.d/*.conf $(DESTDIR)/$(DROPIN_DIR)/user/$${dropin}.d/ ;\
+	    install -m 0644 vm-systemd/user/$${dropin}.d/*.conf $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
-install-systemd:
+install-systemd-networking-dropins:
 	# Install system dropins
 	@for dropin in $(SYSTEM_DROPINS_NETWORKING); do \
 	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
 	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
 	done
 install-init:
 	install -d $(DESTDIR)$(LIBDIR)/qubes/init
 	# FIXME: do a source code move vm-systemd/*.sh to init/
 	# since those scripts are shared between sysvinit and systemd.
 	install -m 0755 init/*.sh vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
 	install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service)
 SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES), $(SYSTEMD_ALL_SERVICES))
 install-systemd: install-init
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
-	install -m 0755 vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
+	install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 	install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
 	install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
 		$(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
-install-sysvinit:
+install-sysvinit: install-init
 	install -d $(DESTDIR)/etc/init.d
 	install vm-init.d/qubes-sysinit $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-early $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-appvm $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-core-netvm $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-firewall $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-netwatcher $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-qrexec-agent $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-updates-proxy-forwarder $(DESTDIR)/etc/init.d/
 	install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 	install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
 	install network/qubes-iptables $(DESTDIR)/etc/init.d/
 install-rh: install-systemd install-systemd-dropins install-sysvinit
-	install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
+	install -D -m 0644 misc/qubes-r4.repo.in $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo
-	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
+	DIST='$(DIST)'; sed -i "s/@DIST@/$${DIST%%[0-9]*}/g" $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo
 	install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.gnome.nautilus.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.mate.NotificationDaemon.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -d $(DESTDIR)$(LIBDIR)/yum-plugins/
 	install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)$(LIBDIR)/yum-plugins/
 	install -D -m 0644 misc/yum-qubes-hooks.conf $(DESTDIR)/etc/yum/pluginconf.d/yum-qubes-hooks.conf
@ -125,8 +173,7 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
-	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
+	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.qubes
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 	install -D -m 0644 misc/dracut-qubes.conf \
@ -138,123 +185,204 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
 		$(DESTDIR)$(PYTHON3_SITELIB)/dnf-plugins/qubes-hooks.py
 	install -D -m 0644 misc/dnf-qubes-hooks.conf $(DESTDIR)/etc/dnf/plugins/qubes-hooks.conf
 install-doc:
 	$(MAKE) -C doc install
-install-common:
+install-common: install-doc
 	$(MAKE) -C autostart-dropins install
 	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
 	# force /usr/bin before /bin to have /usr/bin/python instead of /bin/python
 	PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
 	mkdir -p $(DESTDIR)$(SBINDIR)
 	install -d -m 0750 $(DESTDIR)/etc/sudoers.d/
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
 	install -D -m 0440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm
 	install -D -m 0644 misc/20_tcp_timestamps.conf $(DESTDIR)/etc/sysctl.d/20_tcp_timestamps.conf
 	install -d $(DESTDIR)/var/lib/qubes
-	install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
+	install -D misc/xenstore-watch $(DESTDIR)$(BINDIR)/xenstore-watch-qubes
 	install -d $(DESTDIR)/etc/udev/rules.d
 	install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
 	install -d $(DESTDIR)$(LIBDIR)/qubes/
 	install misc/vusb-ctl.py $(DESTDIR)$(LIBDIR)/qubes/
 	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install -d -m 0750 $(DESTDIR)/etc/polkit-1/rules.d
 	install -D -m 0644 misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 	install -D -m 0644 misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 	install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
 	install misc/qubes-download-dom0-updates.sh $(DESTDIR)$(LIBDIR)/qubes/
-	install -g user -m 2775 -d $(DESTDIR)/var/lib/qubes/dom0-updates
+	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 \
 		misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override \
 		misc/20_org.gnome.nautilus.qubes.gschema.override \
 		misc/20_org.mate.NotificationDaemon.qubes.gschema.override \
 		misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override \
 		$(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 2775 -d $(DESTDIR)/var/lib/qubes/dom0-updates
 	install -D -m 0644 misc/qubes-master-key.asc $(DESTDIR)/usr/share/qubes/qubes-master-key.asc
 	install misc/resize-rootfs $(DESTDIR)$(LIBDIR)/qubes/
 	if [ -r misc/dispvm-dotfiles.$(DIST).tbz ] ; \
 	then \
 		install misc/dispvm-dotfiles.$(DIST).tbz $(DESTDIR)/etc/dispvm-dotfiles.tbz ; \
 	else \
 		install misc/dispvm-dotfiles.tbz $(DESTDIR)/etc/dispvm-dotfiles.tbz ; \
 	fi;
 	install misc/dispvm-prerun.sh $(DESTDIR)$(LIBDIR)/qubes/dispvm-prerun.sh
 	install misc/close-window $(DESTDIR)$(LIBDIR)/qubes/close-window
 	install misc/upgrades-installed-check $(DESTDIR)$(LIBDIR)/qubes/upgrades-installed-check
 	install misc/upgrades-status-notify $(DESTDIR)$(LIBDIR)/qubes/upgrades-status-notify
 	install -m 0644 network/udev-qubes-network.rules $(DESTDIR)/etc/udev/rules.d/99-qubes-network.rules
 	install network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes
 	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes
 	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
 	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
 	install -d $(DESTDIR)/etc/dhclient.d
 	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
 	install -m 0755 network/update-proxy-configs $(DESTDIR)$(LIBDIR)/qubes/
-
+	install -d $(DESTDIR)$(BINDIR)
-	install -d $(DESTDIR)/$(SBINDIR)
+	install -m 0755 misc/qubes-session-autostart $(DESTDIR)$(BINDIR)/qubes-session-autostart
-	install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
+	install -m 0755 misc/qvm-features-request $(DESTDIR)$(BINDIR)/qvm-features-request
-	install network/qubes-netwatcher $(DESTDIR)/$(SBINDIR)/
+	install -m 0755 misc/qubes-run-terminal $(DESTDIR)/$(BINDIR)
-
+	install -D -m 0644 misc/qubes-run-terminal.desktop $(DESTDIR)/$(APPLICATIONSDIR)/qubes-run-terminal.desktop
-	install -d $(DESTDIR)/usr/bin
+	install -m 0755 qubes-rpc/qvm-sync-clock $(DESTDIR)$(BINDIR)/qvm-sync-clock
-	install -m 0755 misc/qubes-session-autostart $(DESTDIR)/usr/bin/qubes-session-autostart
+	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run-vm} $(DESTDIR)/usr/bin
-
+	install qubes-rpc/qvm-copy $(DESTDIR)/usr/bin
-	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-move-to-vm,qvm-run,qvm-mru-entry} $(DESTDIR)/usr/bin
+	ln -s qvm-copy-to-vm $(DESTDIR)/usr/bin/qvm-move-to-vm
-	install qubes-rpc/wrap-in-html-if-url.sh $(DESTDIR)$(LIBDIR)/qubes
+	ln -s qvm-copy $(DESTDIR)/usr/bin/qvm-move
 	install qubes-rpc/qvm-copy-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-move-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
+	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-move-to-vm.gnome
-	install qubes-rpc/qvm-move-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
+	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-copy-to-vm.kde
 	ln -s qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes/qvm-move-to-vm.kde
 	install qubes-rpc/qvm-actions.sh $(DESTDIR)$(LIBDIR)/qubes
 	install -m 0644 misc/uca_qubes.xml $(DESTDIR)$(LIBDIR)/qubes
 	mkdir -p $(DESTDIR)/etc/xdg/xfce4/xfconf/xfce-perchannel-xml
 	install -m 0644 misc/thunar.xml $(DESTDIR)/etc/xdg/xfce4/xfconf/xfce-perchannel-xml
 	install qubes-rpc/xdg-icon $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/{vm-file-editor,qfile-agent,qopen-in-vm} $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qubes-open $(DESTDIR)/usr/bin
+	install qubes-rpc/qubes-open $(DESTDIR)$(BINDIR)
 	install qubes-rpc/tar2qfile $(DESTDIR)$(LIBDIR)/qubes
 	# Install qfile-unpacker as SUID - because it will fail to receive files from other vm
 	install -m 4755  qubes-rpc/qfile-unpacker $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qrun-in-vm $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/sync-ntp-clock $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/prepare-suspend $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qubes-sync-clock $(DESTDIR)$(LIBDIR)/qubes
 	install -m 0644 misc/qubes-suspend-module-blacklist $(DESTDIR)/etc/qubes-suspend-module-blacklist
 	install -d $(DESTDIR)/$(KDESERVICEDIR)
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDESERVICEDIR)
 	install -d $(DESTDIR)/$(KDE5SERVICEDIR)
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDE5SERVICEDIR)
 	install -d $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell} $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.VMRootShell $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.WaitForSession $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.OpenURL $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.DetachPciDevice $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.SuspendPreAll $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.SuspendPostAll $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.WaitForSession $(DESTDIR)/etc/qubes-rpc
-	install -m 0644 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.DetachPciDevice $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.InstallUpdatesGUI $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.ResizeDisk $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.StartApp $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.PostInstall $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc
 	install -d $(DESTDIR)/etc/qubes/rpc-config
 	install -m 0644 qubes-rpc/rpc-config.README $(DESTDIR)/etc/qubes/rpc-config/README
 	for config in qubes-rpc/*.config; do \
 		install -m 0644 $$config $(DESTDIR)/etc/qubes/rpc-config/`basename $$config .config`; \
 	done
 	install -d $(DESTDIR)/etc/qubes/suspend-pre.d
 	install -m 0644 qubes-rpc/suspend-pre.README $(DESTDIR)/etc/qubes/suspend-pre.d/README
 	install -d $(DESTDIR)/etc/qubes/suspend-post.d
 	install -m 0644 qubes-rpc/suspend-post.README $(DESTDIR)/etc/qubes/suspend-post.d/README
 	install -m 0755 qubes-rpc/suspend-post-qvm-sync-clock.sh \
 		$(DESTDIR)/etc/qubes/suspend-post.d/qvm-sync-clock.sh
 	install -d $(DESTDIR)/etc/qubes/post-install.d
 	install -m 0644 post-install.d/README $(DESTDIR)/etc/qubes/post-install.d/
 	install -m 0755 post-install.d/*.sh $(DESTDIR)/etc/qubes/post-install.d/
 	install -d $(DESTDIR)/usr/share/nautilus-python/extensions
 	install -m 0644 qubes-rpc/*_nautilus.py $(DESTDIR)/usr/share/nautilus-python/extensions
-	install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run
+	install -D -m 0644 misc/dconf-db-local-dpi $(DESTDIR)/etc/dconf/db/local.d/dpi
-	mkdir -p $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
+	install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)$(BINDIR)/qubes-desktop-run
 ifeq ($(shell lsb_release -is), Debian)
 	install -m 0644 misc/xdg.py $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
 else
 	install -m 0644 misc/py2/xdg.py* $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
 endif
 	install -d $(DESTDIR)/mnt/removable
 	install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
 	install -d $(DESTDIR)/usr/lib/qubes-bind-dirs.d
 	install -D -m 0644 misc/30_cron.conf $(DESTDIR)/usr/lib/qubes-bind-dirs.d/30_cron.conf
 	install -d $(DESTDIR)/var/run/qubes
 	install -d $(DESTDIR)/home_volatile/user
 	install -d $(DESTDIR)/rw
-install-deb: install-common install-systemd install-systemd-dropins
+# Networking install target includes:
 # * basic network functionality (setting IP address, DNS, default gateway)
 # * package update proxy client
 install-networking:
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system
 	install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -d $(DESTDIR)$(LIBDIR)/qubes/
 	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
 # Netvm install target includes:
 # * qubes-firewall service (FirewallVM)
 # * DNS redirection setup
 # * proxy service used by TemplateVMs to download updates
 install-netvm:
 	install -D -m 0644 $(SYSTEMD_NETWORK_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -D -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/qubes-iptables
 	install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
 		$(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 	mkdir -p $(DESTDIR)$(SBINDIR)
 ifneq ($(SBINDIR),/usr/bin)
 	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
 endif
 	install -D network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes/qubes-setup-dnat-to-ns
 	install -d $(DESTDIR)/etc/dhclient.d
 	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
 	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
 # networkmanager install target allow integration of NetworkManager for Qubes VM:
 # * make connections config persistent
 # * adjust DNS redirections when needed
 # * show/hide NetworkManager applet icon
 install-networkmanager:
 	install -d $(DESTDIR)$(LIBDIR)/qubes/
 	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d
 	install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins install-networking install-networkmanager install-netvm
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
-	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
+	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r4.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r4.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 	install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
 	install -d $(DESTDIR)/etc/sysctl.d
@ -265,6 +393,14 @@ install-deb: install-common install-systemd install-systemd-dropins
 	install -m 0644 misc/pam.d_su.qubes $(DESTDIR)/etc/pam.d/su.qubes
 	install -d $(DESTDIR)/etc/needrestart/conf.d
 	install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 	install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg
 	install -D -m 0644 misc/apt-conf-70no-unattended $(DESTDIR)/etc/apt/apt.conf.d/70no-unattended
 	mkdir -p $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/haveged.service  $(DESTDIR)/etc/systemd/system/
-install-vm: install-rh install-common
+install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins install-networking
 install-netvm: install-systemd-networking-dropins install-networkmanager
 install-vm: install-corevm install-netvm
--- a/Makefile.builder
+++ b/Makefile.builder
@ -1,6 +1,5 @@
 ifeq ($(PACKAGE_SET),vm)
-  RPM_SPEC_FILES := rpm_spec/core-vm.spec \
+  RPM_SPEC_FILES := rpm_spec/core-agent.spec
  rpm_spec/core-vm-doc.spec
  ifneq ($(filter $(DISTRIBUTION), debian qubuntu),)
    DEBIAN_BUILD_DIRS := debian
@ -13,7 +12,9 @@ endif
 source-debian-quilt-copy-in: VERSION = $(shell cat $(ORIG_SRC)/version)
 source-debian-quilt-copy-in: ORIG_FILE = "$(CHROOT_DIR)/$(DIST_SRC)/../qubes-core-agent_$(VERSION).orig.tar.gz"
 source-debian-quilt-copy-in:
 	if [ $(DIST) == bionic ] ; then \
 		sed -i /initscripts/d $(CHROOT_DIR)/$(DIST_SRC)/debian/control ;\
 	fi
 	-$(shell $(ORIG_SRC)/debian-quilt $(ORIG_SRC)/series-debian-vm.conf $(CHROOT_DIR)/$(DIST_SRC)/debian/patches)
 	tar cfz $(ORIG_FILE) --exclude-vcs --exclude=rpm --exclude=pkgs --exclude=deb --exclude=debian -C $(CHROOT_DIR)/$(DIST_SRC) .
 # vim: filetype=make
--- a/archlinux/PKGBUILD
+++ b/archlinux/PKGBUILD
@ -1,95 +1,153 @@
-# This is an example PKGBUILD file. Use this as a start to creating your own,
+#!/bin/bash
 # and remove these comments. For more information, see 'man PKGBUILD'.
 # NOTE: Please fill out the license field for your package! If it is unknown,
 # then please put 'unknown'.
 # Maintainer: Olivier Medoc <o_medoc@yahoo.fr>
-pkgname=qubes-vm-core
+# shellcheck disable=SC2034
-pkgver=`cat version`
+pkgname=(qubes-vm-core qubes-vm-networking qubes-vm-keyring)
-pkgrel=6
+pkgver=$(cat version)
 pkgrel=15
 epoch=
 pkgdesc="The Qubes core files for installation inside a Qubes VM."
 arch=("x86_64")
 url="http://qubes-os.org/"
 license=('GPL')
 groups=()
-depends=("qubes-vm-utils>=3.1.3" python2 python3 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf pygtk zenity qubes-libvchan qubes-db-vm haveged python2-gobject python2-dbus xdg-utils notification-daemon)
+makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc)
 makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3)
 checkdepends=()
 optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer)
 provides=()
 conflicts=()
 replaces=()
 backup=()
 options=()
 install=PKGBUILD.install
 changelog=
-source=(PKGBUILD.qubes-ensure-lib-modules.service)
+source=(
    PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook
    PKGBUILD-qubes-pacman-options.conf
    PKGBUILD-qubes-repo-3.2.conf
    PKGBUILD-qubes-repo-4.0.conf
    PKGBUILD-keyring-keys
    PKGBUILD-keyring-trusted
    PKGBUILD-keyring-revoked
 )
 noextract=()
-md5sums=('88f4b3d5b156888a9d38f5bc28702ab8') #generate with 'makepkg -g'
+md5sums=(SKIP)
 build() {
    for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version doc setup.py qubesagent post-install.d; do
        # shellcheck disable=SC2154
        (ln -s "$srcdir/../$source" "$srcdir/$source")
    done
-for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network ; do
+    # Fix for network tools paths
-  (ln -s $srcdir/../$source $srcdir/$source)
+    sed 's:/sbin/ifconfig:ifconfig:g' -i network/*
-done
+    sed 's:/sbin/route:route:g' -i network/*
    sed 's:/sbin/ethtool:ethtool:g' -i network/*
    sed 's:/sbin/ip:ip:g' -i network/*
    sed 's:/bin/grep:grep:g' -i network/*
-# Fix for network tools paths
+    # Force running all scripts with python2
-sed 's:/sbin/ifconfig:ifconfig:g' -i network/*
+    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/*
-sed 's:/sbin/route:route:g' -i network/*
+    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i misc/*
-sed 's:/sbin/ethtool:ethtool:g' -i network/*
+    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i qubes-rpc/*
-sed 's:/sbin/ip:ip:g' -i network/*
+    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i qubes-rpc/*
 sed 's:/bin/grep:grep:g' -i network/*
-# Force running all scripts with python2
+    # Fix for archlinux sbindir
-sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i misc/*
+    sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
-sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i misc/*
+    sed 's:/usr/sbin/qubes-firewall:/usr/bin/qubes-firewall:g' -i vm-systemd/qubes-firewall.service
 sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i qubes-rpc/*
 sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i qubes-rpc/*
 # Fix for archlinux sbindir
 sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
 sed 's:/usr/sbin/qubes-netwatcher:/usr/bin/qubes-netwatcher:g' -i vm-systemd/qubes-netwatcher.service
 sed 's:/usr/sbin/qubes-firewall:/usr/bin/qubes-firewall:g' -i vm-systemd/qubes-firewall.service
 for dir in qubes-rpc qrexec misc; do
  (cd $dir; make)
 done
    for dir in qubes-rpc qrexec misc; do
        make -C "$dir"
    done
 }
-package() {
+#This package provides:
 # * qrexec agent
 # * qubes rpc scripts
 # * core linux tools and scripts
 # * core systemd services and drop-ins
 # * basic network functionality (setting IP address, DNS, default gateway)
 package_qubes-vm-core() {
    depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools
             gnome-packagekit imagemagick fakeroot notification-daemon dconf
             zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject
             python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg
             socat
             )
    optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer qubes-vm-networking qubes-vm-keyring)
    install=PKGBUILD.install
    # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html)
    # shellcheck disable=SC2154
    make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib
-  (cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib)
+    PYTHON=python2 make install-corevm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
  make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib DROPIN_DIR=usr/lib/systemd DIST=archlinux
    # Remove things non wanted in archlinux
-  rm -r $pkgdir/etc/yum*
+    rm -r "$pkgdir/etc/yum"*
-  rm -r $pkgdir/etc/init.d
+    rm -r "$pkgdir/etc/dnf"*
    rm -r "$pkgdir/etc/init.d"
    # Remove fedora specific scripts
-  rm $pkgdir/etc/fstab
+    rm "$pkgdir/etc/fstab"
    # Install systemd script allowing to automount /lib/modules
-  install -m 644 $srcdir/PKGBUILD.qubes-ensure-lib-modules.service ${pkgdir}/usr/lib/systemd/system/qubes-ensure-lib-modules.service
+    install -m 644 "$srcdir/PKGBUILD.qubes-ensure-lib-modules.service" "${pkgdir}/usr/lib/systemd/system/qubes-ensure-lib-modules.service"
    # Install pacman hook to update desktop icons
    mkdir -p "${pkgdir}/usr/share/libalpm/hooks/"
    install -m 644 "$srcdir/PKGBUILD.qubes-update-desktop-icons.hook" "${pkgdir}/usr/share/libalpm/hooks/qubes-update-desktop-icons.hook"
    # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail)
    mkdir -p "${pkgdir}/etc/pacman.d"
    install -m 644 "$srcdir/PKGBUILD-qubes-pacman-options.conf" "${pkgdir}/etc/pacman.d/10-qubes-options.conf"
    # Install pacman repository
    release=$(echo "$pkgver" | cut -d '.' -f 1,2)
    echo "Installing repository for release ${release}"
    install -m 644 "$srcdir/PKGBUILD-qubes-repo-${release}.conf" "${pkgdir}/etc/pacman.d/99-qubes-repository-${release}.conf.disabled"
    # Archlinux specific: enable autologin on tty1
-  mkdir -p $pkgdir/etc/systemd/system/getty@tty1.service.d/
+    mkdir -p "$pkgdir/etc/systemd/system/getty@tty1.service.d/"
-  cat <<EOF > $pkgdir/etc/systemd/system/getty@tty1.service.d/autologin.conf
+    cat <<EOF > "$pkgdir/etc/systemd/system/getty@tty1.service.d/autologin.conf"
 [Service]
 ExecStart=
 ExecStart=-/usr/bin/agetty --autologin user --noclear %I 38400 linux
 EOF
    # Archlinux packaging guidelines: /var/run is a symlink to a tmpfs. Don't create it
-  rm -r $pkgdir/var/run
+    rm -r "$pkgdir/var/run"
 }
 #This package provides:
 # * proxy service used by TemplateVMs to download updates
 # * qubes-firewall service (FirewallVM)
 #
 #Integration of NetworkManager for Qubes VM:
 # * make connections config persistent
 # * adjust DNS redirections when needed
 # * show/hide NetworkManager applet icon
 #
 package_qubes-vm-networking() {
    pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM"
    depends=(qubes-vm-core "qubes-vm-utils>=3.1.3" python2 ethtool net-tools
             "qubes-db-vm>=3.2.1" networkmanager iptables tinyproxy nftables
             )
    install=PKGBUILD-networking.install
    # shellcheck disable=SC2154
    PYTHON=python2 make install-netvm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
 }
 package_qubes-vm-keyring() {
    pkgdesc="Qubes OS Binary Repository Activation package and Keyring"
    install=PKGBUILD-keyring.install
    # Install keyring (will be activated through the .install file)
    install -dm755 "${pkgdir}/usr/share/pacman/keyrings/"
    install -m0644 PKGBUILD-keyring-keys "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg"
    install -m0644 PKGBUILD-keyring-trusted "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted"
    install -m0644 PKGBUILD-keyring-revoked "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked"
 }
 # vim:set ts=2 sw=2 et:
--- a/archlinux/PKGBUILD-keyring-keys
+++ b/archlinux/PKGBUILD-keyring-keys
@ -0,0 +1,30 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBFM0TnYBCADNyamUtA9e0/oUu4AeAgt1JYDtq3zCQSX7pHpY1zkGtulppSOe
 gkCgW2db+FlKeUNHQ+JX0uv8Ny0SjQBZO0yNxDLfPuqJzM/VjUIdLTJS0FEpxzT1
 Oiz0WRdcbeHtQ8SmEfmRStaB9PTNZ97FogFFONvQ6r/ICNldqfe+Qq72D/p6FqNM
 mW16dZokQEOgJpOb/L7dHNrta1ye8CurrEbXIt7B+4NnUpvzFmnQ+OxsC3AUbvI5
 PbaQyu8ivhoofnpgj66PojlFYMaL8mUaScL2VM5Ljx72zVA5+MUmk8O02O2X8Rdc
 +5boRi2h7oyCASBYK3x+WayaDTNWx3o8+sSdABEBAAG0N09saXZpZXIgTUVET0Mg
 KFF1YmVzLU9TIHNpZ25pbmcga2V5KSA8b19tZWRvY0B5YWhvby5mcj6JAT4EEwEC
 ACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW+jhsBQkHiFDrAAoJECBD
 56zBgzucHCwH/RLCCM1PJ50jEMJg7ZBrwkv5cvKePD1iGhPFOZ1gBtMTYfl7zJO7
 gOuOgQ+TKjfIFM/ijQBFMRmByrQ0ZkGNIqY7JB3shZ5EsCeb7cgyw7hEyj4S3O6e
 K+CVVy4CBAyXILVr/En8xU41K1qQpEiHkvqk0E05sEkYcN4Ggvw5JUNWpZO7fl6I
 tLvTBf5aPqiLqWN08fjdmVJ/5l+LCdMyJxUdsQV0pkzcv9l8ouB/0ig8HikoC+dW
 HuWbk9uj1CU0c4C8tTbOszjKAbEZ5msZ2NUxPM1vqKaac8IbWkSJBqlYFcb3PSMk
 LmFtXN/0hAcf8KbziODQgKcyuEBi3b5d6wy5AQ0EUzROdgEIAOG22xrDqJkCrEx8
 QFnZYSwxV2lI9fDyCT/kaHPa/5YOV/Xa01RLM27UPbV/UKkKN+M6+mFj26e+E25p
 2R/e1Wk9HDrbu7NDXozGcKDlTIAmQ4yjNVb/G1850/SO1vuPDfNzMD81F18XzYCa
 eyUV88HjXTbJSeJAbjWNvTkoMK4wY6PlHfyT0G0i4svfL/mZCGM8KagNouGHuG8s
 5JKwlC1BZnmfDuB4exP7cSNEDWwnBn98rx13DMLkGJu1xGnLqdGJw6WpP4a1IG7A
 9NDE2VetAS/ElMbMqfyuqiAxhtnuGdxstDaU7gW4VMTjAOMtO9LLY20EipsSBUrg
 7U1ync0AEQEAAYkBJQQYAQIADwIbDAUCVvo4nQUJB4hRJAAKCRAgQ+eswYM7nLWy
 CAC6enhJbXKGchqgfh+CeKsvWg97JG8yjW4W/9RL9Vto8ppgNzIKbA7AKgqOiy5l
 TToLaxK+Z1JE72lsWUnALmz1Oa7M7M9J1ptfD8TMj1/D3cj2Lnrg7qTaEEL5Nw+t
 FRNXeUjsuWt+iW7eYiGtI+eSWBokH945Ig32vf88n0t3F8whDRzv5fy1yF35aMRS
 HS5gDJv5t2BnPtehMhr5EOHbUH3UFevA79Hf4bUlOOo7eTTmSPMDcWFUA9MMKoE5
 pkHwoimXiNJy3e8TZ4uSTBH8XcXA/5mYSXbWKBX4Y5JznOBTtkjGsbL7dua3zDbF
 BGNH5RhiY1/bJ+m4zxU8bDWq
 =ofdo
 -----END PGP PUBLIC KEY BLOCK-----
--- a/archlinux/PKGBUILD-keyring-revoked
+++ b/archlinux/PKGBUILD-keyring-revoked
--- a/archlinux/PKGBUILD-keyring-trusted
+++ b/archlinux/PKGBUILD-keyring-trusted
@ -0,0 +1 @@
 D85EE12F967851CCF433515A2043E7ACC1833B9C:4:
--- a/archlinux/PKGBUILD-keyring.install
+++ b/archlinux/PKGBUILD-keyring.install
@ -0,0 +1,18 @@
 post_upgrade() {
 	if usr/bin/pacman-key -l >/dev/null 2>&1; then
 		usr/bin/pacman-key --populate qubesos-vm
 	fi
 	release=$(echo "$1" | cut -d '.' -f 1,2)
 	if ! [ -h /etc/pacman.d/99-qubes-repository-${release}.conf ] ; then
            ln -s /etc/pacman.d/99-qubes-repository-${release}.conf.disabled /etc/pacman.d/99-qubes-repository-${release}.conf 
        fi
 }
 post_install() {
 	if [ -x usr/bin/pacman-key ]; then
 		post_upgrade "$1"
 	fi
 }
--- a/archlinux/PKGBUILD-networking.install
+++ b/archlinux/PKGBUILD-networking.install
@ -0,0 +1,41 @@
 #!/bin/bash
 ## arg 1:  the new package version
 post_install() {
    # Create NetworkManager configuration if we do not have it
    if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
    echo '[main]' > /etc/NetworkManager/NetworkManager.conf
    echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
    echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
    fi
    # Remove ip_forward setting from sysctl, so NM will not reset it
    # Archlinux now use sysctl.d/ instead of sysctl.conf
    #sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
    /usr/lib/qubes/qubes-fix-nm-conf.sh
    # Yum proxy configuration is fedora specific
    #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
    #  echo >> /etc/yum.conf
    #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
    #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
    #fi
    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
        systemctl enable $srv
    done
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 post_upgrade() {
    post_install
 }
 ## arg 1:  the old package version
 post_remove() {
    for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
        systemctl disable $srv
    done
 }
--- a/archlinux/PKGBUILD-qubes-pacman-options.conf
+++ b/archlinux/PKGBUILD-qubes-pacman-options.conf
@ -0,0 +1,2 @@
 [options]
 NoUpgrade = etc/pam.d/su-l
--- a/archlinux/PKGBUILD-qubes-repo-3.2.conf
+++ b/archlinux/PKGBUILD-qubes-repo-3.2.conf
@ -0,0 +1,2 @@
 [qubes-r3.2]
 Server = http://olivier.medoc.free.fr/archlinux/current/
--- a/archlinux/PKGBUILD-qubes-repo-4.0.conf
+++ b/archlinux/PKGBUILD-qubes-repo-4.0.conf
@ -0,0 +1,2 @@
 [qubes-r4.0]
 Server = http://olivier.medoc.free.fr/archlinux/current
--- a/archlinux/PKGBUILD.install
+++ b/archlinux/PKGBUILD.install
@ -1,20 +1,20 @@
 #!/bin/bash
 qubes_preset_file="75-qubes-vm.preset"
 ###########################
 ## Pre-Install functions ##
 ###########################
 update_default_user() {
    # Make sure there is a qubes group
    groupadd --force --system --gid 98 qubes
    # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
    # See https://bugs.archlinux.org/task/31831
    id -u 'user' >/dev/null 2>&1 || {
-	  useradd --user-group --create-home --shell /bin/zsh user
+        useradd --user-group --create-home --shell /bin/bash user
    }
    usermod -a --groups qubes user
 }
 ## arg 1:  the new package version
@ -47,7 +47,6 @@ pre_upgrade() {
    echo "Pre upgrade..."
    update_default_user
 }
 ###################
@ -57,19 +56,17 @@ pre_upgrade() {
 configure_notification-daemon() {
    # Enable autostart of notification-daemon when installed
-    if [ ! -e /etc/xdg/autostart/notification-daemon.desktop ]; then
+    if [ ! -L /etc/xdg/autostart/notification-daemon.desktop ]; then
        ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
    fi
 }
 configure_selinux() {
    # SELinux is not enabled on archlinux
    #echo "--> Disabling SELinux..."
    echo "SELINUX not enabled on archlinux. skipped."
    # sed -e s/^SELINUX=.*$/SELINUX=disabled/ -i /etc/selinux/config
    # setenforce 0 2>/dev/null
 }
 ############################
@ -77,170 +74,267 @@ configure_selinux() {
 ############################
 update_qubesconfig() {
 	# Create NetworkManager configuration if we do not have it
 	if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
 	echo '[main]' > /etc/NetworkManager/NetworkManager.conf
 	echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
 	echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
 	fi
 	/usr/lib/qubes/qubes-fix-nm-conf.sh
 	# Remove ip_forward setting from sysctl, so NM will not reset it
 	# Archlinux now use sysctl.d/ instead of sysctl.conf
 	#sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
    # Remove old firmware updates link
    if [ -L /lib/firmware/updates ]; then
      rm -f /lib/firmware/updates
    fi
-	# Yum proxy configuration is fedora specific
+    # convert /usr/local symlink to a mount point
-	#if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+    if [ -L /usr/local ]; then
-	#  echo >> /etc/yum.conf
+        rm -f /usr/local
-	#  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+        mkdir /usr/local
-	#  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+        mount /usr/local || :
-	#fi
+    fi
    # Fix fstab update to core-agent-linux 4.0.33
    grep -F -q "/rw/usrlocal" /etc/fstab || sed "/\/rw\/home/a\/rw\/usrlocal    \/usr\/local  none    noauto,bind,defaults 0 0" -i /etc/fstab
    #/usr/lib/qubes/update-proxy-configs
    # Archlinux pacman configuration is handled in update_finalize
    if ! [ -r /etc/dconf/profile/user ]; then
        mkdir -p /etc/dconf/profile
        echo "user-db:user" >> /etc/dconf/profile/user
        echo "system-db:local" >> /etc/dconf/profile/user
    fi
    dconf update &> /dev/null || :
    # Location of files which contains list of protected files
    mkdir -p /etc/qubes/protected-files.d
-	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+    # shellcheck source=init/functions
    . /usr/lib/qubes/init/functions
    # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-	if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    if ! is_protected_file /etc/hosts ; then
        if ! grep -q localhost /etc/hosts; then
          cat <<EOF > /etc/hosts
-	127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 $(hostname)
-	::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 EOF
        fi
    fi
    # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
    # in the form expected by qubes-sysinit.sh
-	if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    if ! is_protected_file /etc/hostname ; then
        for ip in '127\.0\.0\.1' '::1'; do
            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
-	            sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+                sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts
-	            sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+                sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts
            else
-	            echo "${ip} `hostname`" >> /etc/hosts
+                echo "${ip} $(hostname)" >> /etc/hosts
            fi
        done
    fi
-	# Make sure there is a default locale set so gnome-terminal will start
+}
 	if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
 	    touch /etc/locale.conf
 	    echo "LANG=en_US.UTF-8" >> /etc/locale.conf
 	fi
 	# ... and make sure it is really generated
 	# This line is buggy as LANG can be set to LANG="en_US.UTF-8". The Quotes must be stripped
 	current_locale=`grep LANG /etc/locale.conf|cut -f 2 -d = | tr -d '"'`
 	if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
 	    base=`echo "$current_locale" | cut -f 1 -d .`
 	    charmap=`echo "$current_locale.UTF-8" | cut -f 2 -d .`
 	    [ -n "$charmap" ] && charmap="-f $charmap"
 	    localedef -i $base $charmap $current_locale
 	fi
 ############################
 ## Service Management Functions ##
 ############################
 is_static() {
    [ -f "/usr/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/usr/lib/systemd/system/$1"
 }
 is_masked() {
    if [ ! -L /etc/systemd/system/"$1" ]
    then
        return 1
    fi
    target=$(readlink /etc/systemd/system/"$1" 2>/dev/null) || :
    if [ "$target" = "/dev/null" ]
    then
        return 0
    fi
    return 1
 }
 mask() {
    ln -sf /dev/null /etc/systemd/system/"$1"
 }
 unmask() {
    if ! is_masked "$1"
    then
        return 0
    fi
    rm -f /etc/systemd/system/"$1"
 }
 preset_units() {
    local represet=
    while read -r action unit_name
    do
        if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]
        then
            represet=1
            continue
        fi
        echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
        [[ -n "$action" && -n "$unit_name" ]] || continue
        if [ "$2" = "initial" ] || [ "$represet" = "1" ]
        then
            if [ "$action" = "disable" ] && is_static "$unit_name"
            then
                if ! is_masked "$unit_name"
                then
                    # We must effectively mask these units, even if they are static.
                    mask "$unit_name"
                fi
            elif [ "$action" = "enable" ] && is_static "$unit_name"
            then
                if is_masked "$unit_name"
                then
                    # We masked this static unit before, now we unmask it.
                    unmask "$unit_name"
                fi
                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            else
                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            fi
        fi
    done < "$1"
 }
 restore_units() {
    grep '^[[:space:]]*[^#;]' "$1" | while read -r action unit_name
    do
        if is_static "$unit_name" && is_masked "$unit_name"
        then
            # If the unit had been masked by us, we must unmask it here.
            # Otherwise systemctl preset will fail badly.
            unmask "$unit_name"
        fi
        systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
    done
 }
 configure_systemd() {
-
+    if [ "$1" -eq 1 ]
-PRESET_FAILED=0
+    then
-
+        preset_units /usr/lib/systemd/system-preset/$qubes_preset_file initial
-if [ $1 -eq 1 ]; then
+        changed=true
-    # Needs to be started two times to deal  with services name changes (systemctl bug?)
+    else
-    echo "Resetting systemd services to defaults presets (PASS 1)"
+        preset_units /usr/lib/systemd/system-preset/$qubes_preset_file upgrade
-    systemctl --no-reload preset-all 2>&1 && PRESET_FAILED=0 || PRESET_FAILED=1
+        changed=true
    echo "Resetting systemd services to defaults presets (PASS 2)"
    systemctl --no-reload preset-all 2>&1 && PRESET_FAILED=0 || PRESET_FAILED=1
 else
    services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-dirs"
    services="$services qubes-netwatcher qubes-network qubes-sysinit"
    services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
    services="$services qubes-random-seed"
    for srv in $services; do
        echo "Enable service defaults for $service"
        systemctl --no-reload preset $srv.service
    done
    systemctl --no-reload preset qubes-update-check.timer
        # Upgrade path - now qubes-iptables is used instead
-    systemctl --no-reload preset iptables.service
+        for svc in iptables ip6tables
-    systemctl --no-reload preset ip6tables.service
+        do
-fi
+            if [ -f "$svc".service ]
-
+            then
-# Set default "runlevel"
+                systemctl --no-reload preset "$svc".service
-rm -f /etc/systemd/system/default.target
+                changed=true
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 grep '^[[:space:]]*[^#;]' /lib/systemd/system-preset/75-qubes-vm.preset | while read action unit_name; do
    case "$action" in
    (disable)
        if [ -f /lib/systemd/system/$unit_name ]; then
            if ! fgrep -q '[Install]' /lib/systemd/system/$unit_name; then
                # forcibly disable
                ln -sf /dev/null /etc/systemd/system/$unit_name
            fi
        done
    fi
-        ;;
+
-    *)
+    if [ "$1" -eq 1 ]
-        # preset-all is not available in fc20; so preset each unit file listed in 75-qubes-vm.preset
+    then
-        if [ $1 -eq 1 -a "${PRESET_FAILED}" -eq 1 ]; then
+        # First install.
-            systemctl --no-reload preset "${unit_name}" > /dev/null 2>&1 || true
+        # Set default "runlevel".
        # FIXME: this ought to be done via kernel command line.
        # The fewer deviations of the template from the seed
        # image, the better.
        rm -f /etc/systemd/system/default.target
        ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
        changed=true
    fi
        ;;
    esac
 done
-systemctl daemon-reload
+    # remove old symlinks
    if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]
    then
        rm -f /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
        changed=true
    fi
    if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]
    then
        rm -f /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
        changed=true
    fi
    if [ "x$changed" != "x" ]
    then
        systemctl daemon-reload
    fi
 }
 ######################
 ## Archlinux Specific Functions ##
 ######################
 config_prependtomark() {
-FILE=$1
+    FILE=$1
-APPENDBEFORELINE=$2
+    APPENDBEFORELINE=$2
-APPENDLINE=$3
+    APPENDLINE=$3
-grep -q "$APPENDLINE" "$FILE" || sed "/$APPENDBEFORELINE/i$APPENDLINE" -i "$FILE"
+    grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDBEFORELINE/i$APPENDLINE" -i "$FILE"
 }
 config_appendtomark() {
-FILE=$1
+    FILE=$1
-APPENDAFTERLINE=$2
+    APPENDAFTERLINE=$2
-APPENDLINE=$3
+    APPENDLINE=$3
-grep -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
+    grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
 }
 config_cleanupmark() {
    FILE="$1"
    BEGINMARK="$2"
    ENDMARK="$3"
    if grep -F -q "$BEGINMARK" "$FILE"; then
        if grep -F -q "$ENDMARK" "$FILE"; then
            cp "$FILE" "$FILE.qubes-update-orig"
            sed -i -e "/^$BEGINMARK$/,/^$ENDMARK$/{
                /^$ENDMARK$/b
                /^$BEGINMARK$/!d
                }" "$FILE"
            rm -f "$FILE.qubes-update-orig"
        else
            echo "ERROR: found $BEGINMARK marker but not $ENDMARK in $FILE. Please cleanup this file manually."
        fi
    elif grep -F -q "$ENDMARK" "$FILE"; then
        echo "ERROR: found $ENDMARK marker but not $BEGINMARK in $FILE. Please cleanup this file manually."
    fi
 }
 update_finalize() {
    # Archlinux specific: If marker exists, cleanup text between begin and end marker
    QUBES_MARKER="### QUBES CONFIG MARKER ###"
    if grep -F -q "$QUBES_MARKER" /etc/pacman.conf; then
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
        config_cleanupmark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES CONFIG END MARKER ###"
    # Else, add qubes config block marker
    else
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
        config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
    fi
    # Include /etc/pacman.d drop-in directory
    config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "Include = /etc/pacman.d/*.conf"
    /usr/lib/qubes/update-proxy-configs
    # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
-	if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
+    # This is required as qubes-gui agent calls xinit with su -l user without initializing properly
    # the user session.
    # pam_unix.so can also be removed from su configuration
    # as system-login (which include system-auth) already gives pam_unix.so
    # with more appropriate parameters (fix the missing nullok parameter)
    if grep -q pam_unix.so /etc/pam.d/su; then
        echo "Fixing pam.d"
-		sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
+	cp /etc/pam.d/qrexec /etc/pam.d/su-l
 		sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
 		sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
 		cp /etc/pam.d/su /etc/pam.d/su-l
    fi
    # Archlinux specific: ensure tty1 is enabled
    rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
    systemctl enable getty\@tty1.service
 	# Archlinux specific: Prepare pacman.conf to add qubes specific config
 	QUBES_MARKER="### QUBES CONFIG MARKER ###"
 	config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
 	# Add Qubes setup script markers at the right place (this won't work at the end of pacman.conf)"
 	config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES END ###"
 	config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES BEGIN ###"
    systemctl daemon-reload
 }
 ## arg 1:  the new package version
 post_install() {
    update_qubesconfig
    # do the rest of %post thing only when updating for the first time...
@ -248,6 +342,8 @@ post_install() {
        cp /etc/init/serial.conf /var/lib/qubes/serial.orig
    fi
    chgrp user /var/lib/qubes/dom0-updates
    # Remove most of the udev scripts to speed up the VM boot time
    # Just leave the xen* scripts, that are needed if this VM was
    # ever used as a net backend (e.g. as a VPN domain in the future)
@ -255,19 +351,19 @@ post_install() {
    mkdir -p /var/lib/qubes/removed-udev-scripts
    for f in /etc/udev/rules.d/*
    do
-	    if [ $(basename $f) == "xen-backend.rules" ] ; then
+        if [ "$(basename "$f")" == "xen-backend.rules" ] ; then
            continue
        fi
-	    if [ $(basename $f) == "50-qubes-misc.rules" ] ; then
+        if [ "$(basename "$f")" == "50-qubes-misc.rules" ] ; then
            continue
        fi
-	    if echo $f | grep -q qubes; then
+        if echo "$f" | grep -q qubes; then
            continue
        fi
-	    mv $f /var/lib/qubes/removed-udev-scripts/
+        mv "$f" /var/lib/qubes/removed-udev-scripts/
    done
    mkdir -p /rw
@ -278,15 +374,11 @@ post_install() {
    configure_systemd 0
    update_finalize
 	glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
 }
 ## arg 1:  the new package version
 ## arg 2:  the old package version
 post_upgrade() {
    update_qubesconfig
    configure_notification-daemon
@ -294,10 +386,8 @@ post_upgrade() {
    configure_systemd 1
    update_finalize
 	/usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
 }
 ######################
@ -306,7 +396,6 @@ post_upgrade() {
 ## arg 1:  the old package version
 pre_remove() {
    # no more packages left
    if [ -e /var/lib/qubes/fstab.orig ] ; then
    mv /var/lib/qubes/fstab.orig /etc/fstab
@ -316,12 +405,34 @@ pre_remove() {
    mv /var/lib/qubes/serial.orig /etc/init/serial.conf
    fi
    if [ "$1" -eq 0 ] ; then
        # Run this only during uninstall.
        # Save the preset file to later use it to re-preset services there
        # once the Qubes OS preset file is removed.
        mkdir -p /run/qubes-uninstall
        cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
        cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
    fi
 }
 ## arg 1:  the old package version
 post_remove() {
    changed=
    if [ -d /run/qubes-uninstall ]
    then
        # We have a saved preset file (or more).
        # Re-preset the units mentioned there.
        restore_units /run/qubes-uninstall/$qubes_preset_file
        rm -rf /run/qubes-uninstall
        changed=true
    fi
    if [ "x$changed" != "x" ]
    then
        systemctl daemon-reload
    fi
    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
    if [ -L /lib/firmware/updates ] ; then
      rm /lib/firmware/updates
@ -329,8 +440,7 @@ post_remove() {
    rm -rf /var/lib/qubes/xdg
-    for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-netwatcher qubes-network qubes-qrexec-agent; do
+    for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-qrexec-agent; do
        systemctl disable $srv.service
    done
 }
--- a/archlinux/PKGBUILD.qubes-update-desktop-icons.hook
+++ b/archlinux/PKGBUILD.qubes-update-desktop-icons.hook
@ -0,0 +1,11 @@
 [Trigger]
 Type = File
 Operation = Install
 Operation = Upgrade
 Operation = Remove
 Target = usr/share/applications/*.desktop
 [Action]
 Description = Updating the Qubes desktop file App Icons and features...
 When = PostTransaction
 Exec = /etc/qubes-rpc/qubes.PostInstall
--- a/autostart-dropins/org.gnome.SettingsDaemon.XSettings.desktop
+++ b/autostart-dropins/org.gnome.SettingsDaemon.XSettings.desktop
@ -0,0 +1,2 @@
 [Desktop Entry]
 OnlyShowIn=GNOME;X-QUBES
--- a/ci/requirements.txt
+++ b/ci/requirements.txt
@ -0,0 +1,6 @@
 # WARNING: those requirements are used only for travis-ci.org
 # they SHOULD NOT be used under normal conditions; use system package manager
 docutils
 pylint
 codecov
 python-daemon
--- a/2
+++ b/2
@ -22,7 +22,7 @@ fi
 rm -f "${PATCH_DIR}/series"
 touch "${PATCH_DIR}/series"
-while read patch_file
+while read -r patch_file
 do
    if [ -e "${DIR}/${patch_file}" ]; then
        echo -e "${patch_file##*/}" >> "${PATCH_DIR}/series"
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control
+++ b/debian/control
@ -1,48 +1,52 @@
 Source: qubes-core-agent
 Section: admin
 Priority: extra
-Maintainer: Davíð Steinn Geirsson <david@dsg.is>
+Maintainer: unman <unman@thirdeyesecurity.org>
 Build-Depends:
    libpam0g-dev,
    libqrexec-utils-dev,
    libqubes-rpc-filecopy-dev (>= 3.1.3),
    libvchan-xen-dev,
    python,
    python-setuptools,
    debhelper,
    quilt,
    libxen-dev,
    pkg-config,
    dh-systemd (>= 1.5),
    dh-python,
    lsb-release,
    xserver-xorg-dev,
-    config-package-dev
+    config-package-dev,
    pandoc,
 Standards-Version: 3.9.5
-Homepage: http://www.qubes-os.org
+Homepage: https://www.qubes-os.org
-Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
+Vcs-Git: https://github.com/QubesOS/qubes-core-agent-linux
 Package: qubes-core-agent
 Architecture: any
 Depends:
    dconf-cli,
    dmsetup,
    ethtool,
    fakeroot,
    gawk,
    imagemagick,
    init-system-helpers,
    initscripts,
    iptables,
    librsvg2-bin,
    libvchan-xen,
    locales,
    locales-all,
    ncurses-term,
    net-tools,
    psmisc,
    procps,
    util-linux,
    python2.7,
    python-daemon,
    python-qubesdb,
    python-gi,
    python-xdg,
    python-dbus,
    python-gtk2,
    qubes-utils (>= 3.1.3),
-    sudo,
+    qubes-core-agent-qrexec,
    qubesdb-vm,
    systemd,
    x11-xserver-utils,
    xdg-user-dirs,
@ -51,28 +55,121 @@ Depends:
    xenstore-utils,
    xinit,
    xserver-xorg-core,
-    xserver-xorg-video-dummy,
+    ${python:Depends},
    ${shlibs:Depends},
    ${misc:Depends}
 Recommends:
    cups,
    gnome-packagekit,
    gnome-terminal,
    gnome-themes-standard,
    haveged,
    libnotify-bin,
    locales-all,
    mate-notification-daemon,
    network-manager (>= 0.8.1-1),
    network-manager-gnome,
    ntpdate,
    python-nautilus,
    system-config-printer,
-    tinyproxy,
+    qubes-core-agent-nautilus,
-    xsettingsd,
+    qubes-core-agent-networking,
-    yum,
+    qubes-core-agent-network-manager,
-    yum-utils
+    xsettingsd
-Provides: ${diverted-files}
+Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Conflicts: ${diverted-files}, qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
 This package includes various daemons necessary for qubes domU support,
 such as qrexec.
 Package: qubes-core-agent-qrexec
 Architecture: any
 Depends:
    libvchan-xen,
    ${shlibs:Depends},
    ${misc:Depends}
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes qrexec agent
 Agent part of Qubes RPC system. A daemon responsible for starting processes as
 requested by dom0 or other VMs, according to dom0-enforced policy.
 Package: qubes-core-agent-nautilus
 Architecture: any
 Depends:
    python-nautilus,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes integration for Nautilus
 Nautilus addons for inter-VM file copy/move/open.
 Package: qubes-core-agent-thunar
 Architecture: any
 Depends:
    thunar,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Qubes integration for Thunar
 Thunar addons for inter-VM file copy/move/open.
 Package: qubes-core-agent-dom0-updates
 Architecture: any
 Depends:
    fakeroot,
    yum,
    yum-utils,
    qubes-core-agent-qrexec,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Scripts required to handle dom0 updates.
  Scripts required to handle dom0 updates. This will allow to use the VM as
  "Updates VM".
 Package: qubes-core-agent-networking
 Architecture: any
 Depends:
    qubes-core-agent,
    tinyproxy,
    iptables,
    net-tools,
    ethtool,
    socat,
    tinyproxy,
    ${python:Depends},
    ${misc:Depends}
 Suggests:
    nftables,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: Networking support for Qubes VM
 This package provides:
  * basic network functionality (setting IP address, DNS, default gateway)
  * proxy service used by TemplateVMs to download updates
  * qubes-firewall service (FirewallVM)
 .
 Note: if you want to use NetworkManager (you do want it in NetVM), install
 also qubes-core-agent-network-manager.
 Package: qubes-core-agent-network-manager
 Architecture: any
 Depends:
    qubes-core-agent-networking,
    libglib2.0-bin,
    network-manager (>= 0.8.1-1),
    network-manager-gnome,
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Description: NetworkManager integration for Qubes VM
 Integration of NetworkManager for Qubes VM:
  * make connections config persistent
  * adjust DNS redirections when needed
  * show/hide NetworkManager applet icon
 Package: qubes-core-agent-passwordless-root
 Architecture: any
 Replaces: qubes-core-agent (<< 4.0.0-1)
 Breaks: qubes-core-agent (<< 4.0.0-1)
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Passwordless root access from normal user
 Configure sudo, PolicyKit and similar tool to not ask for any password when
 switching from user to root. Since all the user data in a VM is accessible
 already from normal user account, there is not much more to guard there. Qubes
 VM is a single user system.
--- a/debian/qubes-core-agent-dom0-updates.install
+++ b/debian/qubes-core-agent-dom0-updates.install
@ -0,0 +1 @@
 usr/lib/qubes/qubes-download-dom0-updates.sh
--- a/debian/qubes-core-agent-nautilus.install
+++ b/debian/qubes-core-agent-nautilus.install
@ -0,0 +1 @@
 usr/share/nautilus-python/extensions/*
--- a/debian/qubes-core-agent-network-manager.install
+++ b/debian/qubes-core-agent-network-manager.install
@ -0,0 +1,7 @@
 etc/NetworkManager/dispatcher.d/30-qubes-external-ip
 etc/NetworkManager/dispatcher.d/qubes-nmhook
 etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 usr/lib/NetworkManager/conf.d/30-qubes.conf
 usr/lib/qubes/network-manager-prepare-conf-dir
 usr/lib/qubes/qubes-fix-nm-conf.sh
 usr/lib/qubes/show-hide-nm-applet.sh
--- a/debian/qubes-core-agent-network-manager.postinst
+++ b/debian/qubes-core-agent-network-manager.postinst
@ -0,0 +1,56 @@
 #!/bin/bash
 # postinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The postinst script may be called in the following ways:
 #   * <postinst> 'configure' <most-recently-configured-version>
 #   * <old-postinst> 'abort-upgrade' <new version>
 #   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
 #     <new-version>
 #   * <postinst> 'abort-remove'
 #   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
 #     <failed-install-package> <version> 'removing'
 #     <conflicting-package> <version>
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 case "${1}" in
    configure)
        # Initial installation of package only
        # ($2 contains version number on update; nothing on initial installation)
        if [ -z "${2}" ]; then
            # Create NetworkManager configuration if we do not have it
            if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
                echo '[main]' > /etc/NetworkManager/NetworkManager.conf
                echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
                echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
            fi
            /usr/lib/qubes/qubes-fix-nm-conf.sh
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;
    *)
        echo "postinst called with unknown argument \`${1}'" >&2
        exit 1
        ;;
 esac
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@ -0,0 +1,21 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
 etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
 etc/udev/rules.d/99-qubes-network.rules
 etc/xen/scripts/vif-qubes-nat.sh
 etc/xen/scripts/vif-route-qubes
 lib/systemd/system/qubes-firewall.service
 lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
 usr/lib/qubes/setup-ip
 usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 usr/sbin/qubes-firewall
--- a/debian/qubes-core-agent-passwordless-root.displace
+++ b/debian/qubes-core-agent-passwordless-root.displace
@ -1,4 +1,4 @@
-## This file is part of Whonix.
+## This file is part of Qubes OS.
 ## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
--- a/debian/qubes-core-agent-passwordless-root.displace-extension
+++ b/debian/qubes-core-agent-passwordless-root.displace-extension
--- a/debian/qubes-core-agent-passwordless-root.install
+++ b/debian/qubes-core-agent-passwordless-root.install
@ -0,0 +1,4 @@
 etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 etc/polkit-1/rules.d/00-qubes-allow-all.rules
 etc/pam.d/su.qubes
 etc/sudoers.d/qubes
--- a/debian/qubes-core-agent-passwordless-root.postrm
+++ b/debian/qubes-core-agent-passwordless-root.postrm
@ -0,0 +1,54 @@
 #!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The prerm script may be called in the following ways:
 #   * <postrm> 'remove'
 #   * <postrm> 'purge'
 #   * <old-postrm> 'upgrade' <new-version>
 #   * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
 #
 #     The postrm script is called after the package's files have been removed
 # or replaced. The package whose postrm is being called may have previously been
 # deconfigured and only be "Unpacked", at which point subsequent package changes
 # do not consider its dependencies. Therefore, all postrm actions may only rely
 # on essential packages and must gracefully skip any actions that require the
 # package's dependencies if those dependencies are unavailable.[48]
 #
 #   * <new-postrm> 'failed-upgrade' <old-version>
 #
 #     Called when the old postrm upgrade action fails. The new package will be
 # unpacked, but only essential packages and pre-dependencies can be relied on.
 # Pre-dependencies will either be configured or will be "Unpacked" or
 # "Half-Configured" but previously had been configured and was never removed.
 #
 #   * <new-postrm> 'abort-install'
 #   * <new-postrm> 'abort-install' <old-version>
 #   * <new-postrm> 'abort-upgrade' <old-version>
 #
 #     Called before unpacking the new package as part of the error handling of
 # preinst failures. May assume the same state as preinst can assume.
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "${1}" = "remove" ] ; then
    gpasswd -d user sudo
    if [ "$(passwd -S root|cut -f 2 -d ' ')" = "NP" ]; then
        passwd -l root
    fi
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-passwordless-root.preinst
+++ b/debian/qubes-core-agent-passwordless-root.preinst
@ -0,0 +1,47 @@
 #!/bin/sh
 # preinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The preinst script may be called in the following ways:
 #   * <new-preinst> 'install'
 #   * <new-preinst> 'install' <old-version>
 #   * <new-preinst> 'upgrade' <old-version>
 #
 #     The package will not yet be unpacked, so the preinst script cannot rely
 # on any files included in its package. Only essential packages and
 # pre-dependencies (Pre-Depends) may be assumed to be available.
 # Pre-dependencies will have been configured at least once, but at the time the
 # preinst is called they may only be in an "Unpacked" or "Half-Configured" state
 # if a previous version of the pre-dependency was completely configured and has
 # not been removed since then.
 #
 #
 #  * <old-preinst> 'abort-upgrade' <new-version>
 #
 #    Called during error handling of an upgrade that failed after unpacking the
 # new package because the postrm upgrade action failed. The unpacked files may
 # be partly from the new version or partly missing, so the script cannot rely
 # on files included in the package. Package dependencies may not be available.
 # Pre-dependencies will be at least "Unpacked" following the same rules as
 # above, except they may be only "Half-Installed" if an upgrade of the
 # pre-dependency failed.[46]
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "$1" = "install" ] ; then
    usermod -p '' root
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-qrexec.install
+++ b/debian/qubes-core-agent-qrexec.install
@ -0,0 +1,10 @@
 etc/pam.d/qrexec
 etc/qubes/rpc-config/README
 lib/systemd/system/qubes-qrexec-agent.service
 usr/bin/qrexec-client-vm
 usr/bin/qrexec-fork-server
 usr/lib/qubes/qrexec-agent
 usr/lib/qubes/qrexec-client-vm
 usr/lib/qubes/qrexec_client_vm
 usr/lib/qubes/qubes-rpc-multiplexer
 usr/share/man/man1/qrexec-client-vm.1.gz
--- a/debian/qubes-core-agent-thunar.install
+++ b/debian/qubes-core-agent-thunar.install
@ -0,0 +1,3 @@
 usr/lib/qubes/qvm-actions.sh
 usr/lib/qubes/uca_qubes.xml
 etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
--- a/debian/qubes-core-agent-thunar.postinst
+++ b/debian/qubes-core-agent-thunar.postinst
@ -0,0 +1,58 @@
 #!/bin/bash
 # postinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The postinst script may be called in the following ways:
 #   * <postinst> 'configure' <most-recently-configured-version>
 #   * <old-postinst> 'abort-upgrade' <new version>
 #   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
 #     <new-version>
 #   * <postinst> 'abort-remove'
 #   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
 #     <failed-install-package> <version> 'removing'
 #     <conflicting-package> <version>
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 case "${1}" in
    configure)
        # There is no system-wide Thunar custom actions. There is only a default
        # file and a user file created from the default one. Qubes actions need
        # to be placed after all already defined actions and before </actions>
        # the end of file.
        if [ -f /etc/xdg/Thunar/uca.xml ] ; then
          cp -p /etc/xdg/Thunar/uca.xml /etc/xdg/Thunar/uca.xml.bak
          #shellcheck disable=SC2016
          sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /etc/xdg/Thunar/uca.xml
        fi
        if [ -f /home/user/.config/Thunar/uca.xml ] ; then
          cp -p /home/user/.config/Thunar/uca.xml /home/user/.config/Thunar/uca.xml.bak
          #shellcheck disable=SC2016
          sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /home/user/.config/Thunar/uca.xml
        fi
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;
    *)
        echo "postinst called with unknown argument \`${1}'" >&2
        exit 1
        ;;
 esac
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent-thunar.postrm
+++ b/debian/qubes-core-agent-thunar.postrm
@ -0,0 +1,57 @@
 #!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
 set -e
 # The prerm script may be called in the following ways:
 #   * <postrm> 'remove'
 #   * <postrm> 'purge'
 #   * <old-postrm> 'upgrade' <new-version>
 #   * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
 #
 #     The postrm script is called after the package's files have been removed
 # or replaced. The package whose postrm is being called may have previously been
 # deconfigured and only be "Unpacked", at which point subsequent package changes
 # do not consider its dependencies. Therefore, all postrm actions may only rely
 # on essential packages and must gracefully skip any actions that require the
 # package's dependencies if those dependencies are unavailable.[48]
 #
 #   * <new-postrm> 'failed-upgrade' <old-version>
 #
 #     Called when the old postrm upgrade action fails. The new package will be
 # unpacked, but only essential packages and pre-dependencies can be relied on.
 # Pre-dependencies will either be configured or will be "Unpacked" or
 # "Half-Configured" but previously had been configured and was never removed.
 #
 #   * <new-postrm> 'abort-install'
 #   * <new-postrm> 'abort-install' <old-version>
 #   * <new-postrm> 'abort-upgrade' <old-version>
 #
 #     Called before unpacking the new package as part of the error handling of
 # preinst failures. May assume the same state as preinst can assume.
 #
 #    For details, see http://www.debian.org/doc/debian-policy/ or
 # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
 # the debian-policy package
 if [ "${1}" = "remove" ] ; then
  if [ -f /etc/xdg/Thunar/uca.xml ] ; then
    mv /etc/xdg/Thunar/uca.xml /etc/xdg/Thunar/uca.xml.uninstall
    mv /etc/xdg/Thunar/uca.xml.bak /etc/xdg/Thunar/uca.xml
  fi
  if [ -f /home/user/.config/Thunar/uca.xml ] ; then
    mv /home/user/.config/Thunar/uca.xml /home/user/.config/Thunar/uca.xml.uninstall
    mv /home/user/.config/Thunar/uca.xml.bak /home/user/.config/Thunar/uca.xml
  fi
 fi
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.
 #DEBHELPER#
 exit 0
 # vim: set ts=4 sw=4 sts=4 et :
--- a/debian/qubes-core-agent.dirs
+++ b/debian/qubes-core-agent.dirs
@ -1,4 +1,11 @@
 etc/qubes/protected-files.d
 etc/systemd/system
 etc/qubes
 etc/qubes/autostart
 etc/qubes/suspend-post.d
 etc/qubes/suspend-pre.d
 usr/lib/qubes-bind-dirs.d
 lib/modules
 var/lib/qubes
 var/lib/qubes/dom0-updates
 rw
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@ -0,0 +1,147 @@
 etc/X11/xorg-preload-apps.conf
 etc/apt/apt.conf.d/00notify-hook
 etc/apt/apt.conf.d/70no-unattended
 etc/apt/sources.list.d/qubes-r4.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/dconf/db/local.d/dpi
 etc/default/grub.d/30-qubes.cfg
 etc/fstab
 etc/needrestart/conf.d/50_qubes.conf
 etc/profile.d/qt_x11_no_mitshm.sh
 etc/qubes-rpc/qubes.Backup
 etc/qubes-rpc/qubes.DetachPciDevice
 etc/qubes-rpc/qubes.Filecopy
 etc/qubes-rpc/qubes.GetAppmenus
 etc/qubes-rpc/qubes.GetImageRGBA
 etc/qubes-rpc/qubes.InstallUpdatesGUI
 etc/qubes-rpc/qubes.OpenInVM
 etc/qubes-rpc/qubes.OpenURL
 etc/qubes-rpc/qubes.PostInstall
 etc/qubes-rpc/qubes.ResizeDisk
 etc/qubes-rpc/qubes.Restore
 etc/qubes-rpc/qubes.SelectDirectory
 etc/qubes-rpc/qubes.SelectFile
 etc/qubes-rpc/qubes.SetDateTime
 etc/qubes-rpc/qubes.StartApp
 etc/qubes-rpc/qubes.SuspendPost
 etc/qubes-rpc/qubes.SuspendPostAll
 etc/qubes-rpc/qubes.SuspendPre
 etc/qubes-rpc/qubes.SuspendPreAll
 etc/qubes-rpc/qubes.VMShell
 etc/qubes-rpc/qubes.VMRootShell
 etc/qubes-rpc/qubes.WaitForSession
 etc/qubes-rpc/qubes.GetDate
 etc/qubes-suspend-module-blacklist
 etc/qubes/autostart/*
 etc/qubes/post-install.d/README
 etc/qubes/post-install.d/*.sh
 etc/qubes/rpc-config/qubes.OpenInVM
 etc/qubes/rpc-config/qubes.OpenURL
 etc/qubes/rpc-config/qubes.SelectFile
 etc/qubes/rpc-config/qubes.SelectDirectory
 etc/qubes/rpc-config/qubes.StartApp
 etc/qubes/rpc-config/qubes.InstallUpdatesGUI
 etc/qubes/rpc-config/qubes.VMShell+WaitForSession
 etc/qubes/suspend-post.d/README
 etc/qubes/suspend-post.d/*.sh
 etc/qubes/suspend-pre.d/README
 etc/sudoers.d/qt_x11_no_mitshm
 etc/sudoers.d/umask
 etc/sysctl.d/20_tcp_timestamps.conf
 etc/sysctl.d/80-qubes.conf
 etc/systemd/system/haveged.service
 etc/udev/rules.d/50-qubes-misc.rules
 lib/modules-load.d/qubes-core.conf
 lib/systemd/system-preset/75-qubes-vm.preset
 lib/systemd/system/ModemManager.service.d/30_qubes.conf
 lib/systemd/system/NetworkManager-wait-online.service.d/30_qubes.conf
 lib/systemd/system/NetworkManager.service.d/30_qubes.conf
 lib/systemd/system/anacron-resume.service.d/30_qubes.conf
 lib/systemd/system/anacron.service.d/30_qubes.conf
 lib/systemd/system/avahi-daemon.service.d/30_qubes.conf
 lib/systemd/system/chronyd.service.d/30_qubes.conf
 lib/systemd/system/cron.service.d/30_qubes.conf
 lib/systemd/system/cups.path.d/30_qubes.conf
 lib/systemd/system/cups.service.d/30_qubes.conf
 lib/systemd/system/cups.socket.d/30_qubes.conf
 lib/systemd/system/cups-browsed.service.d/30_qubes.conf
 lib/systemd/system/exim4.service.d/30_qubes.conf
 lib/systemd/system/getty@tty.service.d/30_qubes.conf
 lib/systemd/system/netfilter-persistent.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.path.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.socket.d/30_qubes.conf
 lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
 lib/systemd/system/qubes-rootfs-resize.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
 lib/systemd/system/qubes-updates-proxy-forwarder@.service
 lib/systemd/system/qubes-updates-proxy-forwarder.socket
 lib/systemd/system/qubes-sync-time.service
 lib/systemd/system/qubes-sync-time.timer
 lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf
 lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf
 lib/systemd/system/tmp.mount.d/30_qubes.conf
 lib/systemd/system/tor.service.d/30_qubes.conf
 lib/systemd/system/tor@default.service.d/30_qubes.conf
 lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf
 usr/bin/qubes-desktop-run
 usr/bin/qubes-open
 usr/bin/qubes-session-autostart
 usr/bin/qubes-run-terminal
 usr/bin/qvm-copy
 usr/bin/qvm-copy-to-vm
 usr/bin/qvm-features-request
 usr/bin/qvm-move
 usr/bin/qvm-move-to-vm
 usr/bin/qvm-open-in-dvm
 usr/bin/qvm-open-in-vm
 usr/bin/qvm-run-vm
 usr/bin/qvm-sync-clock
 usr/bin/xenstore-watch-qubes
 usr/lib/python2.7/dist-packages/qubesagent-*.egg-info/*
 usr/lib/python2.7/dist-packages/qubesagent/*
 usr/lib/qubes-bind-dirs.d/30_cron.conf
 usr/lib/qubes/close-window
 usr/lib/qubes/init/bind-dirs.sh
 usr/lib/qubes/init/control-printer-icon.sh
 usr/lib/qubes/init/functions
 usr/lib/qubes/init/misc-post-stop.sh
 usr/lib/qubes/init/misc-post.sh
 usr/lib/qubes/init/mount-dirs.sh
 usr/lib/qubes/init/qubes-early-vm-config.sh
 usr/lib/qubes/init/qubes-random-seed.sh
 usr/lib/qubes/init/qubes-sysinit.sh
 usr/lib/qubes/init/resize-rootfs-if-needed.sh
 usr/lib/qubes/init/setup-rw.sh
 usr/lib/qubes/init/setup-rwdev.sh
 usr/lib/qubes/prepare-suspend
 usr/lib/qubes/qfile-agent
 usr/lib/qubes/qfile-unpacker
 usr/lib/qubes/qopen-in-vm
 usr/lib/qubes/qubes-sync-clock
 usr/lib/qubes/qrun-in-vm
 usr/lib/qubes/qubes-trigger-sync-appmenus.sh
 usr/lib/qubes/qvm-copy-to-vm.gnome
 usr/lib/qubes/qvm-copy-to-vm.kde
 usr/lib/qubes/qvm-move-to-vm.gnome
 usr/lib/qubes/qvm-move-to-vm.kde
 usr/lib/qubes/resize-rootfs
 usr/lib/qubes/tar2qfile
 usr/lib/qubes/update-proxy-configs
 usr/lib/qubes/upgrades-installed-check
 usr/lib/qubes/upgrades-status-notify
 usr/lib/qubes/vm-file-editor
 usr/lib/qubes/xdg-icon
 usr/lib/systemd/user/pulseaudio.service.d/30_qubes.conf
 usr/lib/systemd/user/pulseaudio.socket.d/30_qubes.conf
 usr/share/glib-2.0/schemas/*
 usr/share/kde4/services/*.desktop
 usr/share/kservices5/ServiceMenus/*.desktop
 usr/share/applications/*.desktop
 usr/share/man/man1/qvm-*
 usr/share/qubes/mime-override/globs
 usr/share/qubes/qubes-master-key.asc
--- a/debian/qubes-core-agent.links
+++ b/debian/qubes-core-agent.links
@ -0,0 +1,3 @@
 ## compatibility symlink
 ## https://github.com/QubesOS/qubes-issues/issues/2191
 /usr/lib/qubes/init/bind-dirs.sh /usr/lib/qubes/bind-dirs.sh
--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@ -22,35 +22,74 @@ set -e
 debug() {
    if [ "${DEBDEBUG}" == "1" ]; then
-        echo -e ""$@""
+        echo -e "$@"
    fi
 }
-systemdPreload() {
+is_static() {
-    # Debian systemd helper does not yet honour preset, therefore use
+    [ -f "/lib/sytemd/system/$1" ] && ! grep -q '^[[].nstall]' "/lib/systemd/system/$1"
-    # systemctl preset on each unit file (not using preset-all either since
+}
    # wheezy does not support it) listed in 75-qubes-vm.preset.
-    systemctl --no-reload preset-all > /dev/null 2>&1 && PRESET_FAILED=0 || PRESET_FAILED=1
+is_masked() {
    if [ ! -L /etc/systemd/system/"$1" ]
    then
       return 1
    fi
    target=$(readlink /etc/systemd/system/"$1" 2>/dev/null || :)
    if [ "$target" = "/dev/null" ]
    then
       return 0
    fi
    return 1
 }
-    # Mask any static unit files that are marked to be disabled
+mask() {
-    grep '^[[:space:]]*[^#;]' /lib/systemd/system-preset/75-qubes-vm.preset | while read action unit_name; do
+    ln -sf /dev/null /etc/systemd/system/"$1"
-        case "${action}" in
+}
-        disable)
+
-            if [ -e "/lib/systemd/system/${unit_name}" ]; then
+unmask() {
-                if ! fgrep -q '[Install]' "/lib/systemd/system/${unit_name}"; then
+    if ! is_masked "$1"
    then
        return 0
    fi
    rm -f /etc/systemd/system/"$1"
 }
 preset_units() {
    local represet=
    while read -r action unit_name
    do
        if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]
        then
            represet=1
            continue
        fi
        echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
        if ! [ -n "$action" ] || ! [ -n "$unit_name" ]; then
            continue
        fi
        if [ "$2" = "initial" ] || [ "$represet" = "1" ]
        then
            if [ "$action" = "disable" ] && is_static "$unit_name"
            then
                if ! is_masked "$unit_name"
                then
                    # We must effectively mask these units, even if they are static.
                    deb-systemd-helper mask "${unit_name}" > /dev/null 2>&1 || true
                fi
            elif [ "$action" = "enable" ] && is_static "$unit_name"
            then
                if is_masked "$unit_name"
                then
                    # We masked this static unit before, now we unmask it.
                    deb-systemd-helper unmask "${unit_name}" > /dev/null 2>&1 || true
                fi
-            ;;
+                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
-        *)
+            else
-            # preset-all is not available in wheezy; so preset each unit file listed in 75-qubes-vm.preset
+                systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
            if [ "${PRESET_FAILED}" -eq 1 ]; then
                systemctl --no-reload preset "${unit_name}" > /dev/null 2>&1 || true
            fi
-            ;;
+        fi
-        esac
+    done < "$1"
    done
    systemctl daemon-reload
 }
@ -69,48 +108,44 @@ case "${1}" in
        if [ -z "${2}" ]; then
            debug "FIRST INSTALL..."
            # Create NetworkManager configuration if we do not have it
            if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
                echo '[main]' > /etc/NetworkManager/NetworkManager.conf
                echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
                echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
            fi
            /usr/lib/qubes/qubes-fix-nm-conf.sh
            # Location of files which contains list of protected files
-            PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+            # shellcheck source=init/functions
            . /usr/lib/qubes/init/functions
            # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
            # in the form expected by qubes-sysinit.sh
-            if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+            if ! is_protected_file /etc/hostname ; then
                for ip in '127\.0\.1\.1' '::1'; do
                    if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
-                        sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
+                        sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
-                        sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts || true
+                        sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts || true
                    else
-                        echo "${ip//\\/} `hostname`" >> /etc/hosts || true
+                        echo "${ip//\\/} $(hostname)" >> /etc/hosts || true
                    fi
                done
            fi
            # remove hostname from 127.0.0.1 line (in debian the hostname is by default
            # resolved to 127.0.1.1)
-            if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+            if ! is_protected_file /etc/hosts ; then
-                sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
+                sed -i "/^127\.0\.0\.1\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts || true
            fi
            chown user:user /home_volatile/user
            # Set default "runlevel"
            rm -f /etc/systemd/system/default.target
            ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
            # Systemd preload-all
-            systemdPreload
+            preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
            # Maybe install overridden serial.conf init script
            installSerialConf
        else
            preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
        fi
        systemctl reenable haveged
        chgrp user /var/lib/qubes/dom0-updates
        debug "UPDATE..."
        # disable some Upstart services
@ -123,17 +158,48 @@ case "${1}" in
        done
        dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --rename --add /etc/init/serial.conf
        if [ ! -L /etc/systemd/system/rpcbind.service ]; then
            ln -s /dev/null /etc/systemd/system/rpcbind.service
        fi
        # Remove old firmware updates link
        if [ -L /lib/firmware/updates ]; then
            rm -f /lib/firmware/updates
        fi
        # convert /usr/local symlink to a mount point
        if [ -L /usr/local ]; then
            rm -f /usr/local
            mkdir /usr/local
            mount /usr/local || :
        fi
        # remove old symlinks
        if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]; then
            rm /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
        fi
        if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]; then
            rm /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
        fi
        if ! dpkg-statoverride --list /var/lib/qubes/dom0-updates >/dev/null 2>&1; then
            dpkg-statoverride --update --add user user 775 /var/lib/qubes/dom0-updates
        fi
-        # Update Qubes App Menus
+        glib-compile-schemas /usr/share/glib-2.0/schemas || true
-        /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+
        if ! [ -r /etc/dconf/profile/user ]; then
            mkdir -p /etc/dconf/profile
            echo "user-db:user" >> /etc/dconf/profile/user
            echo "system-db:local" >> /etc/dconf/profile/user
        fi
        if [ -x /usr/bin/dconf ]; then
            dconf update
        fi
        # tell dom0 about installed updates (applications, features etc)
        /etc/qubes-rpc/qubes.PostInstall || true
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
@ -145,8 +211,8 @@ case "${1}" in
            case "${trigger}" in
                /usr/share/applications)
-                    debug "Updating Qubes App Menus..."
+                    debug "Updating Qubes App Menus and advertising features..."
-                    /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+                    /etc/qubes-rpc/qubes.PostInstall || true
                    ;;
                # Install overridden serial.conf init script
--- a/debian/qubes-core-agent.postrm
+++ b/debian/qubes-core-agent.postrm
@ -43,7 +43,7 @@ if [ "${1}" = "remove" ] ; then
        rm /lib/firmware/updates
    fi
-    for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+    for srv in qubes-sysinit qubes-misc-post qubes-network qubes-qrexec-agent; do
        systemctl disable ${srv}.service
    done
 fi
--- a/debian/qubes-core-agent.preinst
+++ b/debian/qubes-core-agent.preinst
@ -44,13 +44,12 @@ if [ "$1" = "install" ] ; then
    # User add / modifications
    # --------------------------------------------------------------------------
    id -u 'user' >/dev/null 2>&1 || {
-        useradd --password "" --user-group --create-home --shell /bin/bash user
+        useradd --user-group --create-home --shell /bin/bash user
    }
    id -u 'tinyproxy' >/dev/null 2>&1 || {
        useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy
    }
-    usermod -p '' root
+    usermod -L -a --groups qubes user
    usermod -L -a --groups qubes,sudo user
    # --------------------------------------------------------------------------
    # Remove `mesg` from root/.profile?
--- a/debian/qubes-core-agent.undisplace
+++ b/debian/qubes-core-agent.undisplace
@ -0,0 +1,2 @@
 # moved to qubes-core-agent-passwordless-root
 /etc/pam.d/su.qubes
--- a/debian/rules
+++ b/debian/rules
@ -3,12 +3,13 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 export PYTHON_PREFIX_ARG=--install-layout=deb
 include /usr/share/dpkg/default.mk
-export DESTDIR=$(shell pwd)/debian/qubes-core-agent
+export DESTDIR=$(shell pwd)/debian/tmp
 %:
-	dh $@ --with systemd --with=config-package
+	dh $@ --with systemd,python2 --with=config-package
 override_dh_auto_build:
 	make all
@ -22,3 +23,6 @@ override_dh_fixperms:
 override_dh_systemd_start:
 	dh_systemd_start --no-restart-on-upgrade
 override_dh_install:
 	dh_install --fail-missing
--- a/doc/Makefile
+++ b/doc/Makefile
@ -23,7 +23,7 @@ install: manpages
 manpages: $(QVM_DOCS) $(QUBES_DOCS) $(VM_DOCS)
 preview:	$(rst)
-	pandoc -s -f rst -t man $(rst) | groff -mandoc -Tlatin1 | less -R
+	$(PANDOC) $(rst) | groff -mandoc -Tlatin1 | less -R
 clean:
 	rm -f $(VM_DOCS)
--- a/doc/vm-tools/qrexec-client-vm.rst
+++ b/doc/vm-tools/qrexec-client-vm.rst
@ -0,0 +1,85 @@
 ================
 qrexec-client-vm
 ================
 NAME
 ====
 qrexec-client-vm - call Qubes RPC service
 SYNOPSIS
 ========
 | qrexec-client-vm [--buffer-size=*BUFFER_SIZE*] *target_vmname* *service* [*local_program* [*local program arguments*]]
 DESCRIPTION
 ===========
 Call Qubes RPC (aka qrexec) service to a different VM. The service call request
 is sent to dom0, where Qubes RPC policy is evaluated and when it allows the
 call, it is forwarded to appropriate target VM (which may be different than
 requested, if policy says so). Local program (if given) is started only
 when service call is allowed by the policy.
 Remote service can communicate with the caller (``qrexec-client-vm``) using
 stdin/stdout.  When *local_program* is given, its stdin/stdout is connected to
 service stdin/stdout (stderr is not redirected), otherwise - service
 stdin/stdout is connected to those of ``qrexec-client-vm``.
 OPTIONS
 =======
 --buffer-size=*BUFFER_SIZE*
    Optional buffer size for vchan connection. This size is used as minimum
    size for a buffer in each connection direction (read and write).
    Default: 64KiB.
 *target_vmname*
    Name of target VM to which service is requested. Qubes RPC policy may
    ignore this value and redirect call somewhere else.
    This argument, can contain VM name, or one of special values:
    * ``$default`` or empty string - let Qubes RPC policy decide, without giving any preference 
    * ``$dispvm`` - new Disposable VM
    * ``$dispvm:dispvm-template`` - new Disposable VM based on *dispvm-template*
    This field is limited to 31 characters (alphanumeric, plus ``-_.$``).
 *service*
    Requested service. Besides service name, it can contain a service argument
    after ``+`` character. For example ``some.service+argument``.
    This field is limited to 63 characters (alphanumeric, plus ``-_.$+``).
 *local_program*
    Full path to local program to be connected with remote service. Optional.
 *local program arguments*
    Arguments to *local_program*. Optional.
 EXIT STATUS
 ===========
 If service call is allowed by dom0 and ``qrexec-client-vm`` is started without
 *local_program* argument, it reports remote service exit code.
 If service call is allowed by dom0 and ``qrexec-client-vm`` is started with
 *local_program* argument, it reports the local program exit code. There is no
 way to learn exit code of remote service in this case.
 In both cases, if process (local or remote) was terminated by a signal, exit
 status is 128+signal number.
 If service call is denied by dom0, ``qrexec-client-vm`` exit with status 126.
 AUTHORS
 =======
 | Joanna Rutkowska <joanna at invisiblethingslab dot com>
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>
--- a/doc/vm-tools/qvm-copy-to-vm.rst
+++ b/doc/vm-tools/qvm-copy-to-vm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-copy-to-vm - copy specified files to specified destination VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-copy-to-vm [--without-progress] dest_vmname file [file]+
--- a/doc/vm-tools/qvm-open-in-dvm.rst
+++ b/doc/vm-tools/qvm-open-in-dvm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-open-in-dvm - open a specified file in disposable VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-open-in-dvm filename
--- a/doc/vm-tools/qvm-open-in-vm.rst
+++ b/doc/vm-tools/qvm-open-in-vm.rst
@ -6,8 +6,6 @@ NAME
 ====
 qvm-open-in-vm - open a specified file in other VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
 | qvm-open-in-vm vmname filename
--- a/doc/vm-tools/qvm-run-vm.rst
+++ b/doc/vm-tools/qvm-run-vm.rst
@ -1,16 +1,14 @@
-=======
+==========
-qvm-run
+qvm-run-vm
-=======
+==========
 NAME
 ====
-qvm-run - run a specified command in a specified VM
+qvm-run-vm - run a specified command in a specified VM
 :Date:   2012-05-30
 SYNOPSIS
 ========
-| qvm-run vmname command [aguments]
+| qvm-run-vm vmname command [aguments]
 OPTIONS
 =======
--- a/init/control-printer-icon.sh
+++ b/init/control-printer-icon.sh
@ -0,0 +1,15 @@
 #!/bin/bash
 # Source Qubes library.
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
 if ! is_fully_persistent && test -f /etc/xdg/autostart/print-applet.desktop ; then
 	if qsvc cups ; then
 		# Allow also notification icon
 		sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
 	else
 		# Disable notification icon
 		sed -i -e '/QUBES/!s/^NotShowIn=\(.*\)/NotShowIn=QUBES;\1/' /etc/xdg/autostart/print-applet.desktop
 	fi
 fi
--- a/init/functions
+++ b/init/functions
@ -0,0 +1,188 @@
 #!/bin/bash
 # Location of files which contains list of protected files
 PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 qsvc() {
    # Returns whether a service is enabled.
    # Usage: qsvc <nameofservice>
    #
    # Must only be used after qubes-sysinit has started.
    # See qsvc_early for more information.
    local count=100
    while [ ! -e /var/run/qubes-service-environment ] ; do
        if [ "$count" = "0" ] ; then
            echo "qsvc: Warning: qubes-sysinit has not finished executing yet" >&2
            break
        fi
        sleep 0.1
        count=$(( count - 1 ))
    done
    [ -e /var/run/qubes-service/"$1" ]
 }
 under_systemd() {
    pidof systemd >/dev/null 2>&1
 }
 systemd_version_changed() {
    under_systemd || return
    systemd_pkg_version=$(systemctl --version|head -n 1)
    if dmesg | grep -q "$systemd_pkg_version running in system mode."; then
        return 1
    fi
    return 0
 }
 possibly_run_save_script() {
    ENCODED_SCRIPT=$(qubesdb-read /qubes-save-script)
    if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
    tmpfile=$(mktemp /tmp/qubes-save-script.XXXXXXXXX)
    echo "$ENCODED_SCRIPT"|base64 -d >"$tmpfile"
    chmod 755 "$tmpfile"
    DISPLAY=:0 su - user -c "$tmpfile"
    ret=$?
    rm -f "$tmpfile"
    return $ret
 }
 have_qubesdb() {
    # Tests whether qubesdb-read exists and can be executed.
    type qubesdb-read >/dev/null 2>&1
 }
 have_qrexec_agent() {
    # Tests whether qrexec-agent exists and can be executed.
    PATH=/usr/lib/qubes type qrexec-agent >/dev/null 2>&1
 }
 qubes_vm_type() {
    qubesdb-read /qubes-vm-type
 }
 is_netvm() {
    [ "$(qubes_vm_type)" = "NetVM" ]
 }
 is_appvm() {
    [ "$(qubes_vm_type)" = "AppVM" ]
 }
 is_proxyvm() {
    [ "$(qubes_vm_type)" = "ProxyVM" ]
 }
 is_templatevm() {
    [ "$(qubes_vm_type)" = "TemplateVM" ]
 }
 is_dispvm() {
    [ "$(qubes_vm_type)" = "DisposableVM" ]
 }
 is_fully_persistent() {
    [ "$(qubesdb-read /qubes-vm-persistence)" = "full" ]
 }
 is_rwonly_persistent() {
    [ "$(qubesdb-read /qubes-vm-persistence)" = "rw-only" ]
 }
 is_updateable() {
    [ "$(qubesdb-read /qubes-vm-updateable)" = "True" ]
 }
 reload_random_seed() {
    local seed
    seed=$(qubesdb-read /qubes-random-seed)
    echo "$seed" | base64 -d > /dev/urandom
    qubesdb-rm /qubes-random-seed
 }
 is_protected_file() {
    grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" "$PROTECTED_FILE_LIST" 2>/dev/null
 }
 umount_retry() {
    local count=5
    while mountpoint -q "$1" ; do
        if umount "$1" ; then break ; fi
        echo "Something prevents unmounting $1:" >&2
        fuser -vmM "$1" >&2
        if [ "$count" = "0" ] ; then
            return 1
        fi
        sleep 5
        count=$(( count - 1 ))
    done
    return 0
 }
 initialize_home() {
    local home_root
    local mode
    #local user
    local uid
    local gid
    local homedir
    local homedirwithouthome
    local pair
    local homedir_uid
    local homedir_gid
    local waitpid
    local waitpids
    home_root="$1"
    mode="$2"
    if [ -z "$home_root" ] ; then
        echo "initialize_home() needs a target home root directory, such as /rw/home, as first parameter" >&2
        return 64
    fi
    if [ "$mode" != "unconditionally" ] && [ "$mode" != "ifneeded" ] ; then
        echo "initialize_home() second parameter must be 'unconditionally' or 'ifneeded'" >&2
        return 64
    fi
    if ! [ -d "$home_root" ] ; then
        echo "initialize_home: populating $home_root" >&2
        mkdir -p "$home_root"
    fi
    # Chown home if users' UIDs have changed - can be the case on template switch.
    for pair in $(getent passwd | awk -F : '/\/home/ { print $1":"$3":"$4":"$6 } ') ; do
        #user=$(echo "$pair" | awk -F : ' { print $1 } ')
        uid=$(echo "$pair" | awk -F : ' { print $2 } ')
        gid=$(echo "$pair" | awk -F : ' { print $3 } ')
        homedir=$(echo "$pair" | awk -F : ' { print $4 } ')
        homedirwithouthome=${homedir#/home/}
        if ! test -d "$home_root/$homedirwithouthome" || [ "$mode" = "unconditionally" ] ; then
            echo "initialize_home: populating $mode $home_root/$homedirwithouthome from /etc/skel" >&2
            mkdir -p "$home_root/$homedirwithouthome"
            cp -af -T /etc/skel "$home_root/$homedirwithouthome"
            echo "initialize_home: adjusting permissions $mode on $home_root/$homedirwithouthome" >&2
            chown -R "$uid" "$home_root/$homedirwithouthome" &
            waitpids="$!"
            chgrp -R "$gid" "$home_root/$homedirwithouthome" &
            waitpids="$waitpids $!"
            chmod 700 "$home_root/$homedirwithouthome" &
            waitpids="$waitpids $!"
            for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
        fi
        waitpids=
        homedir_uid=$(stat --format=%u "$home_root/$homedirwithouthome")
        homedir_gid=$(stat --format=%g "$home_root/$homedirwithouthome")
        if [ "$uid" -ne "$homedir_uid" ]; then
            echo "initialize_home: adjusting ownership on $home_root/$homedirwithouthome to $uid" >&2
            find "$home_root/$homedirwithouthome" -uid "$homedir_uid" -print0 | xargs -0 chown "$uid" &
            waitpids="$waitpids $!"
        fi
        if [ "$gid" -ne "$homedir_gid" ]; then
            echo "initialize_home: adjusting groupship on $home_root/$homedirwithouthome to $gid" >&2
            find "$home_root/$homedirwithouthome" -gid "$homedir_gid" -print0 | xargs -0 chgrp "$gid" &
            waitpids="$waitpids $!"
        fi
        for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
    done
 }
--- a/init/resize-rootfs-if-needed.sh
+++ b/init/resize-rootfs-if-needed.sh
@ -0,0 +1,28 @@
 #!/bin/sh
 # Possibly resize root device (partition, filesystem), if underlying device was
 # enlarged.
 set -e
 # if underlying root device is read-only, don't do anything
 if [ "$(blockdev --getro /dev/xvda)" -eq "1" ]; then
    echo "xvda is read-only, not resizing" >&2
    exit 0
 fi
 sysfs_xvda="/sys/class/block/xvda"
 # if root filesystem use already (almost) the whole dis
 non_rootfs_data=$(( 250 * 1024 * 2 ))
 rootfs_size=$(df --output=size / | tail -n 1)
 # convert to 512-byte blocks
 rootfs_size=$(( rootfs_size * 2 ))
 if [ "$(cat "$sysfs_xvda/size")" -lt \
       $(( non_rootfs_data + rootfs_size )) ]; then
   echo "root filesystem already at $rootfs_size blocks" >&2
   exit 0
 fi
 # resize needed, do it
 /usr/lib/qubes/resize-rootfs
--- a/init/setup-rw.sh
+++ b/init/setup-rw.sh
@ -0,0 +1,77 @@
 #!/bin/sh
 dev=/dev/xvdb
 if mountpoint -q /rw ; then
    # This means /rw is mounted now.
    echo "Checking /rw" >&2
    echo "Private device size management: enlarging $dev" >&2
    if content=$(resize2fs "$dev" 2>&1) ; then
        echo "Private device size management: resize2fs of $dev succeeded" >&2
    else
        echo "Private device size management: resize2fs $dev failed:" >&2
        echo "$content" >&2
    fi
    if ! [ -d /rw/config ] ; then
        echo "Virgin boot of the VM: populating /rw/config" >&2
        mkdir -p /rw/config
        touch /rw/config/rc.local
        cat > /rw/config/rc.local <<EOF
 #!/bin/sh
 # This script will be executed at every VM startup, you can place your own
 # custom commands here. This include overriding some configuration in /etc,
 # starting services etc.
 # Example for overriding the whole CUPS configuration:
 #  rm -rf /etc/cups
 #  ln -s /rw/config/cups /etc/cups
 #  systemctl --no-block restart cups
 EOF
        chmod 755 /rw/config/rc.local
        touch /rw/config/qubes-firewall-user-script
        cat > /rw/config/qubes-firewall-user-script <<EOF
 #!/bin/sh
 # This script is called in AppVMs after every firewall update (configuration
 # change, starting some VM etc). This is good place to write own custom
 # firewall rules, in addition to autogenerated ones. Remember that in most cases
 # you'll need to insert the rules at the beginning (iptables -I) for it to be
 # efective.
 EOF
        chmod 755 /rw/config/qubes-firewall-user-script
        touch /rw/config/suspend-module-blacklist
        cat > /rw/config/suspend-module-blacklist <<EOF
 # You can list modules here that you want to be unloaded before going to sleep. This
 # file is used only if the VM has any PCI device assigned. Modules will be
 # automatically re-loaded after resume.
 EOF
    fi
    if ! [ -d /rw/usrlocal ] ; then
        if [ -d /usr/local.orig ] ; then
            echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2
            cp -af /usr/local.orig /rw/usrlocal
        else
            echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
            mkdir -p /rw/usrlocal
        fi
    fi
    echo "Finished checking /rw" >&2
 fi
 # Old Qubes versions had symlink /home -> /rw/home; now we use mount --bind
 if [ -L /home ]; then
    rm /home
    mkdir /home
 fi
 if [ ! -e /var/lib/qubes/first-boot-completed ]; then
    touch /var/lib/qubes/first-boot-completed
 fi
--- a/init/setup-rwdev.sh
+++ b/init/setup-rwdev.sh
@ -0,0 +1,40 @@
 #!/bin/sh
 set -e
 dev=/dev/xvdb
 max_size=1073741824  # check at most 1 GiB
 if [ -e "$dev" ] ; then
    # The private /dev/xvdb device is present.
    # check if private.img (xvdb) is empty - all zeros
    private_size=$(( $(blockdev --getsz "$dev") * 512))
    if [ $private_size -gt $max_size ]; then
        private_size=$max_size
    fi
    if cmp --bytes $private_size "$dev" /dev/zero >/dev/null && { blkid -p "$dev" >/dev/null; [ $? -eq 2 ]; }; then
        # the device is empty, create filesystem
        echo "Virgin boot of the VM: creating private.img filesystem on $dev" >&2
        if ! content=$(mkfs.ext4 -m 0 -q "$dev" 2>&1) ; then
            echo "Virgin boot of the VM: creation of private.img on $dev failed:" >&2
            echo "$content" >&2
            echo "Virgin boot of the VM: aborting" >&2
            exit 1
        fi
        if ! content=$(tune2fs -m 0 "$dev" 2>&1) ; then
            echo "Virgin boot of the VM: marking free space on $dev as usable failed:" >&2
            echo "$content" >&2
            echo "Virgin boot of the VM: aborting" >&2
            exit 1
        fi
    fi
    echo "Private device management: checking $dev" >&2
    if content=$(fsck.ext4 -p "$dev" 2>&1) ; then
        echo "Private device management: fsck.ext4 of $dev succeeded" >&2
    else
        echo "Private device management: fsck.ext4 $dev failed:" >&2
        echo "$content" >&2
    fi
 fi
--- a/misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override
+++ b/misc/20_org.gnome.desktop.wm.preferences.qubes.gschema.override
@ -0,0 +1,2 @@
 [org.gnome.desktop.wm.preferences]
 button-layout='appmenu:'
--- a/misc/20_org.gnome.nautilus.qubes.gschema.override
+++ b/misc/20_org.gnome.nautilus.qubes.gschema.override
--- a/misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override
+++ b/misc/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override
--- a/misc/20_org.mate.NotificationDaemon.qubes.gschema.override
+++ b/misc/20_org.mate.NotificationDaemon.qubes.gschema.override
--- a/misc/30_cron.conf
+++ b/misc/30_cron.conf
@ -0,0 +1 @@
 binds+=( '/var/spool/cron' )
--- a/misc/Makefile
+++ b/misc/Makefile
@ -23,7 +23,7 @@ python2:
 python3:
 	rm -rf py3
 	mkdir -p py3
-	cp dnf-qubes-hooks.py xdg.py py3/
+	cp dnf-qubes-hooks.py py3/
 	python3 -m compileall py3
 	python3 -O -m compileall py3
--- a/misc/RPM-GPG-KEY-qubes-3-primary
+++ b/misc/RPM-GPG-KEY-qubes-3-primary
@ -1,40 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 mQINBFRsmtIBEAC7UgrYFrkPpSxjRoT9OmU0JqYmzLBqzRRdHCtakTdN8pRl/yE/
 zQHvmPnrQ57u45KtxY7EYveWC6RtNEw9IVvyQZp6jGQ05ljhwkNKfxKZcGvT4Qd4
 oCcXdKzGOjsw/mW0saklcrBdm7PiEhQvC0Oc66RreNeZ/2INQALVZLv808KLlNHs
 uK9u/mjrT/A3RpzvFYvVnPJPJFjnYyGM8cVysCez4yeH9nymbLLD73pZyKhSU5Uo
 x3LJKMfIUee0N677Lb45iM+iHW+kcHay3i7tev0xkm08V61ym2YwCJxIpMCvryvK
 h1kScMeAOLsHkZpsqoXuSy8GFz1gKiZFCaiuF+ojRSXcN221Exfz/pF47aMd7Sm3
 0hSQk6Om9DESrzDXm85czq7Taw48NL35nCoPUqNfAP+BknSz79KoNkPDGP9+ps34
 S9o401dygAZToQNTJNuJeZwEVEBykRlsoeR/C9CTsSZMufBGBS9805h31FoZ3ePv
 ITTaZidVWxUnRn4mlcYlfUEniyrmtc8IG0SZQZ+AQu0BgDZ/oV2LsS/g+YbN6qjF
 LczBCWPngXUYvmm0syPdGfPQZJCnvwnEpPoRq+bqknLUN/EzEihbILR9gaO0U/XR
 9+EB796N973+v6HsKxKmfJMqkIXa+PhLvfWVs3ZZnM6USTpA0DYHpvcVIwARAQAB
 tB5RdWJlcyBPUyBSZWxlYXNlIDMgU2lnbmluZyBLZXmJAjgEEwECACIFAlRsmtIC
 GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMsRyh0D+lCCAyUP/jM+dKCC
 WIjTAFzdudJFfznjFjiggI7EdNJYpMd3FP8Gq53qqFH5rvg0fwJjnNGPBpfEjhHM
 TlCNn3M0L6NZbB7PQwUBD332f2QwE4PIcuo1e7c9ySrhdMc0maR5+CcMlJHG6T8Q
 EacL+Xhc91GC2Gi/qMOjE4lo337Y3GLE6WHFRVvqBpI+ovr9LYKP5vQ+InY+uVsP
 LTL7AQVRDZcu4eQdI1HdJ0fYyhx5lJSiPWaM80VBkOgfF6HyGrMcjzWs+9gtYs76
 g6QoEKgu3YuPi1J1JE7d+Un7iYSqrUv3ljSDq2PMlx4vpq+oc1/1qHLyMYpGjmHa
 cQRjPo8bqgZ4vo6BC4Za+SGliLPcN9w0ivjsaGZ2L5PHxJ7kCSJ6SbZUrjWhTZL3
 arWGCFQmYqAY5EkNSWrQePgkCj/5I5YAou39LnREN91KgYDT8bMeED7uQ/fskRns
 Xfbx6ACsU69lLYIqd4HcuhcHWV9lTYtavjLKny71BauLALOve9uHmYX/cweBnt98
 8AWGuIuspvs3kwFJLu5k30m3HUMZPG8lDfN0R9v5eyoNxFc+WNbxHq4fIUXmbGfN
 Jclsn3hzUUS3XBG2G9VDmcf/N82xlwRMDHD78G/+Q3MumQeLtlXirhASQqi3XdXk
 CR5+NjOJZWRYfvk+WbJsshE3sosG2uLHzgs/iQIcBBABAgAGBQJUbJtEAAoJEN36
 Gj42h5SUuVsQAI5QPmqJvnUgUMzoj1gCWW2eJTbxTWs9jALN8JRqPGT4KKe+x5te
 IgYkK056WlxBA73UDcXLQ4dKoqF9J3wMF2O+Ir7C46p+dFS5KTjUj4vaYMgAmshu
 ihZmBChmldQpIYmFvWtdvdanEpaOiblr+AXK1Hd5aJrpBFf5I/EP7iCWeOXc5FzK
 UEZylf8PVmNO3s8uuyWMdGR7cGcukwOONzre9XurO6P8fHfjh+vXeI+5KsJ1Cd2y
 22OWAK0QjtCBLTQ4E6WUM2/FjLU55HB3fdAo4ucd2QgJhf4HuWq6KiLRz74O04o1
 lrqtS3M9GfLmQx/lUF8vIS4jVf8X7/iZY52VCJM5PDoeF0xKTACJ2+emuQfyw0SE
 7AfxCrt35cvXBWAzUN/kLFslQkBI+/FssnUDBYGeU+SkgEfkpuWwRsqfwCITN0I4
 jmwDfa+6PQpMF9lkgF+BanNa8bfroWztmW9dZYp6jyV8/VI5SeG7RYu6TZUeXXoS
 eMIL/d9eIhebLj5syd0BNukZMpI92wnSDWTWxBZFliltOIv6/yC6Bj7UaCyt2JkV
 /xbi+rOiemBS1mPHhV/CAM7sV0TM8xONyVXM4g5eVj0RStFYjc586ZguleNeIfYT
 qDqp/VUKnu6jYNOWS2W/kpenXId22X1TdXcxwm3U3kOc06pygu1fTdDp
 =idYC
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-3-unstable
+++ b/misc/RPM-GPG-KEY-qubes-3-unstable
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 mQINBFRuA2sBEACjOSNmDK6g6vpirgy0mRbRORP44eI0R45JN3oSGgsmCD5jJSTo
 RRUE1RknbK26+bjnsKAKwpP67CA3So/5sa4l7i7G4xJdgVZooM3ZTK7ubQCqkMYB
 h4yYTBAtt7vi6olhKvEkCvhzozcUa4/qW/NuIuTCpF0G0kBUWyqqYQzwtWD5QimE
 6NjbxjuKf0P0KtzUvF2SdNYh87kXUj+6+RcA6VxjsLY3gSWnl+786L4yKUekRjB7
 JvD9yMd1V+U/P1MUamJFyn68Aih6dRi17/ZvHKHY0gj6k6acE34Oy6SDmbwuWWeZ
 jMpSACAHHhWJID0wwrig3ZsxV4lGWoND/n+OSmEyWg4J8dB1thZpoBgjL05prBgC
 oygzwyHlyewVqdtdjMJOSSk34pehQ35lPQ9XqASnF1igQaVTKFxUIg1eoaQMZibd
 dSJzEcwuFUeJ1S22lyUdtaC/WdGb5vvHSEDiOA/3Ll0gpaHm2tor08J0s9C6CD2Q
 irF/FwUu52yO/bNtOkXunX5G2Ua+c49o3D6bvc+mfBY4EVKN5k6URW+vy47gJDbH
 4CVcxgBRoFy8SdAogqf/H/4+UOAR5jo5QLzsRq0mRHRbleLHwyH5PQxF9M73UVgL
 J5OohzOoThyiWbIesjyFw9aiC1Dk9l6ugprPTAS6LPNpxNaByNlpbX/eJQARAQAB
 tCdRdWJlcyBPUyBSZWxlYXNlIDMgVW5zdGFibGUgU2lnbmluZyBLZXmJAjgEEwEC
 ACIFAlRuA2sCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJP+RAmjx3Ot
 WFMP/1y98l3kXaIUIXZFjdtCmiZvFZKETP5S/81Rn32PISSs5TklxWbt6B3rNY67
 ovtK10qJXxarLeu0+IR+UM+AV1R/OvT3qtrJuvbbr0vIyy0RONaapoPIdI2eD2FC
 E/7JTv7KibKSE4nI9W9ZdRboJB1MPigffBR7qAC2ReCGtyKVUWRCKh57aQqbSDkZ
 AruTV1gXbFDusuKh1kQ2zVXFMn9KU98Qv0nKewjndNwnfOk7UFdsTkRCEyHr19wx
 KOuoLH4bfCyV8dEfriM5d6ABjmpv0Olp9XFT5YznoxrsXAjO0aUIBiNYYTk5vRLG
 ixBJGRjruDUzCZ8gIObIEwfAJsJ4LsFZ5LI0csF2uNueeogmNm0LfejyrWBlyRfW
 XdM5WP9vAbWectxNfaW84pPkvAEaer2W+x9ddO+FirTPNgU0M55JxcjKve8XsbuK
 iOA80h8eiMuukn2CDENVG9g7hiui9YzcenQKzmZIYYARWPzSKRyRrMFWrhDjOZ+R
 sG2PKzuJVIatGqhzqjD4CmoMPkVDli9p1ADOJLMJu062D53aWjgVi6DFHt5cZmFx
 rvDPiLqy/uuWWSDaDgX36KEenvwzQLjlEdTrN8a3qiBMxeceLWFLQqAknQnmU19/
 HcyP+lX0FzFFm1yIB/aEQpcXsfJcil0Dg6zAeFbXxdQYWlVm
 =7CDU
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-centos
+++ b/misc/RPM-GPG-KEY-qubes-4-centos
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 mQINBFnOuKQBEACc4uru1ruuHsZAIFFJhkmYVL0I07MlIjA9FC0vwNQA0sq0roJ6
 LElswKLyu9ST8h0qwlqW9RalFxxkhvm0ySvNcWPEayHW2L0izGfD+IH1SUk3QALn
 IudHFd0VYw7REunDgEMfQXvYp1nAQqJ6/e4PrYtIqYfenSYd226/7qBgEJHixeWJ
 XXPoGLSqrsPFzB2KHJRRAJNKB/SFeGd4EHD/LKuxxArAjID+hEo3S53E1xf/G330
 dyEAt5PLsqA0USnWCsREyW7OhW8Bbs02wyYHbOeIt2VM5/GOGJFvGRQC8YsUspBV
 OY3PPMxxmf/8GtORQsTD5BgrtbbZg5mTn3vPi/0LiPIVoyUqLcNY1xLIUtoikhi4
 X5o+37DcRsP720jinXoqqyZPvQlynPAzgJ0i+IIk/8QUp3qQEUm0WXvNamTpluY2
 HPC2dNEW45FnTatMg5mDGf091UdMk6JKXyETRYRWdQfGq+n2BQMO5p6VFMgbzDP9
 I2IYvYnjEi59X7dORGHxYs7LqNGoKL1em8r5NiTS6PhRmw7yQYdrpykFjwZxQvM9
 F+HGIKLd0map8g08Sew0VTZ96OpRWkoMMpveLq0W7Ke4Cgu0t1245rE000r+/sRZ
 l/fg1eSPwVxHHFu8Wj6l4VJiZzi4hSHxOZipNIkfz/SvGvkcgeXGRW7QKQARAQAB
 tCZRdWJlcyBPUyA0IENlbnRPUyBQYWNrYWdlcyBTaWduaW5nIEtleYkCNwQTAQgA
 IQUCWc6/DQIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRAZIFoR/ePQqjMe
 D/9/L0TK532j4k4ZYgOULnqq6JTN0qvmG8JWiRBjRoc90ksDHcH0JwnceYugN2/K
 eV1Nfrm2SLzbaNFJKLGhktskXKEU6dRe5IHlOfXLCnzTsUlnrV7JQ7RhRd27B5YJ
 2OZ9xukwJMihfvBEGD8u98i1OceyeqB6n4T/vwxeAq0UWd3rbFzrzXNDEVy1+7LV
 4s8NtsnAUOece+njTMtxEZep6SZ3MM9XkhD+WwsKan1kUxq8WdFj5o8N0VojdDBv
 9ZCJLn65F2WLTvyILp8K25KI2uLolk+J6monS6keFsdQ+cjEiqadHcfZruIIC5m5
 XpJ8+VdBj+s22q5b1KXRwkK7j69IgMnDbsEJOvH0gW3Nwvofzim32K5TrPXSGlYe
 5qTNYlzRjEhheBLBsK9iJ17CgEhDSzaU6TZOZIM1MVg/7OY//99WL/h6/+bAMkoq
 aDCOhxDFkoX8lHGjlAMV1JiESNy8Xxnt+J8+j86ugz/TSKToRawKBRCXno0Cycq5
 w/auNLHsXyeyftIOva2H9sLVW7DwvipqiYBGunRE+gqznsX1r0oli1mZrW/JiEfj
 6F5+l8L9+GQi/f2WvBMXKgjqHgyl7MWVWiZ3B3Jy98NzNKgDVxRkrhaXLzjgdQKz
 J3xJNOrHCRPqyH7qq4CbS62nLeaOgEPdmsygcn7VfNYajQ==
 =F3Wg
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-primary
+++ b/misc/RPM-GPG-KEY-qubes-4-primary
@ -0,0 +1,39 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFi9Xv4BEADTkOlBTDmO6DsFJi754ilTFqsluGWleeProuz8Q+bHFlx0Mqtk
 uOUcxIjEWwxhn1qN98dIPYds+mD9Bohamdh+bJYxB/YYj9B2xvURhCpxVlWzzkzt
 i1lPYhj/MR637N9JqIdILmJSBFDxmnuWfQxfsbIsi4lUx5oq6HzIAYXzUzA+0/0a
 c/j0zAm9oBq+pXPad/xkH8ebkNAL0+HbHArBNFzrhVKmi1VskpxurPIYZEcQ0dUu
 n447TM/37y+dzmNYxvSuK2zBPFa9upXsKZEoVaJqksXDdX2YuMsZFiesdieL85w7
 sD1iI6Eqmp5EIZXa8t0/MHTaDrm1tDKJdSu/5zrh0RFh+J73qxJH8lDJqcTVggCe
 Xoasoi1LNg0CIgzVM+zLEDbpNd6mILdXQNHzsU4CP2UFpMxOUUDMEPYSE3WBExWX
 0dBO8QgvTOzqvRWq7TL2jKaprsB/ZXiZief5hOK2QFL6HFEOuFuWLf3tb2+tpJoZ
 LXbXYW+6M+WNRHr9mDg3o6SuZmSwUCOa1FV/i51gqiUHmXEfIGH3iE5WWq2bvUG1
 dhjkzDGPL9fXbCWS6+QARakXRbxslsc4RgMrQR6nLEAuOL7GDaG3c7ldqgfotkal
 5KDB5/1AxYW1TC0JfoKWalYrfXlUJlbHcvDFqHdyljOnoeJ8WVqLNE9hUQARAQAB
 tB5RdWJlcyBPUyBSZWxlYXNlIDQgU2lnbmluZyBLZXmJAjcEEwEIACEFAli9Xv4C
 GwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQGEh5L54nlem9QRAAkaDEfYey
 FoldssIDE/gliYYb7RSYBjs+QrYJQjBxFGXXPgHS5kGMZfMkqVVBc8EtHh41q7gU
 mUIHVbjnKIcYaKLaVl/qb9Jkx+6/NxEYWjNVEMMwPk820QgI1alWrweH7ZuxxGlz
 CzOQsyKZLH3TESEf46CUjv9FHW2nKPAp5qVMzLRlgtquQAdfh7SWau7Kd+WPQOiB
 9cj+j3/yswsrpLmvqJP8trS/aKAhsn2jGrxwSAbdGCzQorJjUy5HLZ6xVIk9yD0T
 +o9cbK4SQSuOHUiA9Z5gA7vuxwOuloDhIm74k2PBWMaUEvx19nIh4XmgGEKNzI6V
 SbR+s+d9ciQ/aC/bXdeeZOpCDaty54D8sKzMi2y15Urycxwpz508LwE6I3Zm0Won
 xMEf5gGR30szgQdh6sJKIqZ2nVDLBg4H1mc4CULhsgViN/vM3Rrj2t4kOwUM30AU
 M49o4JPzY4wvhsAmhIQGl38C8wDkSqPwntRsszpbLgzI3Lsxb00xiPcLR6Y/pviH
 AfHxh/1uYymjD1Fq9u9ylgR6+15qqEYY/uEHr2EQyVvXQ08R1iKkT+v8fufMFUWa
 rJxyB+5v/RPRKvRRi9Xb1HkoiFo3E/bEPYKlGA2colp5iqFYpTUBJYJXyMosgjI+
 mqH0I+V+LuMtlE521YHKg0tsB9GVlfWBS12JAhwEEAECAAYFAljAUaEACgkQ3foa
 PjaHlJR8xw/5AYj/vJNbpnFNYV1jK7AwaEScpGpuDwh+izdGB6eCajynoZMmHSs5
 S3ToygNDo6Tlnh4/Tk7g6nG+eRWdAGghrrz2TXZd0sQX2KJ+m2omT5TZMrwPzM0v
 HcUSAZhW1+nK8miMdvxeOAtY91OaDXwjddii/f420m+9tXwCVKbD+EC83wPpr76r
 sokeOrp5H53CZQ++SbbG7qRmj4uc+VuyXNbAYNDa999Dpm5CW95LgMJ8/YpZbQ9S
 Gk8xlo2DTdBig84yO8Dp9L40KxhIbtpOfLZSWR7OwfMchb2wdt/rRcFsAUPjW7of
 /ZO7lQIPfkdl6cvssoZEjEGZnaxjRzR1b6GtPmlrq8MwUHOZqVizlo9vskuAczYl
 VECk2+D5ZH52GsSbX+C/2DpLUI+o8hLmNDkyBHkz7eOV69lMOzKKsXVyOyrsaLY1
 xNY6JPhMwJVuX8zNW2upETvWs8kr+ZOSvalinvmD6BAQp602PQRnUYDgRxG7GXw+
 z9D/6ea14TjGpQWW+wvRUUpqgs7WKCzjAAPDiqTpLvz5xtSTToW/qQJJn4LO7w3H
 Qo9G00Mruapdmy4nV5lHqsjm817M1vChTq1Q5+4ZPLMBoAndNM6vZAVJzfhhR+zG
 ZFp6oNCNJuSPFd+xN4tczA+aNZgUDDYhcvelFevUubLSjAR3ulfwxns=
 =d8U3
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/RPM-GPG-KEY-qubes-4-unstable
+++ b/misc/RPM-GPG-KEY-qubes-4-unstable
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 mQINBFk/KJsBEADR8mS6Z0NYFnY99BdaYN2Hng2IYIc56qMr+OpdwnriiGZhnd9m
 LyL/HJoFpg+kqdZyI9u31kAzXb2GbaCc75O46T1QckrlTInQns889k43vxRHIZCe
 KhIAakexLI1MynUIZtwB23pSeNrfIpkNMY2VwE6wrY57fSnb3+67/Jj7spVoMekw
 2M6U3cbzB7ijBECmzvRCnF2X0qs0r3qyaneunkCUPHbhM6/EUim722efMzVDu43Z
 XEIC3Vw/ydWk2ulyHEdK8ZZ8OfyiMEWvUFm1yvFDr4jS3Wl0bHYs4kGozlu9xGDz
 MO9966awBW4yCIl5XzIR2qcYdeDZmNysbafOkmcB8ObRkOAZeGjCpJBs0mgpMSfN
 ZXAQFw/COw7yyPH2GLxIOPYLYHzM0XkOPIvl5vl9F2pLT2x9emIR1D8lgqdNMIhW
 4eIcw50jS1TjyBCcS4cgiiCHT+rdSp6u7GpqRfwQNXBHOGHptkLY+VrqwtJ+5ckG
 oMIVKq/cLpHVe5usBiPs8v8uK0ufNvj3NmuAypwNsW49igLBOhIy8s9OjDnGtWfX
 2NU/QXQm/IBAAzXZ0VKPl9U4rAaidpJt991OZ+D2BAwZn2Go/vUPWi6/IqAvaE7g
 vZjBW7Hucpd6h26lEAIdzFqgym6yqCdQxdaOn9pP1qzRplUXqo9DAH2i5QARAQAB
 tCdRdWJlcyBPUyBSZWxlYXNlIDQgVW5zdGFibGUgU2lnbmluZyBLZXmJAjcEEwEI
 ACEFAlk/KJsCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQevnGU3u23ofo
 4g//Tmjw09UAL0uV/Oyjz1C0JBWQ7T7rt63L5KQ2S0DRjEykBJnZ8MPkYb0oXjOh
 SAqhJdA0Exjo+OIyofpLkT/Sjz02qE4auQni9aUYr6IqfLmOaQHkCxq8MNhSyu8s
 T7zTLPcP8JO86U0lWZ0n2k5fAyZKFqKIBQJAOGg1M3W4m0jIhNK5VCNLGCxyDvZJ
 kmh4STQdQWA5pu6dw8ruwhfWUPKXUVJttWWXTJd+MDR5Q/QNNATsK+123zmjqB85
 Wz1H6f4aGXrJGkz8Ize22H+56mxZ/B7ZFRAeKZwH1wXRg8mE33k77aJW0QrIbc7Y
 TVeZBTs38AxiG+0fiFTdZWmknkJ9YEcTMYtYlUrxpqaPjw1x8tLKd/mo/A7yvdo8
 XzvRs04aXVGS65jYS9rA4uTKXJ3q/pKouPLQT4GEcnDWWP63un3Ku6iSVyWWnOS6
 xJbFo1pgoSpNqjVh+oL3qU88nbN7KGaSua9FsAJknKzvzZheLqvrBddEFUvELGwx
 bbXzzwocIISe9m3NZnOMdjAGjmoukwCVFEFeq/9ieLRe5wcbKNg8pogiQRt8Izar
 lsSbtUT0s8X4EmD+61/g6nu8+RcNeYPrWqB4KMbYPiz30qsiP7XoTNVJYDxjU5md
 6watPaYvxmqnXkjdwM4Zpaq3cs3YZcMyqp/y2eus89EmDIY=
 =ShJt
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/apt-conf-70no-unattended
+++ b/misc/apt-conf-70no-unattended
@ -0,0 +1,26 @@
 ## Based on pkg-manager-no-autoupdate by Patrick Schleizer <adrelanos@riseup.net>
 ## https://github.com/Whonix/pkg-manager-no-autoupdate
 ## Disable automatic update check APT::Periodic::Update-Package-Lists
 ## which is the Debian default in /etc/apt/apt.conf.d/10periodic.
 ##
 ## The execution time would be too predictable, thus make us fingerprintable.
 ##
 ## 20noperiodic comes after 10periodic in alphabet so it takes precedence.
 ##
 ## Quoted from the Debian Handbook
 ## http://debian-handbook.info/browse/wheezy/sect.apt-get.html
 ##
 ## "[...] Each directory represents a configuration file which is split over multiple
 ## files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions
 ## for the configuration of APT. APT includes them in alphabetical order, so that the
 ## last ones can modify a configuration element defined in one of the first ones. [...]
 ##
 ## That changes take effect can be verified using:
 ## apt-config dump
 APT::Periodic::Update-Package-Lists "0";
 APT::Periodic::Download-Upgradeable-Packages "0";
 APT::Periodic::AutocleanInterval "0";
 APT::Periodic::Unattended-Upgrade "0";
 APT::Periodic::Enable "0";
--- a/misc/block-snapshot
+++ b/misc/block-snapshot
@ -1,274 +0,0 @@
 #!/bin/bash
 # Usage: block-snapshot add|remove img-file cow-file
 #
 # This creates dm-snapshot device on given arguments
 dir=$(dirname "$0")
 if [ "$1" = "prepare" ] || [ "$1" = "cleanup" ]; then
  . "$dir/xen-hotplug-common.sh"
  command=$1
 else
  . "$dir/block-common.sh"
 fi
 shopt -s nullglob
 if [ -n "$XENBUS_PATH" ]; then
  HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}"
 fi
 get_dev() {
  dev=$1
  if [ -L "$dev" ]; then
    dev=$(readlink -f "$dev") || fatal "$dev link does not exist."
  fi
  if [ -f "$dev" ]; then
    file=$dev
    loopdev=$(losetup -j $file | head -1 | cut -d : -f 1)
    if [ -n "$loopdev" ]; then
      # found existing loop to this file
      echo $loopdev
      return
    fi
    # assign new loop device
    loopdev=$(losetup -f 2>/dev/null || find_free_loopback_dev)
    if [ "$loopdev" = '' ]
    then
      release_lock "block"
      fatal 'Failed to find an unused loop device'
    fi
    do_or_die losetup "$loopdev" "$file"
    echo $loopdev
  else
    test -e "$dev" || fatal "$dev does not exist."
    test -b "$dev" || fatal "$dev is not a block device nor file."
  fi
 }
 get_dm_snapshot_name() {
  base=$1
  cow=$2
  echo snapshot-$(stat -c '%D:%i' "$base")-$(stat -c '%D:%i' "$cow")
 }
 create_dm_snapshot() {
  local base_dev cow_dev base_sz
  dm_devname=$1
  base=$2
  cow=$3
  if [ ! -e /dev/mapper/$dm_devname ]; then
    # prepare new snapshot device
    base_dev=$(get_dev $base)
    cow_dev=$(get_dev $cow)
    base_sz=$(blockdev --getsz $base_dev)
    do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot $base_dev $cow_dev P 256"
  fi
 }
 create_dm_snapshot_origin() {
  local base_dev base_sz
  dm_devname=$1
  base=$2
  if [ ! -e /dev/mapper/$dm_devname ]; then
    # prepare new snapshot-origin device
    base_dev=$(get_dev $base)
    base_sz=$(blockdev --getsz $base_dev)
    do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot-origin $base_dev"
  fi
 }
 t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING')
 case "$command" in
  add)
    case $t in
      snapshot|origin)
        p=$(xenstore_read_default "$XENBUS_PATH/params" 'MISSING')
        if [ "$p" == "MISSING" ]; then
          fatal "Missing device parameters ($t $XENBUS_PATH/params)"
        fi
        base=${p/:*/}
        cow=${p/*:/}
        if [ -L "$base" ]; then
          base=$(readlink -f "$base") || fatal "$base link does not exist."
        fi
        if [ -L "$cow" ]; then
          cow=$(readlink -f "$cow") || fatal "$cow link does not exist."
        fi
        # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin)
        dm_devname=$(get_dm_snapshot_name "$base" "$cow")
        claim_lock "block"
        # prepare snapshot device
        create_dm_snapshot $dm_devname "$base" "$cow"
        if [ "$t" == "snapshot" ]; then
          #that's all for snapshot, store name of prepared device
          xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
          echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node"
          write_dev /dev/mapper/$dm_devname
        elif [ "$t" == "origin" ]; then
          # for origin - prepare snapshot-origin device and store its name
          dm_devname=origin-$(stat -c '%D:%i' "$base")
          create_dm_snapshot_origin $dm_devname "$base"
          xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
          echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node"
          write_dev /dev/mapper/$dm_devname
        fi
        # Save domain name for template commit on device remove
        domain=$(xenstore_read_default "$XENBUS_PATH/domain" '')
        if [ -z "$domain" ]; then
          domid=$(xenstore_read "$XENBUS_PATH/frontend-id")
          domain=$(xl domname $domid)
        fi
        echo $domain > "$HOTPLUG_STORE-domain"
        release_lock "block"
        exit 0
        ;;
    esac
    ;;
  prepare)
    t=$2
    case $t in
      snapshot|origin)
        p=$3
        base=${p/:*/}
        cow=${p/*:/}
        if [ -L "$base" ]; then
          base=$(readlink -f "$base") || fatal "$base link does not exist."
        fi
        if [ -L "$cow" ]; then
          cow=$(readlink -f "$cow") || fatal "$cow link does not exist."
        fi
        # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin)
        dm_devname=$(get_dm_snapshot_name "$base" "$cow")
        claim_lock "block"
        # prepare snapshot device
        create_dm_snapshot $dm_devname "$base" "$cow"
        if [ "$t" == "snapshot" ]; then
          #that's all for snapshot, store name of prepared device
          echo "/dev/mapper/$dm_devname"
        elif [ "$t" == "origin" ]; then
          # for origin - prepare snapshot-origin device and store its name
          dm_devname=origin-$(stat -c '%D:%i' "$base")
          create_dm_snapshot_origin $dm_devname "$base"
          echo "/dev/mapper/$dm_devname"
        fi
        release_lock "block"
        exit 0
        ;;
    esac
    ;;
  remove|cleanup)
    if [ "$command" = "cleanup" ]; then
      t=$2
    else
      t=$(cat $HOTPLUG_STORE-type 2>/dev/null || echo 'MISSING')
    fi
    case "$t" in
      snapshot|origin)
        if [ "$command" = "cleanup" ]; then
          node=$3
        else
          node=$(cat "$HOTPLUG_STORE-node" 2> /dev/null)
        fi
        if [ -z "$node" ]; then
          #fatal "No device node to remove"
          #Most likely already removed
          exit 0
        fi
        if [ ! -e "$node" ]; then
          fatal "Device $node does not exists"
        fi
        claim_lock "block"
        use_count=$(dmsetup info $node|grep Open|awk '{print $3}')
        # do not remove snapshot if snapshot origin is still present
        if [ "${node/snapshot/}" != "$node" -a -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then
          use_count=1
        fi
        if [ "$use_count" -gt 0 ]; then
          log info "Device $node still in use - not removing"
          release_lock "block"
          exit 0
        fi
        # get list of used (loop) devices
        deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')"
        # if this is origin
        if [ "${node/origin/}" != "$node" ]; then
          # remove unused snapshots
          for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2)-*; do
            use_count=$(dmsetup info $snap|grep Open|awk '{print $3}')
            if [ "$use_count" -eq 0 ]; then
              # unused snapshot - remove it
              deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')"
              log debug "Removing $snap"
              dmsetup remove $snap
            fi
          done
          if [ "$command" = "remove" ]; then
            # Commit template changes
            domain=$(cat "$HOTPLUG_STORE-domain")
            if [ "$domain" ]; then
              # Dont stop on errors
              /usr/bin/qvm-template-commit "$domain" || true
            fi
          fi
        fi
        if [ -e $node ]; then
          log debug "Removing $node"
          dmsetup remove $node
        fi
        # try to free loop devices
        for dev in $deps; do
          if [ -b "$dev" ]; then
            log debug "Removing $dev"
            losetup -d $dev 2> /dev/null || true
          fi
        done
        if [ -n "$HOTPLUG_STORE" ]; then
          rm $HOTPLUG_STORE-*
        fi
        release_lock "block"
        exit 0
        ;;
    esac
    ;;
 esac
 # vim:sw=2:et:
--- a/misc/dconf-db-local-dpi
+++ b/misc/dconf-db-local-dpi
@ -0,0 +1,2 @@
 [org/gnome/desktop/interface]
 scaling-factor=uint32 1
--- a/misc/dconf-profile-user
+++ b/misc/dconf-profile-user
@ -0,0 +1,2 @@
 user-db:user
 system-db:local
--- a/misc/dispvm-dotfiles.tbz
+++ b/misc/dispvm-dotfiles.tbz
--- a/misc/dispvm-prerun.sh
+++ b/misc/dispvm-prerun.sh
@ -1,37 +0,0 @@
 #!/bin/sh
 apps="/usr/libexec/evinced"
 #If user have customized DispVM settings, use its home instead of default dotfiles
 if [ ! -e /home/user/.qubes-dispvm-customized ]; then
 	if [ -e /rw/home/user/.qubes-dispvm-customized ]; then
 		cp -af /rw/home/user /home/
 	else
 		cat /etc/dispvm-dotfiles.tbz | tar -xjf- --overwrite -C /home/user --owner user 2>&1 >/tmp/dispvm-dotfiles-errors.log
 	fi
 fi
 for app in $apps ; do
    echo "Launching: $app..."
    $app >>/tmp/dispvm_prerun_errors.log 2>&1 &
 done
 echo "Sleeping..."
 PREV_IO=0
 while true; do
 	IO=`vmstat -D | awk '/read|write/ {IOs+=$1} END {print IOs}'`
 	if [ $IO -lt $(( $PREV_IO + 50 )) ]; then
 		break;
 	fi
 	PREV_IO=$IO
 	sleep 2
 done
 ps aufwwx > /tmp/dispvm-prerun-proclist.log
 echo "Closing windows..."
 /usr/lib/qubes/close-window `xwininfo -root -children|tail -n +7 |awk '{print $1}'`
 sleep 1
 fuser -vkm /rw
 echo done.
--- a/misc/dnf-qubes-hooks.py
+++ b/misc/dnf-qubes-hooks.py
@ -20,8 +20,10 @@
 #
 from __future__ import absolute_import
 from distutils.version import LooseVersion
 import logging
 import dnf
 import dnf.const
 import subprocess
 PLUGIN_CONF = 'qubes-hooks'
@ -35,7 +37,10 @@ class QubesHooks(dnf.Plugin):
        self.log = logging.getLogger('dnf')
    def transaction(self):
        if LooseVersion(dnf.const.VERSION) < '2.0.0':
            config = self.read_config(self.base.conf, PLUGIN_CONF)
        else:
            config = self.read_config(self.base.conf)
        if config.getboolean('main', 'notify-updates'):
            # Get all updates available _before_ this transaction
@ -56,6 +61,5 @@ class QubesHooks(dnf.Plugin):
                str(len(updates))
            ])
-        if config.getboolean('main', 'sync-appmenus'):
+        self.log.info("Notifying dom0 about installed applications")
-            self.log.info("Sending application list and icons to dom0")
+        subprocess.call(['/etc/qubes-rpc/qubes.PostInstall'])
            subprocess.call(['/usr/lib/qubes/qubes-trigger-sync-appmenus.sh'])
--- a/misc/fstab
+++ b/misc/fstab
@ -1,9 +1,10 @@
 # Accessible filesystems, by reference, are maintained under '/dev/disk'
 # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
 #
-/dev/mapper/dmroot /                       ext4 defaults,noatime        1 1
+/dev/mapper/dmroot /                       ext4 defaults,discard,noatime        1 1
 /dev/xvdb		/rw			auto	noauto,defaults,discard	1 2
 /rw/home        /home       none    noauto,bind,defaults 0 0
 /rw/usrlocal        /usr/local       none    noauto,bind,defaults 0 0
 /dev/xvdc1      swap                    swap    defaults        0 0
 tmpfs                   /dev/shm                tmpfs   defaults,size=1G        0 0
 devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
--- a/misc/grub.qubes
+++ b/misc/grub.qubes
@ -0,0 +1,12 @@
 # make sure to use /dev/mapper/dmroot, not /dev/xvda directly - both have the
 # same fs, including UUID
 GRUB_DISABLE_LINUX_UUID=true
 GRUB_DISABLE_OS_PROBER=true
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX root=/dev/mapper/dmroot console=hvc0 console=tty0"
 # make SWIOTLB smaller - it isn't really needed unless PCI passthrough is used,
 # and even then, 16MB is enough
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX swiotlb=8192"
 # add noresume - to avoid a 30 second hang on Debian HVM boot as it tries to
 # locate swap space for hibernation
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX noresume"
 GRUB_TIMEOUT=0
--- a/misc/qubes-archive-keyring.gpg
+++ b/misc/qubes-archive-keyring.gpg
--- a/misc/qubes-desktop-run
+++ b/misc/qubes-desktop-run
@ -1,6 +1,6 @@
 #!/usr/bin/python
-from qubes.xdg import launch
+from qubesagent.xdg import launch
 import sys
 if __name__ == '__main__':
--- a/misc/qubes-download-dom0-updates.sh
+++ b/misc/qubes-download-dom0-updates.sh
@ -2,11 +2,12 @@
 DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
 DOIT=0
 GUI=1
 CLEAN=0
 CHECK_ONLY=0
 OPTS="--installroot $DOM0_UPDATES_DIR --config=$DOM0_UPDATES_DIR/etc/yum.conf"
 # DNF uses /etc/yum.repos.d, even when --installroot is specified
 OPTS="$OPTS --setopt=reposdir=$DOM0_UPDATES_DIR/etc/yum.repos.d"
 PKGLIST=
 YUM_ACTION=
@ -15,7 +16,7 @@ export LC_ALL=C
 while [ -n "$1" ]; do
    case "$1" in
        --doit)
-            DOIT=1
+            # ignore
            ;;
        --nogui)
            GUI=0
@ -50,11 +51,11 @@ if [ -z "$YUM_ACTION" ]; then
 fi
 YUM="yum"
-# prefer yum-deprecated over dnf, because of still missing features in dnf (at least --downloaddir)
+if type dnf >/dev/null 2>&1; then
-if type dnf >/dev/null 2>&1 && type yum-deprecated >/dev/null 2>&1; then
+    YUM="dnf --best --allowerasing --noplugins"
-    echo "(Note: dnf will complain that the yum command has been deprecated." >&2
+else
-    echo "This message is safe to ignore.)" >&2
+    # salt in dom0 thinks it's using dnf but we only have yum so need to remove extra options
-    YUM="yum-deprecated"
+    OPTS="${OPTS/--best --allowerasing/}"
 fi
 if ! [ -d "$DOM0_UPDATES_DIR" ]; then
@ -63,7 +64,6 @@ if ! [ -d "$DOM0_UPDATES_DIR" ]; then
 fi
 mkdir -p $DOM0_UPDATES_DIR/etc
 sed -i '/^reposdir\s*=/d' $DOM0_UPDATES_DIR/etc/yum.conf
 if [ -e /etc/debian_version ]; then
    # Default rpm configuration on Debian uses ~/.rpmdb for rpm database (as
@ -76,65 +76,72 @@ rm -f $DOM0_UPDATES_DIR/var/lib/rpm/__*
 rpm --root=$DOM0_UPDATES_DIR --rebuilddb
 if [ "$CLEAN" = "1" ]; then
    # shellcheck disable=SC2086
    $YUM $OPTS clean all
-    rm -f $DOM0_UPDATES_DIR/packages/*
+    rm -f "$DOM0_UPDATES_DIR"/packages/*
    rm -rf "$DOM0_UPDATES_DIR"/var/cache/yum/*
 fi
-if [ "x$PKGLIST" = "x" ]; then
+# just check for updates, but don't download any package
 if [ "x$PKGLIST" = "x" ] && [ "$CHECK_ONLY" = "1" ]; then
    echo "Checking for dom0 updates..." >&2
-    UPDATES_FULL=`$YUM $OPTS check-update`
+    # shellcheck disable=SC2086
    UPDATES_FULL=$($YUM $OPTS check-update)
    check_update_retcode=$?
-    UPDATES_FULL=`echo "$UPDATES_FULL" | grep -v "^Loaded plugins:\|^$"`
+    if [ "$check_update_retcode" -eq 1 ]; then
    if [ $check_update_retcode -eq 1 ]; then
        # Exit here if yum have reported an error. Exit code 100 isn't an
        # error, it's "updates available" info, so check specifically for exit code 1
        exit 1
    fi
-    UPDATES=`echo "$UPDATES_FULL" | grep -v "^Obsoleting\|Could not" | cut -f 1 -d ' '`
+    if [ $check_update_retcode -eq 100 ]; then
-    if [ -z "$UPDATES" -a $check_update_retcode -eq 100 ]; then
+        echo "Available updates: "
-        # save not empty string for below condition (-z "$UPDATES"), but blank
+        echo "$UPDATES_FULL"
-        # to not confuse the user wwith magic strings in messages
+        exit 100
-        UPDATES=" "
+    else
    fi
 else
    PKGS_FROM_CMDLINE=1
 fi
 if [ -z "$PKGLIST" -a -z "$UPDATES" ]; then
        echo "No new updates available"
        if [ "$GUI" = 1 ]; then
            zenity --info --text="No new updates available"
        fi
        exit 0
    fi
 fi
-if [ "$CHECK_ONLY" = "1" ]; then
+# now, we will download something
-    echo "Available updates: "
+YUM_COMMAND="fakeroot $YUM $YUM_ACTION -y --downloadonly"
    echo "$UPDATES_FULL"
    exit 100
 fi
 if [ "$DOIT" != "1" -a "$PKGS_FROM_CMDLINE" != "1" ]; then
    zenity --question --title="Qubes Dom0 updates" \
      --text="There are updates for dom0 available, do you want to download them now?" || exit 0
 fi
 YUM_COMMAND="fakeroot $YUM $YUM_ACTION -y --downloadonly --downloaddir=$DOM0_UPDATES_DIR/packages"
 # check for --downloadonly option - if not supported (Debian), fallback to
 # yumdownloader
 if ! $YUM --help | grep -q downloadonly; then
-    if [ "$YUM_ACTION" != "install" -a "$YUM_ACTION" != "upgrade" ]; then
+    if [ "$YUM_ACTION" = "install" ]; then
-        echo "ERROR: yum version installed in VM `hostname` does not suppport --downloadonly option" >&2
+        YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve"
    elif [ "$YUM_ACTION" = "upgrade" ]; then
        # shellcheck disable=SC2086
        UPDATES_FULL=$($YUM $OPTS check-update $PKGLIST)
        check_update_retcode=$?
        UPDATES_FULL=$(echo "$UPDATES_FULL" | grep -v "^Loaded plugins:\|^Last metadata\|^$")
        UPDATES=$(echo "$UPDATES_FULL" | grep -v "^Obsoleting\|Could not" | cut -f 1 -d ' ')
        if [ "$check_update_retcode" -eq 0 ]; then
            # exit code 0 means no updates available - regardless of stdout messages
            echo "No new updates available"
            exit 0
        fi
        PKGLIST=$UPDATES
        YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve"
    elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then
        # those actions do not download any package, so lack of --downloadonly is irrelevant
        YUM_COMMAND="$YUM $YUM_ACTION -y"
    elif [ "$YUM_ACTION" == "reinstall" ]; then
        # this is just approximation of 'reinstall' action...
        # shellcheck disable=SC2086
        PKGLIST=$(rpm --root=$DOM0_UPDATES_DIR -q $PKGLIST)
        YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve"
    else
        echo "ERROR: yum version installed in VM $(hostname) does not suppport --downloadonly option" >&2
        echo "ERROR: only 'install' and 'upgrade' actions supported ($YUM_ACTION not)" >&2
        if [ "$GUI" = 1 ]; then
            zenity --error --text="yum version too old for '$YUM_ACTION' action, see console for details"
        fi
        exit 1
    fi
    if [ "$YUM_ACTION" = "upgrade" ]; then
        PKGLIST=$UPDATES
    fi
    YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve"
 fi
 mkdir -p "$DOM0_UPDATES_DIR/packages"
@ -143,20 +150,25 @@ set -e
 if [ "$GUI" = 1 ]; then
    ( echo "1"
    # shellcheck disable=SC2086
    $YUM_COMMAND $OPTS $PKGLIST
    echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
         --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
 else
    # shellcheck disable=SC2086
    $YUM_COMMAND $OPTS $PKGLIST
 fi
-if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then
+find "$DOM0_UPDATES_DIR/var/cache/yum" -name '*.rpm' -print0 |\
    xargs -0 -r ln -f -t "$DOM0_UPDATES_DIR/packages/"
 if ls "$DOM0_UPDATES_DIR"/packages/*.rpm > /dev/null 2>&1; then
    cmd="/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent"
    qrexec_exit_code=0
-    $cmd $DOM0_UPDATES_DIR/packages/*.rpm || { qrexec_exit_code=$? ; true; };
+    $cmd "$DOM0_UPDATES_DIR"/packages/*.rpm || { qrexec_exit_code=$? ; true; };
    if [ ! "$qrexec_exit_code" = "0" ]; then
        echo "'$cmd $DOM0_UPDATES_DIR/packages/*.rpm' failed with exit code ${qrexec_exit_code}!" >&2
-        exit $qrexec_exit_code
+        exit "$qrexec_exit_code"
    fi
 else
    echo "No packages downloaded"
--- a/misc/qubes-master-key.asc
+++ b/misc/qubes-master-key.asc
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 mQINBEu0kPkBEADHOaL53AVx8ECt+vsTFpNv/oyDXXs8dNmMsQhaCQ7BxTu95QKD
 j5S0TiFoXegBwE8YhRg/8sBHOUbmdD1iQHxJSlJc8NYJkctq4KjiyeshquT1mIYx
 wTGSuagX2PbM+Sv6Cuyo/DyhmzIH5dssFH25qnQ/RwednxWMG9qBW2JujDdwlMjB
 1p6u5lzkwECO0Kk8w7rvSMJwPo2FPTpSTcdN7+Yc1i7WEv1fOpNYBfEn76Eck3LP
 dndceRxnErvkEH7K95R1wEOqXxOEjE3BoUqh7q40GDW6bBMV5EauLBgMX4DQRIDE
 uU0NW5Kk29/8RZaZrRXmpVmof1dMYVBWu4wM+Khm3IZ30pUR188jZz+eUhPDieJL
 lN3iRKikSv7Rm9SETmwvvVOpP+RfkfaS6XGu3XfSv1diLy00p6Eh9J6LsfiCRuCI
 svADNHsyFxJkIwEGVkUgvPFCRDY73LQuV5Bt5gutPFVnVS5nM9pwQEBFAha8wB5N
 L+0fq47a1NJFbmKQ5PzOom3qQjee/3ic4wPcf9YtmLOdxukIEXvrGtcMt2kQHC9a
 YypW/AYQB/TxpLP/aXSHiO9bR4hA4au26d6ytsgCZpPVQ5WchYetTVXfcjv6mbCS
 g/QFYx1Ss/lZ2Uao/w7eYdAlvvJ1JBYotuMLuiONReRHGY5I94H8RRju8wARAQAB
 tBhRdWJlcyBNYXN0ZXIgU2lnbmluZyBLZXmJAjgEEwECACIFAku0kPkCGwMGCwkI
 BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEN36Gj42h5SU17kP/2sF0pzYETEJykY8
 MTfHpey+eAjP6Ejt2mkasiFMEIZ0mjFt9A/7I4gYgiI1pNRat2icbjK0HmUDSHzo
 LRjCcuP39D5LRdoFMzMzXusHx7pCKkx9rvitOq/p4LN+O6orCJYhHN7Si3LXWYv6
 5HG9iGbeE262myPb43KTBbNF5recwkHZTufNMISGQiSkwFOPRbBX7q2c3/qHjmiw
 RZ16DRSY1xHaV1HVplaDSCIXYcDhWsywB+5iuUFDsZGmfCncR7SZ00eSWpKVB5mp
 P9vlk0Tri28dQWqfd63rDU9ZwxFpZfL+hlhA0W07np6L3yyai+jzaWFY7VsqdOnp
 zBJe8sveMr8SP0QhrGEL0aj/R9XPKgfYm5wlf1qJ/Z/10jJm8D0MTMUxPUI07Hja
 u5lIW7GZKFdI5DWt/JTvy3FJp0yDajaUOc84l5wJKl7cNCmeZH1/oNYkAb+JqqGX
 /VPWEot7fOaqUrHswsE/YKK+9fv/aMY6qjF7qVGAfbd04kAZuPha7/s3USbdiRA7
 aJapZ/mtaUY+P9k1j/dI8sOPpxgl4c6esIBhwe5Sv3HUZc5SZhW3h1ISScvoeYTV
 KLRIi9ELMmsqfESjDhnDbVsqIjL8+kKxegaRXwNxeZoe7EfiL8PKSJMSbaIhXLFC
 QUkIyUJmS9aV8bQN8vheR4JNciA0
 =5mf9
 -----END PGP PUBLIC KEY BLOCK-----
--- a/misc/qubes-r3.list.in
+++ b/misc/qubes-r3.list.in
@ -1,15 +0,0 @@
 # Main qubes updates repository
 deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm @DIST@ main
 #deb-src http://deb.qubes-os.org/r3.1/vm @DIST@ main
 # Qubes updates candidates repository
 #deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm @DIST@-testing main
 #deb-src http://deb.qubes-os.org/r3.1/vm @DIST@-testing main
 # Qubes security updates testing repository
 #deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm @DIST@-securitytesting main
 #deb-src http://deb.qubes-os.org/r3.1/vm @DIST@-securitytesting main
 # Qubes experimental/unstable repository
 #deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm @DIST@-unstable main
 #deb-src http://deb.qubes-os.org/r3.1/vm @DIST@-unstable main
--- a/misc/qubes-r3.repo
+++ b/misc/qubes-r3.repo
@ -1,31 +0,0 @@
 [qubes-vm-r3.1-current]
 name = Qubes OS Repository for VM (updates)
 baseurl = http://yum.qubes-os.org/r3.1/current/vm/fc$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=1
 [qubes-vm-r3.1-current-testing]
 name = Qubes OS Repository for VM (updates-testing)
 baseurl = http://yum.qubes-os.org/r3.1/current-testing/vm/fc$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=0
 [qubes-vm-r3.1-security-testing]
 name = Qubes OS Repository for VM (security-testing)
 baseurl = http://yum.qubes-os.org/r3.1/security-testing/vm/fc$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=0
 [qubes-vm-r3.1-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = http://yum.qubes-os.org/r3.1/unstable/vm/fc$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-unstable
 gpgcheck = 1
 enabled=0
--- a/misc/qubes-r4.list.in
+++ b/misc/qubes-r4.list.in
@ -0,0 +1,33 @@
 # Main qubes updates repository
 deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm @DIST@ main
 #deb-src http://deb.qubes-os.org/r4.0/vm @DIST@ main
 # Qubes updates candidates repository
 #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm @DIST@-testing main
 #deb-src http://deb.qubes-os.org/r4.0/vm @DIST@-testing main
 # Qubes security updates testing repository
 #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm @DIST@-securitytesting main
 #deb-src http://deb.qubes-os.org/r4.0/vm @DIST@-securitytesting main
 # Qubes experimental/unstable repository
 #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm @DIST@-unstable main
 #deb-src http://deb.qubes-os.org/r4.0/vm @DIST@-unstable main
 # Qubes Tor updates repositories
 # Main qubes updates repository
 #deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@ main
 #deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@ main
 # Qubes updates candidates repository
 #deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-testing main
 #deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-testing main
 # Qubes security updates testing repository
 #deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-securitytesting main
 #deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-securitytesting main
 # Qubes experimental/unstable repository
 #deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-unstable main
 #deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm @DIST@-unstable main
--- a/misc/qubes-r4.repo.in
+++ b/misc/qubes-r4.repo.in
@ -0,0 +1,35 @@
 [qubes-vm-r4.0-current]
 name = Qubes OS Repository for VM (updates)
 baseurl = https://yum.qubes-os.org/r4.0/current/vm/@DIST@$releasever
 #baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/vm/@DIST@$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=1
 [qubes-vm-r4.0-current-testing]
 name = Qubes OS Repository for VM (updates-testing)
 baseurl = https://yum.qubes-os.org/r4.0/current-testing/vm/@DIST@$releasever
 #baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current-testing/vm/@DIST@$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=0
 [qubes-vm-r4.0-security-testing]
 name = Qubes OS Repository for VM (security-testing)
 baseurl = https://yum.qubes-os.org/r4.0/security-testing/vm/@DIST@$releasever
 #baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/security-testing/vm/@DIST@$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-primary
 skip_if_unavailable=False
 gpgcheck = 1
 enabled=0
 [qubes-vm-r4.0-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = https://yum.qubes-os.org/r4.0/unstable/vm/@DIST@$releasever
 #baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/unstable/vm/@DIST@$releasever
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-unstable
 gpgcheck = 1
 enabled=0
--- a/misc/qubes-run-terminal
+++ b/misc/qubes-run-terminal
@ -0,0 +1,12 @@
 #!/bin/sh
 # Try to find a terminal emulator that's installed and run it.
 for terminal in x-terminal-emulator gnome-terminal xfce4-terminal konsole urxvt rxvt termit terminator Eterm aterm roxterm termite lxterminal mate-terminal terminology st xterm; do
    # bogus warning from ShellCheck < 0.5.0
    # shellcheck disable=SC2039
    if type "$terminal" >/dev/null 2>&1 ; then
        exec "$terminal"
    fi
 done
 echo "ERROR: No suitable terminal found." >&2
--- a/misc/qubes-run-terminal.desktop
+++ b/misc/qubes-run-terminal.desktop
@ -0,0 +1,5 @@
 [Desktop Entry]
 Name=Run Terminal
 Exec=qubes-run-terminal
 Icon=utilities-terminal
 Type=Application
--- a/misc/qubes-serial-login
+++ b/misc/qubes-serial-login
@ -1,6 +1,6 @@
 #!/bin/sh
 if /bin/ls -l /proc/self/fd/0 | grep -q /dev/hvc0 ; then
-	exec su - $2
+	exec su - "$2"
 	exit
 else
 	exec /bin/login "$@"
--- a/misc/qubes-session-autostart
+++ b/misc/qubes-session-autostart
@ -25,7 +25,7 @@ import subprocess
 import sys
 from xdg.DesktopEntry import DesktopEntry
-from qubes.xdg import launch
+from qubesagent.xdg import launch
 import xdg.BaseDirectory
 import os
@ -76,7 +76,7 @@ def process_autostart(environments):
                else:
                    entry = DesktopEntry(entry_path)
                if entry_should_be_started(entry, environments):
-                    launch(entry_path)
+                    launch(entry_path, wait=False)
            except Exception as e:
                print >>sys.stderr, "Failed to process '{}': {}".format(
                    entry_name, str(e)
--- a/misc/qubes-suspend-module-blacklist
+++ b/misc/qubes-suspend-module-blacklist
@ -4,3 +4,5 @@
 ehci_pci
 xhci_pci
 iwldvm
 iwlmvm
--- a/misc/qubes-trigger-sync-appmenus.action
+++ b/misc/qubes-trigger-sync-appmenus.action
@ -1 +0,0 @@
 *:any:/usr/lib/qubes/qubes-trigger-sync-appmenus.sh
--- a/misc/qubes-trigger-sync-appmenus.sh
+++ b/misc/qubes-trigger-sync-appmenus.sh
@ -1,7 +1,9 @@
-#!/bin/sh
+#!/bin/bash
-UPDATEABLE=`qubesdb-read /qubes-vm-updateable`
+# Source Qubes library.
 # shellcheck source=init/functions
 . /usr/lib/qubes/init/functions
-if [ "$UPDATEABLE" = "True" ]; then
+if is_updateable ; then
    /usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus
 fi
--- a/misc/qubes.sudoers
+++ b/misc/qubes.sudoers
@ -25,9 +25,8 @@ user ALL=(ALL) NOPASSWD: ALL
 # and for sure, root/user isolation is not a mitigating factor.
 #
 # Because, really, if somebody could find and exploit a bug in the Xen
-# hypervisor -- so far there has been only one (!) publicly disclosed
+# hypervisor -- as of 2016, there have been only three publicly disclosed
-# exploitable bug in the Xen hypervisor from a VM, found in 2008,
+# exploitable bugs in the Xen hypervisor from a VM -- then it would be
 # incidentally by one of the Qubes developers (RW) -- then it would be
 # highly unlikely that that person couldn't also find a user-to-root
 # escalation in the VM (which as we know from history of UNIX/Linux
 # happens all the time).
--- a/misc/qvm-features-request
+++ b/misc/qvm-features-request
@ -0,0 +1,81 @@
 #!/usr/bin/env python2
 # vim: fileencoding=utf-8
 #
 # The Qubes OS Project, https://www.qubes-os.org/
 #
 # Copyright (C) 2010-2016  Joanna Rutkowska <joanna@invisiblethingslab.com>
 # Copyright (C)      2016  Wojtek Porczyk <woju@invisiblethingslab.com>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License along
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 import argparse
 import os
 import subprocess
 import sys
 import qubesdb
 class FeatureRequestAction(argparse.Action):
    '''Action for argument parser that stores a property.'''
    # pylint: disable=redefined-builtin,too-few-public-methods
    def __init__(self,
            option_strings,
            dest='features',
            metavar='NAME=VALUE',
            required=False,
            help='request a feature with the value'):
        super(FeatureRequestAction, self).__init__(option_strings, dest=dest,
            metavar=metavar, nargs='*', required=required, default={},
            help=help)
    def __call__(self, parser, namespace, values, option_string=None):
        for request in values:
            try:
                feature, value = request.split('=', 1)
            except ValueError:
                parser.error(
                    'invalid feature request token: {!r}'.format(request))
            getattr(namespace, self.dest)[feature] = value
 parser = argparse.ArgumentParser(
    description='submit a feature request to the dom0')
 parser.add_argument('--commit',
    action='store_true', default=False,
    help='actually send the request (without it, only make entries in qubesdb)')
 parser.add_argument('features',
    action=FeatureRequestAction)
 def main(args=None):
    args = parser.parse_args(args)
    qdb = qubesdb.QubesDB()
    for feature, value in args.features.items():
        qdb.write('/features-request/' + feature, value)
    if args.commit:
        devnull = os.open(os.devnull, os.O_RDWR)
        subprocess.check_call(
            ['qrexec-client-vm', 'dom0', 'qubes.FeaturesRequest'],
            stdin=devnull, stdout=devnull)
 if __name__ == '__main__':
    sys.exit(main())
--- a/misc/resize-rootfs
+++ b/misc/resize-rootfs
@ -0,0 +1,42 @@
 #!/bin/sh
 set -e
 dm_major=$(printf %x "$(grep device-mapper /proc/devices | cut -f 1 -d ' ')")
 case "$(stat -Lc %t:%T /dev/mapper/dmroot)" in
    ca:0)
        # nothing needed, xvda used directly
        ;;
    ca:3)
        # resize partition table itself
        # use undocumented ---pretend-input-tty (yes, three '-') to
        # force unattended operation, otherwise it aborts on first
        # prompt, even with '-s' option
        echo fix | parted ---pretend-input-tty /dev/xvda print >/dev/null
        # then resize 3rd partition, even though it is mounted
        echo yes 100% | parted ---pretend-input-tty /dev/xvda resizepart 3
        # and reload partition table; prefer partprobe over blockdev
        # --rereadpt, as it works on mounted partitions
        partprobe /dev/xvda
        ;;
    ca:*)
        echo "Unsupported partition layout, resize it manually" >&2
        exit 1
        ;;
    $dm_major:*)
        new_size=$(cat /sys/block/xvda/size)
        ro=$(cat /sys/block/xvda/ro)
        if [ "$ro" -eq 1 ]; then
            new_table="0 $new_size snapshot /dev/xvda /dev/xvdc2 N 16"
        else
            new_table="0 $new_size linear /dev/xvda 0"
        fi
        dmsetup load dmroot --table "$new_table"
        dmsetup resume dmroot
        ;;
    *)
        echo "Unsupported device type for root volume, resize it manually" >&2
        exit 1
        ;;
 esac
 resize2fs /dev/mapper/dmroot
--- a/misc/thunar.xml
+++ b/misc/thunar.xml
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <channel name="thunar" version="1.0">
  <property name="misc-thumbnail-mode" type="string" value="THUNAR_THUMBNAIL_MODE_NEVER"/>
 </channel>
--- a/misc/uca_qubes.xml
+++ b/misc/uca_qubes.xml
@ -0,0 +1,85 @@
 <action>
 	<icon>folder-copy</icon>
 	<name>Copy to VM</name>
 	<unique-id>1507455450991127-4</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh copy %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<directories/>
 	<audio-files/>
 	<image-files/>
 	<other-files/>
 	<text-files/>
 	<video-files/>
 </action>
 <action>
 	<icon>folder-move</icon>
 	<name>Move to VM</name>
 	<unique-id>1507455437157027-3</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh move %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<directories/>
 	<audio-files/>
 	<image-files/>
 	<other-files/>
 	<text-files/>
 	<video-files/>
 </action>
 <action>
 	<icon>document-open</icon>
 	<name>Open in VM</name>
 	<unique-id>1507455471075266-5</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh openvm %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<audio-files/>
 	<image-files/>
 	<other-files/>
 	<text-files/>
 	<video-files/>
 </action>
 <action>
 	<icon>gtk-convert</icon>
 	<name>Convert in DisposableVM</name>
 	<unique-id>1507455488971315-6</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh pdf %F</command>
 	<description></description>
 	<patterns>*.pdf</patterns>
 	<other-files/>
 </action>
 <action>
 	<icon>gtk-convert</icon>
 	<name>Convert in DisposableVM</name>
 	<unique-id>1507455503129941-7</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh img %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<image-files/>
 </action>
 <action>
 	<icon>document-open</icon>
 	<name>Edit in DisposableVM</name>
 	<unique-id>1507455559234996-8</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh opendvm %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<audio-files/>
 	<image-files/>
 	<other-files/>
 	<text-files/>
 	<video-files/>
 </action>
 <action>
 	<icon>document-open</icon>
 	<name>View in DisposableVM</name>
 	<unique-id>1507455559234997-9</unique-id>
 	<command>/usr/lib/qubes/qvm-actions.sh viewdvm %F</command>
 	<description></description>
 	<patterns>*</patterns>
 	<audio-files/>
 	<image-files/>
 	<other-files/>
 	<text-files/>
 	<video-files/>
 </action>
--- a/misc/upgrades-installed-check
+++ b/misc/upgrades-installed-check
@ -9,6 +9,7 @@
 if [ -e /etc/system-release ]; then
   ## Fedora
   # shellcheck disable=SC2034
   yum_output="$(yum -q check-update 2>&1)"
   exit_code="$?"
   [ "$exit_code" -eq 100 ] && echo "false" && exit 0
@ -17,9 +18,18 @@ elif [ -e /etc/debian_version ]; then
   ## Debian
   set -e
   set -o pipefail
-   apt_get_output="$(LANG="C" apt-get -s upgrade 2>&1)"
+   # shellcheck disable=SC2034
   apt_get_update_output="$(apt-get -q update 2>&1)"
   apt_get_upgrade_output="$(LANG="C" apt-get -s upgrade 2>&1)"
   exit_code="$?"
-   echo "$apt_get_output" | awk "/^Inst/{ print $2 }" | [ "$(wc -L)" -eq 0 ] && echo "true" || echo "false"
+   echo "$apt_get_upgrade_output" | awk "/^Inst/{ print $2 }" | [ "$(wc -L)" -eq 0 ] && echo "true" || echo "false"
 elif [ -e /etc/arch-release ]; then
    ## Archlinux
    set -e
    set -o pipefail
    checkupdates_output="$(checkupdates 2>&1)"
    exit_code="$?"
    echo "$checkupdates_output" | grep -qF -- '->' && echo "false" || echo "true"
 else
   echo "Check not implemented for this distribution" >&2
   exit 1
--- a/misc/vusb-ctl.py
+++ b/misc/vusb-ctl.py
@ -1,24 +0,0 @@
 #!/usr/bin/python
 ##
 ## Python script wrapper around xen.util.vusb_util bind_usb_device() and unbind_usb_device() methods
 ## Run as root in usbvm
 ##
 from xen.util import vusb_util
 import sys
 import os
 if len(sys.argv)!=3:
    print 'usage: vusb-ctl <bind|unbind> device'
    sys.exit(1)
 device=sys.argv[2]
 if sys.argv[1] == 'bind':
    vusb_util.bind_usb_device(device)
 elif sys.argv[1] == 'unbind':
    vusb_util.unbind_usb_device(device)
 else:
    print "Invalid command, must be 'bind' or 'unbind'"
    sys.exit(1)
--- a/misc/xdg.py
+++ b/misc/xdg.py
@ -1,20 +0,0 @@
 #!/usr/bin/python
 from gi.repository import Gio
 import sys
 import dbus
 def launch(desktop, *files):
    launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
    if hasattr(launcher, 'get_boolean'):
        activatable = launcher.get_boolean('DBusActivatable')
        if activatable:
            bus = dbus.SessionBus()
            service_id = launcher.get_id()
            # cut the .desktop suffix
            service_id = service_id[:-8]
            bus.start_service_by_name(service_id)
    launcher.launch(files, None)
 if __name__ == "__main__":
    launch(*sys.argv[1:])
--- a/misc/xl-qvm-usb-attach.py
+++ b/misc/xl-qvm-usb-attach.py
@ -1,48 +0,0 @@
 #!/usr/bin/python
 ##
 ## This script is for dom0
 ## The syntax is modelled after "xl block-attach"
 ##
 import sys
 import os
 import xen.lowlevel.xl
 # parse command line
 if (len(sys.argv)<4) or (len(sys.argv)>5):
    print 'usage: xl-qvm-usb-attach.py <frontendvm-xid> <backendvm-device> <frontendvm-device> [<backendvm-xid>]'
    sys.exit(1)
 frontendvm_xid=sys.argv[1]
 backendvm_device=sys.argv[2]
 frontend=sys.argv[3].split('-')
 if len(frontend)!=2:
    print 'Error: frontendvm-device must be in <controller>-<port> format'
    sys.exit(1)
 (controller, port)=frontend
 if len(sys.argv)>4:
    backendvm_xid=int(sys.argv[4])
    backendvm_name=xen.lowlevel.xl.ctx().domid_to_name(backendvm_xid)
 else:
    backendvm_xid=0
 # FIXME: command injection
 os.system("xenstore-write /local/domain/%s/backend/vusb/%s/%s/port/%s '%s'"
 	% (backendvm_xid, frontendvm_xid, controller, port, backendvm_device))
 cmd = "/usr/lib/qubes/vusb-ctl.py bind '%s'" % backendvm_device
 if backendvm_xid == 0:
    os.system("sudo %s" % cmd)
 else:
    from qubes.qubes import QubesVmCollection
    qvm_collection = QubesVmCollection()
    qvm_collection.lock_db_for_reading()
    qvm_collection.load()
    qvm_collection.unlock_db()
    # launch
    qvm_collection.get_vm_by_name(backendvm_name).run(cmd, user="root")
--- a/misc/xl-qvm-usb-detach.py
+++ b/misc/xl-qvm-usb-detach.py
@ -1,49 +0,0 @@
 #!/usr/bin/python
 ##
 ## This script is for dom0
 ## The syntax is modelled after "xl block-attach"
 ## FIXME: should be modelled after block-detach instead
 ##
 import sys
 import os
 import xen.lowlevel.xl
 # parse command line
 if (len(sys.argv)<4) or (len(sys.argv)>5):
    print 'usage: xl-qvm-usb-detach.py <frontendvm-xid> <backendvm-device> <frontendvm-device> [<backendvm-xid>]'
    sys.exit(1)
 frontendvm_xid=sys.argv[1]
 backendvm_device=sys.argv[2]
 frontend=sys.argv[3].split('-')
 if len(frontend)!=2:
    print 'Error: frontendvm-device must be in <controller>-<port> format'
    sys.exit(1)
 (controller, port)=frontend
 if len(sys.argv)>4:
    backendvm_xid=int(sys.argv[4])
    backendvm_name=xen.lowlevel.xl.ctx().domid_to_name(backendvm_xid)
 else:
    backendvm_xid=0
 cmd = "/usr/lib/qubes/vusb-ctl.py unbind '%s'" % backendvm_device
 if backendvm_xid == 0:
    os.system("sudo %s" % cmd)
 else:
    from qubes.qubes import QubesVmCollection
    qvm_collection = QubesVmCollection()
    qvm_collection.lock_db_for_reading()
    qvm_collection.load()
    qvm_collection.unlock_db()
    # launch
    qvm_collection.get_vm_by_name(backendvm_name).run(cmd, user="root")
 # FIXME: command injection
 os.system("xenstore-write /local/domain/%s/backend/vusb/%s/%s/port/%s ''"
 	% (backendvm_xid, frontendvm_xid, controller, port))
--- a/network/30-qubes-external-ip
+++ b/network/30-qubes-external-ip
@ -1,8 +1,8 @@
 #!/bin/sh
-if [ x$2 = xup ]; then
+if [ "x$2" = xup ]; then
-	INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
+	INET=$(/sbin/ip addr show dev "$1" | /bin/grep inet)
 	qubesdb-write /qubes-netvm-external-ip "$INET"
 fi
-if [ x$2 = xdown ]; then
+if [ "x$2" = xdown ]; then
 	qubesdb-write /qubes-netvm-external-ip ""
 fi
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`[qubes-r3.2]`
							`Server = http://olivier.medoc.free.fr/archlinux/current/`
		`@ -0,0 +1,2 @@`
							`[qubes-r4.0]`
							`Server = http://olivier.medoc.free.fr/archlinux/current`
		`@ -0,0 +1 @@`
							`usr/lib/qubes/qubes-download-dom0-updates.sh`
		`@ -0,0 +1,2 @@`
							`# moved to qubes-core-agent-passwordless-root`
							`/etc/pam.d/su.qubes`
		`@ -0,0 +1,2 @@`
							`[org.gnome.desktop.wm.preferences]`
							`button-layout='appmenu:'`
		`@ -0,0 +1,2 @@`
							`[org/gnome/desktop/interface]`
							`scaling-factor=uint32 1`
		`@ -1 +0,0 @@`
			`*:any:/usr/lib/qubes/qubes-trigger-sync-appmenus.sh`