From 1fc7bc98beca642e75942c603beefa48c8698e31 Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Mon, 24 Apr 2017 14:06:01 +0000
Subject: [PATCH 001/125] Create w3m.md

How to reduce the fingerprint of the text-based web browser w3m.
---
 configuration/w3m.md | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 configuration/w3m.md

diff --git a/configuration/w3m.md b/configuration/w3m.md
new file mode 100644
index 00000000..29198ad2
--- /dev/null
+++ b/configuration/w3m.md
@@ -0,0 +1,35 @@
+---
+layout: doc
+title: Reducing the fingerprint of the text-based web browser w3m
+permalink: /doc/w3m/
+redirect_from:
+- /en/doc/mutt/
+- /doc/W3m/
+- /wiki/W3m/
+---
+
+Reducing the fingerprint of the text-based web browser w3m
+====
+
+[w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.'
+
+You can reduce the [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled.
+
+**BEWARE: As very few people use w3m for browsing chances are high that you will still be the only person with this fingerprint on your adversary's radar. Also, I am nothing but a wannabe security expert, so do not rely on my advise for anything critical.**
+
+Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TempVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
+
+* Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
+* Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
+
+		accept_language en-US,en;q=0.5
+		accept_encoding gzip, deflate
+		accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+Testing the settings on <https://browserprint.info> (<https://panopticlick.eff.org> does not work) returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.* Thus by using these settings (and browsing through a torified connection) you will be distinguishable from TBB users, but, if my assumptions are correct, not from me. That is, whoever uses these settings will have the same fingerprint as anyone else using w3m with the same configuration, but for the time being I am probably the only one. (According to Browserprint.info only I have this fingerprint.)
+
+PS: You still need to delete cookies manually (`~/.w3m/cookie`) if you are not running w3m in a DispVM anyway. If you set w3m to not accept cookies, its fingerprint will change. (You can configure w3m to not use store cookies or accept new ones (or both), but the setting `use_cookie` seems to really mean `accept_cookie` and vice-versa, so maybe it is best to delete them manually for now.)
+
+* * *
+
+\* Does someone know how to fix this?

From 016f87759908360dca0c367570c83ac5e3dfe6d8 Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Mon, 24 Apr 2017 14:09:14 +0000
Subject: [PATCH 002/125] Add link to yet-to-be-accepted w3m.md

---
 doc.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc.md b/doc.md
index 3ac75eb4..fcb07669 100644
--- a/doc.md
+++ b/doc.md
@@ -151,6 +151,7 @@ Configuration Guides
  * [Managing VM kernel](/doc/managing-vm-kernel/)
  * [Salt management stack](/doc/salt/)
  * [Adding SSD storage cache](https://groups.google.com/d/msgid/qubes-users/a08359c9-9eb0-4d1a-ad92-a8a9bc676ea6%40googlegroups.com)
+ * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/)
 
 
 Customization Guides

From 4d0252cfd510c71e910795a722ff0da943b1df3c Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Fri, 28 Apr 2017 12:02:40 +0000
Subject: [PATCH 003/125] Rewrite to make clearer what is does and does not

---
 configuration/w3m.md | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/configuration/w3m.md b/configuration/w3m.md
index 29198ad2..4eeb3908 100644
--- a/configuration/w3m.md
+++ b/configuration/w3m.md
@@ -5,28 +5,35 @@ permalink: /doc/w3m/
 redirect_from:
 - /en/doc/mutt/
 - /doc/W3m/
-- /wiki/W3m/
+- /wiki/W3m/t
 ---
 
 Reducing the fingerprint of the text-based web browser w3m
 ====
 
+TL;DR: You can reduce the amount w3m tells about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy.
+
 [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.'
 
-You can reduce the [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled.
+You can reduce the browser [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled.
 
-**BEWARE: As very few people use w3m for browsing chances are high that you will still be the only person with this fingerprint on your adversary's radar. Also, I am nothing but a wannabe security expert, so do not rely on my advise for anything critical.**
-
-Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TempVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
+Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
 
 * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
+
+	(By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick have this value.)
+
 * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
 
 		accept_language en-US,en;q=0.5
 		accept_encoding gzip, deflate
 		accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+		
+	(These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above the w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.)
+	
+Testing these settings on <https://browserprint.info> returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's language settings or other specifics about it that could be contained in the HTTP_ACCEPT headers. And even if the browser you use may well be *inferred* from your fingerprint, it will not be explicitly stated in the User-Agent header.
 
-Testing the settings on <https://browserprint.info> (<https://panopticlick.eff.org> does not work) returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.* Thus by using these settings (and browsing through a torified connection) you will be distinguishable from TBB users, but, if my assumptions are correct, not from me. That is, whoever uses these settings will have the same fingerprint as anyone else using w3m with the same configuration, but for the time being I am probably the only one. (According to Browserprint.info only I have this fingerprint.)
+**Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.**
 
 PS: You still need to delete cookies manually (`~/.w3m/cookie`) if you are not running w3m in a DispVM anyway. If you set w3m to not accept cookies, its fingerprint will change. (You can configure w3m to not use store cookies or accept new ones (or both), but the setting `use_cookie` seems to really mean `accept_cookie` and vice-versa, so maybe it is best to delete them manually for now.)
 

From bac57503a3bb0e5f15de2073c9d7c5a494615bfc Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Fri, 28 Apr 2017 12:59:50 +0000
Subject: [PATCH 004/125] Minor edit.

---
 configuration/w3m.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/configuration/w3m.md b/configuration/w3m.md
index 4eeb3908..76c7e6d4 100644
--- a/configuration/w3m.md
+++ b/configuration/w3m.md
@@ -11,17 +11,17 @@ redirect_from:
 Reducing the fingerprint of the text-based web browser w3m
 ====
 
-TL;DR: You can reduce the amount w3m tells about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy.
+TL;DR: You can reduce the amount of information w3m gives about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy.
 
 [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.'
 
-You can reduce the browser [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled.
+You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by making it (the fingerprint) more like that of the Tor Browser Bunde (TBB) with JavaScript disabled.
 
 Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
 
 * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
 
-	(By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick have this value.)
+	By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick has this value.
 
 * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
 
@@ -29,9 +29,9 @@ Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m
 		accept_encoding gzip, deflate
 		accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 		
-	(These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above the w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.)
+	These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.
 	
-Testing these settings on <https://browserprint.info> returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's language settings or other specifics about it that could be contained in the HTTP_ACCEPT headers. And even if the browser you use may well be *inferred* from your fingerprint, it will not be explicitly stated in the User-Agent header.
+Testing these settings on <https://browserprint.info> returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's locale settings or other specifics about it in the HTTP_ACCEPT headers. And while it may be inferred from your fingerprint that you use w3m, it is not be explicitly stated in the User-Agent header.
 
 **Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.**
 

From 0eab70bd636983a43aa490fa1d5422de4c81c02d Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Tue, 2 May 2017 21:13:41 +0000
Subject: [PATCH 005/125] Supplemented missing step; some rephrasing.

---
 building/building-archlinux-template.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/building/building-archlinux-template.md b/building/building-archlinux-template.md
index a6b9948c..0f463ccb 100644
--- a/building/building-archlinux-template.md
+++ b/building/building-archlinux-template.md
@@ -77,7 +77,7 @@ redirect_from:
 <br>
 <br>
 
-## 4:   Downloading and verifying the "Qubes Automated Build System"
+## 4: Downloading and verifying the integrity the "Qubes Automated Build System"
 
 * Import the Qubes master key
 
@@ -98,9 +98,10 @@ redirect_from:
 
 * Copy your gpg keyrings to your local copy of the repository. (Otherwise you will be asked to download the keys again.)
 
-      # Assuming qubes-builder is in your home directory
-      cp .gnupg/pubring.gpg qubes-builder/keyrings/git/
-      cp .gnupg/trustdb.gpg qubes-builder/keyrings/git/
+      # Execute the following commands in your home directory.
+      # It is assumed that the path to the repository is '~/qubes-builder'.
+      mkdir -p qubes-builder/keyrings/git 
+      cp -t qubes-builder/keyrings/git/ .gnupg/pubring.gpg .gnupg/trustdb.gpg
 
 * Verify the integrity of the downloaded repository. The last line should read `gpg: Good signature from`...
 

From 6d5a7e426e76c1e9327160b31a8122e1a3ac0e57 Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Tue, 9 May 2017 13:39:49 +0000
Subject: [PATCH 006/125] Minor edits.

---
 configuration/w3m.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/configuration/w3m.md b/configuration/w3m.md
index 76c7e6d4..9586ef40 100644
--- a/configuration/w3m.md
+++ b/configuration/w3m.md
@@ -5,7 +5,7 @@ permalink: /doc/w3m/
 redirect_from:
 - /en/doc/mutt/
 - /doc/W3m/
-- /wiki/W3m/t
+- /wiki/W3m/
 ---
 
 Reducing the fingerprint of the text-based web browser w3m
@@ -15,13 +15,11 @@ TL;DR: You can reduce the amount of information w3m gives about itself and the e
 
 [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.'
 
-You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by making it (the fingerprint) more like that of the Tor Browser Bunde (TBB) with JavaScript disabled.
-
-Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
+You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) by applying the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. (If you have not run w3m yet, you might need to copy the config file from elsewhere.) You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`).
 
 * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
 
-	By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick has this value.
+	By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the Tor Browser Bundle (TBB). One in fourteen browsers finderprinted by Panopticlick has this value.
 
 * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
 

From d13f2a150b61080c0defdb64c56c697da69e6a70 Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Tue, 9 May 2017 13:41:04 +0000
Subject: [PATCH 007/125] Moved how-to to a more fitting section.

---
 doc.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc.md b/doc.md
index fcb07669..807a1177 100644
--- a/doc.md
+++ b/doc.md
@@ -124,6 +124,7 @@ Privacy Guides
  * [TorVM](/doc/torvm/)
  * [Martus](/doc/martus/)
  * [Signal](/doc/signal/)
+ * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/)
 
 
 Configuration Guides
@@ -151,7 +152,6 @@ Configuration Guides
  * [Managing VM kernel](/doc/managing-vm-kernel/)
  * [Salt management stack](/doc/salt/)
  * [Adding SSD storage cache](https://groups.google.com/d/msgid/qubes-users/a08359c9-9eb0-4d1a-ad92-a8a9bc676ea6%40googlegroups.com)
- * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/)
 
 
 Customization Guides

From db13ef5a33bfddc33a6ad148bf18f040e1d6367f Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 11 May 2017 18:48:59 +1000
Subject: [PATCH 008/125] Various minor spelling and grammar fixes

---
 basics_user/doc-guidelines.md                 |  2 +-
 basics_user/user-faq.md                       |  6 ++--
 building/building-archlinux-template.md       |  2 +-
 common-tasks/backup-restore.md                |  4 +--
 common-tasks/dispvm.md                        |  2 +-
 common-tasks/full-screen-mode.md              |  2 +-
 common-tasks/managing-appvm-shortcuts.md      |  6 ++--
 common-tasks/software-update-dom0.md          |  2 +-
 common-tasks/software-update-vm.md            | 28 +++++++++----------
 common-tasks/tips-and-tricks.md               |  8 +++---
 common-tasks/usb.md                           |  8 +++---
 configuration/assigning-devices.md            |  6 ++--
 configuration/config-files.md                 |  2 +-
 configuration/disk-trim.md                    |  2 +-
 configuration/external-audio.md               |  4 +--
 configuration/http-filtering-proxy.md         |  6 ++--
 configuration/managing-vm-kernel.md           | 10 +++----
 configuration/network-bridge-support.md       |  8 +++---
 configuration/network-printer.md              |  2 +-
 configuration/postfix.md                      |  4 +--
 configuration/resize-disk-image.md            |  8 +++---
 configuration/resize-root-disk-image.md       |  6 ++--
 configuration/salt.md                         |  4 +--
 hardware/certified-laptops.md                 |  2 +-
 installing/live-usb.md                        |  6 ++--
 installing/upgrade/upgrade-to-r3.0.md         |  2 +-
 installing/version-scheme.md                  |  8 +++---
 managing-os/hvm.md                            |  4 +--
 managing-os/netbsd.md                         |  2 +-
 managing-os/pentesting/blackarch.md           |  4 +--
 managing-os/pentesting/kali.md                |  2 +-
 managing-os/pentesting/ptf.md                 |  6 ++--
 managing-os/templates/archlinux.md            | 28 +++++++++----------
 .../templates/debian/upgrade-8-to-9.md        |  2 +-
 managing-os/templates/fedora-minimal.md       |  2 +-
 .../templates/fedora/upgrade-20-to-21.md      |  2 +-
 .../templates/fedora/upgrade-21-to-23.md      |  2 +-
 .../templates/fedora/upgrade-23-to-24.md      |  2 +-
 managing-os/windows/windows-appvms.md         |  6 ++--
 privacy/anonymizing-your-mac-address.md       |  2 +-
 privacy/whonix-install.md                     |  6 ++--
 releases/1.0/release-notes.md                 |  2 +-
 security-info/security-pack.md                |  4 +--
 security/security-guidelines.md               |  2 +-
 security/split-bitcoin.md                     |  2 +-
 security/yubi-key.md                          | 24 ++++++++--------
 services/dvm-impl.md                          |  2 +-
 system/security-critical-code.md              |  2 +-
 troubleshooting/updating-debian-and-whonix.md |  4 +--
 49 files changed, 131 insertions(+), 131 deletions(-)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index c9d91852..bcd8e0ec 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -43,7 +43,7 @@ documentation change will be reviewed before it's published to the web. This
 allows us to maintain quality control and protect our users.
 
 As mentioned above, we keep all the documentation in a dedicated [Git
-repository][qubes-doc] hosted on [GitHub]. Thanks to GitHub interface, you can
+repository][qubes-doc] hosted on [GitHub]. Thanks to the GitHub interface, you can
 edit the documentation even if you don't know Git at all! The only thing you
 need is a GitHub account, which is free.
 
diff --git a/basics_user/user-faq.md b/basics_user/user-faq.md
index 254b4342..0ea2d4c0 100644
--- a/basics_user/user-faq.md
+++ b/basics_user/user-faq.md
@@ -291,9 +291,9 @@ Open a terminal and run `sudo yum install linux-firmware` in the TemplateVM upon
 
 ### Can I install Qubes OS together with other operating system (dual-boot/multi-boot)?
 
-You shouldn't do that, because it pose a security risk for your Qubes OS installation. 
+You shouldn't do that, because it poses a security risk for your Qubes OS installation.
 But if you understand the risk and accept it, read [documentation on multibooting](/doc/multiboot/). 
-It starts with explanation what is wrong with using such setup.
+It starts with explaining what is wrong with using such a setup.
 
 Common Problems
 ---------------
@@ -438,7 +438,7 @@ The encrypted partitions are identified and the user is prompted for password on
 
 A fully encrypted drive does not appear in Nautilus.
 
-The work round is to manually decrypt and mount the drive:
+The workaround is to manually decrypt and mount the drive:
 
 1. attach usb device to qube - it should be attached as /dev/xvdi or similar.
 2. sudo cryptsetup open /dev/xvdi bk --type luks
diff --git a/building/building-archlinux-template.md b/building/building-archlinux-template.md
index 540713b8..60a8d8a2 100644
--- a/building/building-archlinux-template.md
+++ b/building/building-archlinux-template.md
@@ -361,7 +361,7 @@ redirect_from:
 The `qubes-mgmt-salt` repo is not currently forked under the marmarek user on
 GitHub, to whom the above instructions set the `GIT_PREFIX`.  As Archlinux is
 not yet supported by mgmt-salt, simply leave it out of the build (when building
-the Archlinux template on it's own) by appending the following to your `override.conf` file:
+the Archlinux template on its own) by appending the following to your `override.conf` file:
 
 `BUILDER_PLUGINS := $(filter-out mgmt-salt,$(BUILDER_PLUGINS))`
 
diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 0b2ecaa7..c5fbe9b7 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -81,7 +81,7 @@ Emergency Backup Recovery without Qubes
 
 The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
-For emergency restore of backup created on Qubes R2 or newer take a look [here](/doc/backup-emergency-restore-v3/). For backups created on earlier Qubes version, take a look [here](/doc/backup-emergency-restore-v2/).
+For emergency restore of backup created on Qubes R2 or newer take a look [here](/doc/backup-emergency-restore-v3/). For backups created on earlier Qubes versions, take a look [here](/doc/backup-emergency-restore-v2/).
 
 
 Migrating Between Two Physical Machines
@@ -96,7 +96,7 @@ Here are some things to consider when selecting a passphrase for your backups:
 
  * If you plan to store the backup for a long time or on third-party servers, you should make sure to use a very long, high-entropy passphrase. (Depending on the decryption passphrase you use for your system drive, this may necessitate selecting a stronger passphrase. If your system drive decryption passphrase is already sufficiently strong, it may not.)
  * An adversary who has access to your backups may try to substitute one backup for another. For example, when you attempt to retrieve a recent backup, the adversary may instead give you a very old backup containing a compromised VM. If you're concerned about this type of attack, you may wish to use a different passphrase for each backup, e.g., by appending a number or date to the passphrase.
- * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong). On the othe hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
+ * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong). On the other hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
 
 Notes
 -----
diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 18560ff8..8a775172 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -18,7 +18,7 @@ A Disposable VM (DispVM) is a lightweight VM that can be created quickly and whi
 
 By default a Disposable VM will inherit the NetVM and firewall settings of the ancestor VM, that is the VM it is launched from. Thus if an AppVM uses sys-net as NetVM (instead of, say, sys-whonix), any DispVM launched from this AppVM will also have sys-net as its NetVM. You can change this behaviour for individual VMs: in the Qubes Manager open VM Settings for the VM in question and go to the "Advanced" tab. Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Meny inherits the NetVM of a so-called internal TempVM, the *[DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).* By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Meny; only changing the DVM Template's own NetVM does.
+A Disposable VM launched from the Start Menu inherits the NetVM of a so-called internal TempVM, the *[DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).* By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 
 Once a DispVM has been created it will appear in the Qubes Manager with the name "dispX", and NetVM and firewall rules can be set as for a normal VM.
 
diff --git a/common-tasks/full-screen-mode.md b/common-tasks/full-screen-mode.md
index b0fef0cc..e5542918 100644
--- a/common-tasks/full-screen-mode.md
+++ b/common-tasks/full-screen-mode.md
@@ -24,7 +24,7 @@ If one allowed one of the VMs to "own" the full screen, e.g. to show a movie on
 Secure use of full screen mode
 ------------------------------
 
-However, it is possible to deal with full screen mode in a secure way assuming there are mechanisms that can be used at any time to show the full desktop, and which cannot be intercepted by the VM. An example of such q mechanism is the KDE's "Present Windows" and "Desktop Grid" effects, which are similar to Mac's "Expose" effect, and which can be used to immediately detect potential "GUI forgery", as they cannot be intercepted by any of the VM (as the GUID never passes down the key combinations that got consumed by KDE Window Manager), and so the VM cannot emulate those. Those effects are enabled by default in KDE once Compositing gets enabled in KDE (System Settings -\> Desktop -\> Enable Desktop Effects), which is recommended anyway. By default they are triggered by Ctrl-F8 and Ctrl-F9 key combinations, but can also be reassigned to other shortcuts.
+However, it is possible to deal with full screen mode in a secure way assuming there are mechanisms that can be used at any time to show the full desktop, and which cannot be intercepted by the VM. An example of such a mechanism is the KDE's "Present Windows" and "Desktop Grid" effects, which are similar to Mac's "Expose" effect, and which can be used to immediately detect potential "GUI forgery", as they cannot be intercepted by any of the VM (as the GUID never passes down the key combinations that got consumed by KDE Window Manager), and so the VM cannot emulate those. Those effects are enabled by default in KDE once Compositing gets enabled in KDE (System Settings -\> Desktop -\> Enable Desktop Effects), which is recommended anyway. By default they are triggered by Ctrl-F8 and Ctrl-F9 key combinations, but can also be reassigned to other shortcuts.
 Another option is to use Alt+Tab for switching windows. This shortcut is also handled by dom0.
 
 Enabling full screen mode for select VMs
diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index e289ae79..9c8ec8f2 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -15,11 +15,11 @@ For ease of use Qubes aggregates shortcuts to applications that are installed in
 
 ![dom0-menu.png"](/attachment/wiki/ManagingAppVmShortcuts/dom0-menu.png)
 
-To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs does this automatically):
+To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs do this automatically):
 
 `qvm-sync-appmenus vmname`
 
-After that, select the *Add more shortcuts* entry in VM's submenu to customize which applications are shown:
+After that, select the *Add more shortcuts* entry in the VM's submenu to customize which applications are shown:
 
 ![dom0-appmenu-select.png"](/attachment/wiki/ManagingAppVmShortcuts/dom0-appmenu-select.png)
 
@@ -45,4 +45,4 @@ For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. In Wi
 What if my application has not been automatically included in the list of available apps?
 -----------------------------------------------------------------------------------------
 
-You can manually create new entries in the "available applications" list of shortcuts. See [Signal](/doc/signal/) for a worked example of creating a new menu item for a Chrome .desktop shortcut.
+You can manually create new entries in the "available applications" list of shortcuts. See [Signal](/doc/signal/) for a working example of creating a new menu item for a Chrome .desktop shortcut.
diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md
index 74d14336..7ebef52d 100644
--- a/common-tasks/software-update-dom0.md
+++ b/common-tasks/software-update-dom0.md
@@ -14,7 +14,7 @@ Updating software in dom0
 Why would one want to update software in dom0?
 ----------------------------------------------
 
-Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the 3rd party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in Qubes 2.0.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
+Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the 3rd party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan to move the disk backends to an untrusted domain in a future Qubes release) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
 
 However, we anticipate some other situations in which updating dom0 software might be necessary or desirable:
 
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index b205980a..45492d6b 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -20,7 +20,7 @@ In addition to saving on the disk space, and reducing domain creation time, anot
 
 The default template is called **fedora-14-x64** in Qubes R1 and **fedora-20-x64** in Qubes R2.
 
-The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home` or `/usr/local` then it will disappear after the AppVM reboot (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally install software in the TemplateVM, not in AppVMs.**
+The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home` or `/usr/local` then it will disappear after the AppVM reboot (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.**
 
 Unlike VM private filesystems, the template VM root filesystem does not support discard, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
 
@@ -33,7 +33,7 @@ In order to permanently install new software, you should:
 
 -   Install/update software as usual (e.g. using yum, or the dedicated GUI application). Then, shutdown the template VM,
 
--   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You will restart others whenever this will be convenient to you.
+-   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You can restart others whenever this will be convenient to you.
 
 Testing repositories
 --------------------
@@ -115,19 +115,19 @@ As the TemplateVM is used for creating filesystems for other AppVMs, where you a
 
 There are several ways to deal with this problem:
 
--   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and as we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
+-   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
 
 -   Use *standalone VMs* (see below) for installation of untrusted software packages.
 
--   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somehow less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
+-   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somewhat less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
 
 Some popular questions:
 
 -   So, why should we actually trust Fedora repos -- it also contains large amount of 3rd party software that might buggy, right?
 
-As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
+As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
 
--   But why trusting Fedora?
+-   But why trust Fedora?
 
 Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
 
@@ -140,11 +140,11 @@ Standalone VMs
 
 Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on its own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
 
-Sometime it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
+Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
 
--   VMs used for development (devel environments requires a lot of \*-devel packages and specific devel tools)
+-   VMs used for development (devel environments require a lot of \*-devel packages and specific devel tools)
 
--   VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages form less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
+-   VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
 
 In order to create a standalone VM you can use a command line like this (from console in Dom0):
 
@@ -168,14 +168,14 @@ qvm-create <vmname> --template <templatename> --label <label>
 Temporarily allowing networking for software installation
 ---------------------------------------------------------
 
-Some 3rd party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access 3rd party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decided by themselves whether such 3rd party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
+Some 3rd party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access 3rd party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decide by themselves whether such 3rd party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
 
 Updates proxy
 -------------
 
-Updates proxy is a service which filter http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
+Updates proxy is a service which filters http access to allow access to only something that looks like a yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
 
-The proxy is running in selected VMs (by default all the NetVMs (1)) and intercept traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allows that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure yum to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
+The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure yum to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
 
 (1) Services tab -\> "qubes-yum-proxy" entry; check qvm-service manual for details
 
@@ -185,13 +185,13 @@ The proxy is running in selected VMs (by default all the NetVMs (1)) and interce
 
 ### Technical details
 
-1.  Updates proxy: It is running as "qubes-yum-proxy" service. Startup script of this service setup firewall rule to intercept proxy traffic:
+1.  Updates proxy: It is running as "qubes-yum-proxy" service. Startup script of this service sets up the firewall rule to intercept proxy traffic:
 
     ~~~
     iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
     ~~~
 
-1.  VM using the proxy service Startup script (qubes-misc-post service) configure yum using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
+1.  VM using the proxy service Startup script (qubes-misc-post service) configures yum using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
 
     ~~~
     proxy=http://10.137.255.254:8082/
diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 64673eee..81938023 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -10,9 +10,9 @@ This section provides user suggested tips that aim to increase Qubes OS usabilit
 
 Opening links in your preferred AppVM
 -------------------------------------
-To increase both security and usability you can set an AppVM so that it automatically opens any link in an different AppVM of your choice. You can do this for example in the email AppVM, in this way you avoid to make mistakes like opening links in it. to learn more you can check [security guidelines](/doc/security-guidelines/) and [security goals](/security/goals/).
+To increase both security and usability you can set an AppVM so that it automatically opens any link in an different AppVM of your choice. You can do this for example in the email AppVM, in this way you avoid to make mistakes like opening links in it. To learn more you can check [security guidelines](/doc/security-guidelines/) and [security goals](/security/goals/).
 
-The command `qvm-open-in-vm` lets you open a document or a URL in another VM, it takes two parameters: vmname and filename.
+The command `qvm-open-in-vm` lets you open a document or a URL in another VM. It takes two parameters: vmname and filename.
 
 For example, if you launch this command from your email AppVM:
 
@@ -20,7 +20,7 @@ For example, if you launch this command from your email AppVM:
 
 it will open duckduckgo.com in the `untrusted` AppVM (after you confirmed the request).
 
-If you want this to happen automatically you can creatte a .desktop file that advertises itself as a handler for http/https links, and then setting this as your default browser.
+If you want this to happen automatically you can create a .desktop file that advertises itself as a handler for http/https links, and then set this as your default browser.
 
 Open a text editor and copy and paste this into it:
 
@@ -46,7 +46,7 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have a not so trusted enviroment, for example a Windows VM, an application that track and report it's usage or you simply want to protect your data.
+Suppose that you have in a not so trusted enviroment, for example a Windows VM, an application that track and report its usage, or you simply want to protect your data.
 
 Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index dfddc3ed..6411199b 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -110,7 +110,7 @@ opt to create a USB qube during installation. This also occurs automatically if
 you choose to [create a USB qube] using the `qubesctl` method, which is the
 first pair of steps in the linked section.)
 
-**Warning** USB keyboard cannot be used to type the disk passphrase
+**Warning** A USB keyboard cannot be used to type the disk passphrase
 if USB controllers were hidden from dom0. Before hiding USB controllers
 make sure your laptop keyboard is not internally connected via USB
 (by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
@@ -319,10 +319,10 @@ Attaching a single USB device to a qube (USB passthrough)
 ---------------------------------------------------------
 
 Starting with Qubes 3.2, it is possible to attach a single USB device to any
-Qube. While this is useful feature, it should be used with care, because there
+Qube. While this is a useful feature, it should be used with care, because there
 are [many security implications][usb-challenges] from using USB devices and USB
 passthrough will **expose your target qube** for most of them. If possible, use 
-method specific for particular device type (for example block devices described
+a method specific for particular device type (for example block devices described
 above), instead of this generic one.
 
 To use this feature, you need to install `qubes-usb-proxy` package in the
@@ -355,7 +355,7 @@ When you finish, detach the device:
     sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
     sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
 
-This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our our Project Ideas [here][project-page].
+This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our Project Ideas [here][project-page].
 
 
 [mass-storage]: https://en.wikipedia.org/wiki/USB_mass_storage_device_class
diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 6aa8278a..e676e742 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,7 +58,7 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want assign a certain [USB] device to a VM (by attaching the whole
+If you want to assign a certain [USB] device to a VM (by attaching the whole
 USB controller), you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 
@@ -66,7 +66,7 @@ controller. First, check to which USB bus the device is connected:
 lsusb
 ~~~
 
-For example, I want assign a broadband modem to the netvm. In the out put of
+For example, I want to assign a broadband modem to the netvm. In the output of
 `lsusb` it can be listed as something like this. (In this case, the device isn't
 fully identified):
 
@@ -76,7 +76,7 @@ Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
 
 The device is connected to USB bus \#3. Then check which other devices are
 connected to the same bus, since *all* of them will be assigned to the same VM.
-Now is the time to find right USB controller:
+Now is the time to find the right USB controller:
 
 ~~~
 readlink /sys/bus/usb/devices/usb3
diff --git a/configuration/config-files.md b/configuration/config-files.md
index d83c2a19..dc59d50c 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -40,7 +40,7 @@ problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 
-Also take a look at [bind-dirs][/doc/bind-dirs] for instruction how to easily
+Also take a look at [bind-dirs](/doc/bind-dirs) for instruction how to easily
 modify arbitrary system file in AppVM and have those changes persistent.
 
 GUI and audio configuration in dom0
diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index cbb67259..97e38cb5 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -10,7 +10,7 @@ redirect_from:
 
 VMs have already TRIM enabled by default, but dom0 doesn't. There are some security implications (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but IMO not very serious.
 
-To enable TRIM in dom0 you need:
+To enable TRIM in dom0 you need to:
 
 1.  Get your LUKS device UUID:
 
diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 27f05ae7..43618955 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -38,9 +38,9 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
 
-If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding an other line at the beginning:
+If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding another line at the beginning:
 
 ~~~
 pactl unload-module module-udev-detect
diff --git a/configuration/http-filtering-proxy.md b/configuration/http-filtering-proxy.md
index e695d025..8bb0751b 100644
--- a/configuration/http-filtering-proxy.md
+++ b/configuration/http-filtering-proxy.md
@@ -31,10 +31,10 @@ prevents websites that use DNS-based load balancers from working
 unless the user reloads the firewall rules (which re-resolve the DNS
 names) whenever the balancer transfer her session to another IP. Third
 the initial setup of the rules is complicated as the firewall drops
-the connection silently. As a workaround on can use browser's network
+the connection silently. As a workaround one can use browser's network
 console to see what is blocked, but this is time-consuming and one can
 trivially miss some important cases like including in the firewall
-white list sites for OCSP SSL certificate verification.
+white-list sites for OCSP SSL certificate verification.
 
 These drawbacks can be mitigated if one replaces iptable-based rules
 with a filtering HTTP proxy. The following describes how to setup
@@ -94,7 +94,7 @@ Setup
         name.ip-address-of-app-vm
 
    The name part before the dot can be arbitrary. For convenience one can
-   use AppVm name here, but this is not required. It is important to get
+   use AppVM name here, but this is not required. It is important to get
    ip address part right as this is what the control script uses to
    determine for which AppVM to apply the proxy rules. One can check the
    IP address of AppVM in Qubes VM manager in the VM settings dialog, see
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 6748228f..4f4c675a 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -49,7 +49,7 @@ updatevm          : sys-firewall
 Installing different kernel using Qubes kernel package
 ----------------------------------
 
-VM kernels are packages by Qubes team in `kernel-qubes-vm` packages. Generally system will keep the 3 newest available versions. You can list them with the `rpm` command:
+VM kernels are packages by Qubes team in `kernel-qubes-vm` packages. Generally the system will keep the 3 newest available versions. You can list them with the `rpm` command:
 
 ~~~
 [user@dom0 ~]$ rpm -qa 'kernel-qubes-vm*'
@@ -58,7 +58,7 @@ kernel-qubes-vm-3.18.16-3.pvops.qubes.x86_64
 kernel-qubes-vm-3.18.17-4.pvops.qubes.x86_64
 ~~~
 
-If you want more recent version, you can check `qubes-dom0-unstable` repository. As the name suggest, keep in
+If you want a more recent version, you can check `qubes-dom0-unstable` repository. As the name suggests, keep in
 mind that those packages may be less stable than the default ones.
 
 Checking available versions in `qubes-dom0-unstable` repository:
@@ -212,7 +212,7 @@ This is possible thanks to PV GRUB2 - GRUB2 running in the VM. To make it happen
 
 1. Install PV GRUB2 in dom0 - package is named `grub2-xen`.
 2. Install kernel in the VM. As with all VM software installation - this needs to be done in TemplateVM (of StandaloneVM if you are using one).
-3. Set VM kernel to `pvgrub2` value. You can use `pvgrub2` in selected VMs, not necessary all of them, even when it's template has kernel installed. You can still use dom0-provided kernel for selected VMs.
+3. Set VM kernel to `pvgrub2` value. You can use `pvgrub2` in selected VMs, not necessary all of them, even when its template has kernel installed. You can still use dom0-provided kernel for selected VMs.
 
 **WARNING: When using kernel from within VM, `kernelopts` parameter is ignored.**
 
@@ -230,7 +230,7 @@ In Fedora based VM, you need to install `qubes-kernel-vm-support` package. This
 package include required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create it's configuration. Note: you don't need actual
+need some GRUB tools to create its configuration. Note: you don't need actual
 grub bootloader as it is provided by dom0. But having one also shouldn't harm.
 
 ~~~
@@ -268,7 +268,7 @@ In Debian based VM, you need to install `qubes-kernel-vm-support` package. This
 package include required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create it's configuration. Note: you don't need actual
+need some GRUB tools to create its configuration. Note: you don't need actual
 grub bootloader as it is provided by dom0. But having one also shouldn't harm.
 
 ~~~
diff --git a/configuration/network-bridge-support.md b/configuration/network-bridge-support.md
index b8f74377..cf86bc56 100644
--- a/configuration/network-bridge-support.md
+++ b/configuration/network-bridge-support.md
@@ -42,12 +42,12 @@ First, retrieve the attachment of this Wifi article in dom0. Then apply the thre
 
 Finally restart the qubes manager GUI.
 
-A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enabled the Bridge option and restart your AppVM.
+A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enable the Bridge option and restart your AppVM.
 
 NetVM patch (Qubes R2B2)
 ------------------------
 
-You need to modify manually the NetVM iptable script inside the NetVM. The reason is that by default the NetVM only accept traffic coming from network interfaces called vif\* (in our case, we will use an additional interface called bridge0. The second reason is that all trafic is NATed by default. In our case, we want to forward traffic from the bridge interface without modifying it, while NATing traffic coming from vif\* interfaces.
+You need to modify manually the NetVM iptable script inside the NetVM. The reason is that by default the NetVM only accepts traffic coming from network interfaces called vif\* (in our case, we will use an additional interface called bridge0. The second reason is that all trafic is NATed by default. In our case, we want to forward traffic from the bridge interface without modifying it, while NATing traffic coming from vif\* interfaces.
 
 Modify manually the Template you use for your NetVM (not the NetVM itself). This is by default fedora-x86\_64. Edit the file /etc/sysconfig/iptables. You need to modify two parts of the file.
 
@@ -95,7 +95,7 @@ This requires:
 
 Note: A wireless interface cannot be bridged.
 
-The bridge edition GUI is somehow buggy as it does not remember all the parameter you setup. You can fix it by editing manually the files in /etc/NetworkManager/system-connections/. Here is one example for these files:
+The bridge edition GUI is somewhat buggy as it does not remember all the parameters you set up. You can fix it by editing manually the files in /etc/NetworkManager/system-connections/. Here is one example for these files:
 
 -   Bridge-DHCP
 
@@ -137,7 +137,7 @@ Note: Do not forget to put stp=false if you bridge only eth0 because sending BPD
     slave-type=bridge
     ~~~
 
-If you do not manager to start your bridge, you can start it manually from a NetVM terminal:
+If you do not manage to start your bridge, you can start it manually from a NetVM terminal:
 
 ~~~
 $ nmcli con up id bridge0-eth0
diff --git a/configuration/network-printer.md b/configuration/network-printer.md
index 26bd4879..d0d1628a 100644
--- a/configuration/network-printer.md
+++ b/configuration/network-printer.md
@@ -27,7 +27,7 @@ In order to mitigate this risk, one might consider creating a custom template (i
 
 However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
 
-Additionally, the printer drivers as well as CUPS application itself, might be buggy and might got exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
+Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
 
 Steps to configure a network printer in a template VM
 ----------------------------------------------------------
diff --git a/configuration/postfix.md b/configuration/postfix.md
index 0c0884b9..4aae8d09 100644
--- a/configuration/postfix.md
+++ b/configuration/postfix.md
@@ -99,14 +99,14 @@ alias_maps = hash:/etc/aliases
 @localhost your.mail@example.com
 ~~~
 
-`/usr/local/etc/postfix/sender_relay`. This is important file. Put there all your SMTP servers. Pay attention to port (smtp/submission). Square brackets have their special meaning, they are almost certainly needed. For more info consult Postfix manual.
+`/usr/local/etc/postfix/sender_relay`. This is an important file. Put all your SMTP servers there. Pay attention to port (smtp/submission). Square brackets have their special meaning, they are almost certainly needed. For more info consult Postfix manual.
 
 ~~~
 your.mail@exmaple.com         [mail.example.com]:submission
 your.other@mail.com         [smtp.mail.com]:smtp
 ~~~
 
-`/usr/local/etc/postfix/saslpass`. Here you put passwords to above mentioned servers. It depends on provider if you need to put whole email as username or just the part before `@`.
+`/usr/local/etc/postfix/saslpass`. Here you put passwords to above mentioned servers. It depends on your provider if you need to put whole email as username or just the part before `@`.
 
 ~~~
 [mail.example.com]:submission     your.mail:y0urP4ssw0rd
diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 6458b7f3..c89780ab 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -34,7 +34,7 @@ The basic idea is to:
 1.  Shrink filesystem on the private disk image.
 2.  Then shrink the image.
 
-Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibility is to interrupt its normal startup by adding `rd.break` kernel option:
+Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibilities is to interrupt its normal startup by adding `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
@@ -63,7 +63,7 @@ Now you can resize the image:
 truncate -s <new-desired-size> /var/lib/qubes/appvms/<vm-name>/private.img
 ~~~
 
-**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will loose your data!** Then reset kernel options back to default:
+**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will lose your data!** Then reset kernel options back to default:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts default
@@ -75,8 +75,8 @@ Done.
 
 If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use.
 
-1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
-2.  Sanity check: verify that none of loop device are pointing at this template root.img: `sudo losetup -a`
+1.  Make sure that all the VMs based on this template are powered off (including netvms etc).
+2.  Sanity check: verify that none of the loop devices are pointing at this template root.img: `sudo losetup -a`
 3.  Resize root.img file using `truncate -s <desired size>` (the root.img path can be obtained from qvm-prefs).
 4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
 5.  Start the template.
diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index bee7272f..0006bb19 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,7 +11,7 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
-The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
+The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have its own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
 
 ### Resize a StandaloneVM Root Image
 
@@ -27,7 +27,7 @@ Then start Terminal for this StandaloneVM and run:
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the StandaloneVM and you will have extended the size of it's `root.img`
+Shutdown the StandaloneVM and you will have extended the size of its `root.img`
 
 
 ### Resize a TemplateVM Root Image
@@ -51,4 +51,4 @@ to do!`.
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the TemplateVM and you will have extended the size of it's `root.img`.
+Shutdown the TemplateVM and you will have extended the size of its `root.img`.
diff --git a/configuration/salt.md b/configuration/salt.md
index 76128d86..4cb64973 100644
--- a/configuration/salt.md
+++ b/configuration/salt.md
@@ -227,7 +227,7 @@ malicious target VM.
 
 ## Writing your own configuration
 
-Let's start with quick example:
+Let's start with a quick example:
 
     my new and shiny vm:
       qvm.present:
@@ -304,7 +304,7 @@ You can set properties of existing domain:
         - netvm: sys-firewall
 
 Note that `name:` is a matcher, ie. it says the domain which properties will be
-manipulated is called `salt-test2`. The implies that you currently cannot rename
+manipulated is called `salt-test2`. This implies that you currently cannot rename
 domains this way.
 
 ### qvm.service
diff --git a/hardware/certified-laptops.md b/hardware/certified-laptops.md
index f8a53e4f..bce9b75f 100644
--- a/hardware/certified-laptops.md
+++ b/hardware/certified-laptops.md
@@ -15,7 +15,7 @@ getting your company's hardware Qubes-certified, please see the [Hardware
 Certification] page.
 
 We aim to partner with a few select computer makers to ensure that Qubes is
-compatible with them and new users have clear path towards getting started
+compatible with them and new users have a clear path towards getting started
 with Qubes if they desire. We look for these makers to be as diverse as possible
 in terms of geography, cost, and availability.
 
diff --git a/installing/live-usb.md b/installing/live-usb.md
index 6e629962..a94cbb7a 100644
--- a/installing/live-usb.md
+++ b/installing/live-usb.md
@@ -29,7 +29,7 @@ traditional Linux distros don't have to bother with:
    version, sorry.
 2. We discovered that the Fedora liveusb-create does *not* verify signatures on
    downloaded packages. We have temporarily fixed that by creating a local repo,
-   verifying the signatures manually (ok, with a script ;) and then building
+   verifying the signatures manually (ok, with a script ;) ) and then building
    from there. Sigh.
 3. We had to solve the problem of Qubes too easily triggering an Out Of Memory
    condition in Dom0 when running as Live OS.
@@ -65,7 +65,7 @@ Live USB variant:
    A nice variant of this persistence option, especially for frequent
    travelers, would be to augment our backup tools so that it was
    possible to create a LiveUSB-hosted backups of select VMs. One could then
-   pick a few of their VMs, necessary for a specific travel, back them to a
+   pick a few of their VMs, necessary for a specific trip, back them up to a
    LiveUSB stick, and take this stick when traveling to a hostile country (not
    risking taking other, more sensitive ones for the travel). This should make
    life a bit simpler
@@ -90,7 +90,7 @@ expectations accordingly.)
 3. Currently there is no "install to disk" option. We will be adding this
    in the future.
 4. The amount of "disk" space is limited by the amount of RAM the laptop
-   has. This has a side effect of e.g. not being able to restore (even few) VMs
+   has. This has a side effect of e.g. not being able to restore (even a few) VMs
    from a large Qubes backup blob.
 5. It's easy to generate Out Of Memory (OOM) in Dom0 by creating lots of VMs
    which are writing a lot into the VMs filesystem.
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 35c6c8fd..223fd63c 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-When for some reason you did not upgraded all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somehow more complicated. This can be a case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be a case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/installing/version-scheme.md b/installing/version-scheme.md
index 447611ff..f538ec78 100644
--- a/installing/version-scheme.md
+++ b/installing/version-scheme.md
@@ -17,7 +17,7 @@ From now on, it will be as follows.
 Qubes distributions and products
 --------------------------------
 
-We intend to make it easy to make a remix of qubes, targeting another
+We intend to make it easy to make a remix of Qubes, targeting another
 hypervisor or isolation provider. We may also create commercial products
 intended for specific circumstances. There is one distinguished distribution
 called **Qubes OS**. All source code for it is available for download under GPL
@@ -28,13 +28,13 @@ Release version
 ---------------
 
 Qubes OS as a whole is released from time to time. Version scheme for all
-releases is modeled after Linux kernel version numbers. When announcing new
+releases is modeled after Linux kernel version numbers. When announcing a new
 release, we decide on the major.minor version (like `3.0`) and release
 `3.0-rc1`. When we feel that enough progress has been made, we put `3.0-rc2`
 and so on. All these versions are considered unstable and not ready for
 production. You may ask for support on mailing lists (specifically
 **qubes-devel**), but it is not guaranteed (you may for example get answer
-„update to newer `-rc`”). Public ISO image may or may not be available.
+“update to newer `-rc`”). Public ISO image may or may not be available.
 
 When enough development has been made, we announce the first stable version,
 like e.g. `3.0.0` (i.e. without `-rc`). This version is considered stable and
@@ -46,7 +46,7 @@ bugfixes as `3.0.1`, `3.0.2` and so on, while new features come into the next
 release e.g. `3.1-rcX`.
 
 Tickets in the tracker are sorted out by release major.minor, such as `3.0`,
-`3.1` (trac calls this „milestone”).
+`3.1` (trac calls this “milestone”).
 
 Release schedule
 ----------------
diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index f1724823..1f68ec87 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -48,7 +48,7 @@ The above command assumes the installation ISO was transferred to Dom0 (copied u
 qvm-start win7 --cdrom=/dev/cdrom
 ~~~
 
-Next the VM will start booting from the attached CDROM device (which in the example above just happens to be a Windows 7 installation disk). Depending on the OS that is being installed in the VM one might be required to start the VM several times (as is the case with Windows 7 installations), because whenever the installer wants to "reboot the system" it actually shutdowns the VM and Qubes won't automatically start it.  Several invocations of qvm-start command (as shown above) might be needed.
+Next the VM will start booting from the attached CDROM device (which in the example above just happens to be a Windows 7 installation disk). Depending on the OS that is being installed in the VM one might be required to start the VM several times (as is the case with Windows 7 installations), because whenever the installer wants to "reboot the system" it actually shuts down the VM and Qubes won't automatically start it.  Several invocations of qvm-start command (as shown above) might be needed.
 
 [![r2b1-win7-installing.png](/attachment/wiki/HvmCreate/r2b1-win7-installing.png)](/attachment/wiki/HvmCreate/r2b1-win7-installing.png)
 
@@ -170,7 +170,7 @@ Cloning HVM domains
 
 Just like normal AppVMs, the HVM domains can also be cloned either using a command-line `qvm-clone` command or via manager's 'Clone VM' option in the right-click menu.
 
-The cloned VM will get identical root and private image and will essentially be an identical of the original VM except that it will get a different MAC address for the networking interface:
+The cloned VM will get identical root and private images and will essentially be identical to the original VM except that it will get a different MAC address for the networking interface:
 
 ~~~
 [joanna@dom0 ~]$ qvm-prefs win7
diff --git a/managing-os/netbsd.md b/managing-os/netbsd.md
index 5b4977e0..8b655ec2 100644
--- a/managing-os/netbsd.md
+++ b/managing-os/netbsd.md
@@ -9,7 +9,7 @@ How to Create a NetBSD VM
 
 1. Create a StandaloneVM with the default template.
 2. Replace `vmlinuz` with the `netbsd-INSTALL_XEN3_DOMU` kernel.
-3. During setup, chose to install on the `xbd1` hard disk.
+3. During setup, choose to install on the `xbd1` hard disk.
 4. Attach the CD to the VM.
 5. Configure the networking.
 6. Optionally enable SSHD during the post-install configuration.
diff --git a/managing-os/pentesting/blackarch.md b/managing-os/pentesting/blackarch.md
index f02575e6..ff3396dd 100644
--- a/managing-os/pentesting/blackarch.md
+++ b/managing-os/pentesting/blackarch.md
@@ -10,9 +10,9 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
-Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.  
+Please keep in mind that using such a VM or VMs based on the template for security and privacy critical tasks is not recommended.  
 
 How to Create a BlackArch VM
 ============================
diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md
index e87dad3c..422c580c 100644
--- a/managing-os/pentesting/kali.md
+++ b/managing-os/pentesting/kali.md
@@ -10,7 +10,7 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
 Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.
 
diff --git a/managing-os/pentesting/ptf.md b/managing-os/pentesting/ptf.md
index 0e3cb216..7c85b169 100644
--- a/managing-os/pentesting/ptf.md
+++ b/managing-os/pentesting/ptf.md
@@ -10,7 +10,7 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
 Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.
 
@@ -21,7 +21,7 @@ How to create Penetration Testers Framework (PTF) VM
 
 PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine." (source [PTF Readme](https://github.com/trustedsec/ptf/blob/master/README.md))
 
-**Note** PTF works on Debian testing as well as on Debian 8. PTF itself works with Debian 8, but the software tools will have missing dependencies. Metasploit for examples requires a newer Ruby version than Debian 8 has in the repositories. Therefor the best way to install PTF is by upgrading a Debian 8 into Debian testing with additional Kali repositories. Instead of installing the tools from Kali, PTF will install and update the newest tools.
+**Note** PTF works on Debian testing as well as on Debian 8. PTF itself works with Debian 8, but the software tools will have missing dependencies. Metasploit for example requires a newer Ruby version than Debian 8 has in the repositories. Therefore the best way to install PTF is by upgrading a Debian 8 into Debian testing with additional Kali repositories. Instead of installing the tools from Kali, PTF will install and update the newest tools.
 
 Create Debian Based Penetration Testers Framework (PTF) Template
 ----------------------------------------------------------------
@@ -108,7 +108,7 @@ possible to do sudo ptf/ptf
                     [*] Exiting PTF - the easy pentest platform creation framework.
                     sudo msfconsole
 
-5. Create a AppVMs based on the `ptf` template
+5. Create an AppVM based on the `ptf` template
 
     - (Optional) Attach necessary devices
 
diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 3bb15f2f..d7ac945b 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -53,18 +53,18 @@ In order to keep the template as small and simple as possible, default installed
 * Some font packages to keep good user experience
 * leafpad: a note pad
 * xfce4-terminal: a terminal
-* thunar: a file browser that support mounting usb keys
+* thunar: a file browser that supports mounting usb keys
 * firefox: web browser
 * thunderbird: a mail browser
 * evince: a document viewer
 
-Note that Archlinux does not install GUI packages by default as this decision is left to users. This packages have only been selected to have a usable template.
+Note that Archlinux does not install GUI packages by default as this decision is left to users. These packages have only been selected to have a usable template.
 
 ## Updating a Qubes-3.1 Archlinux Template
 
-If you decide to use binary packages but that you where using a Qubes-3.1 Template, your can follow these instructions to enable Qubes 3.2 agents.
+If you decide to use binary packages but that you were using a Qubes-3.1 Template, you can follow these instructions to enable Qubes 3.2 agents.
 
-You can use a template that you built for Qubes 3.1 in Qubes 3.2. The qrexec and gui agent functionnalities should still be working so that you can at least open a terminal.
+You can use a template that you built for Qubes 3.1 in Qubes 3.2. The qrexec and gui agent functionalities should still be working so that you can at least open a terminal.
 
 In order to enable binary packages for Qubes 3.2, add the following lines to the end of /etc/pacman.conf
 
@@ -76,22 +76,22 @@ Server = http://olivier.medoc.free.fr/archlinux/current/
 You should then follow the instruction related to pacman-key in order to sign the binary packages PGP key. With the key enabled, a pacman update will update qubes agents:
 ` # pacman -Suy `
 
-The two line that have just been added to /etc/pacman.conf should then be removed as they have been included in the qubes-vm-core update in the file `/etc/pacmand.d/99-qubes-repository-3.2.conf`
+The two lines that have just been added to /etc/pacman.conf should then be removed as they have been included in the qubes-vm-core update in the file `/etc/pacmand.d/99-qubes-repository-3.2.conf`
 
 ## Known Issues
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-In case archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
+In the case of archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
 
-In this case, the gui-agent-linux component of Qubes-OS needs to be rebuild using these last xorg-server or pulseaudio libraries. You can try to rebuilt it yourself or wait for a new qubes-vm-gui package to be available.
+In this case, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
 
-### qubes-vm is apparently starting properly (green dot) however graphical applications do not appears to work
+### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 
-They are multiple potential reasons. Some of them are described in the following issues:
+They are multiple potential reasons. Some of them are described in the following issue:
 * https://github.com/QubesOS/qubes-issues/issues/2612
 
-In issue 2612, check that the option `noauto` is present for all lines in /etc/fstab related to /rw or /home. This bug can appears if you come from an old Archlinux Template (pre February 2017).
+In issue 2612, check that the option `noauto` is present for all lines in /etc/fstab related to /rw or /home. This bug can appear if you come from an old Archlinux Template (pre February 2017).
 
 ## Debugging a broken VM
 
@@ -101,7 +101,7 @@ In order to identify the issue, you should start by getting a console access to
 
 * Or by running in dom0 `sudo xl console yourbrokenvm`
 
-Starts by trying to run a GUI application such as xfce4-terminal in order to identify any error message.
+Start by trying to run a GUI application such as xfce4-terminal in order to identify any error message.
 
 Then you can check potential broken systemd service by running the following command inside the broken vm: `systemctl | grep fail`.
 
@@ -112,7 +112,7 @@ Finally, errors related to the GUI agent can be found inside the VM in `/home/us
 ## Packages manager wrapper
 
 
-Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages.
+Powerpill is a full Pacman wrapper that not only gives easy proxy configuration but further offers numerous other advantages.
 
 Please check out:
 
@@ -121,7 +121,7 @@ Please check out:
 [XYNE's (dev) Powerpill](http://xyne.archlinux.ca/projects/powerpill/)
 
 
-**Important Note:** As you are working in a template vm, by default, you will have to open network access to the template to download files manually, except for package managed which should be handled by the Qubes proxy. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services through the same window.  Remember to change it back if you choose the later route.  Actions needing network access will be noted with (needs network access)
+**Important Note:** As you are working in a template vm, by default, you will have to open network access to the template to download files manually, except for managed packages which should be handled by the Qubes proxy. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services through the same window.  Remember to change it back if you choose the later route.  Actions needing network access will be noted with (needs network access)
 
 <br>
 <br>
@@ -134,7 +134,7 @@ Please check out:
 
 *   **$ sudo nano -w /etc/pacman.conf**
         
-* Below is the output of a correct pacman.conf file  Make the changes so your file matches this one or rename the original and create a new one and copy and paste this text into it.  Text should be justified left in the file.  The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos.  Also to add the repo (at the end) for the Powerpill package.
+* Below is the output of a correct pacman.conf file  Make the changes so your file matches this one or rename the original and create a new one and copy and paste this text into it.  Text should be justified left in the file.  The changes from your default are to make gpg signing mandatory for packages but not required for DBs for the archlinux repos.  Also to add the repo (at the end) for the Powerpill package.
 
 
 <br>
diff --git a/managing-os/templates/debian/upgrade-8-to-9.md b/managing-os/templates/debian/upgrade-8-to-9.md
index e8db7255..0b564055 100644
--- a/managing-os/templates/debian/upgrade-8-to-9.md
+++ b/managing-os/templates/debian/upgrade-8-to-9.md
@@ -116,7 +116,7 @@ Additional Information
 ----------------------
 
 It should be noted that Debian 9 (Stretch) is currently marked testing and
-should be treat as such. For projects that need absolute stability, upgrading
+should be treated as such. For projects that need absolute stability, upgrading
 may not be the best option.
 
 Debian Stretch packages were first made available in the Qubes R3.1 repositories.
diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md
index 433e6e5c..325cbc88 100644
--- a/managing-os/templates/fedora-minimal.md
+++ b/managing-os/templates/fedora-minimal.md
@@ -29,7 +29,7 @@ The download may take a while depending on your connection speed.
 Duplication and first steps
 ---------------------------
 
-It is higly recommended to clone the original template, and make any changes in the clone instead of the original template. The following command clones the template. Replace `your-new-clone` with your desired name.
+It is highly recommended to clone the original template, and make any changes in the clone instead of the original template. The following command clones the template. Replace `your-new-clone` with your desired name.
 
 ~~~
 [user@dom0 ~]$ qvm-clone fedora-24-minimal your-new-clone
diff --git a/managing-os/templates/fedora/upgrade-20-to-21.md b/managing-os/templates/fedora/upgrade-20-to-21.md
index 402a022d..46e1b3a9 100644
--- a/managing-os/templates/fedora/upgrade-20-to-21.md
+++ b/managing-os/templates/fedora/upgrade-20-to-21.md
@@ -202,7 +202,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size](/doc/resize-disk-image/).
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`. It should be easy to
diff --git a/managing-os/templates/fedora/upgrade-21-to-23.md b/managing-os/templates/fedora/upgrade-21-to-23.md
index 0353de2c..075ffa13 100644
--- a/managing-os/templates/fedora/upgrade-21-to-23.md
+++ b/managing-os/templates/fedora/upgrade-21-to-23.md
@@ -185,7 +185,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size](/doc/resize-disk-image/).
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`. It should be easy to
diff --git a/managing-os/templates/fedora/upgrade-23-to-24.md b/managing-os/templates/fedora/upgrade-23-to-24.md
index 73b7b8af..9c95da15 100644
--- a/managing-os/templates/fedora/upgrade-23-to-24.md
+++ b/managing-os/templates/fedora/upgrade-23-to-24.md
@@ -215,7 +215,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size][resize-disk-image].
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`.
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index c43487b9..43712c6a 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -124,14 +124,14 @@ Qubes allows HVM VMs to share a common root filesystem from a select Template VM
 qvm-create --hvm-template win7-x64-template -l green
 ~~~
 
-... and install Windows OS (or other OS) into this template the same way as you would install it into a normal HVM -- please see [this page](/doc/hvm-create/) instructions. However, it would make lots of sense to store the `C:\Users` directory on the 2nd disk which is automatically exposed by Qubes to all HVMs. This 2nd disk is backed by the `private.img` file in the AppVMs' and is not reset upon AppVMs reboot, so the user's directories and profiles would survive the AppVMs reboot, unlike the "root" filesystem which will be reverted to the "golden image" from the Template VM automatically. To facilitate such separation of user profiles, Qubes Windows Tools provide an option to automatically move `C:\Users` directory to the 2nd disk backed by `private.img`. It's a selectable feature of the installer, enabled by default. If that feature is selected during installation, completion of the process requires two reboots:
+... and install Windows OS (or other OS) into this template the same way as you would install it into a normal HVM -- please see instructions on [this page](/doc/hvm-create/). However, it would make lots of sense to store the `C:\Users` directory on the 2nd disk which is automatically exposed by Qubes to all HVMs. This 2nd disk is backed by the `private.img` file in the AppVMs' and is not reset upon AppVMs reboot, so the user's directories and profiles would survive the AppVMs reboot, unlike the "root" filesystem which will be reverted to the "golden image" from the Template VM automatically. To facilitate such separation of user profiles, Qubes Windows Tools provide an option to automatically move `C:\Users` directory to the 2nd disk backed by `private.img`. It's a selectable feature of the installer, enabled by default. If that feature is selected during installation, completion of the process requires two reboots:
 
 -   The private disk is initialized and formatted on the first reboot after tools installation. It can't be done **during** the installation because Xen mass storage drivers are not yet active.
 -   User profiles are moved to the private disk on the next reboot after the private disk is initialized. Reboot is required because the "mover utility" runs very early in the boot process so OS can't yet lock any files in there. This can take some time depending on the profiles' size and because the GUI agent is not yet active dom0/Qubes Manager may complain that the AppVM failed to boot. That's a false alarm (you can increase AppVM's default boot timeout using `qvm-prefs`), the VM should appear "green" in Qubes Manager shortly after.
 
-It also makes sense to disable Automatic Updates for all the template-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide setting are stored in the root filesystem (which holds the system-wide registry hives). Then, periodically check for updates in the Template VM and the changes will be carried over to any child AppVMs.
+It also makes sense to disable Automatic Updates for all the template-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide settings are stored in the root filesystem (which holds the system-wide registry hives). Then, periodically check for updates in the Template VM and the changes will be carried over to any child AppVMs.
 
-Once the template has been created and installed it is easy to create AppVMs based on:
+Once the template has been created and installed it is easy to create AppVMs based on it:
 
 ~~~
 qvm-create --hvm <new windows appvm name> --template <name of template vm> --label <label color>
diff --git a/privacy/anonymizing-your-mac-address.md b/privacy/anonymizing-your-mac-address.md
index b59c6ada..44d28405 100644
--- a/privacy/anonymizing-your-mac-address.md
+++ b/privacy/anonymizing-your-mac-address.md
@@ -149,7 +149,7 @@ macspoof-enp0s0  meminfo-writer   updates-proxy-setup
 ~~~
 
 Now, also within the TemplateVM, type the following commands for each hardware device that you want to randomize a MAC 
-addresses for
+address for
 
 ~~~
 sudo systemctl enable macspoof@wlp0s1
diff --git a/privacy/whonix-install.md b/privacy/whonix-install.md
index d8f1cd6f..70e854a6 100644
--- a/privacy/whonix-install.md
+++ b/privacy/whonix-install.md
@@ -19,7 +19,7 @@ Using privacy and anonymization tools like Whonix is not a magical solution that
 * Do you think nobody can eavesdrop on your communications because you are using Tor?
 * Do you know how Whonix works?
 
-If you answered no, have a look at the [about](https://www.whonix.org/wiki/About), [warning](https://www.whonix.org/wiki/Warning) and [do not](https://www.whonix.org/wiki/DoNot) pages (on the Whonix website) to make sure Whonix is the right tool for you and you understand  it's limitations.
+If you answered no, have a look at the [about](https://www.whonix.org/wiki/About), [warning](https://www.whonix.org/wiki/Warning) and [do not](https://www.whonix.org/wiki/DoNot) pages (on the Whonix website) to make sure Whonix is the right tool for you and you understand its limitations.
 
 ---
 
@@ -37,7 +37,7 @@ After doing this, you should see two new TemplateVMs in the VM Manager called `w
 
 ### Enabling AppArmor
 
-This is an optional security enhancement (for testers-only). If you’re technical & interested, see [Enabling AppArmor](/doc/privacy/customizing-whonix/).
+This is an optional security enhancement (for testers-only). If you’re technical and interested, see [Enabling AppArmor](/doc/privacy/customizing-whonix/).
 
 ### Configuring Whonix VMs
 
@@ -57,7 +57,7 @@ Great. You should be all done installing Whonix into Qubes. Use these two Templa
 
 ### Running Applications
 
-To start an application in the **Whonix-Workstation AppVM** that you created, launch it like any other- open the `Qubes App Launcher` and then select an app such as `Privacy Browser` which will then launch the Tor Browser
+To start an application in the **Whonix-Workstation AppVM** that you created, launch it like any other- open the `Qubes App Launcher` and then select an app such as `Privacy Browser` which will then launch the Tor Browser.
 
 ### Advanced Information
 
diff --git a/releases/1.0/release-notes.md b/releases/1.0/release-notes.md
index 993516ab..7743684b 100644
--- a/releases/1.0/release-notes.md
+++ b/releases/1.0/release-notes.md
@@ -16,7 +16,7 @@ Known issues
 
 -   Installer might not support some USB keyboards (\#230). This seems to include all the Mac Book keyboards (most PC laptops have PS2 keyboards and are not affected).
 
--   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somehow ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
+-   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somewhat ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
 
 -   Some keyboard layout set by KDE System Settings can cause [keyboard not working at all](https://groups.google.com/group/qubes-devel/browse_thread/thread/77d076b65dda7226). If you hit this issue, you can switch to console (by console login option) and manually edit `/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf` (and `/etc/sysconfig/keyboard`) and place correct keyboard layout settings (details in linked thread). You can check if specific keyboard layout settings are proper using `setxkbmap` tool.
 
diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index f875f679..390f4a36 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    somehow minimize these consequences with this canary thing.
+    somewhat minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.
@@ -254,7 +254,7 @@ verifying its contents, and reading them.
     good.)
 
 The same procedures can be applied to any directory or file in the
-`qubes-secpack`. Two methods of verification (signed Git tags and deatched PGP
+`qubes-secpack`. Two methods of verification (signed Git tags and detached PGP
 signatures) are provided to ensure that the system is robust (e.g., against a
 potential failure in Git tag-based verification) and to give users more options
 to verify the files.
diff --git a/security/security-guidelines.md b/security/security-guidelines.md
index 1bfa6551..d317a14b 100644
--- a/security/security-guidelines.md
+++ b/security/security-guidelines.md
@@ -58,7 +58,7 @@ Observing Security Contexts
 Each VM is assigned a specific colour for its window borders. These borders are how Qubes displays the **security context** of applications and data so that users can be easily aware of this at all times. Be sure to check the colour of window borders before taking any action, particularly if it affects the security of your system. [See this blog post for more information](https://blog.invisiblethings.org/2011/05/21/app-oriented-ui-model-and-its-security.html).
 
 Always remember that any "red" window can draw "green" password prompts. 
-Don't let yourself be tricked into entering credentials designated to one qube into a forged input boxes rendered by another.
+Don't let yourself be tricked into entering credentials designated to one qube into a forged input box rendered by another.
 For XFCE users (which is the default desktop environment on QubesOS) it would be wise to manually move the more trusted window so that it is not displayed on top of a less trusted one, but rather over the trusted Dom0 wallpaper. 
 If you use KDE, it has a helpful feature called **Expose-like effect** that is activated in System Tools -\> System Settings -\> Desktop Effects -\> All Effects -\> Desktop Grid Present Windows. 
 Performing these steps makes it easier to tell the difference between when you're being phished and when you're genuinely being asked for credentials.
diff --git a/security/split-bitcoin.md b/security/split-bitcoin.md
index bb284fa0..cfabf994 100644
--- a/security/split-bitcoin.md
+++ b/security/split-bitcoin.md
@@ -48,7 +48,7 @@ Important Notes
 * The private keys (xpriv) should never be moved outside of `offline-bitcoin`.
 * For copying out the public keys (xpub), Qubes provides two secure, convenient
   methods: the [inter-VM clipboard] and [inter-VM file copy] tools. Compared to
-  traditional physically air-gapped machines, these tools makes it very easy to
+  traditional physically air-gapped machines, these tools make it very easy to
   copy out public keys.
 
 [inter-VM clipboard]: /doc/copy-paste/
diff --git a/security/yubi-key.md b/security/yubi-key.md
index a01fff13..1635f181 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -24,23 +24,23 @@ package. This package does not support sharing the same key slot with other
 applications (it will deny further authentications if you try).
 
 Contrary to instruction there, currently there is no binary packages in Qubes
-repository and you need to compile it yourself. This can change in the future.
+repository and you need to compile it yourself. This might change in the future.
 
 Challenge-reponse mode
 ----------------------
 
 In this mode, your YubiKey will generate response based on secret key, and
 random challenge (instead of counter). This means that it isn't possible to
-generate response in advance even when someone get access to your YubiKey. This
-makes reasonably safe to use the same YubiKey for other services (also in
+generate response in advance even if someone gets access to your YubiKey. This
+makes it reasonably safe to use the same YubiKey for other services (also in
 challenge-response mode).
 
-Same as in OTP case, you will need to setup your YubiKey, choose separate
+Same as in OTP case, you will need to set up your YubiKey, choose separate
 password (other than your login password!) and apply the configuration.
 
-To use this mode you need:
+To use this mode you need to:
 
-1. Configure your YubiKey for challenge-reponse HMAC-SHA1 mode, for example
+1. Configure your YubiKey for challenge-response HMAC-SHA1 mode, for example
    [following this
    tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/)
 2. Install `ykpers` package in template on which your USB VM is based.
@@ -93,31 +93,31 @@ password associated with YubiKey. If you configured so, YubiKey will request
 confirmation by pressing button on it (it will blink).
 When everything is ok, your screen will be unlocked.
 
-In any case you can still use your login password, but do it in secure location
+In any case you can still use your login password, but do it in a secure location
 where no one can snoop your password.
 
 Locking the screen when YubiKey is removed
 ------------------------------------------
 
 You can setup your system to automatically lock the screen when you unplug
-YubiKey. This will require creating simple qrexec service which will expose
-ability to lock the screen to your USB VM, and then adding udev hook to
+YubiKey. This will require creating a simple qrexec service which will expose
+the ability to lock the screen to your USB VM, and then adding udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
-  with simple command to lock the screen. In case of xscreensaver (used in Xfce)
+  with a simple command to lock the screen. In case of xscreensaver (used in Xfce)
   it would be:
 
         DISPLAY=:0 xscreensaver-command -lock
 
-2. Allow your USB VM to call that service. Assuming that its named `sys-usb` it
+2. Allow your USB VM to call that service. Assuming that it's named `sys-usb` it
 would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
 
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
 persistent across VM restarts. For example name the file
-`/rw/config/yubikey.rules`. Write there single line:
+`/rw/config/yubikey.rules`. Write there a single line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index 3ed33a49..659073af 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -32,7 +32,7 @@ Preparing a savefile is done by */usr/lib/qubes/qubes\_prepare\_saved\_domain.sh
 8.  the domain is saved via *xl save*
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-*qubes\_prepare\_saved\_domain.sh* script is somehow lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+*qubes\_prepare\_saved\_domain.sh* script is somewhat lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
diff --git a/system/security-critical-code.md b/system/security-critical-code.md
index 7fd9a5d2..95a353c1 100644
--- a/system/security-critical-code.md
+++ b/system/security-critical-code.md
@@ -48,7 +48,7 @@ Additionally when we consider attacks that originate through a compromised netwo
 Buggy Code vs. Back-doored Code Distinction
 -------------------------------------------
 
-There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somehow trusted, while all others could be not.
+There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somewhat trusted, while all others could be not.
 
 The above means that we must trust at least some of the vendors (not all, of course, but at least those few that provide the apps that we use in the most critical domains). In practice in Qubes OS we trust the software provided by Fedora project. This software is signed by Fedora distribution keys and so it is also critical that the tools used in domains for software updates (yum and rpm) be trusted.
 
diff --git a/troubleshooting/updating-debian-and-whonix.md b/troubleshooting/updating-debian-and-whonix.md
index a14f8561..39091d1f 100644
--- a/troubleshooting/updating-debian-and-whonix.md
+++ b/troubleshooting/updating-debian-and-whonix.md
@@ -58,7 +58,7 @@ Sometimes if you see a message such as:
 Could not resolve 'security.debian.org'
 ~~~
 
-It helps to running the following command:
+It helps to run the following command:
 
 ~~~
 nslookup security.debian.org
@@ -135,4 +135,4 @@ Be careful. If the updated file isn't coming from Whonix specific package (some
 How could you find out if the file is coming from a Whonix specific package or not?
 
 * Whonix specific packages are sometimes called `whonix-...`. In the example above it's saying `Setting up ifupdown ...`, so the file isn't coming from a Whonix specific package. In this case, you should press `n` as advised in the paragraph above.
-* If the package name does include `whonix-...`, it's a Whonix specific package. In that case, your safest bet should be pressing `y`, but then you would loose your customized settings. You can re-add them afterwards. Such conflicts will hopefully rarely happen, if you use [Whonix modular flexible .d style configuration folders](https://www.whonix.org/wiki/Whonix_Configuration_Files).
+* If the package name does include `whonix-...`, it's a Whonix specific package. In that case, your safest bet should be pressing `y`, but then you would lose your customized settings. You can re-add them afterwards. Such conflicts will hopefully rarely happen, if you use [Whonix modular flexible .d style configuration folders](https://www.whonix.org/wiki/Whonix_Configuration_Files).

From 2f369c1309080cb1691cf5441ca4c3d46c38c599 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Fri, 12 May 2017 10:12:02 +1000
Subject: [PATCH 009/125] more minor typo/grammar fixes

---
 building/development-workflow.md              |  2 +-
 building/qubes-builder-details.md             |  4 +-
 common-tasks/managing-appvm-shortcuts.md      |  2 +-
 common-tasks/software-update-vm.md            |  2 +-
 common-tasks/usb.md                           |  2 +-
 configuration/managing-vm-kernel.md           |  4 +-
 customization/bind-dirs.md                    |  6 +-
 customization/dark-theme.md                   |  8 +--
 customization/dispvm-customization.md         |  2 +-
 .../fedora-minimal-template-customization.md  | 26 ++++----
 customization/language-localization.md        |  2 +-
 .../windows-template-customization.md         | 20 +++---
 debugging/vm-interface.md                     |  2 +-
 installing/upgrade/upgrade-to-r3.0.md         |  2 +-
 managing-os/windows/windows-appvms.md         |  2 +-
 reference/dom0-tools/qvm-run.md               |  2 +-
 reference/glossary.md                         |  2 +-
 releases/3.1/release-notes.md                 |  2 +-
 security/yubi-key.md                          |  4 +-
 services/qrexec2.md                           |  2 +-
 services/qrexec3.md                           | 62 +++++++++----------
 system/gui.md                                 |  2 +-
 troubleshooting/install-nvidia-driver.md      | 20 +++---
 troubleshooting/macbook-troubleshooting.md    | 20 +++---
 troubleshooting/nvidia-troubleshooting.md     |  6 +-
 troubleshooting/out-of-memory.md              |  4 +-
 troubleshooting/sony-vaio-tinkering.md        |  6 +-
 troubleshooting/thinkpad-troubleshooting.md   |  2 +-
 troubleshooting/uefi-troubleshooting.md       | 10 +--
 29 files changed, 115 insertions(+), 115 deletions(-)

diff --git a/building/development-workflow.md b/building/development-workflow.md
index 4ddce81f..3f9b2fcd 100644
--- a/building/development-workflow.md
+++ b/building/development-workflow.md
@@ -419,7 +419,7 @@ Remember to also import gpg public key using `rpm --import`.
 
 ### Deb packages - Apt repo
 
-Steps are mostly the same as in case of yum repo. Only details differs:
+Steps are mostly the same as in the case of yum repo. The only details that differ:
 
  - use [linux-deb] instead of [linux-yum] as a base - both in source and target VM
  - use different `update_repo.sh` script in source VM (below)
diff --git a/building/qubes-builder-details.md b/building/qubes-builder-details.md
index 735c4cc5..48e5e7d6 100644
--- a/building/qubes-builder-details.md
+++ b/building/qubes-builder-details.md
@@ -33,8 +33,8 @@ Variables for Windows build:
 -   `WIN_SIGN_CMD` Command used to sign resulting binaries. Note that default value is *sign.bat*. If you don't want to sign binaries, specify some placeholder here (eg. *true*). Check existing components (eg. vmm-xen-windows-pvdrivers) for example scripts. This command will be run with certain environment variables:
     -   `CERT_FILENAME` Path to key file (pfx format)
     -   `CERT_PASSWORD` Key password
-    -   `CERT_PUBLIC_FILENAME` Certificate path in case of self-signed cert
-    -   `CERT_CROSS_CERT_FILENAME` Certificate path in case of correct autheticode cert
+    -   `CERT_PUBLIC_FILENAME` Certificate path in the case of self-signed cert
+    -   `CERT_CROSS_CERT_FILENAME` Certificate path in the case of correct autheticode cert
     -   `SIGNTOOL` Path to signtool
 -   `WIN_PACKAGE_CMD` Command used to produce installation package (msi or msm). Default value is *wix.bat*, similar to above - use *true* if you don't want this command.
 -   `WIN_OUTPUT_HEADERS` Directory (relative to `WIN_SOURCE_SUBDIRS` element) with public headers of the package - for use in other components.
diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index 9c8ec8f2..237d9368 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -33,7 +33,7 @@ What about applications in DispVMs?
 Behind the scenes
 -----------------
 
-The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in the case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
 
 Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
 Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 45492d6b..c1e1a716 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -204,7 +204,7 @@ Note on treating AppVM's root filesystem non-persistency as a security feature
 
 As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots. In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM. This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
 
-However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistency, in case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
+However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistency, in the case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
 
 One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM. But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there). Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem. However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
 
diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 6411199b..9d267aed 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -307,7 +307,7 @@ steps:
       brackets by `qvm-block` command
     * `phy:/dev/sda` - physical path at which device appears in source qube
       (just after source qube name in `qvm-block` output)
-    * `backend=sys-usb` - name of source qube, can be omitted in case of dom0
+    * `backend=sys-usb` - name of source qube, can be omitted in the case of dom0
     * `xvdi` - "frontend" device name (listed at the end of line in `qvm-block`
       output)
 
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 4f4c675a..6166337b 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -144,7 +144,7 @@ possible to use VM kernel, which is not packaged by Qubes team. This includes:
 
 To prepare such VM kernel, you need to install `qubes-kernel-vm-support`
 package in dom0 and also have matching kernel headers installed (`kernel-devel`
-package in case of Fedora kernel package). You can install required stuff using `qubes-dom0-update`:
+package in the case of Fedora kernel package). You can install required stuff using `qubes-dom0-update`:
 
 ~~~
 [user@dom0 ~]$ sudo qubes-dom0-update qubes-kernel-vm-support kernel-devel
@@ -326,7 +326,7 @@ When starting the VM you can safely ignore any warnings about a missing module '
 
 ### Troubleshooting
 
-In case of problems, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
+In the event of a problem, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
 GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
 expires) - for example in separate dom0 terminal window.
 
diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index 8ce2c986..8fc01a62 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -8,7 +8,7 @@ redirect_from:
 
 # How to make any file in a TemplateBasedVM persistent using bind-dirs #
 
-## What is bind-dirs? ##
+## What are bind-dirs? ##
 
 With [bind-dirs](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-systemd/bind-dirs.sh)
 any arbitrary files or folders can be made persistent in TemplateBasedVMs.
@@ -49,7 +49,7 @@ Multiple entries are possible, each on a separate line.
 
 6. Done.
 
-If you added for example folder `/var/lib/tor` to the `binds` variable, from now any files within that folder would persist reboots. If you added for example file `/etc/tor/torrc` to the `binds` variable, from now any modifications to that file would persist reboots.
+If you added for example folder `/var/lib/tor` to the `binds` variable, from now on any files within that folder will persist reboots. If you added for example file `/etc/tor/torrc` to the `binds` variable, from now on any modifications to that file will persist reboots.
 
 ## Other Configuration Folders ##
 
@@ -89,7 +89,7 @@ For example, if you wanted to make `/var/lib/tor` non-persistant in `sys-whonix`
 binds=( "${binds[@]/'/var/lib/tor'}" )
 ~~~
 
-(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is recommended against, since such changes get lost when that file is changed in the package on upgrades.)
+(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is not recommended, since such changes get lost when that file is changed in the package on upgrades.)
 
 ## Discussion ##
 
diff --git a/customization/dark-theme.md b/customization/dark-theme.md
index 5599a848..1c046bb3 100644
--- a/customization/dark-theme.md
+++ b/customization/dark-theme.md
@@ -70,7 +70,7 @@ This is the result after applying the steps described here.
 
         ![result black Qubes Manager](/attachment/wiki/Dark-Theme/kde-black-qubes-manager.png)
 
-**Note:** Chaning the `Window Decorations` from `Plastik for Qubes` will remove the border color and the VM name. The problem with `Plastik for Qubes` is, that it does not overwrite the background and text color for Minimize, Maximize and Close buttons. The three button are therefor hard to read.
+**Note:** Changing the `Window Decorations` from `Plastik for Qubes` will remove the border color and the VM name. The problem with `Plastik for Qubes` is, that it does not overwrite the background and text color for Minimize, Maximize and Close buttons. The three button are therefore hard to read.
 
 Dark XCFE in Dom0
 -----------------
@@ -109,7 +109,7 @@ This is the result after applying the steps described here.
 Dark App VM, Template VM, Standalone VM, HVM (Linux Gnome)
 ==========================================================
 
-Almost all Qubes VM's are based on the Gnome desktop. Therefor the description below is focused on the Gnome Desktop Environment.
+Almost all Qubes VM's are based on the Gnome desktop. Therefore the description below is focused on the Gnome Desktop Environment.
 
 Using "Gnome-Tweak-Tool"
 ------------------------
@@ -120,7 +120,7 @@ The advantage of creating a dark themed Template VM is, that each AppVM which is
 
 1. Start VM
 
-    **Note:** In case of App VM start the Template on which the AppVM is based on.
+    **Note:** In the case of App VM start the Template on which the AppVM is based on.
 
 2. Install `Gnome-Tweak-Tool`
 
@@ -174,7 +174,7 @@ Manually works for Debian, Fedora and Archlinux.
 
 1. Start VM
 
-    **Note:** In case of App VM start the Template on which the AppVM is based on.
+    **Note:** In the case of App VM start the Template on which the AppVM is based on.
 
 2. Enable `Global Dark Theme`
 
diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index 9c3be657..ff59dcc0 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -49,7 +49,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 
diff --git a/customization/fedora-minimal-template-customization.md b/customization/fedora-minimal-template-customization.md
index 0a186f67..94f05e1b 100644
--- a/customization/fedora-minimal-template-customization.md
+++ b/customization/fedora-minimal-template-customization.md
@@ -17,7 +17,7 @@ Template installation
 
 *Note*: the template may not start in Qubes R3 when using kernel 3.19 (unstable). In this case, switch the AppVM or TemplateVM to the kernel 3.18.
 
-*Note*: If you have doubts about a set of tool or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That the (QubesOS?) template philosophy.
+*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (QubesOS?) template philosophy.
 
 Standard tools installation
 ================
@@ -27,9 +27,9 @@ Administration (documented)
 
 sudo pciutils vim-minimal less tcpdump telnet psmisc nmap nmap-ncat usbutils
 
-*Notes*: nmap can be used to discover a network (nmap -sP [network]), especially if you are inside a Microsoft network, because your AppVM will be protected/NATted behind Qubes firewall (microsoft / home network are heavily using autodiscovery technologies which require to be in the same local network (no firewall/no NAT), eg: your printer.
+*Notes*: nmap can be used to discover a network (nmap -sP [network]), especially if you are inside a Microsoft network, because your AppVM will be protected/NATted behind Qubes firewall (Microsoft / home network are heavily using autodiscovery technologies which require to be in the same local network (no firewall/no NAT), eg: your printer).
 
-Some recommendation here: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to allow temporarily the Qubes Firewall if you are inside a TemplateVM.
+Some recommendation here: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipment: nmap -sP 192.168.1.-. Don't forget to temporarily allow traffic via the Qubes Firewall if you are inside a TemplateVM.
 
 Administration (undocumented)
 -------------------------------------------------
@@ -77,7 +77,7 @@ Search for a VPN package for your particular vpn solution
 
 OR
 
-For manual handling of VPN (and because NetworkManager is not available in proxyVMs, check the Qubes-users mail threads on google group
+For manual handling of VPN (and because NetworkManager is not available in proxyVMs, check the Qubes-users mail threads on google group)
 
 (cprise started a good one on openvpn: [OPENVPNSETUP] "[qubes-users] OpenVPN Setup, Revisited Again!")
 
@@ -95,11 +95,11 @@ Manual operations
 
 - Don't forget to restart your TemplateVM or only the cups service when you installed cups (systemctl start cups)
 
-- First you need to search for your printer. If you don't know its name or IP, search for it using nmap: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to allow temporarily the Qubes Firewall if you are inside a TemplateVM.
+- First you need to search for your printer. If you don't know its name or IP, search for it using nmap: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to temporarily allow traffic via the Qubes Firewall if you are inside a TemplateVM.
 
 - Once you identified your printer, run system-config-printer GUI to install your printer
 
-- You man need to cancel the operation to install more adapted printer drivers (eg: if the driver cannot be found automatically). Use yum search printername to find potential drivers (eg yum search photosmart)
+- You may need to cancel the operation to install more adapted printer drivers (eg: if the driver cannot be found automatically). Use yum search printername to find potential drivers (eg yum search photosmart)
 
 GUI recommendations
 =============
@@ -135,13 +135,13 @@ Miscellaneous packages
 GUI themes
 -----------------
 
-Managing GUI theme / appearance is often complex because when you do not want to depends on a specific desktop system.
+Managing GUI theme / appearance is often complex because when you do not want to depend on a specific desktop system.
 
 For this reason, we need to customize themes for each GUI framework that our application depends on.
 
 This often includes GTK2, GTK3 (which us a different configuration/themes than GTK2), Qt.
 
-The apparance of Windows can only be changed in dom0, however, the appearance of all buttons, menus, icons, widgets are specific to each AppVM.
+The appearance of Windows can only be changed in dom0, however, the appearance of all buttons, menus, icons, widgets are specific to each AppVM.
 
 ### Packages
 
@@ -155,7 +155,7 @@ You can check your currently installed theme packages (to eventually remove them
 
 ### Tweaking theme and appearance
 
-First you can get an insight of installed Gtk theme and see how it will appears using lxappearance.
+First you can get an insight of installed Gtk theme and see how it will appear using lxappearance.
 
 I recommend not applying settings using lxappearance (do not click on apply) because it will create multiple configuration files.
 
@@ -176,12 +176,12 @@ Cleaning the whole dconf settings is also possible by removing the following fil
 rm ~/.config/dconf/user
 ~~~
 
-*Note*: lxappearance only have effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
+*Note*: lxappearance only has an effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
              However, it is very lightweight and can be used to identify the name and look of themes you are interested in.
              Once you have the name, you can apply it using gsetting command line or gconf-editor.
 
-*Note*: if you really want a GUI theme editor, you can install gnome-tweak-tools, but this tool have a lot
-            of gnome dependencies (~150MB of dependencies). Eventually install it and uninstall it as soon as you changed your theme.
+*Note*: if you really want a GUI theme editor, you can install gnome-tweak-tools, but this tool has a lot
+            of gnome dependencies (~150MB of dependencies). You can install it and uninstall it as soon as you change your theme.
 
 #### Testing notes
 
@@ -258,7 +258,7 @@ Getting an uniform look for Qt & GTK is not achieved yet. A good source is on th
 Two case:
 
 1. You installed packages of the theme you selected both for Qt, GTK2 and GTK3.
-    (eg: Adwaita which is the default theme. I did not found another cross framework theme on fedora default packages).
+    (eg: Adwaita which is the default theme. I have not found another cross framework theme on fedora default packages).
 
 2. You want to use the GTK theme you selected for Qt but there is no qt package.
     In this case QGtkStyle will take precedence and convert the style automatically.
diff --git a/customization/language-localization.md b/customization/language-localization.md
index 81f327fb..fa95faf5 100644
--- a/customization/language-localization.md
+++ b/customization/language-localization.md
@@ -18,7 +18,7 @@ How to set up pinyin input in Qubes
 
 2. Close and shut down the TemplateVM. 
 
-3. Restart an AppVM which based on the template you installed `ibus-pinyin` and open a terminal.
+3. Restart an AppVM which is based on the template you installed `ibus-pinyin` in, and open a terminal.
  
 4. Run `ibus-setup`
 
diff --git a/customization/windows-template-customization.md b/customization/windows-template-customization.md
index 78387a09..1503b063 100644
--- a/customization/windows-template-customization.md
+++ b/customization/windows-template-customization.md
@@ -25,14 +25,14 @@ Only keep:
 
 *Note*: Windows search is recommended because it is a nightmare to find something in menus if it is not enabled (it removes the search bar from the start menu, from the explorer, and from the control panel).
 
-*Note*: Unselecting windows media, .Net and Internet Explorer will uninstall these components. on a new install it is generally old versions anyway and it will be quicker to install directly the new versions later.
+*Note*: Unselecting windows media, .Net and Internet Explorer will uninstall these components. On a new install they are generally old versions anyway and it will be quicker to install directly the new versions later.
 
 Windows services
 ---------------------------
 
 Disable the following services that are not required or have no sense in a VM context:
 
- * Base Filtering Engine (only required if your want to use Microsoft IPSEC)
+ * Base Filtering Engine (only required if you want to use Microsoft IPSEC)
  * DHCP Client
  * Function Discovery Provider Host
 
@@ -53,7 +53,7 @@ Disable the following services that are not required or have no sense in a VM co
 Windows update
 --------------------------
 
-I recommend disabling windows update (Never Check for Update) because checking for updates will start every time you start an AppVM if you don't started your template after some days.
+I recommend disabling windows update (Never Check for Update) because checking for updates will start every time you start an AppVM if you haven't started your template in a while.
 
 Running windows update is also apparently IO hungry.
 
@@ -64,8 +64,8 @@ System properties
 
 Right click on computer and go to Properties > Advanced > Performances:
 
- * If your don't care about visual effect, in Visual Effect select "Adjust for best performance"
- * I personally tweak the page file size to win some place on my root.
+ * If you don't care about visual effect, in Visual Effect select "Adjust for best performance"
+ * I personally tweak the page file size to win some space on my root.
 
     In Advanced>Performances>Advanced tab, change Virtual memory:
 
@@ -75,16 +75,16 @@ Right click on computer and go to Properties > Advanced > Performances:
         4. click on set
         5. click on drive d:
         6. select customer size
-        7. use an initial size of 500 and a max size of 1000. If the page file is too small, you will notify a low memory pop up when working on windows. In this case, it often means that you should extend your AppVM RAM.
+        7. use an initial size of 500 and a max size of 1000. If the page file is too small, you will notice a low memory pop up when working on windows. In this case, it often means that you should extend your AppVM RAM.
 
  * System Protection
 
-    Here you can disable Shadow Folder because it has little sense in case of Qubes because
+    Here you can disable Shadow Folder because it has little sense in the case of Qubes because
 
-      * we do backup regularly of AppVMs/TemplateVMs;
+      * we do regular backups of AppVMs/TemplateVMs;
       * we can revert at least one template change if we break something.
 
-    Select drives where system protection is enabled and click Configure. "Turn of system protection" "Delete all restore points"
+    Select drives where system protection is enabled and click Configure. "Turn off system protection" "Delete all restore points"
 
  * Remote
 
@@ -157,7 +157,7 @@ Manual tasks that can/should be started in the template
 
             > mv root.img.clean root.img
 
-    * If don't managed to fill the free space with zeros, you can follow the following  *unsafe* undocumented procedure
+    * If it doesn't manage to fill the free space with zeros, you can follow the following *unsafe* undocumented procedure
 
         1. from dom0, go to /var/lib/templates-vm/yourtemplate
         2. check the partitioning to identify the filesystem offset of root.img
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index 8524737b..bfb19458 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -175,7 +175,7 @@ Other Qrexec services installed by default:
   `tar2qfile` utility to do the conversion
 - `qubes.SelectDirectory`, `qubes.SelectFile` - services which should show
   file/directory selection dialog and return (to stdout) a single line
-  containing selected path, or nothing in case of cancellation
+  containing selected path, or nothing in the case of cancellation
 - `qubes.SuspendPre` - service called in every VM with PCI device attached just
   before system suspend
 - `qubes.SuspendPost` - service called in every VM with PCI device attached just
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 223fd63c..341eaba6 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be a case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be the case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index 43712c6a..bb1bbf4e 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -102,7 +102,7 @@ Also, the inter-VM services work as usual -- e.g. to request opening a document
 [user@work ~]$ qvm-open-in-vm work-win7 https://invisiblethingslab.com
 ~~~
 
-... just like in case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
+... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
 
 Inter-VM file copy and clipboard works for Windows AppVMs the same way as for Linux AppVM (except that we don't provide a command line wrapper, `qvm-copy-to-vm` in Windows VMs) -- to copy files from Windows AppVMs just right-click on the file in Explorer, and choose: Send To-\> Other AppVM.
 
diff --git a/reference/dom0-tools/qvm-run.md b/reference/dom0-tools/qvm-run.md
index eb7e8b8c..e24d6c8e 100644
--- a/reference/dom0-tools/qvm-run.md
+++ b/reference/dom0-tools/qvm-run.md
@@ -43,7 +43,7 @@ Run command in a VM as a specified user
 Use tray notifications instead of stdout
 
 --all  
-Run command on all currently running VMs (or all paused, in case of --unpause)
+Run command on all currently running VMs (or all paused, in the case of --unpause)
 
 --exclude=EXCLUDE\_LIST  
 When --all is used: exclude this VM name (might be repeated)
diff --git a/reference/glossary.md b/reference/glossary.md
index 817c7190..214662b2 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -32,7 +32,7 @@ A user-friendly term for a [VM](#vm) in Qubes OS.
 
  * "Qube" is an informal term intended to make it easier for less technical users to understand Qubes OS and learn how to use it. In technical discussions, the other, more precise terms defined on this page are to be preferred.
 
- * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the referent is a collection of qubes or [Qubes OS](#qubes-os).
+ * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the reference is a collection of qubes or [Qubes OS](#qubes-os).
 
 Domain
 ------
diff --git a/releases/3.1/release-notes.md b/releases/3.1/release-notes.md
index 657f06f3..3a116e11 100644
--- a/releases/3.1/release-notes.md
+++ b/releases/3.1/release-notes.md
@@ -32,7 +32,7 @@ Known issues
 
 * Some icons in the Qubes Manager application might not be drawn correctly when using the Xfce4 environment in Dom0. If this bothers you, please use the KDE environment instead.
 
-* USB mouse (in case of USB VM) does not work at first system startup (just after completing firstboot). Workaround: restart the system.
+* USB mouse (in the case of USB VM) does not work at first system startup (just after completing firstboot). Workaround: restart the system.
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+3.1%22+label%3Abug)
 
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 1635f181..77f512a3 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -105,7 +105,7 @@ the ability to lock the screen to your USB VM, and then adding udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
-  with a simple command to lock the screen. In case of xscreensaver (used in Xfce)
+  with a simple command to lock the screen. In the case of xscreensaver (used in Xfce)
   it would be:
 
         DISPLAY=:0 xscreensaver-command -lock
@@ -131,7 +131,7 @@ persistent across VM restarts. For example name the file
 
 If you use KDE, the command(s) in first step would be different:
 
-        # In case of USB VM being autostarted, it will not have direct access to D-Bus
+        # In the case of USB VM being autostarted, it will not have direct access to D-Bus
         # session bus, so find its address manually:
         kde_pid=`pidof kdeinit4`
         export `cat /proc/$kde_pid/environ|grep -ao 'DBUS_SESSION_BUS_ADDRESS=[[:graph:]]*'`
diff --git a/services/qrexec2.md b/services/qrexec2.md
index d9f7bdc6..6fc85e9c 100644
--- a/services/qrexec2.md
+++ b/services/qrexec2.md
@@ -127,7 +127,7 @@ Whenever a RPC request for service named "XYZ" is received, the first line
 in `/etc/qubes-rpc/policy/XYZ` that matches the actual `srcvm`/`destvm` is
 consulted to determine whether to allow RPC, what user account the program
 should run in target VM under, and what VM to redirect the execution to. If
-the policy file does not exits, user is prompted to create one *manually*;
+the policy file does not exist, user is prompted to create one *manually*;
 if still there is no policy file after prompting, the action is denied.
 
 On the target VM, the `/etc/qubes-rpc/XYZ` must exist, containing the file
diff --git a/services/qrexec3.md b/services/qrexec3.md
index bb8b6a92..92e87989 100644
--- a/services/qrexec3.md
+++ b/services/qrexec3.md
@@ -140,7 +140,7 @@ whether to allow rpc, what user account the program should run in target VM
 under, and what VM to redirect the execution to. Note that if the request is
 redirected (`target=` parameter), policy action remains the same - even if
 there is another rule which would otherwise deny such request. If the policy
-file does not exits, user is prompted to create one; if still there is no
+file does not exist, user is prompted to create one; if still there is no
 policy file after prompting, the action is denied.
 
 In the target VM, the `/etc/qubes-rpc/RPC_ACTION_NAME` must exist, containing
@@ -152,7 +152,7 @@ In the src VM, one should invoke the client via:
     /usr/lib/qubes/qrexec-client-vm target_vm_name RPC_ACTION_NAME rpc_client_path client arguments
 
 Note that only stdin/stdout is passed between rpc server and client --
-notably, no command line argument are passed. Source VM name is specified by
+notably, no command line arguments are passed. Source VM name is specified by
 `QREXEC_REMOTE_DOMAIN` environment variable. By default, stderr of client
 and server is logged to respective `/var/log/qubes/qrexec.XID` files.
 It is also possible to call service without specific client program - in which
@@ -162,17 +162,17 @@ case server stdin/out will be connected with the terminal:
 
 Be very careful when coding and adding a new rpc service. Unless the
 offered functionality equals full control over the target (it is the case
-with e.g. `qubes.VMShell` action), any vulnerability in a rpc server can
+with e.g. `qubes.VMShell` action), any vulnerability in an rpc server can
 be fatal to Qubes security. On the other hand, this mechanism allows to
 delegate processing of untrusted input to less privileged (or disposable)
 AppVMs, thus wise usage of it increases security.
 
 ### Extra keywords available in Qubes 4.0 and later
 
-**This section is about not yet released version, some details may change**
+**This section is about a not-yet-released version, some details may change**
 
 In Qubes 4.0, target VM can be specified also as `$dispvm:DISP_VM`, which is
-very similar to `$dispvm` but force using particular VM (`DISP_VM`) as a base
+very similar to `$dispvm` but forces using a particular VM (`DISP_VM`) as a base
 VM to be started as Disposable VM. For example:
 
     anon-whonix $dispvm:anon-whonix-dvm allow
@@ -180,7 +180,7 @@ VM to be started as Disposable VM. For example:
 Adding such policy itself will not force usage of this particular `DISP_VM` -
 it will only allow it when specified by the caller. But `$dispvm:DISP_VM` can
 also be used as target in request redirection, so _it is possible_ to force
-particular `DISP_VM` usage, when caller didn't specified it:
+particular `DISP_VM` usage, when caller didn't specify it:
 
     anon-whonix $dispvm allow,target=$dispvm:anon-whonix-dvm
 
@@ -189,52 +189,52 @@ VM (`default_dispvm` VM property, which itself defaults to global
 `default_dispvm` property).
 Also note that the request will be allowed (`allow` action) even if there is no
 second rule allowing calls to `$dispvm:anon-whonix-dvm`, or even if
-there is a rule explicitly denying it. This is because the redirection happen
+there is a rule explicitly denying it. This is because the redirection happens
 _after_ considering the action.
 
 ### Service argument in policy
 
 Sometimes just service name isn't enough to make reasonable qrexec policy. One
-example of such situation is [qrexec-based USB
+example of such a situation is [qrexec-based USB
 passthrough](https://github.com/qubesos/qubes-issues/issues/531) - using just
-service name it isn't possible to express policy "allow access to device X and
-deny to others". It isn't also feasible to create separate service for every
+service name isn't possible to express the policy "allow access to device X and
+deny to others". It also isn't feasible to create a separate service for every
 device...
 
-For this reason, starting with Qubes 3.2, it is possible to specify service
-argument, which will be subject to policy. Besides above example of USB
-passthrough, service argument can make many service policies more fine-grained
+For this reason, starting with Qubes 3.2, it is possible to specify a service
+argument, which will be subject to policy. Besides the above example of USB
+passthrough, a service argument can make many service policies more fine-grained
 and easier to write precise policy with "allow" and "deny" actions, instead of
 "ask" (offloading additional decisions to the user). And generally the less
-choices user must make, the lower chance to make a mistake.
+choices the user must make, the lower the chance to make a mistake.
 
-The syntax is simple: when calling service, add an argument to the service name
+The syntax is simple: when calling a service, add an argument to the service name
 separated with `+` sign, for example:
 
     /usr/lib/qubes/qrexec-client-vm target_vm_name RPC_ACTION_NAME+ARGUMENT
 
-Then create policy as usual, including argument
-(`/etc/qubes-rpc/policy/RPC_ACTION_NAME+ARGUMENT`). If policy for specific
-argument is not set (file does not exist), then default policy for this service
+Then create a policy as usual, including the argument
+(`/etc/qubes-rpc/policy/RPC_ACTION_NAME+ARGUMENT`). If the policy for the specific
+argument is not set (file does not exist), then the default policy for this service
 is loaded (`/etc/qubes-rpc/policy/RPC_ACTION_NAME`).
 
-In target VM (when the call is allowed) service file will searched as:
+In target VM (when the call is allowed) the service file will searched as:
 
  - `/etc/qubes-rpc/RPC_ACTION_NAME+ARGUMENT`
  - `/etc/qubes-rpc/RPC_ACTION_NAME`
 
 In any case, the script will receive `ARGUMENT` as its argument and additionally as
 `QREXEC_SERVICE_ARGUMENT` environment variable. This means it is also possible
-to install different script for particular service argument.
+to install a different script for a particular service argument.
 
-See below for example service using argument.
+See below for an example service using an argument.
 
 ### Revoking "Yes to All" authorization ###
 
 Qubes RPC policy supports "ask" action. This will prompt the user whether given
-RPC call should be allowed. That prompt window has also "Yes to All" option,
-which will allow the action and add new entry to the policy file, which will
-unconditionally allow further calls for given service-srcVM-dstVM tuple.
+RPC call should be allowed. That prompt window also has a "Yes to All" option,
+which will allow the action and add a new entry to the policy file, which will
+unconditionally allow further calls for the given service-srcVM-dstVM tuple.
 
 In order to remove such authorization, issue this command from a dom0 terminal
 (for `qubes.Filecopy` service):
@@ -247,7 +247,7 @@ the "Yes to All" results.
 
 ### Qubes RPC example ###
 
-We will show the necessary files to create rpc call that adds two integers
+We will show the necessary files to create an rpc call that adds two integers
 on the target and returns back the result to the invoker.
 
  * rpc client code (`/usr/bin/our_test_add_client`):
@@ -281,11 +281,11 @@ and we should get "3" as answer, after dom0 allows it.
 
 ### Qubes RPC example - with argument usage ###
 
-We will show the necessary files to create rpc call that reads specific file
-from predefined directory on the target. Besides really naive storage, it may
-be very simple password manager.
-Additionally in this example simplified workflow will be used - server code
-placed directly in service definition file (in `/etc/qubes-rpc` directory). And
+We will show the necessary files to create an rpc call that reads a specific file
+from a predefined directory on the target. Besides really naive storage, it may
+be a very simple password manager.
+Additionally, in this example a simplified workflow will be used - server code
+placed directly in the service definition file (in `/etc/qubes-rpc` directory). And
 no separate client script will be used.
 
  * rpc server code (*/etc/qubes-rpc/test.File*)
@@ -297,7 +297,7 @@ no separate client script will be used.
          exit 1
        fi
        # service argument is already sanitized by qrexec framework and it is
-       # quaranted to not contain any space or /, so no need for additional path
+       # guaranteed to not contain any space or /, so no need for additional path
        # sanitization
        cat "/home/user/rpc-file-storage/$argument"
 
diff --git a/system/gui.md b/system/gui.md
index 6a365b03..ceee7e42 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -43,7 +43,7 @@ Window content updates implementation
 
 Typical remote desktop applications, like *vnc*, pass information on all changed window content in-band (say, over tcp). 
 As that channel has limited throughput, this impacts video performance. 
-In case of Qubes, *qubes_gui* does not transfer all changed pixels via vchan. Instead, for each window, upon its creation or size change, *qubes_gui*
+In the case of Qubes, *qubes_gui* does not transfer all changed pixels via vchan. Instead, for each window, upon its creation or size change, *qubes_gui*
 
 -   asks *qubes_drv* driver for the list of physical memory frames that hold the composition buffer of a window
 -   passes this information via `MFNDUMP` message to *qubes_guid* in dom0
diff --git a/troubleshooting/install-nvidia-driver.md b/troubleshooting/install-nvidia-driver.md
index f3b946e5..cc287745 100644
--- a/troubleshooting/install-nvidia-driver.md
+++ b/troubleshooting/install-nvidia-driver.md
@@ -18,9 +18,9 @@ Proprietary (NVIDIA/AMD) drivers are known to be sometimes highly problematic, o
 Radeon driver support is prebaked in the Qubes kernel (v4.4.14-11) but only versions 4000-9000 give or take.
 Support for newer cards is limited until AMDGPU support in the 4.5+ kernel, which isn't released yet for Qubes. 
 
-Built in Intel graphics, Radeon graphics (between that 4000-9000 range), and perhaps some prebaked NVIDIA card support that i don't know about. Those are your best bet for great Qubes support.
+Built in Intel graphics, Radeon graphics (between that 4000-9000 range), and perhaps some prebaked NVIDIA card support that I don't know about. Those are your best bet for great Qubes support.
 
-If you do happen to get proprietary drivers working on your Qubes system (via installing them). Please take the time to go to the 
+If you do happen to get proprietary drivers working on your Qubes system (via installing them), please take the time to go to the
 [Hardware Compatibility List (HCL)](https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports )
 Add your computer, graphics card, and installation steps you did to get everything working.
 
@@ -39,14 +39,14 @@ yumdownloader --source nvidia-kmod
 
 ### Build kernel package
 
-You will need at least kernel-devel (matching your Qubes dom0 kernel), rpmbuild tool and kmodtool, and then you can use it to build package:
+You will need at least kernel-devel (matching your Qubes dom0 kernel), rpmbuild tool and kmodtool, and then you can use it to build the package:
 
 ~~~
 yum install kernel-devel rpm-build kmodtool
 rpmbuild --nodeps -D "kernels `uname -r`" --rebuild nvidia-kmod-260.19.36-1.fc13.3.src.rpm
 ~~~
 
-In above command replace `uname -r` with kernel version from your Qubes dom0. If everything went right, you have now complete packages with nvidia drivers for Qubes system. Transfer them to dom0 (e.g. using a USB stick) and install (using standard "yum install /path/to/file"). 
+In the above command, replace `uname -r` with kernel version from your Qubes dom0. If everything went right, you have now complete packages with nvidia drivers for the Qubes system. Transfer them to dom0 (e.g. using a USB stick) and install (using standard "yum install /path/to/file").
 
 Then you need to disable nouveau (normally it is done by install scripts from nvidia package, but unfortunately it isn't compatible with Qubes...):
 
@@ -92,13 +92,13 @@ You will need:
 -   kernel-devel package installed
 -   gcc, make, etc
 
-This installation must be done manually, because nvidia-installer refused to install it on Xen kernel. Firstly ensure that kernel-devel package installed all needed files. This should consists of:
+This installation must be done manually, because nvidia-installer refused to install it on Xen kernel. Firstly ensure that kernel-devel package installed all needed files. This should consist of:
 
 -   */usr/src/kernels/2.6.34.1-12.xenlinux.qubes.x86\_64*
 -   */lib/modules/2.6.34.1-12.xenlinux.qubes.x86\_64/build* symlinked to the above directory
 -   */usr/src/kernels/2.6.34.1-12.xenlinux.qubes.x86\_64/arch/x64/include/mach-xen* should be present (if not - take it from kernel sources)
 
-If all the files are not there correct the errors manually. To build kernel module, enter *NVIDIA-Linux-x86\_64-260.19.44/kernel* directory and execute:
+If all the files are not there correct the errors manually. To build the kernel module, enter *NVIDIA-Linux-x86\_64-260.19.44/kernel* directory and execute:
 
 ~~~
 make
@@ -120,7 +120,7 @@ Add *rdblacklist=nouveau* option to /boot/grub/menu.lst (at the end of line cont
 
 ### Configure Xorg
 
-After all, you should configure Xorg to use nvidia driver. You can use *nvidia-xconfig* or do it manually:
+Finally, you should configure Xorg to use nvidia driver. You can use *nvidia-xconfig* or do it manually:
 
 ~~~
 X -configure
@@ -143,7 +143,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Using the anaconda installer interface, switch to the "shell" TTY (ALT-F2), and use `ip a` command to display the IP addresses.
 3. Using the Connect to the IP (remember the :1) using a VNC viewer.
 4. Follow the installation UI. 
-   * Since this won't be a usable install, skipping LUKS encryption is an option which will simplify this troubelshooting process. 
+   * Since this won't be a usable install, skipping LUKS encryption is an option which will simplify this troubleshooting process.
    * Do *not* reboot at the end of the installation.
 5. Once the installation completes, use the local VGA console switch to TTY2 via ALT-F2
    * Switch to the chroot of the newly-installed system via `chroot /mnt/sysinstall`
@@ -152,7 +152,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Exit out of the chroot environment (`exit` or CTRL-D)
 6. Reboot
 
-*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as excercise to the user.
+*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as exercise to the user.
 
 ## Gather initial `dmesg` output
 If all is well, the newly-installed Qubes OS instance should allow for user root to log in. 
@@ -166,7 +166,7 @@ Run `dmesg > dmesg.nomodeset.out` to gather an initial dmesg output.
 4. Blindly log in as user root
 5. Blindly run `dmesg > dmesg.out`
 6. Blindly run `reboot` (this will also serve to confirm that logging in as root, and running commands blindly is possible rather than, say, the kernel having hung or some such).
-   * Should this step fail, perhaps by the time step #3 was underaken, the OS hasn't finished coming up yet. Please retry, possibly with a different TTY (say, 3 or 4 - so CTRL-ALT-F3?)
+   * Should this step fail, perhaps by the time step #3 was undertaken, the OS hasn't finished coming up yet. Please retry, possibly with a different TTY (say, 3 or 4 - so CTRL-ALT-F3?)
 
 ## Exfiltrate the dmesg outputs
 Allow the system to boot normally, log in as user root, and sneakernet the files off the system for analysis, review, bug logging, et cetera.
diff --git a/troubleshooting/macbook-troubleshooting.md b/troubleshooting/macbook-troubleshooting.md
index e59c1648..2391d7e2 100644
--- a/troubleshooting/macbook-troubleshooting.md
+++ b/troubleshooting/macbook-troubleshooting.md
@@ -118,7 +118,7 @@ Results:
 * SD card access: OK (tested at dom0)
 * Lid-close suspend: OK
 * Wifi: +10%-20% ICMP packet loss when comparing with OSX (have similar rates
-  with tails Linux, more tests are required)
+  with Tails Linux, more tests are required)
 
 ### References
 
@@ -151,7 +151,7 @@ Bad news: still some minor issue to investigate.
 For the time being, my setup is just for testing purposes and help to bypass some blocking issues: do not use it in production or on machine where security is a concern!
 I hope to improve it as soon as possible.
 
-During my nigths trying to get Qubes OS working, I faced tow main and blocking issues:
+During my nights trying to get Qubes OS working, I faced two main and blocking issues:
 *   no boot, due to empty xen.cfg file
 *   system freeze, due to Broadcom BCM43602 wifi card
 
@@ -180,29 +180,29 @@ For security reasons, you should install Qubes using the whole disk. I preferred
 Download and prepare a USB with Qubes 3.2
 
 You can install Qubes using BIOS or UEFI:
-*  BIOS/CSM/Legacy: I have not been able to install using legagy, but I did not spent a lot of time on it.
-*  UEFI plain: grub menu appears, but any gave me a quick flash and returned the main menu. I can boot it manually fixing the grub.cfg file, adding commands linuexefi and initrdefi, pointing proper files in /efi/boot. After boot, I end up with not root file system.
+*  BIOS/CSM/Legacy: I have not been able to install using legagy, but I did not spend a lot of time on it.
+*  UEFI plain: grub menu appears, but any gave me a quick flash and returned the main menu. I can boot it manually fixing the grub.cfg file, adding commands linuexefi and initrdefi, pointing proper files in /efi/boot. After boot, I end up with no root file system.
 *  UEFI, using rEFInd: I have been successful, despite some issues to be fixed manually, after installation completion
    * download [rEFInd] refind-bin-0.10.4.zip: this file is not signed, so decide if you trust it or not. SHA1 sum is 3d69c23b7d338419e5559a93cd6ae3ec66323b1e  
-   * unzip it and run installer, which install rEFIind on the internal SSD
+   * unzip it and run installer, which installs rEFIind on the internal SSD
    * if installation fails due to SIP, reboot in recovery mode, open a terminal and issue command
    ~~~
    crsutil disable
    ~~~
    * reboot and you will see some icons
    * choose Boot EFI\BOOT\xen.efi from ANACONDA
-   * after a will the graphical installer is up and running, with keyboard and touchpad working
+   * after a while the graphical installer is up and running, with keyboard and touchpad working
 
 ### 3. Installation
 
-*  As a general rule, keep the default values proposed during installation: you will change them later on
+*  As a general rule, keep the default values proposed during installation: you can change them later on
 *  Keep English, as language, locale
 *  My macbook has a US keyboard, so I cannot say what happens if you change keyboard layout
 *  DO NOT CHANGE the timezone, because it will trigger the wifi card, leading to a system freeze
 *  Choose the "installation destination": do not change anything and press DONE button
 *  Insert your password for Full Disk Encryption
 *  If you do not already have free space on internal SSD disk, you will be prompted to reclaim some space: 
-*  If you shrunk OSX partition, disk utility left an empy partition: delete useless partition (eg: if you shrunk OSX parition, diskutil  created an empty partition)
+*  If you shrunk OSX partition, disk utility left an empy partition: delete useless partition (eg: if you shrunk OSX parition, diskutil created an empty partition)
 *  Press on "reclaim space"
 *  Press on "begin installation"
 *  create your user and password
@@ -285,7 +285,7 @@ You can fix this issue, killing audio support with this quick workaround:
 
 ### 7. Fix system freezes due to Broadcom BCM43602
 
-*  If you experiences a system freeze, during VM setup, force a reboot and press OPTION key. 
+*  If you experience a system freeze, during VM setup, force a reboot and press OPTION key.
    *  You will reach grub shell
    ~~~
    configfile /EFI/qubes/grub.cfg
@@ -316,7 +316,7 @@ qvm-start sys-net
 xl pci-attach sys-net 04:00.0
 ~~~
 
-This latest steps are required to launch sys-net with wifi access. They can be automated in a custom systemd service
+These latest steps are required to launch sys-net with wifi access. They can be automated in a custom systemd service
 
    
 
diff --git a/troubleshooting/nvidia-troubleshooting.md b/troubleshooting/nvidia-troubleshooting.md
index ffbadb1e..af54891a 100644
--- a/troubleshooting/nvidia-troubleshooting.md
+++ b/troubleshooting/nvidia-troubleshooting.md
@@ -95,7 +95,7 @@ nouveau E[ PGRAPH][0000:01:00.0] init failed, -16
 
 Tip: In case you only have an external monitor it is advised to attach it directly to a connector of the motherboard if it is present, this should ensure that you're using the integrated graphics card instead of the nvidia graphics card.
 
-If you're seeing this error than that means another graphics card (most likely an integrated one) acted as failsafe. Disabling nouveau has the consequences of disabling nvidia support all together. 
+If you're seeing this error then that means another graphics card (most likely an integrated one) acted as failsafe. Disabling nouveau has the consequences of disabling nvidia support altogether.
 
  1. Verify that that GRUB Boot Menu is displaying, you should be presented with two options and a progressbar/timer than goes rather fast.
 
@@ -116,7 +116,7 @@ If you're seeing this error than that means another graphics card (most likely a
     
     It is not an exact copy as it may differ from system to system.
 
-    Please note: chose the module that starts with `vmlinux`!
+    Please note: choose the module that starts with `vmlinux`!
 
  5. Press the left/right arrow keys to position the cursor at the end of kernel options line, after `rhgb quiet` in this case.
 
@@ -126,7 +126,7 @@ If you're seeing this error than that means another graphics card (most likely a
     nouveau.modeset=0 rd.driver.blacklist=nouveau video=vesa:off
     ~~~
 
-    This will tempororarily disable nouveau until boot.
+    This will temporarily disable nouveau until next boot.
 
  7. Press either the F10 key or Ctrl+X to start the boot process.
 
diff --git a/troubleshooting/out-of-memory.md b/troubleshooting/out-of-memory.md
index 4ea235a9..9021512b 100644
--- a/troubleshooting/out-of-memory.md
+++ b/troubleshooting/out-of-memory.md
@@ -35,7 +35,7 @@ sudo yum clean all
 qvm-remove <VMname>
 ~~~
 
-With this method you lose one VM data, but it'll more securely work.
+With this method you lose the data of one VM, but it'll more reliably work.
 
 1.  Decrease filesystem safety margin (5% by default):
 
@@ -43,5 +43,5 @@ With this method you lose one VM data, but it'll more securely work.
 sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root
 ~~~
 
-1.  Remove some unneeded files in dom0 home (if you have one, most likely no).
+1.  Remove some unneeded files in dom0 home (if you have any, most likely no).
 
diff --git a/troubleshooting/sony-vaio-tinkering.md b/troubleshooting/sony-vaio-tinkering.md
index 45d4c4a7..b029f01a 100644
--- a/troubleshooting/sony-vaio-tinkering.md
+++ b/troubleshooting/sony-vaio-tinkering.md
@@ -24,11 +24,11 @@ If you think you are ready to reflash you BIOS, here are the instructions that w
 
 [http://forum.notebookreview.com/sony/473226-insyde-hacking-new-vaio-z-advanced-menu-bios.html](http://forum.notebookreview.com/sony/473226-insyde-hacking-new-vaio-z-advanced-menu-bios.html)
 
-**WARNING**: We take absolutely no responsibility that the BIOS relflashing instructions given at the referenced forum are 1) valid, 2) non-malicious, and 3) work at all. Do this step on your own risk. Keep in mind that reflashing your BIOS might yield your system unusable. If you don't feel like taking this risk (which is a reasonable state of mind), look for a different notebook, or ask Sony Support to enable this option for you.
+**WARNING**: We take absolutely no responsibility that the BIOS relflashing instructions given at the referenced forum are 1) valid, 2) non-malicious, and 3) work at all. Do this step at your own risk. Keep in mind that reflashing your BIOS might yield your system unusable. If you don't feel like taking this risk (which is a reasonable state of mind), look for a different notebook, or ask Sony Support to enable this option for you.
 
-In practice I have downloaded the BIOS-patching tools, run them in a VM on a BIOS image i extracted from my laptop, diffed the two versions, and concluded that it doesn't *seem* malicious, and then bravely applied tha patched image. If you don't know what are you doing, just get a different laptop, really!
+In practice I have downloaded the BIOS-patching tools, run them in a VM on a BIOS image I extracted from my laptop, diffed the two versions, and concluded that it doesn't *seem* malicious, and then bravely applied tha patched image. If you don't know what are you doing, just get a different laptop, really!
 
-On a side note, we should notice that allowing anybody to reflash the BIOS is really a bad idea from the security point of view (Hello Evil Maids!). Shame on you, Sony!
+On a side note, we should note that allowing anybody to reflash the BIOS is really a bad idea from a security point of view (Hello Evil Maids!). Shame on you, Sony!
 
 Getting the touchpad working during installation
 ------------------------------------------------
diff --git a/troubleshooting/thinkpad-troubleshooting.md b/troubleshooting/thinkpad-troubleshooting.md
index 4e5ed82b..33a1aa1c 100644
--- a/troubleshooting/thinkpad-troubleshooting.md
+++ b/troubleshooting/thinkpad-troubleshooting.md
@@ -26,7 +26,7 @@ solved by adding `i915.enable_rc6=0` as a kernel parameter to
 ## Instructions for getting your Lenovo Thinkpad X201 & X200 laptop working with Qubes/Linux ##
 
 For being able to boot the installer from USB, you have to disable VT-d in the BIOS.
-Enter the BIOS by hitting F1, go to Config - CPU and then disable there VT-d.
+Enter the BIOS by hitting F1, go to Config - CPU and then disable VT-d there.
 
 After the installation, you have to set a startup-parameter for Xen, to be able to activate VT-d again:
 
diff --git a/troubleshooting/uefi-troubleshooting.md b/troubleshooting/uefi-troubleshooting.md
index 46b19886..123e2670 100644
--- a/troubleshooting/uefi-troubleshooting.md
+++ b/troubleshooting/uefi-troubleshooting.md
@@ -15,7 +15,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
 
 01. In GRUB menu<sup id="a1-1">[1](#f1)</sup>, select "Troubleshoot", then "Boot from device", then press `e`.
 02. At the end of `chainloader` line add `/mapbs /noexitboot`.
-03. Perform installation normally, but not reboot system at the end yet.
+03. Perform installation normally, but don't reboot the system at the end yet.
 04. Go to `tty2` (Ctrl-Alt-F2).
 05. Enable `/mapbs /noexitboot` on just installed system. This step differs between Qubes releases:
    
@@ -36,7 +36,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
 
         Boot0001* Qubes HD(1,0,00000000...0,0x0,0x0)/File(\EFI\qubes\xen.efi)p.l.a.c.e.h.o.l.d.e.r. ./.m.a.p.b.s. ./.n.o.e.x.i.t.b.o.o.t.
 
-    then try passing `/dev/sda1` or `/dev/nvme0n1p1` or whatever is your EFI partition instead of `/dev/sda` and `-p 1`.
+    then try passing `/dev/sda1` or `/dev/nvme0n1p1` or whatever your EFI partition is instead of `/dev/sda` and `-p 1`.
 
 10. Now you can reboot the system by issuing `reboot` command.
 
@@ -48,7 +48,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
         noexitboot=1
 
     **Note:** You must add these parameters on two separate new lines (one
-    paramater on each line) at the end of each section that includes a kernel
+    parameter on each line) at the end of each section that includes a kernel
     line (i.e., all sections except the first one, since it doesn't have a
     kernel line).
 
@@ -63,7 +63,7 @@ Some Dell systems and probably others have [another bug in UEFI firmware](http:/
 
 1. In GRUB menu<sup id="a1-2">[1](#f1)</sup> press `e`.
 2. At the end of `chainloader` line add `-- efi=attr=uc`.
-3. Perform installation normally, but not reboot system at the end yet.
+3. Perform installation normally, but don't reboot the system at the end yet.
 4. Go to `tty2` (Ctrl-Alt-F2).
 5. Execute:
 
@@ -98,7 +98,7 @@ Qubes-specific EFI configuration. In such a case you need to finish those parts
 manually. You can do that just after installation (switch to `tty2` with
 Ctrl-Alt-F2), or booting from installation media in "Rescue a Qubes system" mode.
 
-1. Examine `/boot/efi/EFI/qubes` (if using Qubes installation media, it's in `/mnt/sysimage/boot/efi/EFI/qubes`). You should see there 4 files:
+1. Examine `/boot/efi/EFI/qubes` (if using Qubes installation media, it's in `/mnt/sysimage/boot/efi/EFI/qubes`). You should see 4 files there:
 
     - xen.cfg (empty, size 0)
     - xen-(xen-version).efi

From c5f4957ee2d9d6bfc5bffc6906dfa2b926d69257 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Fri, 12 May 2017 15:58:22 +1000
Subject: [PATCH 010/125] more minor typo/grammar fixes

---
 basics_dev/coding-style.md          |  8 ++++----
 basics_dev/style-guide.md           |  2 +-
 basics_dev/usability-ux.md          |  6 +++---
 basics_user/reporting-bugs.md       |  2 +-
 common-tasks/software-update-vm.md  |  4 ++--
 configuration/config-files.md       |  4 ++--
 configuration/managing-vm-kernel.md |  6 +++---
 configuration/multiboot.md          |  2 +-
 debugging/vm-interface.md           | 18 +++++++++---------
 security/yubi-key.md                |  2 +-
 services/qmemman.md                 |  4 ++--
 system/gui.md                       |  4 ++--
 system/storage-pools.md             | 12 ++++++------
 13 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index c7a18b80..b506db81 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -97,7 +97,7 @@ General programming style guidelines
     }
     ~~~
 
--   Do **not** use comments to disable code fragments. In a production code there should really be no commented or disabled code fragments. If you really, really have a good reason to retain some fragment of unused code, use \#if or \#ifdef to disable it, e.g.:
+-   Do **not** use comments to disable code fragments. In production code there should really be no commented or disabled code fragments. If you really, really have a good reason to retain some fragment of unused code, use \#if or \#ifdef to disable it, e.g.:
 
     ~~~
     #if 0
@@ -130,7 +130,7 @@ Source Code management (Git) guidelines
     -   This creates natural boundaries between different code blocks, enforcing proper interfaces, and easing independent development to be conducted on various code parts at the same time, without the fear of running into conflicts.
     -   By maintaining relatively small git repositories, it is easy for new developers to understand the code and contribute new patches, without the need to understand all the other code.
     -   Code repositories represent also licensing boundaries. So, e.g. because `core-agent-linux` and `core-agent-windows` are maintained in two different repositories, it is possible to have the latter under a proprietary, non-GPL license, while keeping the former fully open source.
-    -   We have drastically changes the layout and naming of the code repositories shortly after Qubes OS R2 Beta 2 release. For details on the current code layout, please read [this article](https://blog.invisiblethings.org/2013/03/21/introducing-qubes-odyssey-framework.html).
+    -   We have drastically changed the layout and naming of the code repositories shortly after Qubes OS R2 Beta 2 release. For details on the current code layout, please read [this article](https://blog.invisiblethings.org/2013/03/21/introducing-qubes-odyssey-framework.html).
 
 Commit message guidelines
 -------------------------
@@ -165,7 +165,7 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
--   Use another variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
+-   Use equivalent variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
 
 Python-specific guidelines
 --------------------------
@@ -178,7 +178,7 @@ C and C++ specific guidelines
 -   Do not place code in `*.h` files.
 -   Use `const` whenever possible, e.g. in function arguments passed via pointers.
 -   Do not mix procedural and objective code together -- if you write in C++, use classes and objects.
--   Think about classes hierarchy, before start implementing specific methods.
+-   Think about classes hierarchy, before starting to implement specific methods.
 
 Bash-specific guidelines
 ------------------------
diff --git a/basics_dev/style-guide.md b/basics_dev/style-guide.md
index 160e8666..32f0259a 100644
--- a/basics_dev/style-guide.md
+++ b/basics_dev/style-guide.md
@@ -68,7 +68,7 @@ Currently, all the icons on the Qubes-OS.org website are generated using [FontAw
 
 ## Logos
 
-The following is a collection of various sizes & versions of the Qubes logo used both in the OS itself and on our website. All of these files are licensed GPLv2 and the source can be [downloaded here](https://github.com/QubesOS/qubes-artwork).
+The following is a collection of various sizes and versions of the Qubes logo used both in the OS itself and on our website. All of these files are licensed GPLv2 and the source can be [downloaded here](https://github.com/QubesOS/qubes-artwork).
 
 <div class="styleguide">
 {% for logo in site.data.styleguide.logos %}
diff --git a/basics_dev/usability-ux.md b/basics_dev/usability-ux.md
index b8762d0e..03747bd0 100644
--- a/basics_dev/usability-ux.md
+++ b/basics_dev/usability-ux.md
@@ -44,7 +44,7 @@ In making software easy to use, it is crucial to be mindful of [cognitive load](
 
 ## Easy to Understand
 
-There will always be the need to communicate things to users. In these cases, an interface should aim to make this information easy to understand. The following are simple guides to help achieve this - none these are absolute maxims!
+There will always be the need to communicate things to users. In these cases, an interface should aim to make this information easy to understand. The following are simple guides to help achieve this - none of these are absolute maxims!
 
 <div class="focus">
   <i class="fa fa-times"></i> <strong>Avoid Acronyms</strong>
@@ -82,7 +82,7 @@ Technical words are usually more accurate, but they often *only* make sense to t
 - `savefile`
 - `qrexec-daemon`
 
-These are all terms that have at some point showed up in users' notification messages. Each term is very specific, but requires the user to understand virtualization to interpet.
+These are all terms that have at some point showed up in users' notification messages. Each term is very specific, but requires the user to understand virtualization to interpret.
 
 <div class="focus">
   <i class="fa fa-check"></i> <strong> Use Common Concepts</strong>
@@ -195,7 +195,7 @@ There are many cases where a user wants to perform an action on more than one fi
 3. Select proper file
 4. Complete task on file
 
-That subtle act of clicking through a file system can prove to be significant if a user needs to open more than a couples files in the same directory. We can alleviate some of the work by changing the process:
+That subtle act of clicking through a file system can prove to be significant if a user needs to open more than a couple files in the same directory. We can alleviate some of the work by changing the process:
 
 1. Click on `Open File` from a menu or button
 2. Remember last open folder/file system
diff --git a/basics_user/reporting-bugs.md b/basics_user/reporting-bugs.md
index 7cd31084..6cc8f78c 100644
--- a/basics_user/reporting-bugs.md
+++ b/basics_user/reporting-bugs.md
@@ -74,7 +74,7 @@ How to submit a report on GitHub
 We track all bugs in the [qubes-issues] tracker on GitHub.
 
 When you file a new issue, you should be sure to include the version of Qubes
-your'e using, as well as versions of related software packages. If your issue is
+you're using, as well as versions of related software packages. If your issue is
 related to hardware, provide as many details as possible about the hardware,
 which could include using command-line tools such as `lspci`.
 If you're reporting a bug in a package that is in a [testing] repository, please reference the appropriate issue in the [updates-status] repository.
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index c1e1a716..1bd3f567 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -125,7 +125,7 @@ Some popular questions:
 
 -   So, why should we actually trust Fedora repos -- it also contains large amount of 3rd party software that might buggy, right?
 
-As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
+As far as the template's compromise is concerned, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
 
 -   But why trust Fedora?
 
@@ -138,7 +138,7 @@ Not quite. Dom0 compromise is absolutely fatal, and it leads to Game Over<sup>TM
 Standalone VMs
 --------------
 
-Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on its own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
+Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
 
 Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
 
diff --git a/configuration/config-files.md b/configuration/config-files.md
index dc59d50c..66b53df3 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -40,8 +40,8 @@ problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 
-Also take a look at [bind-dirs](/doc/bind-dirs) for instruction how to easily
-modify arbitrary system file in AppVM and have those changes persistent.
+Also take a look at [bind-dirs](/doc/bind-dirs) for instructions on 
+how to easily modify arbitrary system files in AppVM and have those changes persist.
 
 GUI and audio configuration in dom0
 ===================================
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 6166337b..39d2eb05 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -227,7 +227,7 @@ sudo qubes-dom0-update grub2-xen
 ### Installing kernel in Fedora VM
 
 In Fedora based VM, you need to install `qubes-kernel-vm-support` package. This
-package include required additional kernel module and initramfs addition
+package includes required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
 need some GRUB tools to create its configuration. Note: you don't need actual
@@ -240,7 +240,7 @@ sudo yum install qubes-kernel-vm-support grub2-tools
 Then install whatever kernel you want. If you are using distribution kernel
 package (`kernel` package), initramfs and kernel module should be handled
 automatically, but you need to ensure you have `kernel-devel` package for the
-same kernel version installed. If you are using manually build kernel, you need
+same kernel version installed. If you are using a manually built kernel, you need
 to handle this on your own. Take a look at `dkms` and `dracut` documentation.
 Especially `dkms autoinstall` command may be useful.
 
@@ -265,7 +265,7 @@ start kernel configured within VM.
 ### Installing kernel in Debian VM
 
 In Debian based VM, you need to install `qubes-kernel-vm-support` package. This
-package include required additional kernel module and initramfs addition
+package includes required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
 need some GRUB tools to create its configuration. Note: you don't need actual
diff --git a/configuration/multiboot.md b/configuration/multiboot.md
index 3cba4ec7..d33152a5 100644
--- a/configuration/multiboot.md
+++ b/configuration/multiboot.md
@@ -178,7 +178,7 @@ If you install Qubes without making any backups beforehand, don't worry.
 If you didn't overwrite the original partitions, then it is usually
 possible to recover your old systems relatively easily, as described above.
 
-If you decided to use a shared /boot and *dont* have backups of your previous
+If you decided to use a shared /boot and *don't* have backups of your previous
 grub config, it is quite easy to fix this.  
 This example may help.  
 
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index bfb19458..507909db 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -32,7 +32,7 @@ QubesDB
      - `none` - none
 -   `/qubes-timezone - name of timezone based on dom0 timezone. For example `Europe/Warsaw`
 -   `/qubes-keyboard` - keyboard layout based on dom0 layout. Its syntax is suitable for `xkbcomp` command (after expanding escape sequences like `\n` or `\t`). This is meant only as some default value, VM can ignore this option and choose its own keyboard layout (this is what keyboard setting from Qubes Manager does). This entry is created as part of gui-daemon initialization (so not available when gui-daemon disabled, or not started yet).
--   `/qubes-debug-mode` - flag whether VM have debug mode enabled (qvm-prefs setting). One of `1`, `0`
+-   `/qubes-debug-mode` - flag whether VM has debug mode enabled (qvm-prefs setting). One of `1`, `0`
 -   `/qubes-service/SERVICE_NAME` - subtree for VM services controlled from dom0 (using qvm-service command or Qubes Manager). One of `1`, `0`. Note that not every service will be listed here, if entry is missing, it means "use VM default". List of currently supported services is in [qvm-service man page](/wiki/Dom0Tools/QvmService)
 -   `/qubes-netmask` - network mask (only when VM has netvm set); currently hardcoded "255.255.255.0"
 -   `/qubes-ip - IP address for this VM (only when VM has netvm set)
@@ -50,7 +50,7 @@ QubesDB
 QubesDB is also used to configure firewall in ProxyVMs. Rules are stored in
 separate key for each target VM. Entries:
 
-- `/qubes-iptables` - control entry - dom0 writing `reload` here signal `qubes-firewall` service to reload rules
+- `/qubes-iptables` - control entry - dom0 writing `reload` here signals `qubes-firewall` service to reload rules
 - `/qubes-iptables-header` - rules not related to any particular VM, should be applied before domains rules
 - `/qubes-iptables-domainrules/NNN` - rules for domain `NNN` (arbitrary number)
 in `iptables-save` format. Rules are self-contained - fill `FORWARD` iptables
@@ -59,7 +59,7 @@ final default action (`DROP`/`ACCEPT`)
 
 VM after applying rules may signal some error, writing a message to
 `/qubes-iptables-error` key. This does not exclude any other way of
-communicating problem - like a popup.
+communicating problems - like a popup.
 
 #### Firewall rules in 4.x ####
 
@@ -84,7 +84,7 @@ by space. Order of those pairs in a single rule is undefined. QubesDB enforces
 a limit on a single entry length - 3072 bytes.
 Possible options for a single rule:
 
- - `action`, values: `accept`, `drop`; this is present it every rule
+ - `action`, values: `accept`, `drop`; this is present in every rule
  - `dst4`, value: destination IPv4 address with a mask; for example: `192.168.0.0/24`
  - `dst6`, value: destination IPv6 address with a mask; for example: `2000::/3`
  - `dstname`, value: DNS hostname of destination host
@@ -100,7 +100,7 @@ Possible options for a single rule:
 Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
 `dstname`, `specialtarget` can be used in a single rule.
 
-If tool applying firewall encounter any parse error (unknown option, invalid
+If tool applying firewall encounters any parse error (unknown option, invalid
 value etc), it should drop all the traffic coming from that `SOURCE_IP`,
 regardless of properly parsed rules.
 
@@ -117,7 +117,7 @@ Example valid rules:
 -   `memory/meminfo` (**xenstore**) - used memory (updated by qubes-meminfo-writer), input information for qmemman;
     - Qubes 3.x format: 6 lines (EOL encoded as `\n`), each in format "FIELD: VALUE kB"; fields: `MemTotal`, `MemFree`, `Buffers`, `Cached`, `SwapTotal`, `SwapFree`; meaning the same as in `/proc/meminfo` in Linux.
     - Qubes 4.0+ format: used memory size in the VM, in kbytes
--   `/qubes-block-devices` - list of block devices exposed by this VM, each device (subdirectory) should be named in a way that VM can attach the device based on it. Each should contain those entries:
+-   `/qubes-block-devices` - list of block devices exposed by this VM, each device (subdirectory) should be named in a way that VM can attach the device based on it. Each should contain these entries:
     -   `desc` - device description (ASCII text)
     -   `size` - device size in bytes
     -   `mode` - default connection mode; `r` for read-only, `w` for read-write
@@ -130,7 +130,7 @@ Qubes RPC
 
 Services called by dom0 to provide some VM configuration:
 
--   `qubes.SetMonitorLayout` - provide list of monitors, one in a line, each line contains four numbers: `width height X Y width_mm height_mm` (physical dimensions - `width_mm` and `height_mm` - are optional)
+-   `qubes.SetMonitorLayout` - provide list of monitors, one per line. Each line contains four numbers: `width height X Y width_mm height_mm` (physical dimensions - `width_mm` and `height_mm` - are optional)
 -   `qubes.WaitForSession` - called to wait for full VM startup
 -   `qubes.GetAppmenus` - receive appmenus from given VM (template); TODO: describe format here
 -   `qubes.GetImageRGBA` - receive image/application icon. Protocol:
@@ -172,7 +172,7 @@ Other Qrexec services installed by default:
 - `qubes.Restore` - retrieve Qubes backup. The service receives backup location
   entered by the user (one line, terminated by '\n'), then should output backup
   archive in [qfile format](/doc/qfilecopy/) (core-agent-linux component contains
-  `tar2qfile` utility to do the conversion
+  `tar2qfile` utility to do the conversion)
 - `qubes.SelectDirectory`, `qubes.SelectFile` - services which should show
   file/directory selection dialog and return (to stdout) a single line
   containing selected path, or nothing in the case of cancellation
@@ -199,7 +199,7 @@ abstraction. This will change in the future. Those tools are:
 - `gpk-update-viewer` - called by Qubes Manager to display available updates in a TemplateVM
 - `systemctl start qubes-update-check.timer` (and similarly stop) - called when enabling/disabling updates checking in given VM (`qubes-update-check` [qvm-service](/doc/qubes-service/))
 
-Additionally automatic tests extensively calls various commands directly in VMs. We do not plan to change that.
+Additionally automatic tests extensively call various commands directly in VMs. We do not plan to change that.
 
 GUI protocol
 ------------
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 77f512a3..1bba22ba 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -26,7 +26,7 @@ applications (it will deny further authentications if you try).
 Contrary to instruction there, currently there is no binary packages in Qubes
 repository and you need to compile it yourself. This might change in the future.
 
-Challenge-reponse mode
+Challenge-response mode
 ----------------------
 
 In this mode, your YubiKey will generate response based on secret key, and
diff --git a/services/qmemman.md b/services/qmemman.md
index 471acb95..356ddbf5 100644
--- a/services/qmemman.md
+++ b/services/qmemman.md
@@ -23,7 +23,7 @@ The [tmem](https://oss.oracle.com/projects/tmem/) project provides a "pseudo-RAM
 
 Therefore, in Qubes another solution is used. There is the *qmemman* dom0 daemon. All VMs report their memory usage (via xenstore) to *qmemman*, and it makes decisions on whether to balance memory across domains. The actual mechanism to add/remove memory from a domain (*xc.domain\_set\_target\_mem*) is already supported by both PV Linux guests and Windows guests (the latter via PV drivers).
 
-Similarly, when there is need for Xen free memory (for instance, in order to create a new VM), traditionally the memory is obtained from dom0 only. When *qmemman* is running, it offers interface to obtain memory from all domains.
+Similarly, when there is need for Xen free memory (for instance, in order to create a new VM), traditionally the memory is obtained from dom0 only. When *qmemman* is running, it offers an interface to obtain memory from all domains.
 
 To sum up, *qmemman* pros and cons. Pros:
 
@@ -34,7 +34,7 @@ To sum up, *qmemman* pros and cons. Pros:
 Cons:
 
 -   the algorithm to calculate the memory requirement for a domain is necessarily simple, and may not closely reflect reality
--   *qmemman* is notified by a VM about memory usage change not more often than 10 times per seconds (to limit CPU overhead in VM). Thus, there can be up to 0.1s delay until qmemman starts to react to the new memory requirements
+-   *qmemman* is notified by a VM about memory usage change not more often than 10 times per second (to limit CPU overhead in VM). Thus, there can be up to 0.1s delay until qmemman starts to react to the new memory requirements
 -   it takes more time to obtain free Xen memory, as all participating domains need to instructed to yield memory
 
 Interface
diff --git a/system/gui.md b/system/gui.md
index ceee7e42..dadfa01a 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -73,7 +73,7 @@ Security markers on dom0 windows
 
 It is important that user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
 
-In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has a *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
+In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has an *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
 
 Clipboard sharing implementation
 --------------------------------
@@ -81,7 +81,7 @@ Clipboard sharing implementation
 Certainly, it would be insecure to allow AppVM to read/write the clipboards of other AppVMs unconditionally. 
 Therefore, the following mechanism is used:
 
--   there is a "qubes clipboard" in dom0 - its contents is stored in a regular file in dom0.
+-   there is a "qubes clipboard" in dom0 - its contents are stored in a regular file in dom0.
 -   if user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
 -   user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
 
diff --git a/system/storage-pools.md b/system/storage-pools.md
index 250ec1c2..c4129208 100644
--- a/system/storage-pools.md
+++ b/system/storage-pools.md
@@ -7,31 +7,31 @@ permalink: /doc/storage-pools/
 Storage Pools in Qubes
 ======================
 
-Qubes OS R 3.2 introduced the concept of storage drivers & pools.  This feature
+Qubes OS R3.2 introduced the concept of storage drivers and pools.  This feature
 was a first step towards a saner storage API, which is heavily rewritten in R4.
 A storage driver provides a way to store VM images in a Qubes OS system.
 Currently, the default driver is `xen` which is the default way of storing
 volume images as files in a directory tree like `/var/lib/qubes/`.
 
-A pool storage driver can be identified either by the driver name with the
+A storage pool driver can be identified either by the driver name with the
 `driver` key or by the class name like this:
 `class=qubes.storage.xen.XenStorage`. Because R3.2 doesn't use Python
 `setup_hooks`, to actually use a short driver name for a custom storage driver,
 you have to patch `qubes-core-admin`. You can use the `class` config key
 instead, when your class is accessible by `import` in Python.
 
-A pool (in R3.2) is a configuration information which can be referenced when
+A pool (in R3.2) is configuration information which can be referenced when
 creating a new VM. Each pool is saved in `storage.conf`. It has a name, a
 storage driver and some driver specific configuration attached.
 
-When installed, the system has, as you can see from the content of
+When installed, the system has, as you can see from the contents of
 `/etc/qubes/storage.conf`, a pool named `default`. It uses the driver `xen`. The
 default pool is special in R3.2. It will add `dir_path=/var/lib/qubes`
 configuration value from `defaults[pool_config]`, if not overwritten.
 
 
 Currently the only supported driver out of the box is `xen`. The benefit of
-pools (besides that you can write an own storage driver e.g. for Btrfs) in R3.2
+pools (besides that you can write your own storage driver e.g. for Btrfs) in R3.2
 is that you can store your domains in multiple places.
 
 You can add a pool to `storage.conf` like this:
@@ -42,7 +42,7 @@ driver=xen
 dir_path=/opt/qubes-vm
 ```
 
-Now, when creating a new VM on the command-line, a you may pass the `-Pfoo`
+Now, when creating a new VM on the command-line, you may pass the `-Pfoo`
 argument to `qvm-create` to have the VM images stored in pool `foo`. See also
 `qvm-create --help`.
 

From 22340ee8d9c969a22919de665f454d909bda8bbf Mon Sep 17 00:00:00 2001
From: ubestemt <u+gh@bestemt.no>
Date: Tue, 16 May 2017 11:39:29 +0000
Subject: [PATCH 011/125] Missing word.

---
 building/building-archlinux-template.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/building/building-archlinux-template.md b/building/building-archlinux-template.md
index 0f463ccb..0601548b 100644
--- a/building/building-archlinux-template.md
+++ b/building/building-archlinux-template.md
@@ -77,7 +77,7 @@ redirect_from:
 <br>
 <br>
 
-## 4: Downloading and verifying the integrity the "Qubes Automated Build System"
+## 4: Downloading and verifying the integrity of the "Qubes Automated Build System"
 
 * Import the Qubes master key
 

From d3855827f1860ba8c20482d037378e1f2e231abc Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:43:11 +1000
Subject: [PATCH 012/125] More typo/grammar/re-wording from @jpouellet's review

---
 basics_dev/coding-style.md                     |  2 --
 common-tasks/software-update-vm.md             |  2 +-
 common-tasks/tips-and-tricks.md                |  2 +-
 configuration/assigning-devices.md             |  6 +++---
 configuration/external-audio.md                |  2 +-
 configuration/managing-vm-kernel.md            |  6 +++---
 configuration/network-bridge-support.md        |  2 +-
 configuration/resize-disk-image.md             |  2 +-
 customization/bind-dirs.md                     |  2 +-
 customization/dark-theme.md                    |  6 +++---
 customization/dispvm-customization.md          |  2 +-
 .../fedora-minimal-template-customization.md   |  4 ++--
 .../windows-template-customization.md          |  4 ++--
 debugging/vm-interface.md                      |  2 +-
 installing/upgrade/upgrade-to-r3.0.md          |  2 +-
 managing-os/templates/archlinux.md             |  4 ++--
 managing-os/windows/windows-appvms.md          |  2 +-
 reference/glossary.md                          |  2 +-
 releases/1.0/release-notes.md                  |  2 +-
 security-info/security-pack.md                 |  2 +-
 security/yubi-key.md                           | 18 +++++++++---------
 services/dvm-impl.md                           | 18 +++++++++---------
 system/gui.md                                  |  8 ++++----
 troubleshooting/install-nvidia-driver.md       |  2 +-
 troubleshooting/out-of-memory.md               |  4 ++--
 25 files changed, 53 insertions(+), 55 deletions(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index b506db81..82d635f5 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -165,8 +165,6 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
--   Use equivalent variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
-
 Python-specific guidelines
 --------------------------
 
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 1bd3f567..bbb189ac 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -119,7 +119,7 @@ There are several ways to deal with this problem:
 
 -   Use *standalone VMs* (see below) for installation of untrusted software packages.
 
--   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somewhat less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
+-   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
 
 Some popular questions:
 
diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 81938023..4b244f3e 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -46,7 +46,7 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have in a not so trusted enviroment, for example a Windows VM, an application that track and report its usage, or you simply want to protect your data.
+Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that track and report its usage, or you simply want to protect your data.
 
 Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index e676e742..2998b9b6 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,15 +58,15 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want to assign a certain [USB] device to a VM (by attaching the whole
-USB controller), you need to figure out which PCI device is the right
+If you want to assign a certain USB device to a VM by attaching the whole
+USB controller, you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 
 ~~~
 lsusb
 ~~~
 
-For example, I want to assign a broadband modem to the netvm. In the output of
+For example, I want to assign a broadband modem to the NetVM. In the output of
 `lsusb` it can be listed as something like this. (In this case, the device isn't
 fully identified):
 
diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 43618955..3d25a87b 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -38,7 +38,7 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember your selection.
 
 If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding another line at the beginning:
 
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 39d2eb05..70859eb2 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -326,9 +326,9 @@ When starting the VM you can safely ignore any warnings about a missing module '
 
 ### Troubleshooting
 
-In the event of a problem, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
-GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
-expires) - for example in separate dom0 terminal window.
+In the event of a problem, you can access the VM console (using `sudo xl console VMNAME` in dom0) to access
+the GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
+expires) - for example in a separate dom0 terminal window.
 
 In any case you can later access VM logs (especially VM console log (`guest-VMNAME.log`). 
 
diff --git a/configuration/network-bridge-support.md b/configuration/network-bridge-support.md
index cf86bc56..4df4c5f0 100644
--- a/configuration/network-bridge-support.md
+++ b/configuration/network-bridge-support.md
@@ -42,7 +42,7 @@ First, retrieve the attachment of this Wifi article in dom0. Then apply the thre
 
 Finally restart the qubes manager GUI.
 
-A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enable the Bridge option and restart your AppVM.
+An option is available in the AppVM Settings to enable setting the NetVM in bridge mode. For a bridged AppVM, you should then select a NetVM instead of a FirewallVM/  ProxyVM, enable the Bridge option, and restart your AppVM.
 
 NetVM patch (Qubes R2B2)
 ------------------------
diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index c89780ab..a4e4b28f 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -75,7 +75,7 @@ Done.
 
 If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use.
 
-1.  Make sure that all the VMs based on this template are powered off (including netvms etc).
+1.  Make sure that all the VMs based on this template are shut down (including netvms etc).
 2.  Sanity check: verify that none of the loop devices are pointing at this template root.img: `sudo losetup -a`
 3.  Resize root.img file using `truncate -s <desired size>` (the root.img path can be obtained from qvm-prefs).
 4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index 8fc01a62..c9769927 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -89,7 +89,7 @@ For example, if you wanted to make `/var/lib/tor` non-persistant in `sys-whonix`
 binds=( "${binds[@]/'/var/lib/tor'}" )
 ~~~
 
-(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is not recommended, since such changes get lost when that file is changed in the package on upgrades.)
+(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is strongly discouraged, since such changes get lost when that file is changed in the package on upgrades.)
 
 ## Discussion ##
 
diff --git a/customization/dark-theme.md b/customization/dark-theme.md
index 1c046bb3..18bd84e9 100644
--- a/customization/dark-theme.md
+++ b/customization/dark-theme.md
@@ -109,7 +109,7 @@ This is the result after applying the steps described here.
 Dark App VM, Template VM, Standalone VM, HVM (Linux Gnome)
 ==========================================================
 
-Almost all Qubes VM's are based on the Gnome desktop. Therefore the description below is focused on the Gnome Desktop Environment.
+Almost all Qubes VMs use default applications based on the GTK toolkit. Therefore the description below is focused on tools from the Gnome Desktop Environment.
 
 Using "Gnome-Tweak-Tool"
 ------------------------
@@ -120,7 +120,7 @@ The advantage of creating a dark themed Template VM is, that each AppVM which is
 
 1. Start VM
 
-    **Note:** In the case of App VM start the Template on which the AppVM is based on.
+    **Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
 
 2. Install `Gnome-Tweak-Tool`
 
@@ -174,7 +174,7 @@ Manually works for Debian, Fedora and Archlinux.
 
 1. Start VM
 
-    **Note:** In the case of App VM start the Template on which the AppVM is based on.
+    **Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
 
 2. Enable `Global Dark Theme`
 
diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index ff59dcc0..fa3525c1 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -49,7 +49,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVM's settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 
diff --git a/customization/fedora-minimal-template-customization.md b/customization/fedora-minimal-template-customization.md
index 94f05e1b..f8a7cb90 100644
--- a/customization/fedora-minimal-template-customization.md
+++ b/customization/fedora-minimal-template-customization.md
@@ -17,7 +17,7 @@ Template installation
 
 *Note*: the template may not start in Qubes R3 when using kernel 3.19 (unstable). In this case, switch the AppVM or TemplateVM to the kernel 3.18.
 
-*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (QubesOS?) template philosophy.
+*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (Qubes OS?) template philosophy.
 
 Standard tools installation
 ================
@@ -176,7 +176,7 @@ Cleaning the whole dconf settings is also possible by removing the following fil
 rm ~/.config/dconf/user
 ~~~
 
-*Note*: lxappearance only has an effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
+*Note*: lxappearance only has an effect on gtk3 themes so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
              However, it is very lightweight and can be used to identify the name and look of themes you are interested in.
              Once you have the name, you can apply it using gsetting command line or gconf-editor.
 
diff --git a/customization/windows-template-customization.md b/customization/windows-template-customization.md
index 1503b063..ecaffa23 100644
--- a/customization/windows-template-customization.md
+++ b/customization/windows-template-customization.md
@@ -62,10 +62,10 @@ Of course I recommend starting the template regularly and checking manually for
 System properties
 ---------------------------
 
-Right click on computer and go to Properties > Advanced > Performances:
+Right click on computer and go to Properties > Advanced > Performance:
 
  * If you don't care about visual effect, in Visual Effect select "Adjust for best performance"
- * I personally tweak the page file size to win some space on my root.
+ * I personally tweak the page file size to gain some space on my root.
 
     In Advanced>Performances>Advanced tab, change Virtual memory:
 
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index 507909db..106eefc9 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -199,7 +199,7 @@ abstraction. This will change in the future. Those tools are:
 - `gpk-update-viewer` - called by Qubes Manager to display available updates in a TemplateVM
 - `systemctl start qubes-update-check.timer` (and similarly stop) - called when enabling/disabling updates checking in given VM (`qubes-update-check` [qvm-service](/doc/qubes-service/))
 
-Additionally automatic tests extensively call various commands directly in VMs. We do not plan to change that.
+Additionally, automatic tests extensively run various commands directly in VMs. We do not plan to change that.
 
 GUI protocol
 ------------
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 341eaba6..bc43ba2f 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be the case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be more complicated. This can be the case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index d7ac945b..423eeea1 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -82,9 +82,9 @@ The two lines that have just been added to /etc/pacman.conf should then be remov
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-In the case of archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
+Upgrading pulseaudio or xorg-server to a newer major version will break the Qubes GUI agent. Avoid upgrading these packages until such time that a future version of the GUI agent addresses this issue.
 
-In this case, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
+Specifically, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
 
 ### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index bb1bbf4e..98f1c1f5 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -102,7 +102,7 @@ Also, the inter-VM services work as usual -- e.g. to request opening a document
 [user@work ~]$ qvm-open-in-vm work-win7 https://invisiblethingslab.com
 ~~~
 
-... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
+... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked whether to allow or deny the operation.
 
 Inter-VM file copy and clipboard works for Windows AppVMs the same way as for Linux AppVM (except that we don't provide a command line wrapper, `qvm-copy-to-vm` in Windows VMs) -- to copy files from Windows AppVMs just right-click on the file in Explorer, and choose: Send To-\> Other AppVM.
 
diff --git a/reference/glossary.md b/reference/glossary.md
index 214662b2..817c7190 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -32,7 +32,7 @@ A user-friendly term for a [VM](#vm) in Qubes OS.
 
  * "Qube" is an informal term intended to make it easier for less technical users to understand Qubes OS and learn how to use it. In technical discussions, the other, more precise terms defined on this page are to be preferred.
 
- * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the reference is a collection of qubes or [Qubes OS](#qubes-os).
+ * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the referent is a collection of qubes or [Qubes OS](#qubes-os).
 
 Domain
 ------
diff --git a/releases/1.0/release-notes.md b/releases/1.0/release-notes.md
index 7743684b..71421512 100644
--- a/releases/1.0/release-notes.md
+++ b/releases/1.0/release-notes.md
@@ -16,7 +16,7 @@ Known issues
 
 -   Installer might not support some USB keyboards (\#230). This seems to include all the Mac Book keyboards (most PC laptops have PS2 keyboards and are not affected).
 
--   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somewhat ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
+-   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
 
 -   Some keyboard layout set by KDE System Settings can cause [keyboard not working at all](https://groups.google.com/group/qubes-devel/browse_thread/thread/77d076b65dda7226). If you hit this issue, you can switch to console (by console login option) and manually edit `/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf` (and `/etc/sysconfig/keyboard`) and place correct keyboard layout settings (details in linked thread). You can check if specific keyboard layout settings are proper using `setxkbmap` tool.
 
diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index 390f4a36..00cd2d40 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    somewhat minimize these consequences with this canary thing.
+    minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 1bba22ba..e3541218 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -23,19 +23,19 @@ This can be configured using
 package. This package does not support sharing the same key slot with other
 applications (it will deny further authentications if you try).
 
-Contrary to instruction there, currently there is no binary packages in Qubes
+Contrary to instruction there, currently there is no binary package in the Qubes
 repository and you need to compile it yourself. This might change in the future.
 
 Challenge-response mode
 ----------------------
 
-In this mode, your YubiKey will generate response based on secret key, and
+In this mode, your YubiKey will generate a response based on the secret key, and
 random challenge (instead of counter). This means that it isn't possible to
-generate response in advance even if someone gets access to your YubiKey. This
+generate a response in advance even if someone gets access to your YubiKey. This
 makes it reasonably safe to use the same YubiKey for other services (also in
 challenge-response mode).
 
-Same as in OTP case, you will need to set up your YubiKey, choose separate
+Same as in the OTP case, you will need to set up your YubiKey, choose a separate
 password (other than your login password!) and apply the configuration.
 
 To use this mode you need to:
@@ -43,7 +43,7 @@ To use this mode you need to:
 1. Configure your YubiKey for challenge-response HMAC-SHA1 mode, for example
    [following this
    tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/)
-2. Install `ykpers` package in template on which your USB VM is based.
+2. Install the `ykpers` package in template on which your USB VM is based.
 3. Create `/usr/local/bin/yubikey-auth` script:
 
        #!/bin/sh
@@ -99,9 +99,9 @@ where no one can snoop your password.
 Locking the screen when YubiKey is removed
 ------------------------------------------
 
-You can setup your system to automatically lock the screen when you unplug
+You can setup your system to automatically lock the screen when you unplug your
 YubiKey. This will require creating a simple qrexec service which will expose
-the ability to lock the screen to your USB VM, and then adding udev hook to
+the ability to lock the screen to your USB VM, and then adding a udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
@@ -116,8 +116,8 @@ would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
-persistent across VM restarts. For example name the file
-`/rw/config/yubikey.rules`. Write there a single line:
+persis across VM restarts. For example name the file
+`/rw/config/yubikey.rules`. Add the following line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index 659073af..dad75ac9 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -14,34 +14,34 @@ DisposableVM implementation in Qubes
 DisposableVM image preparation
 ------------------------------
 
-DisposableVM is not started like other VMs, by executing equivalent of *xl create* - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
+DisposableVM is not started like other VMs, by executing equivalent of `xl create` - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
 
-Preparing a savefile is done by */usr/lib/qubes/qubes\_prepare\_saved\_domain.sh* script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
+Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
 
-1.  APPVM is started by *qvm-start*
+1.  APPVM is started by `qvm-start`
 2.  xenstore key `/local/domain/appvm_domain_id/qubes_save_request` is created
 3.  if prerun script was specified, copy it to `qubes_save_script` xenstore key
 4.  wait for the `qubes_used_mem` key to appear
-5.  (in APPVM) APPVM boots normally, up to the point in */etc/init.d/qubes\_core* script when the presence of `qubes_save_request` key is tested. If it exists, then
+5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes\_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
     1.  (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster.
     2.  (in APPVM) the amount of used memory is stored to `qubes_used_mem` xenstore key
     3.  (in APPVM) busy-waiting for `qubes_restore_complete` xenstore key to appear
 
 6.  when `qubes_used_mem` key appears, the domain memory is reduced to this amount, to make the savefile smaller.
 7.  APPVM private image is detached
-8.  the domain is saved via *xl save*
+8.  the domain is saved via `xl save`
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-*qubes\_prepare\_saved\_domain.sh* script is somewhat lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+The `qubes\_prepare\_saved\_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes\_prepare\_saved\_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
 
-Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the *qfile-daemon-dvm* program is executed; it executes */usr/lib/qubes/qubes\_restore* program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
+Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes\_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
 
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
-3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the */etc/xen/scripts/block* script to bypass some redundant checks and execute as fast as possible.
+3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the `/etc/xen/scripts/block` script to bypass some redundant checks and execute as fast as possible.
 4.  execute "xl restore" in order to restore a domain.
 5.  create the same xenstore keys as normally created when AppVM boots (e.g. `qubes_ip`)
 6.  create the `qubes_restore_complete` xenstore key. This allows the boot process in DisposableVM to continue.
@@ -53,4 +53,4 @@ Validating the DisposableVM savefile
 
 DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files.
 
-Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in *qfilexchgd* daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at */var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh*. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
+Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
diff --git a/system/gui.md b/system/gui.md
index dadfa01a..ed100843 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -71,7 +71,7 @@ To sum up, this solution has the following benefits:
 Security markers on dom0 windows
 --------------------------------
 
-It is important that user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
+It is important that the user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
 
 In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has an *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
 
@@ -82,10 +82,10 @@ Certainly, it would be insecure to allow AppVM to read/write the clipboards of o
 Therefore, the following mechanism is used:
 
 -   there is a "qubes clipboard" in dom0 - its contents are stored in a regular file in dom0.
--   if user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
--   user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
+-   if the user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
+-   the user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
 
-This way, user can quickly copy clipboards between AppVMs. 
+This way, the user can quickly copy clipboards between AppVMs. 
 This action is fully controlled by the user, it cannot be triggered/forced by any AppVM.
 
 *qubes_gui* and *qubes_guid* code notes
diff --git a/troubleshooting/install-nvidia-driver.md b/troubleshooting/install-nvidia-driver.md
index cc287745..8ad37c17 100644
--- a/troubleshooting/install-nvidia-driver.md
+++ b/troubleshooting/install-nvidia-driver.md
@@ -152,7 +152,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Exit out of the chroot environment (`exit` or CTRL-D)
 6. Reboot
 
-*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as exercise to the user.
+*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as an exercise to the user.
 
 ## Gather initial `dmesg` output
 If all is well, the newly-installed Qubes OS instance should allow for user root to log in. 
diff --git a/troubleshooting/out-of-memory.md b/troubleshooting/out-of-memory.md
index 9021512b..ee2d2fb0 100644
--- a/troubleshooting/out-of-memory.md
+++ b/troubleshooting/out-of-memory.md
@@ -35,7 +35,7 @@ sudo yum clean all
 qvm-remove <VMname>
 ~~~
 
-With this method you lose the data of one VM, but it'll more reliably work.
+With this method you lose the data of one VM, but it'll work more reliably.
 
 1.  Decrease filesystem safety margin (5% by default):
 
@@ -43,5 +43,5 @@ With this method you lose the data of one VM, but it'll more reliably work.
 sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root
 ~~~
 
-1.  Remove some unneeded files in dom0 home (if you have any, most likely no).
+1.  Remove some unneeded files in dom0 home (if you have any, most likely not).
 

From f3953c147405c668eddc0792d1b63df49d4be2e6 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:53:05 +1000
Subject: [PATCH 013/125] More typo/grammar/re-wording from @jpouellet's review

---
 common-tasks/tips-and-tricks.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 4b244f3e..23b721c8 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -46,9 +46,9 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that track and report its usage, or you simply want to protect your data.
+Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that tracks and reports its usage, or you simply want to protect your data.
 
-Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
+Start the Windows TemplateVM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
 
 Credit: [Joanna Rutkovska](https://twitter.com/rootkovska/status/832571372085850112)

From 585884365cf40ee36d3a69b2d6477610122fdc1c Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:55:35 +1000
Subject: [PATCH 014/125] reinstate USB link removed accidentally

---
 configuration/assigning-devices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 2998b9b6..e0518b72 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,7 +58,7 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want to assign a certain USB device to a VM by attaching the whole
+If you want to assign a certain [USB] device to a VM by attaching the whole
 USB controller, you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 

From ffa81770a75ff30f5fb04ef2f64713b2356553bf Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:10:11 +1000
Subject: [PATCH 015/125] reinstate 'somehow'

---
 security-info/security-pack.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index 00cd2d40..e6d34238 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    minimize these consequences with this canary thing.
+    somehow minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.

From 3ab0832ba73f2a0ed7335ccb179f1e969416c919 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:14:49 +1000
Subject: [PATCH 016/125] fix my own spelling mistake...

---
 security/yubi-key.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/yubi-key.md b/security/yubi-key.md
index e3541218..d5b3a946 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -116,7 +116,7 @@ would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
-persis across VM restarts. For example name the file
+persist across VM restarts. For example name the file
 `/rw/config/yubikey.rules`. Add the following line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"

From 013aa5083c92be3a32f612453155b277dfb24005 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:16:38 +1000
Subject: [PATCH 017/125] underscores do not need to be backslash-escaped
 inside backticks

---
 services/dvm-impl.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index dad75ac9..dbb38af1 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -16,13 +16,13 @@ DisposableVM image preparation
 
 DisposableVM is not started like other VMs, by executing equivalent of `xl create` - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
 
-Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
+Preparing a savefile is done by `/usr/lib/qubes/qubes_prepare_saved_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
 
 1.  APPVM is started by `qvm-start`
 2.  xenstore key `/local/domain/appvm_domain_id/qubes_save_request` is created
 3.  if prerun script was specified, copy it to `qubes_save_script` xenstore key
 4.  wait for the `qubes_used_mem` key to appear
-5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes\_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
+5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
     1.  (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster.
     2.  (in APPVM) the amount of used memory is stored to `qubes_used_mem` xenstore key
     3.  (in APPVM) busy-waiting for `qubes_restore_complete` xenstore key to appear
@@ -32,12 +32,12 @@ Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh
 8.  the domain is saved via `xl save`
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-The `qubes\_prepare\_saved\_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes\_prepare\_saved\_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+The `qubes_prepare_saved_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes_prepare_saved_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
 
-Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes\_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
+Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
 
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
@@ -53,4 +53,4 @@ Validating the DisposableVM savefile
 
 DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files.
 
-Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
+Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.

From 15388d2d615e76ddef44aa403a68e6b9ed1341f7 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:50:45 +1000
Subject: [PATCH 018/125] reinstate coding style variable line. Fix outlier
 command formatting in DisposableVM doc

---
 basics_dev/coding-style.md | 2 ++
 services/dvm-impl.md       | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index 82d635f5..4e9640ff 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -165,6 +165,8 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
+-   Use others variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
+
 Python-specific guidelines
 --------------------------
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index dbb38af1..246580a6 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -42,7 +42,7 @@ Normally, disposable VM is created when qubes rpc request with target *\$dispvm*
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
 3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the `/etc/xen/scripts/block` script to bypass some redundant checks and execute as fast as possible.
-4.  execute "xl restore" in order to restore a domain.
+4.  execute `xl restore` in order to restore a domain.
 5.  create the same xenstore keys as normally created when AppVM boots (e.g. `qubes_ip`)
 6.  create the `qubes_restore_complete` xenstore key. This allows the boot process in DisposableVM to continue.
 

From 47eb48bc868be4e4014071dca2fdab16a19bb6e8 Mon Sep 17 00:00:00 2001
From: NoobyNiceDev <33202028+NoobyNiceDev@users.noreply.github.com>
Date: Sun, 29 Oct 2017 17:38:37 +0100
Subject: [PATCH 019/125] Warning Win10 Created usb

On windows 10 machines created install USB drives can't accomplish media test. According to Issue 2051.
---
 installing/installation-guide.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/installing/installation-guide.md b/installing/installation-guide.md
index e0b97bbd..10a111ce 100644
--- a/installing/installation-guide.md
+++ b/installing/installation-guide.md
@@ -76,6 +76,9 @@ partition (e.g., `/dev/sda1`).
 On Windows, you can use the [Rufus] tool. Be sure to select "DD image" mode (you
 need to do that **after** selecting the Qubes ISO):
 
+**Warning:** If you do that on Windows 10, you can only install Qubes without 
+MediaTest, which isn't recommended. 
+
 <img src="/attachment/wiki/InstallationGuide/rufus-main-boxed.png" height="350">
 
 Before proceeding with the installation, you are encouraged to first read all

From 0d7b1875e8aa385c41df6e09cbf30d6f720cd782 Mon Sep 17 00:00:00 2001
From: ptitdoc <ptitdoc@free.fr>
Date: Sun, 19 Nov 2017 09:31:57 +0100
Subject: [PATCH 020/125] Archlinux documentation update for Qubes-4.0

Update Archlinux documentation as discussed in the following pull requests:
https://github.com/QubesOS/qubes-core-agent-linux/pull/67
https://github.com/QubesOS/qubes-core-agent-linux/pull/66
---
 managing-os/templates/archlinux.md | 44 ++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 3bb15f2f..5bd465aa 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -32,22 +32,23 @@ A prebuilt template is available only for Qubes 3.2. Before Qubes 3.2, it should
 
 ## Binary packages activation
 
-The update repository is disabled when you install (signed) template package. You can however choose to trust it by registering it into pacman.
+The Qubes update repository is disabled by default in the Archlinux template. You can however choose to trust it by registering it into pacman.
 
-Enable the repository by running the following command:
+Since November 2017, an activation package is present in the template. The update repository can thus be activated by running the following command inside the template:
 
-    # mv /etc/pacman.d/99-qubes-repository-3.2.disabled /etc/pacman.d/99-qubes-repository-3.2.conf
+    # pacman -sU /etc/pacman.d/qubes-vm-keyring*.pkg.tar.xz
+    
+It should be noted to this command will create a trust for packages provided by [Olivier Médoc](mailto:o_medoc@yahoo.fr) and signed by the PGP key above.
 
-Then you need to install and sign the public GPG key of the package maintainer (note that accessing to GPG servers requires to temporarily disable the firewall in your template):
+If the qubes-vm-keyring package is not present in `/etc/pacman.d/`, please refer to the section #Activating binary packages manually.
 
-    # pacman-key --recv-key 2043E7ACC1833B9C
-    # pacman-key --finger 2043E7ACC1833B9C
- 
-If the fingerprint is correct, you can then sign the key:
+## Optional Qubes packages
 
-    # pacman-key --lsign-key 2043E7ACC1833B9C
+Several Qubes packages are not necessarilly installed by default in the Archlinux Template. These packages can be installed to add additional functionnalities to the template:
+* `qubes-vm-networking`: Contains Qubes tools and dependencies required to use the template as a NetVM/ProxyVM
+* `qubes-vm-pulseaudio`: Contains Pulseaudio agent enabling sound support in the template
 
-## Default packages
+## Default template packages
 
 In order to keep the template as small and simple as possible, default installed package have been arbitrarily selected based on multiple subjective criterias that however essentially include libraries dependencies. This packages are:
 * Some font packages to keep good user experience
@@ -60,6 +61,28 @@ In order to keep the template as small and simple as possible, default installed
 
 Note that Archlinux does not install GUI packages by default as this decision is left to users. This packages have only been selected to have a usable template.
 
+## Activating binary packages manually
+
+Enable the repository by running the following command:
+
+    # rm /etc/pacman.d/99-qubes-repository-3.2.conf
+    # ln -s /etc/pacman.d/99-qubes-repository-3.2.disabled /etc/pacman.d/99-qubes-repository-3.2.conf
+
+Then you need to install and sign the public GPG key of the package maintainer (note that accessing to GPG servers requires to temporarily disable the firewall in your template):
+
+    # pacman-key --recv-key 2043E7ACC1833B9C
+    # pacman-key --finger 2043E7ACC1833B9C
+ 
+If the fingerprint is correct, you can then sign the key:
+
+    # pacman-key --lsign-key 2043E7ACC1833B9C
+
+## Updating a Qubes-3.2 Archlinux Template
+
+Because of changes in the Qubes-4.0 partition layout, and usage of XEN HVMs instead of pv-guests. It is not straightforward to update a Qubes-3.2 template to Qubes-4.0.
+
+For this reason, it is recommended to start from a new template in Qubes-4.0.
+
 ## Updating a Qubes-3.1 Archlinux Template
 
 If you decide to use binary packages but that you where using a Qubes-3.1 Template, your can follow these instructions to enable Qubes 3.2 agents.
@@ -111,7 +134,6 @@ Finally, errors related to the GUI agent can be found inside the VM in `/home/us
 
 ## Packages manager wrapper
 
-
 Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages.
 
 Please check out:

From c2a9f16967c5e51b6ea609b19aae5bf8a7932188 Mon Sep 17 00:00:00 2001
From: ptitdoc <ptitdoc@free.fr>
Date: Sun, 19 Nov 2017 14:35:59 +0100
Subject: [PATCH 021/125] Fix failed travis check (typo)

---
 managing-os/templates/archlinux.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 5bd465aa..c3b40e8f 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -44,7 +44,7 @@ If the qubes-vm-keyring package is not present in `/etc/pacman.d/`, please refer
 
 ## Optional Qubes packages
 
-Several Qubes packages are not necessarilly installed by default in the Archlinux Template. These packages can be installed to add additional functionnalities to the template:
+Several Qubes packages are not necessarily installed by default in the Archlinux Template. These packages can be installed to add additional functionnalities to the template:
 * `qubes-vm-networking`: Contains Qubes tools and dependencies required to use the template as a NetVM/ProxyVM
 * `qubes-vm-pulseaudio`: Contains Pulseaudio agent enabling sound support in the template
 

From 227f3ba87779378667ce55f4cb78199b74d7a82e Mon Sep 17 00:00:00 2001
From: ptitdoc <ptitdoc@free.fr>
Date: Sun, 19 Nov 2017 15:53:18 +0100
Subject: [PATCH 022/125] Properly use markdown for package names.

---
 managing-os/templates/archlinux.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index c3b40e8f..87beb977 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -46,7 +46,7 @@ If the qubes-vm-keyring package is not present in `/etc/pacman.d/`, please refer
 
 Several Qubes packages are not necessarily installed by default in the Archlinux Template. These packages can be installed to add additional functionnalities to the template:
 * `qubes-vm-networking`: Contains Qubes tools and dependencies required to use the template as a NetVM/ProxyVM
-* `qubes-vm-pulseaudio`: Contains Pulseaudio agent enabling sound support in the template
+* `qubes-vm-pulseaudio`: Contains `Pulseaudio` agent enabling sound support in the template
 
 ## Default template packages
 

From d4ab4aa524c0e9edce68efe7f0ab01b21fed9e51 Mon Sep 17 00:00:00 2001
From: Yassine Ilmi <yilmi@users.noreply.github.com>
Date: Sat, 13 Jan 2018 11:00:04 +0000
Subject: [PATCH 023/125] Custom "kernel" key in xen.cfg on USB install media

Reviewing the HCL a lot of reporters had to install in legacy mode because UEFI mode would fail. For various reports, they used custom kernel parameters by changing the grub entry. This is frequent for recent hardware or some configurations (dual gpu,...).

With this procedure a user can perform UEFI install with custom kernel parameters
---
 troubleshooting/uefi-troubleshooting.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/troubleshooting/uefi-troubleshooting.md b/troubleshooting/uefi-troubleshooting.md
index 46b19886..a5f74ca1 100644
--- a/troubleshooting/uefi-troubleshooting.md
+++ b/troubleshooting/uefi-troubleshooting.md
@@ -7,6 +7,19 @@ permalink: /doc/uefi-troubleshooting/
 Troubleshooting UEFI related problems
 ========================================
 
+Change installer kernel parameters in UEFI
+---------------------
+
+If you've installed successfully in legacy mode but had to change some kernel parameters for it to work, you should try installing in UEFI with the same kernel parameters.
+
+Change the `xen.cfg` on a USB media
+
+01. Attach the usb disk, find the EFI partition and mount it
+02. Edit your xen.cfg changing the `kernel` key to add your kernel parameters on the boot entry of your choice
+03. Install using your modified boot entry
+
+You can also update an iso image, use `losetup` to isolate the EFI partition and mount it.
+
 
 Cannot start installation, installation completes successfully but then BIOS loops at boot device selection, hangs at four penguins after choosing "Test media and install Qubes OS" in GRUB menu
 ---------------------

From 2d84312ac5108cd5ff6d190322f696ea1b25c082 Mon Sep 17 00:00:00 2001
From: Peter Gerber <peter@arbitrary.ch>
Date: Mon, 22 Jan 2018 01:29:01 +0100
Subject: [PATCH 024/125] Improve instructions for randomizing MAC addresses

NetworkManager, by default, uses a connection ID and a per-host random
and secret key to generate `stable` MAC addresses. The intention is to
keep a connection's MAC address stable indefinitely but for it to be
different on every host.

The current instruction mention that "`stable` generates a random
address that persists for each boot session". This is indeed true for
AppVMs using stock TemplateVMs. The reason is that the secret key doesn't
exist in the template and thus is only created when the AppVM starts.
This, however, may not be true for other VMs.

In order to ensure that MACs are always only `stable` during one boot
session, `stable-id`, which is used to generate MACs, can be adjusted.
NetworkManager's documentation suggests to use `${CONNECTION}/${BOOT}`
to ensure generated MACs are unique to a boot session and connection [1].

[1]: https://developer.gnome.org/NetworkManager/stable/nm-settings.html
---
 privacy/anonymizing-your-mac-address.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/privacy/anonymizing-your-mac-address.md b/privacy/anonymizing-your-mac-address.md
index 1ae437bb..7a92429e 100644
--- a/privacy/anonymizing-your-mac-address.md
+++ b/privacy/anonymizing-your-mac-address.md
@@ -34,10 +34,11 @@ wifi.scan-rand-mac-address=yes
 [connection]
 wifi.cloned-mac-address=stable
 ethernet.cloned-mac-address=stable
+connection.stable-id=${CONNECTION}/${BOOT}
 ~~~
 
-`stable` generates a random address that persists for each boot session.
-`random` generates a random address each time a link goes up.
+* `stable` in combination with `${CONNECTION}/${BOOT}` generates a random address that persists for each boot session.
+* `random` generates a random address each time a link goes up.
 
 To see all the available configuration options, refer to the man page: `man nm-settings`
 

From 0a7a794a8998d21e31b4b284e6c8094c2c166591 Mon Sep 17 00:00:00 2001
From: mossy-nw <34462023+mossy-nw@users.noreply.github.com>
Date: Mon, 22 Jan 2018 18:02:52 +0000
Subject: [PATCH 025/125] Update fedora-minimal.md

---
 managing-os/templates/fedora-minimal.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md
index 8e725237..9febea4a 100644
--- a/managing-os/templates/fedora-minimal.md
+++ b/managing-os/templates/fedora-minimal.md
@@ -72,12 +72,6 @@ In Qubes R4.0, sudo is not installed by default in the minimal template.  To upd
 [user@dom0 ~]$ qvm-run -u root fedora-26-minimal xterm
 ~~~
 
-If you would like to skip this step in future, please install the `sudo` package:
-
-~~~
-[user@your-new-clone ~]$ dnf install sudo
-~~~
-
 In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be needed to make the customized minimal template work properly. These packages are:
 
 - `qubes-core-agent-qrexec`: Qubes qrexec agent. Installed by default.
@@ -87,7 +81,8 @@ In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be neede
 - `qubes-core-agent-sysvinit`: Qubes unit files for SysV init style or upstart.
 - `qubes-core-agent-networking`: Networking support. Useful if the template has to be used for a `sys-net` VM.
 - `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template has to be used for a `sys-net` VM.
-- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM respondible for 'dom0' updates is based on must contain this package.
+- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM responsible for 'dom0' updates (e.g. `sys-firewall`) is based on must contain this package.
+- `qubes-usb-proxy`: Required in minimal template for a USB qube (`sys-usb`) as well as in minimal template for any destination domains to which USB devices are to be attached (e.g `sys-net` if using USB network adapter).   
 - `pulseaudio-qubes`: Needed to have audio on the template VM.
 
 

From bcc9020c41248aefba1291f5b559e1772dc32f18 Mon Sep 17 00:00:00 2001
From: mossy-nw <34462023+mossy-nw@users.noreply.github.com>
Date: Mon, 22 Jan 2018 19:24:00 +0000
Subject: [PATCH 026/125] Update fedora-minimal.md

some grammar fixes and clarify that `qubes-core-agent-networking` also required for `sys-firewall` VM
---
 managing-os/templates/fedora-minimal.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md
index 9febea4a..39a7c92a 100644
--- a/managing-os/templates/fedora-minimal.md
+++ b/managing-os/templates/fedora-minimal.md
@@ -79,10 +79,10 @@ In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be neede
 - `qubes-core-agent-passwordless-root`, `polkit`: By default the 'fedora-26-minimal' template doesn't have passwordless root. These two packages fix the situation.
 - `qubes-core-agent-nautilus`: This package provides integration with the Nautilus file manager (without it things like "copy to VM/open in disposable VM" will not be shown in Nautilus).
 - `qubes-core-agent-sysvinit`: Qubes unit files for SysV init style or upstart.
-- `qubes-core-agent-networking`: Networking support. Useful if the template has to be used for a `sys-net` VM.
-- `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template has to be used for a `sys-net` VM.
+- `qubes-core-agent-networking`: Networking support. Required if the template is to be used for a `sys-net` or `sys-firewall` VM.
+- `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template is to be used for a `sys-net` VM.
 - `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM responsible for 'dom0' updates (e.g. `sys-firewall`) is based on must contain this package.
-- `qubes-usb-proxy`: Required in minimal template for a USB qube (`sys-usb`) as well as in minimal template for any destination domains to which USB devices are to be attached (e.g `sys-net` if using USB network adapter).   
+- `qubes-usb-proxy`: Required if the template is to be used for a USB qube (`sys-usb`) or for any destination qube to which USB devices are to be attached (e.g `sys-net` if using USB network adapter).   
 - `pulseaudio-qubes`: Needed to have audio on the template VM.
 
 

From 6fd6402c73cc292a11e6d881aad1f76505a27734 Mon Sep 17 00:00:00 2001
From: mossy-nw <34462023+mossy-nw@users.noreply.github.com>
Date: Mon, 22 Jan 2018 19:38:09 +0000
Subject: [PATCH 027/125] Update fedora-minimal.md

added network-manager-applet for system tray icon for minimal sys-net
---
 managing-os/templates/fedora-minimal.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md
index 39a7c92a..48528a34 100644
--- a/managing-os/templates/fedora-minimal.md
+++ b/managing-os/templates/fedora-minimal.md
@@ -81,6 +81,7 @@ In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be neede
 - `qubes-core-agent-sysvinit`: Qubes unit files for SysV init style or upstart.
 - `qubes-core-agent-networking`: Networking support. Required if the template is to be used for a `sys-net` or `sys-firewall` VM.
 - `qubes-core-agent-network-manager`: Integration for NetworkManager. Useful if the template is to be used for a `sys-net` VM.
+- `network-manager-applet`: Useful (together with `dejavu-sans-fonts` and `notification-daemon`) to have a system tray icon if the template is to be used for a `sys-net` VM.
 - `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates. Any template which the VM responsible for 'dom0' updates (e.g. `sys-firewall`) is based on must contain this package.
 - `qubes-usb-proxy`: Required if the template is to be used for a USB qube (`sys-usb`) or for any destination qube to which USB devices are to be attached (e.g `sys-net` if using USB network adapter).   
 - `pulseaudio-qubes`: Needed to have audio on the template VM.

From 13d7375ff204ca5d05ee7b86f87bba458434b6b3 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 25 Jan 2018 21:11:34 +0000
Subject: [PATCH 028/125] formatting and rewording enhancements

---
 configuration/vpn.md | 402 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 381 insertions(+), 21 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index 41bd81d9..acff4421 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -68,29 +68,168 @@ This method is more involved than the one above, but has anti-leak features that
     
     Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
     
-    If your choice of template VM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package: for example `sudo systemctl disable openvpn.service`.
+    If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN.
     
-    You may also wish to install `nano` or another simple text editor for entering the scripts below.
+       sudo systemctl disable openvpn.service
+    
+You may also wish to install `nano` or another simple text editor for entering the scripts below.
 
 2.  Set up and test the VPN client.
 
     Make sure the VPN VM and its template VM are not running.
     
-    Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with `sudo mkdir /rw/config/vpn` and copy your VPN config files here (the example config filename used here is `openvpn-client.ovpn`). Files accompanying the main config such as *.crt and *.pem should also go here, and should not be referenced in the main config by absolute paths such as '/etc/...'.
+    Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with.
+    
+        sudo mkdir /rw/config/vpn
+    
+Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn` so you can use the instructions and scripts below as is without modification. Otherwise you would have to replace the file name.
 
-    Notes about VPN config options: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. Lastly, the VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the 'vpn' folder with your credentials and using a directive such as openvpn's `auth-user-pass <filename>` is recommended.
+Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`.
+
+Files referenced in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`.
+
+---
+layout: doc
+title: VPN
+permalink: /doc/vpn/
+redirect_from:
+- /doc/privacy/vpn/
+- /en/doc/vpn/
+- /doc/VPN/
+- /wiki/VPN/
+---
+
+How To make a VPN Gateway in Qubes
+==================================
+
+Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.
+
+Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
+
+### NetVM
+
+The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
+
+-   You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
+-   All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
+
+### AppVM
+
+While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements.
+
+### ProxyVM
+
+One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions.
+
+Using a ProxyVM to set up a VPN client gives you the ability to:
+
+-   Separate your VPN credentials from your NetVM.
+-   Separate your VPN credentials from your AppVM data.
+-   Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
+
+Set up a ProxyVM as a VPN gateway using NetworkManager
+------------------------------------------------------
+
+1.  Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
+
+    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
+
+2.  Add the `network-manager` service to this new VM.
+
+    ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)
+
+3.  Set up your VPN as described in the NetworkManager documentation linked above.
+
+4.  Configure your AppVMs to use the new VM as a NetVM.
+
+    ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
+
+5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
+
+
+Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
+----------------------------------------------------------------
+
+This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
+
+1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
+
+    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
     
-    __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
-    ```
-    sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
-    ```
+    Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
     
-    Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping` and `traceroute`. DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
+If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. For example in any Debian based VM to install OpenVPN.
+
+       sudo apt-get install openvpn
+
+Disable any auto-starting service that comes with the software package. For example for OpenVPN.
     
-    Proceed to the next step when you're sure the basic VPN connection is working.
+       sudo systemctl disable openvpn.service
+    
+You may also wish to install `nano` or another simple text editor for entering the scripts below.
+
+2.  Set up and test the VPN client.
+
+Make sure the VPN VM and its TemplateVM is not running.
+    
+Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with.
+    
+        sudo mkdir /rw/config/vpn
+    
+Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name.
+
+Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`.
+
+Files reference in `openvpn-client.ovpn` should not be referenced in the main config by absolute paths such as `/etc/...`.
+
+`openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
+
+Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN.
+
+       sudo nano /rw/config/vpn/openvpn-client.ovpn
+       
+ Make sure it already includes or add.
+
+       redirect-gateway def1
+
+The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add.
+
+      auth-user-pass pass.txt
+      
+ Save file `/rw/config/vpn/openvpn-client.ovpn`.
+ 
+ Make sure a `/rw/config/vpn/pass.txt` file actually exists.
+ 
+      sudo nano /rw/config/vpn/pass.txt
+ 
+ Add.
+ 
+ ```
+ username
+ password
+ ```
+ 
+ Replace `username` and `password` with your actual username and password.
+ 
+ __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
+    
+       sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
+    
+Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
+
+       ping 8.8.8.8
+       
+`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
+
+DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
+    
+Proceed to the next step when you're sure the basic VPN connection is working.
 
 3.  Create the DNS-handling script.
-    Use `sudo nano /rw/config/vpn/qubes-vpn-handler.sh` to edit and add:
+
+        sudo nano /rw/config/vpn/qubes-vpn-handler.sh
+       
+ Edit and add:
 
     ~~~
     #!/bin/bash
@@ -130,22 +269,37 @@ This method is more involved than the one above, but has anti-leak features that
     esac
     ~~~
 
-    Now save the script and make it executable:  
-    `sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh`
+Save the script.
+
+Make it executable.
+
+       sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
     
-4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config with `sudo nano /rw/config/vpn/openvpn-client.ovpn` and add these lines:
+4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
+
+       sudo nano /rw/config/vpn/openvpn-client.ovpn
+       
+ Add the following.
 
     ~~~
     script-security 2
     up 'qubes-vpn-handler.sh up'
     down 'qubes-vpn-handler.sh down'
     ~~~
+    
+Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
 
-    **Restart the client and test the connection again** ...this time from an AppVM!
+Save the script.
+
+**Restart the client and test the connection again** ...this time from an AppVM!
 
 5.  Set up iptables anti-leak rules.
 
-    Edit the firewall script with `sudo nano /rw/config/qubes-firewall-user-script` then clear out the existing lines and add:
+    Edit the firewall script.
+    
+       sudo nano /rw/config/qubes-firewall-user-script
+       
+Clear out the existing lines and add.
 
 	~~~
 	#!/bin/bash
@@ -171,12 +325,17 @@ This method is more involved than the one above, but has anti-leak features that
     iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
     ~~~
 
-    Now save the script and make it executable:  
-    `sudo chmod +x /rw/config/qubes-firewall-user-script`
+Save the script.
+
+Make it executable.
+
+       sudo chmod +x /rw/config/qubes-firewall-user-script
 
 5.  Set up the VPN's autostart.
 
-    Use `sudo nano /rw/config/rc.local` to clear out the existing lines and add:
+       sudo nano /rw/config/rc.local
+
+Clear out the existing lines and add.
 
     ~~~
     #!/bin/bash
@@ -188,9 +347,11 @@ This method is more involved than the one above, but has anti-leak features that
     sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
     ~~~
     
-    Change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
+If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
 
-    Now save the script and make it executable:  
+Save the script.
+
+Make it executable:  
     `sudo chmod +x /rw/config/rc.local`
     
 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
@@ -214,6 +375,205 @@ You can do this in the Services tab in Qubes VM Manager or on the command-line:
 Then, configure your templates to use your new FirewallVM as their NetVM.
 
 
+Troubleshooting
+---------------
+
+* Always test your basic VPN connection before adding scripts.
+* Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain.
+* For scripting: Ping external IP addresses from inside the VPN VM using `sudo sg qvpn -c 'ping ...'`, then from an appVM using just `ping ...`. Once the firewall rules are in place, you will have to use `sudo sg` to run any IP network commands in the VPN VM.
+* Use `iptables -L -v` and `iptables -L -v -t nat` to check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding.
+ The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
+
+Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN.
+
+       sudo nano /rw/config/vpn/openvpn-client.ovpn
+       
+ Make sure it already includes or add.
+
+       redirect-gateway def1
+
+The VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add
+
+      auth-user-pass pass.txt
+ 
+ Make sure a `/rw/config/vpn/pass.txt` file actually exists.
+ 
+      sudo nano /rw/config/vpn/pass.txt
+ 
+ Add.
+ 
+ ```
+ username
+ password
+ ```
+ 
+ Replace the username and password with your actual username and password.
+ 
+ __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
+    
+       sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
+    
+Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
+
+       ping 8.8.8.8
+       
+ping can be aborted by pressing the two keys `ctrl` + `c` at the same time.
+
+DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
+    
+Proceed to the next step when you're sure the basic VPN connection is working.
+
+3.  Create the DNS-handling script.
+
+        sudo nano /rw/config/vpn/qubes-vpn-handler.sh
+       
+ Edit and add:
+
+    ~~~
+    #!/bin/bash
+    set -e
+    export PATH="$PATH:/usr/sbin:/sbin"
+
+    case "$1" in
+
+    up)
+	# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
+	# Format is 'X.X.X.X  Y.Y.Y.Y [...]'
+	if [[ -z "$vpn_dns" ]] ; then
+		# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
+		for optionname in ${!foreign_option_*} ; do
+			option="${!optionname}"
+			unset fops; fops=($option)
+			if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
+		done
+	fi
+
+	iptables -t nat -F PR-QBS
+	if [[ -n "$vpn_dns" ]] ; then
+		# Set DNS address translation in firewall:
+		for addr in $vpn_dns; do
+			iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
+			iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
+		done
+		su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
+	else
+		su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
+	fi
+
+	;;
+    down)
+	su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
+	;;
+    esac
+    ~~~
+
+Save the script.
+
+Make it executable.
+
+       sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
+    
+4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
+
+       sudo nano /rw/config/vpn/openvpn-client.ovpn
+       
+ Add the following.
+
+    ~~~
+    script-security 2
+    up 'qubes-vpn-handler.sh up'
+    down 'qubes-vpn-handler.sh down'
+    ~~~
+    
+Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
+
+Save the script.
+
+**Restart the client and test the connection again** ...this time from an AppVM!
+
+5.  Set up iptables anti-leak rules.
+
+Open Qubes firewall script.
+    
+        sudo nano /rw/config/qubes-firewall-user-script
+       
+Clear out the existing lines and add.
+
+	~~~
+	#!/bin/bash
+	#    Block forwarding of connections through upstream network device
+	#    (in case the vpn tunnel breaks):
+	iptables -I FORWARD -o eth0 -j DROP
+	iptables -I FORWARD -i eth0 -j DROP
+
+	#    Block all outgoing traffic
+	iptables -P OUTPUT DROP
+	iptables -F OUTPUT
+	iptables -I OUTPUT -o lo -j ACCEPT
+
+	#    Add the `qvpn` group to system, if it doesn't already exist
+    if ! grep -q "^qvpn:" /etc/group ; then
+        groupadd -rf qvpn
+        sync
+    fi
+    sleep 2s
+
+	#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
+	#    Our VPN client will run with group `qvpn`.
+    iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
+    ~~~
+
+Save the script.
+
+Make it executable.
+
+       sudo chmod +x /rw/config/qubes-firewall-user-script
+
+5.  Set up the VPN's autostart.
+
+       sudo nano /rw/config/rc.local
+
+Clear out the existing lines and add.
+
+    ~~~
+    #!/bin/bash
+    VPN_CLIENT='openvpn'
+    VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
+
+    su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
+    groupadd -rf qvpn ; sleep 2s
+    sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
+    ~~~
+    
+If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
+
+Save the script.
+
+Make it executable.
+
+       sudo chmod +x /rw/config/rc.local
+
+6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
+
+Usage
+-----
+
+Configure your AppVMs to use the VPN VM as a NetVM...
+
+![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
+
+
+If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
+Then, configure AppVMs to use your new FirewallVM as their NetVM.
+
+If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
+You can do this in the Services tab in Qubes VM Manager or on the command-line:
+
+    $ qvm-service -e <name> qubes-updates-proxy
+
+Then, configure your templates to use your new FirewallVM as their NetVM.
+
+
 Troubleshooting
 ---------------
 

From 8e9982cf0828e9db01fac55a531da9ad5992d01f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 25 Jan 2018 22:46:24 +0000
Subject: [PATCH 029/125] fix

---
 configuration/vpn.md | 299 +------------------------------------------
 1 file changed, 3 insertions(+), 296 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index acff4421..3a1a4574 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -74,100 +74,6 @@ This method is more involved than the one above, but has anti-leak features that
     
 You may also wish to install `nano` or another simple text editor for entering the scripts below.
 
-2.  Set up and test the VPN client.
-
-    Make sure the VPN VM and its template VM are not running.
-    
-    Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with.
-    
-        sudo mkdir /rw/config/vpn
-    
-Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn` so you can use the instructions and scripts below as is without modification. Otherwise you would have to replace the file name.
-
-Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`.
-
-Files referenced in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`.
-
----
-layout: doc
-title: VPN
-permalink: /doc/vpn/
-redirect_from:
-- /doc/privacy/vpn/
-- /en/doc/vpn/
-- /doc/VPN/
-- /wiki/VPN/
----
-
-How To make a VPN Gateway in Qubes
-==================================
-
-Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.
-
-Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
-
-### NetVM
-
-The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
-
--   You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
--   All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
-
-### AppVM
-
-While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements.
-
-### ProxyVM
-
-One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions.
-
-Using a ProxyVM to set up a VPN client gives you the ability to:
-
--   Separate your VPN credentials from your NetVM.
--   Separate your VPN credentials from your AppVM data.
--   Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
-
-Set up a ProxyVM as a VPN gateway using NetworkManager
-------------------------------------------------------
-
-1.  Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
-
-    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
-
-2.  Add the `network-manager` service to this new VM.
-
-    ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)
-
-3.  Set up your VPN as described in the NetworkManager documentation linked above.
-
-4.  Configure your AppVMs to use the new VM as a NetVM.
-
-    ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
-
-5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
-
-
-Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
-----------------------------------------------------------------
-
-This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
-
-1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
-
-    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
-    
-    Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
-    
-If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. For example in any Debian based VM to install OpenVPN.
-
-       sudo apt-get install openvpn
-
-Disable any auto-starting service that comes with the software package. For example for OpenVPN.
-    
-       sudo systemctl disable openvpn.service
-    
-You may also wish to install `nano` or another simple text editor for entering the scripts below.
-
 2.  Set up and test the VPN client.
 
 Make sure the VPN VM and its TemplateVM is not running.
@@ -178,9 +84,9 @@ Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new
     
 Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name.
 
-Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`.
+Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
 
-Files reference in `openvpn-client.ovpn` should not be referenced in the main config by absolute paths such as `/etc/...`.
+Files reference in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`.
 
 `openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
 
@@ -188,7 +94,7 @@ Also, the config should route all traffic through your VPN's interface after a c
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
        
- Make sure it already includes or add.
+Make sure it already includes or add.
 
        redirect-gateway def1
 
@@ -375,205 +281,6 @@ You can do this in the Services tab in Qubes VM Manager or on the command-line:
 Then, configure your templates to use your new FirewallVM as their NetVM.
 
 
-Troubleshooting
----------------
-
-* Always test your basic VPN connection before adding scripts.
-* Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain.
-* For scripting: Ping external IP addresses from inside the VPN VM using `sudo sg qvpn -c 'ping ...'`, then from an appVM using just `ping ...`. Once the firewall rules are in place, you will have to use `sudo sg` to run any IP network commands in the VPN VM.
-* Use `iptables -L -v` and `iptables -L -v -t nat` to check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding.
- The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
-
-Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN.
-
-       sudo nano /rw/config/vpn/openvpn-client.ovpn
-       
- Make sure it already includes or add.
-
-       redirect-gateway def1
-
-The VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add
-
-      auth-user-pass pass.txt
- 
- Make sure a `/rw/config/vpn/pass.txt` file actually exists.
- 
-      sudo nano /rw/config/vpn/pass.txt
- 
- Add.
- 
- ```
- username
- password
- ```
- 
- Replace the username and password with your actual username and password.
- 
- __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
-    
-       sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
-    
-Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
-
-       ping 8.8.8.8
-       
-ping can be aborted by pressing the two keys `ctrl` + `c` at the same time.
-
-DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
-    
-Proceed to the next step when you're sure the basic VPN connection is working.
-
-3.  Create the DNS-handling script.
-
-        sudo nano /rw/config/vpn/qubes-vpn-handler.sh
-       
- Edit and add:
-
-    ~~~
-    #!/bin/bash
-    set -e
-    export PATH="$PATH:/usr/sbin:/sbin"
-
-    case "$1" in
-
-    up)
-	# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
-	# Format is 'X.X.X.X  Y.Y.Y.Y [...]'
-	if [[ -z "$vpn_dns" ]] ; then
-		# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
-		for optionname in ${!foreign_option_*} ; do
-			option="${!optionname}"
-			unset fops; fops=($option)
-			if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
-		done
-	fi
-
-	iptables -t nat -F PR-QBS
-	if [[ -n "$vpn_dns" ]] ; then
-		# Set DNS address translation in firewall:
-		for addr in $vpn_dns; do
-			iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
-			iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
-		done
-		su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
-	else
-		su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
-	fi
-
-	;;
-    down)
-	su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
-	;;
-    esac
-    ~~~
-
-Save the script.
-
-Make it executable.
-
-       sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
-    
-4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
-
-       sudo nano /rw/config/vpn/openvpn-client.ovpn
-       
- Add the following.
-
-    ~~~
-    script-security 2
-    up 'qubes-vpn-handler.sh up'
-    down 'qubes-vpn-handler.sh down'
-    ~~~
-    
-Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
-
-Save the script.
-
-**Restart the client and test the connection again** ...this time from an AppVM!
-
-5.  Set up iptables anti-leak rules.
-
-Open Qubes firewall script.
-    
-        sudo nano /rw/config/qubes-firewall-user-script
-       
-Clear out the existing lines and add.
-
-	~~~
-	#!/bin/bash
-	#    Block forwarding of connections through upstream network device
-	#    (in case the vpn tunnel breaks):
-	iptables -I FORWARD -o eth0 -j DROP
-	iptables -I FORWARD -i eth0 -j DROP
-
-	#    Block all outgoing traffic
-	iptables -P OUTPUT DROP
-	iptables -F OUTPUT
-	iptables -I OUTPUT -o lo -j ACCEPT
-
-	#    Add the `qvpn` group to system, if it doesn't already exist
-    if ! grep -q "^qvpn:" /etc/group ; then
-        groupadd -rf qvpn
-        sync
-    fi
-    sleep 2s
-
-	#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
-	#    Our VPN client will run with group `qvpn`.
-    iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
-    ~~~
-
-Save the script.
-
-Make it executable.
-
-       sudo chmod +x /rw/config/qubes-firewall-user-script
-
-5.  Set up the VPN's autostart.
-
-       sudo nano /rw/config/rc.local
-
-Clear out the existing lines and add.
-
-    ~~~
-    #!/bin/bash
-    VPN_CLIENT='openvpn'
-    VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
-
-    su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
-    groupadd -rf qvpn ; sleep 2s
-    sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
-    ~~~
-    
-If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
-
-Save the script.
-
-Make it executable.
-
-       sudo chmod +x /rw/config/rc.local
-
-6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
-
-Usage
------
-
-Configure your AppVMs to use the VPN VM as a NetVM...
-
-![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
-
-
-If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
-Then, configure AppVMs to use your new FirewallVM as their NetVM.
-
-If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
-You can do this in the Services tab in Qubes VM Manager or on the command-line:
-
-    $ qvm-service -e <name> qubes-updates-proxy
-
-Then, configure your templates to use your new FirewallVM as their NetVM.
-
-
 Troubleshooting
 ---------------
 

From 56774d73eb8634d29b6d5f112ba2aeb20769bf5f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 25 Jan 2018 22:50:43 +0000
Subject: [PATCH 030/125] fix

---
 configuration/vpn.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index 3a1a4574..ccb12c91 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -257,8 +257,9 @@ If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_O
 
 Save the script.
 
-Make it executable:  
-    `sudo chmod +x /rw/config/rc.local`
+Make it executable.
+
+       sudo chmod +x /rw/config/rc.local`
     
 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
 

From 5fd8389c7399e21a09e17bfe0bf2c8a64688fcc1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 25 Jan 2018 22:52:47 +0000
Subject: [PATCH 031/125] fix

---
 configuration/vpn.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index ccb12c91..2d326aa0 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -82,13 +82,13 @@ Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new
     
         sudo mkdir /rw/config/vpn
     
-Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name.
+Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents:
 
 Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
 
-Files reference in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`.
+Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
 
-`openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
+The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
 
 Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN.
 

From 35c721095c7c1f91927e98c6016195ab3b021032 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 26 Jan 2018 11:55:26 +0000
Subject: [PATCH 032/125] Update software-update-dom0.md

Dnf vs. Yum, add EFI update
---
 common-tasks/software-update-dom0.md | 32 ++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md
index 1c59390f..50365969 100644
--- a/common-tasks/software-update-dom0.md
+++ b/common-tasks/software-update-dom0.md
@@ -58,10 +58,14 @@ Of course, command line tools are still available for accomplishing various upda
     sudo qubes-dom0-update package-version
     ~~~
 
-    Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf/Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
 
-2.  Downgrade the package:
+2.  Downgrade the package (R4.0+):
 
+    ~~~
+    sudo dnf downgrade package-version
+    ~~~
+    R3.2 and earlier
     ~~~
     sudo yum downgrade package-version
     ~~~
@@ -76,20 +80,26 @@ You can re-install in a similar fashion to downgrading.
     sudo qubes-dom0-update package
     ~~~
 
-    Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf/Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
 
-2.  Re-install the package:
+2.  Re-install the package (R4.0+):
 
+    ~~~
+    sudo dnf reinstall package
+    ~~~
+    R3.2 and earlier
     ~~~
     sudo yum reinstall package
     ~~~
 
-    Note that yum will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
+    Note that Dnf/Yum will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
 
 ### How to uninstall a package
 
-If you've installed a package such as anti-evil-maid, you can remove it with the following command:
+If you've installed a package such as anti-evil-maid, you can remove it with the following command (R4.0+):
 
+    sudo dnf remove anti-evil-maid
+R3.2 and earlier
     sudo yum remove anti-evil-maid
     
 ### Testing repositories
@@ -124,8 +134,16 @@ is needed for the VMs. (Note that the following example enables the unstable rep
 sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm
 ~~~
 
-Rebuild grub config.
+If the update process does not automatically do it (you should see it mentioned in the CLI output
+from the update command), you may need to manually rebuild the EFI or grub config depending on which
+your system uses.
 
+EFI (Replace the file names with the correct versions for your updated kernel)
+~~~
+sudo /usr/bin/dracut -f /boot/efi/EFI/qubes/initramfs-4.4.31-11.pvops.qubes.x86_64.img 4.4.31-11.pvops.qubes.x86_64
+~~~
+
+Grub2
 ~~~
 sudo grub2-mkconfig -o /boot/grub2/grub.cfg
 ~~~

From ad0d428cbcccd2392dc1c77bd487afcca59111c2 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 10:20:53 +0000
Subject: [PATCH 033/125] Remove Yum

---
 common-tasks/software-update-dom0.md | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md
index 50365969..e39a1f2c 100644
--- a/common-tasks/software-update-dom0.md
+++ b/common-tasks/software-update-dom0.md
@@ -14,7 +14,7 @@ Updating software in dom0
 Why would one want to update software in dom0?
 ----------------------------------------------
 
-Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in Qubes 2.0.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
+Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
 
 However, we anticipate some other situations in which updating dom0 software might be necessary or desirable:
 
@@ -58,17 +58,13 @@ Of course, command line tools are still available for accomplishing various upda
     sudo qubes-dom0-update package-version
     ~~~
 
-    Dnf/Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
 
-2.  Downgrade the package (R4.0+):
+2.  Downgrade the package:
 
     ~~~
     sudo dnf downgrade package-version
     ~~~
-    R3.2 and earlier
-    ~~~
-    sudo yum downgrade package-version
-    ~~~
 
 ### How to re-install a package
 
@@ -80,27 +76,21 @@ You can re-install in a similar fashion to downgrading.
     sudo qubes-dom0-update package
     ~~~
 
-    Dnf/Yum will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
 
-2.  Re-install the package (R4.0+):
+2.  Re-install the package:
 
     ~~~
     sudo dnf reinstall package
     ~~~
-    R3.2 and earlier
-    ~~~
-    sudo yum reinstall package
-    ~~~
 
-    Note that Dnf/Yum will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
+    Note that Dnf will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
 
 ### How to uninstall a package
 
-If you've installed a package such as anti-evil-maid, you can remove it with the following command (R4.0+):
+If you've installed a package such as anti-evil-maid, you can remove it with the following command:
 
     sudo dnf remove anti-evil-maid
-R3.2 and earlier
-    sudo yum remove anti-evil-maid
     
 ### Testing repositories
 

From 2d5fbd15fe4f7fbadf6dc681a34caf61e7574135 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 13:31:36 +0000
Subject: [PATCH 034/125] Update for 4.0

Split out 4.0 and 3.2 into multiple sections due to multiple minor differences between procedures. Emergency 4.0 Recovery procedure needs to be developed.
---
 common-tasks/backup-restore.md | 68 ++++++++++++++++++++++++++++++----
 1 file changed, 61 insertions(+), 7 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 0b2ecaa7..14f02a2f 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -11,7 +11,7 @@ redirect_from:
 Qubes Backup, Restoration, and Migration
 ========================================
 
-**Caution:** The Qubes backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). It is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups.
+**Caution:** The Qubes R3.2 backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). Although resolved in R4.0 and higher with the switch to scrypt, it is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups.
 
 
 With Qubes, it's easy to back up and restore your whole system, as well as to migrate between two physical machines.
@@ -19,7 +19,36 @@ With Qubes, it's easy to back up and restore your whole system, as well as to mi
 As of Qubes R2B3, these functions are integrated into the Qubes VM Manager GUI. There are also two command-line tools available which perform the same functions: [qvm-backup](/doc/dom0-tools/qvm-backup/) and [qvm-backup-restore](/doc/dom0-tools/qvm-backup-restore/).
 
 
-Creating a Backup
+Creating a Backup (R4.0 and later)
+-----------------
+
+1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup Qubes** in the drop-down list. This brings up the **Qubes Backup VMs** window.
+
+2. Move the VMs that you want to back up to the right-hand **Selected** column. VMs in the left-hand **Available** column will not be backed up.
+
+   **Note:** A VM must be shut down in order to be backed up. Currently running VMs appear in red.
+
+   You may choose whether to compress backups by checking or unchecking the **Compress the backup** box. Normally this should be left on unless you have a specific reason otherwise.
+   
+   Once you have selected all desired VMs, click **Next**.
+
+3. Select the destination for the backup:
+
+   If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
+   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), first mount the device in a VM, then select the mount point inside that VM as the backup destination.
+
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply type or browse to `backups` in this field. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
+
+   By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
+
+   **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification.
+
+   At this point, you may also choose whether to save your settings by checking or unchecking the **Save settings as default backup profile** box.
+   **Warning: Saving the settings will result in your backup passphrase being saved in plaintext in dom0, so consider your threat model before checking this box.**
+
+4. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
+
+Creating a Backup (R3.2 and earlier)
 -----------------
 
 1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup VMs** in the drop-down list. This brings up the **Qubes Backup VMs** window.
@@ -35,7 +64,7 @@ Creating a Backup
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
    If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
-   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply type `backups` in this field. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply type or browse to `backups` in this field. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
 
    By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
 
@@ -48,7 +77,32 @@ Creating a Backup
 4. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
 
 
-Restoring from a Backup
+Restoring from a Backup (R4.0 and later)
+-----------------------
+
+1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore Qubes from backup** in the drop-down list. This brings up the **Qubes Restore VMs** window.
+
+2. Select the source location of the backup to be restored:
+
+   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), select the device in the drop-down box next to **Device**.
+   - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
+
+   You must also specify the directory in which the backup resides (or a command to be executed in a VM). If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again type `backups` into the **Backup directory** field.
+
+   **Note:** After you have typed the directory location of the backup in the **Backup directory** field, click the ellipsis button `...` to the right of the field.
+
+3. There are three options you may select when restoring from a backup:
+   1.  **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
+   2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
+   3.  **Verify backup integrity, do not restore the data**: Like it says- check this if you only want to verify.
+
+4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
+
+   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification.
+
+5. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
+
+Restoring from a Backup (R3.2 and earlier)
 -----------------------
 
 1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore VMs from backup** in the drop-down list. This brings up the **Qubes Restore VMs** window.
@@ -65,7 +119,7 @@ Restoring from a Backup
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **skip dom0**: If this box is checked, dom0's home directory will not be restored from your backup.
+   3.  **Verify backup integrity, do not restore the data**: Like it says- check this if you only want to verify.
 
 4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 
@@ -81,7 +135,7 @@ Emergency Backup Recovery without Qubes
 
 The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
-For emergency restore of backup created on Qubes R2 or newer take a look [here](/doc/backup-emergency-restore-v3/). For backups created on earlier Qubes version, take a look [here](/doc/backup-emergency-restore-v2/).
+For emergency restore of a backup created on Qubes R4 or newer, take a look here (TBD). For R3 take a look [here](/doc/backup-emergency-restore-v3/). For backups created on even earlier Qubes versions, take a look [here](/doc/backup-emergency-restore-v2/).
 
 
 Migrating Between Two Physical Machines
@@ -101,6 +155,6 @@ Here are some things to consider when selecting a passphrase for your backups:
 Notes
 -----
 
- * The Qubes backup system relies on `openssl enc`, which is known to use a very weak key derivation scheme. The Qubes backup system also uses the same passphrase for authentication and for encryption, which is problematic from a security perspective. Users are advised to use a very high entropy passphrase for Qubes backups. For a full discussion, see [this ticket](https://github.com/QubesOS/qubes-issues/issues/971) and [this thread](https://groups.google.com/d/msg/qubes-devel/CZ7WRwLXcnk/u_rZPoVxL5IJ).
+ * The Qubes R3.2 and earlier backup system relies on `openssl enc`, which is known to use a very weak key derivation scheme. The Qubes backup system also uses the same passphrase for authentication and for encryption, which is problematic from a security perspective. Users are advised to use a very high entropy passphrase for Qubes backups. For a full discussion, see [this ticket](https://github.com/QubesOS/qubes-issues/issues/971) and [this thread](https://groups.google.com/d/msg/qubes-devel/CZ7WRwLXcnk/u_rZPoVxL5IJ).
  * For the technical details of the backup system, please refer to [this thread](https://groups.google.com/d/topic/qubes-devel/TQr_QcXIVww/discussion).
  * If working with symlinks, note the issues described in [this thread](https://groups.google.com/d/topic/qubes-users/EITd1kBHD30/discussion).

From 1d9c917d7988a58b8b0237b636e6caef22a1249b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 17:29:16 +0000
Subject: [PATCH 035/125] Add link to v4 emergency restore

Didn't need to develop, just had to have it pointed out to me
---
 common-tasks/backup-restore.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 14f02a2f..dfaaa433 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -135,7 +135,11 @@ Emergency Backup Recovery without Qubes
 
 The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
-For emergency restore of a backup created on Qubes R4 or newer, take a look here (TBD). For R3 take a look [here](/doc/backup-emergency-restore-v3/). For backups created on even earlier Qubes versions, take a look [here](/doc/backup-emergency-restore-v2/).
+Refer to the follow for emergency restore of a backup created on:
+
+ * [Qubes R4 or newer](/doc/backup-emergency-restore-v4/)
+ * [Qubes R3](/doc/backup-emergency-restore-v3/)
+ * [Earlier Qubes versions](/doc/backup-emergency-restore-v2/)
 
 
 Migrating Between Two Physical Machines

From b975d77280dd87a5f48c219e55c5b255a1f8bca8 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 17:34:30 +0000
Subject: [PATCH 036/125] Grammar and word choice

---
 common-tasks/backup-restore.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index dfaaa433..c7de18b4 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -135,11 +135,11 @@ Emergency Backup Recovery without Qubes
 
 The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
-Refer to the follow for emergency restore of a backup created on:
+Refer to the following for emergency restore of a backup created on:
 
  * [Qubes R4 or newer](/doc/backup-emergency-restore-v4/)
  * [Qubes R3](/doc/backup-emergency-restore-v3/)
- * [Earlier Qubes versions](/doc/backup-emergency-restore-v2/)
+ * [Qubes R2 or older](/doc/backup-emergency-restore-v2/)
 
 
 Migrating Between Two Physical Machines

From 80c0a3c47004e6b5067bd09a5f6214a3f2ae842b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 17:57:08 +0000
Subject: [PATCH 037/125] Better description of Verify only restore option

---
 common-tasks/backup-restore.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index c7de18b4..42e7c6fd 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -94,7 +94,7 @@ Restoring from a Backup (R4.0 and later)
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **Verify backup integrity, do not restore the data**: Like it says- check this if you only want to verify.
+   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
 4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 
@@ -119,7 +119,7 @@ Restoring from a Backup (R3.2 and earlier)
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **Verify backup integrity, do not restore the data**: Like it says- check this if you only want to verify.
+   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details..
 
 4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 

From 2c02e7a13a36be1d2e1963c5ecceac1427f01b22 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 27 Jan 2018 18:12:29 +0000
Subject: [PATCH 038/125] Added whitespace, removed superfluous "."

---
 common-tasks/backup-restore.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 42e7c6fd..9940f6ca 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -44,6 +44,7 @@ Creating a Backup (R4.0 and later)
    **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification.
 
    At this point, you may also choose whether to save your settings by checking or unchecking the **Save settings as default backup profile** box.
+   
    **Warning: Saving the settings will result in your backup passphrase being saved in plaintext in dom0, so consider your threat model before checking this box.**
 
 4. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
@@ -119,7 +120,7 @@ Restoring from a Backup (R3.2 and earlier)
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details..
+   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
 4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 

From 073f55da60c4afd7fa5744f89159e0ded324051b Mon Sep 17 00:00:00 2001
From: Michael Carbone <github@riseup.net>
Date: Sun, 28 Jan 2018 09:01:28 -0500
Subject: [PATCH 039/125] various fixes

fixed formatting, pushed all mentor="inquire qubes-devel" to the bottom.
---
 basics_dev/gsoc.md | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/basics_dev/gsoc.md b/basics_dev/gsoc.md
index f285fcf8..19d4deff 100644
--- a/basics_dev/gsoc.md
+++ b/basics_dev/gsoc.md
@@ -480,6 +480,18 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Mentor**: [Marek Marczykowski-Górecki](/team/)
 
+### Generalize the Qubes PDF Converter to other types of files
+
+**Project**: Qubes Converters
+
+**Brief explanation**: One of the pioneering ideas of Qubes is to use disposable virtual machines to convert untrustworthy files (such as documents given to journalists by unknown and potentially malicious whistleblowers) into trusthworhty files.  See [Joanna's blog on the Qubes PDF Convert](http://theinvisiblethings.blogspot.co.uk/2013/02/converting-untrusted-pdfs-into-trusted.html) for details of the idea.  Joanna has implemented a prototype for PDF documents.  The goal of this project would be to generalize beyond the simple prototype to accommodate a wide variety of file formats, including Word documents, audio files, video files, spreadsheets, and so on.  The converters should prioritise safety over faithful conversion.  For example the Qubes PDF converter typically leads to lower quality PDFs (e.g. cut and paste is no longer possible), because this makes the conversion process safer.
+
+**Expected results**: We expect that in the timeframe, it will be possible to implement many converters for many file formats.  However, if any unexpected difficulties arise, we would prioritise a small number of safe and high quality converters over a large number of unsafe or unuseful converters.
+
+**Knowledge prerequisite**: Most of the coding will probably be implemented as shell scripts to interface with pre-existing converts (such as ImageMagick in the Qubes PDF converter).  However, shell scripts are not safe for processing untrusted data, so any extra processing will need to be implemented in another language -- probably Python.
+
+**Mentors**: Andrew Clausen and Jean-Philippe Ouellet
+
 ### Mitigate focus-stealing attacks
 **Project**: Mitigate focus-stealing attacks
 
@@ -489,7 +501,7 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Knoledge prerequisite**: X APIs, Qubes GUI protocol, familiarity with the targeted window manager.
 
-**Mentor**:
+**Mentor**: Inquire on [qubes-devel][ml-devel].
 
 ### Progress towards reproducible builds
 **Project**: Progress towards reproducible builds
@@ -506,7 +518,7 @@ for more information and qubes-specific background.
 
 **Knoledge prerequisite**: qubes-builder [[1]](https://www.qubes-os.org/doc/qubes-builder/) [[2]](https://www.qubes-os.org/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
 
-**Mentor**:
+**Mentor**: Inquire on [qubes-devel][ml-devel].
 
 ### Android development in Qubes
 
@@ -521,19 +533,8 @@ Details, reference: [#2233](https://github.com/QubesOS/qubes-issues/issues/2233)
 
 **Knowledge prerequisite**:
 
-**Mentor**:
+**Mentor**: Inquire on [qubes-devel][ml-devel].
 
-### Generalize the Qubes PDF Converter to other types of files
-
-**Project**: Qubes Converters
-
-**Brief explanation**: One of the pioneering ideas of Qubes is to use disposable virtual machines to convert untrustworthy files (such as documents given to journalists by unknown and potentially malicious whistleblowers) into trusthworhty files.  See [Joanna's blog on the Qubes PDF Convert](http://theinvisiblethings.blogspot.co.uk/2013/02/converting-untrusted-pdfs-into-trusted.html) for details of the idea.  Joanna has implemented a prototype for PDF documents.  The goal of this project would be to generalize beyond the simple prototype to accommodate a wide variety of file formats, including Word documents, audio files, video files, spreadsheets, and so on.  The converters should prioritise safety over faithful conversion.  For example the Qubes PDF converter typically leads to lower quality PDFs (e.g. cut and paste is no longer possible), because this makes the conversion process safer.
-
-**Expected results**: We expect that in the timeframe, it will be possible to implement many converters for many file formats.  However, if any unexpected difficulties arise, we would prioritise a small number of safe and high quality converters over a large number of unsafe or unuseful converters.
-
-**Knowledge prerequisite**: Most of the coding will probably be implemented as shell scripts to interface with pre-existing converts (such as ImageMagick in the Qubes PDF converter).  However, shell scripts are not safe for processing untrusted data, so any extra processing will need to be implemented in another language -- probably Python.
-
-**Mentors**: Andrew Clausen and Jean-Philippe Ouellet
 ----
 
 We adapted some of the language here about GSoC from the [KDE GSoC page](https://community.kde.org/GSoC).

From db966b207bbd038b312ee2eabffb31f33edbe2a4 Mon Sep 17 00:00:00 2001
From: Michael Carbone <github@riseup.net>
Date: Sun, 28 Jan 2018 09:02:49 -0500
Subject: [PATCH 040/125] standardize formatting of "GUI"

---
 basics_dev/gsoc.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/basics_dev/gsoc.md b/basics_dev/gsoc.md
index f285fcf8..7a502e8d 100644
--- a/basics_dev/gsoc.md
+++ b/basics_dev/gsoc.md
@@ -413,8 +413,8 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Mentor**: [Rafał Wojdyła](/team/)
 
-### Gui agent for Windows 8/10
-**Project**: Gui agent for Windows 8/10
+### GUI agent for Windows 8/10
+**Project**: GUI agent for Windows 8/10
 
 **Brief explanation**: Add support for Windows 8+ to the Qubes GUI agent and video driver. Starting from Windows 8, Microsoft requires all video drivers to conform to the WDDM display driver model which is incompatible with the current Qubes video driver. Unfortunately the WDDM model is much more complex than the old XPDM one and officially *requires* a physical GPU device (which may be emulated). Some progress has been made to create a full WDDM driver that *doesn't* require a GPU device, but the driver isn't working correctly yet. Alternatively, WDDM model supports display-only drivers which are much simpler but don't have access to system video memory and rendering surfaces (a key feature that would simplify seamless GUI mode). [#1861](https://github.com/QubesOS/qubes-issues/issues/1861)
 

From 047353056aa1e2fc33f4ce7eb2dedc06d030f4f0 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 28 Jan 2018 17:50:45 +0000
Subject: [PATCH 041/125] Update backup-restore.md

---
 common-tasks/backup-restore.md | 48 ++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 23 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 9940f6ca..9593fa4d 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -22,12 +22,10 @@ As of Qubes R2B3, these functions are integrated into the Qubes VM Manager GUI.
 Creating a Backup (R4.0 and later)
 -----------------
 
-1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup Qubes** in the drop-down list. This brings up the **Qubes Backup VMs** window.
+1. Go to **Applications menu -> System Tools -> Backup Qubes**. This brings up the **Qubes Backup VMs** window.
 
 2. Move the VMs that you want to back up to the right-hand **Selected** column. VMs in the left-hand **Available** column will not be backed up.
 
-   **Note:** A VM must be shut down in order to be backed up. Currently running VMs appear in red.
-
    You may choose whether to compress backups by checking or unchecking the **Compress the backup** box. Normally this should be left on unless you have a specific reason otherwise.
    
    Once you have selected all desired VMs, click **Next**.
@@ -35,9 +33,9 @@ Creating a Backup (R4.0 and later)
 3. Select the destination for the backup:
 
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
-   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), first mount the device in a VM, then select the mount point inside that VM as the backup destination.
+   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
-   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply type or browse to `backups` in this field. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
 
    By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
 
@@ -47,7 +45,9 @@ Creating a Backup (R4.0 and later)
    
    **Warning: Saving the settings will result in your backup passphrase being saved in plaintext in dom0, so consider your threat model before checking this box.**
 
-4. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
+4. You will now the the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+
+5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
 
 Creating a Backup (R3.2 and earlier)
 -----------------
@@ -63,9 +63,9 @@ Creating a Backup (R3.2 and earlier)
 3. Select the destination for the backup:
 
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
-   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), first mount the device in a VM, then select the mount point inside that VM as the backup destination.
+   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
-   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply type or browse to `backups` in this field. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. If it does not exist, you must create it manually prior to backing up.
 
    By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
 
@@ -75,33 +75,35 @@ Creating a Backup (R3.2 and earlier)
 
    **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification. If you decide not to encrypt your backup (by unchecking the **Encrypt backup** box), the passphrase you supply will be used **only** for integrity verification. If you supply a passphrase but do not check the **Encrypt backup** box, your backup will **not** be encrypted!
 
-4. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
+4. You will now the the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+
+5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
 
 
 Restoring from a Backup (R4.0 and later)
 -----------------------
 
-1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore Qubes from backup** in the drop-down list. This brings up the **Qubes Restore VMs** window.
+1. Go to **Applications menu -> System Tools -> Restore Backup**. This brings up the **Qubes Restore VMs** window.
 
 2. Select the source location of the backup to be restored:
 
-   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), select the device in the drop-down box next to **Device**.
+   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
-   You must also specify the directory in which the backup resides (or a command to be executed in a VM). If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again type `backups` into the **Backup directory** field.
-
-   **Note:** After you have typed the directory location of the backup in the **Backup directory** field, click the ellipsis button `...` to the right of the field.
+   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click it or select it and hit **OK**.
 
 3. There are three options you may select when restoring from a backup:
-   1.  **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
+   1.  **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
    3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
 4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 
-   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification.
+   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification. All backups made from a Qubes R4.0 system will be encrypted.
 
-5. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
+5. You will now the the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+
+6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
 
 Restoring from a Backup (R3.2 and earlier)
 -----------------------
@@ -110,15 +112,13 @@ Restoring from a Backup (R3.2 and earlier)
 
 2. Select the source location of the backup to be restored:
 
-   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), select the device in the drop-down box next to **Device**.
+   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
-   You must also specify the directory in which the backup resides (or a command to be executed in a VM). If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again type `backups` into the **Backup directory** field.
-
-   **Note:** After you have typed the directory location of the backup in the **Backup directory** field, click the ellipsis button `...` to the right of the field.
+   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click or select it and hit **OK**.
 
 3. There are three options you may select when restoring from a backup:
-   1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway.
+   1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
    2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
    3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
@@ -128,7 +128,9 @@ Restoring from a Backup (R3.2 and earlier)
 
    **Note:** A VM cannot be restored from a backup if a VM with the same name already exists on the current system. You must first remove or change the name of any VM with the same name in order to restore such a VM.
 
-5. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
+5. You will now the the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+
+6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
 
 
 Emergency Backup Recovery without Qubes

From 75a7a003c596ac07aa710c2b75c1bf48f5d3855e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun, 28 Jan 2018 19:23:24 +0100
Subject: [PATCH 042/125] fix duplicate

"For OpenVPN."
---
 configuration/vpn.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index 2d326aa0..f0029828 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -90,7 +90,7 @@ Files referenced in `openvpn-client.ovpn` should not use absolute paths such as
 
 The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
 
-Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN.
+Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
        

From 15bf72edad40c7de87113c1f404ccde6f86e821c Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun, 28 Jan 2018 19:26:35 +0100
Subject: [PATCH 043/125] fixes

---
 configuration/vpn.md | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index f0029828..3518b9ef 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -94,11 +94,11 @@ Also, the config should route all traffic through your VPN's interface after a c
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
        
-Make sure it already includes or add.
+Make sure it already includes or add:
 
        redirect-gateway def1
 
-The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add.
+The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add:
 
       auth-user-pass pass.txt
       
@@ -108,12 +108,10 @@ The VPN client may not be able to prompt you for credentials when connecting to
  
       sudo nano /rw/config/vpn/pass.txt
  
- Add.
+ Add:
  
- ```
- username
- password
- ```
+        username
+        password
  
  Replace `username` and `password` with your actual username and password.
  
@@ -205,7 +203,7 @@ Save the script.
     
        sudo nano /rw/config/qubes-firewall-user-script
        
-Clear out the existing lines and add.
+Clear out the existing lines and add:
 
 	~~~
 	#!/bin/bash
@@ -241,7 +239,7 @@ Make it executable.
 
        sudo nano /rw/config/rc.local
 
-Clear out the existing lines and add.
+Clear out the existing lines and add:
 
     ~~~
     #!/bin/bash

From 53c88384fee160497a9d622e97b88c8732e8222e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 28 Jan 2018 19:02:24 +0000
Subject: [PATCH 044/125] Dispvm 4.0 updates

Sourced primarily from https://github.com/QubesOS/qubes-issues/issues/2253 and https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-devel/UGh8NDdkrXo#!topic/qubes-devel/UGh8NDdkrXo
---
 common-tasks/dispvm.md | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 3dc72eaa..edbd13c9 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -20,7 +20,31 @@ Once a DispVM has been created it will appear in Qubes VM Manager with the name
 
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
-Disposable VMs and Networking
+Disposable VMs and Networking (R4.0 and later)
+-----------------------------
+
+
+R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
+This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
+the Applications menu (e.g. `fedora-XX-dvm`). Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
+As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
+
+NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
+By default a DispVM will inherit the NetVM and firewall settings of the DispVM Template from which it is built. 
+Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix,
+any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+The default system wide DispVM template can be changed with `qubes-prefs default_dispvm`.
+You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings
+for the VM in question and go to the "Advanced" tab. 
+Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
+Disposable VMs will temporarily appear with the name `disp####`. 
+
+A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
+By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
+Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+
+Disposable VMs and Networking (R3.2 and earlier)
 -----------------------------
 
 NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
@@ -49,7 +73,7 @@ Opening a fresh web browser instance in a new Disposable VM
 -----------------------------------------------------------
 
 Sometimes it is desirable to open an instance of Firefox within a new fresh Disposable VM. 
-This can be done easily using the Start Menu: just go to Start -\> System Tools -\> DispVM:Firefox web browser. 
+This can be done easily using the Start Menu: just go to **Application Menu -\> DisposableVM -\> DispVM:Firefox web browser**. 
 Wait a few seconds until a web browser starts. 
 Once you close the viewing application the whole Disposable VM will be destroyed. 
 
@@ -75,7 +99,7 @@ Sometimes it can be useful to start an arbitrary program in a DispVM. This can b
 [user@vault ~]$ qvm-run '$dispvm' xterm
 ~~~
 
-The created Disposable VM can be accessed via other tools (such as `qvm-copy-to-vm`) using its "dispX" name as shown in the Qubes Manager or `qvm-ls`.
+The created Disposable VM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`.
 
 Starting an arbitrary application in a Disposable VM via command line (from Dom0)
 ---------------------------------------------------------------------------------
@@ -83,6 +107,12 @@ Starting an arbitrary application in a Disposable VM via command line (from Dom0
 The Start Menu has shortcuts for opening a terminal and a web browser in dedicated DispVMs, since these are very common tasks.
 However, it is possible to start an arbitrary application in a DispVM directly from Dom0 by running
 
+R4.0 (border colour will be inherited from that set in the `dispvm-template`)
+~~~
+[joanna@dom0 ~]$ qvm-run --dispvm=dispvm-template --service qubes.StartApp+xterm
+~~~
+
+R3.2 (border colour can be specified in the command)
 ~~~
 [joanna@dom0 ~]$ echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red
 ~~~
@@ -92,8 +122,8 @@ However, it is possible to start an arbitrary application in a DispVM directly f
 Customizing Disposable VMs
 --------------------------
 
-You can change the template used to generate the Disposable VM, and change settings used in the Disposable VM savefile. 
-These changes will be reflected in every new Disposable VM. 
+You can change the template used to generate the Disposable VMs, and change settings used in the Disposable VM savefile. 
+These changes will be reflected in every new Disposable VM spawned from that template. 
 Full instructions can be found [here](/doc/dispvm-customization/).
 
 Disposable VMs and Local Forensics

From ee5361c3e3602fcc6fe5293e5a7e79d5150fd01d Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 28 Jan 2018 19:31:21 +0000
Subject: [PATCH 045/125] Update backup-restore.md

---
 common-tasks/backup-restore.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 9593fa4d..d07e1e1a 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -33,7 +33,7 @@ Creating a Backup (R4.0 and later)
 3. Select the destination for the backup:
 
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
-   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
+   If you wish to send your backup to a [USB mass storage device](/doc/usb/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
    You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
 
@@ -45,7 +45,7 @@ Creating a Backup (R4.0 and later)
    
    **Warning: Saving the settings will result in your backup passphrase being saved in plaintext in dom0, so consider your threat model before checking this box.**
 
-4. You will now the the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+4. You will now see the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
 
 5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
 
@@ -63,7 +63,7 @@ Creating a Backup (R3.2 and earlier)
 3. Select the destination for the backup:
 
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
-   If you wish to send your backup to a [USB mass storage device](/doc/stick-mounting/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
+   If you wish to send your backup to a [USB mass storage device](/doc/usb/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
    You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. If it does not exist, you must create it manually prior to backing up.
 
@@ -75,7 +75,7 @@ Creating a Backup (R3.2 and earlier)
 
    **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification. If you decide not to encrypt your backup (by unchecking the **Encrypt backup** box), the passphrase you supply will be used **only** for integrity verification. If you supply a passphrase but do not check the **Encrypt backup** box, your backup will **not** be encrypted!
 
-4. You will now the the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+4. You will now see the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
 
 5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
 
@@ -87,7 +87,7 @@ Restoring from a Backup (R4.0 and later)
 
 2. Select the source location of the backup to be restored:
 
-   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), attach it first to another VM or select `sys-usb` in the next item.
+   - If your backup is located on a [USB mass storage device](/doc/usb/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
    You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click it or select it and hit **OK**.
@@ -101,7 +101,7 @@ Restoring from a Backup (R4.0 and later)
 
    **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification. All backups made from a Qubes R4.0 system will be encrypted.
 
-5. You will now the the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+5. You will now see the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
 
 6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
 
@@ -112,7 +112,7 @@ Restoring from a Backup (R3.2 and earlier)
 
 2. Select the source location of the backup to be restored:
 
-   - If your backup is located on a [USB mass storage device](/doc/stick-mounting/), attach it first to another VM or select `sys-usb` in the next item.
+   - If your backup is located on a [USB mass storage device](/doc/usb/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
    You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click or select it and hit **OK**.
@@ -128,7 +128,7 @@ Restoring from a Backup (R3.2 and earlier)
 
    **Note:** A VM cannot be restored from a backup if a VM with the same name already exists on the current system. You must first remove or change the name of any VM with the same name in order to restore such a VM.
 
-5. You will now the the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+5. You will now see the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
 
 6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
 

From 6b3eb8fd71bf7ef4f65c52a1584f10d2b4b0f52d Mon Sep 17 00:00:00 2001
From: Peter Gerber <peter@arbitrary.ch>
Date: Sun, 28 Jan 2018 23:14:56 +0100
Subject: [PATCH 046/125] clarify description for randomizing MAC addresses

---
 privacy/anonymizing-your-mac-address.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/privacy/anonymizing-your-mac-address.md b/privacy/anonymizing-your-mac-address.md
index 7a92429e..3e7f0921 100644
--- a/privacy/anonymizing-your-mac-address.md
+++ b/privacy/anonymizing-your-mac-address.md
@@ -37,7 +37,7 @@ ethernet.cloned-mac-address=stable
 connection.stable-id=${CONNECTION}/${BOOT}
 ~~~
 
-* `stable` in combination with `${CONNECTION}/${BOOT}` generates a random address that persists for each boot session.
+* `stable` in combination with `${CONNECTION}/${BOOT}` generates a random address that persists until reboot.
 * `random` generates a random address each time a link goes up.
 
 To see all the available configuration options, refer to the man page: `man nm-settings`

From 9db21775d3c64ea54aa9f3061e5b8716670740b1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Mon, 29 Jan 2018 14:10:53 +0100
Subject: [PATCH 047/125] remove trailing spaces

---
 configuration/vpn.md | 58 ++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index 3518b9ef..475446d3 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -65,23 +65,23 @@ This method is more involved than the one above, but has anti-leak features that
 1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
 
     ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
-    
+
     Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
-    
+
     If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN.
-    
+
        sudo systemctl disable openvpn.service
-    
+
 You may also wish to install `nano` or another simple text editor for entering the scripts below.
 
 2.  Set up and test the VPN client.
 
 Make sure the VPN VM and its TemplateVM is not running.
-    
+
 Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with.
-    
+
         sudo mkdir /rw/config/vpn
-    
+
 Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents:
 
 Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
@@ -93,7 +93,7 @@ The VPN scripts here are intended to work with commonly used `tun` interfaces, w
 Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
-       
+
 Make sure it already includes or add:
 
        redirect-gateway def1
@@ -101,38 +101,38 @@ Make sure it already includes or add:
 The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add:
 
       auth-user-pass pass.txt
-      
+
  Save file `/rw/config/vpn/openvpn-client.ovpn`.
- 
+
  Make sure a `/rw/config/vpn/pass.txt` file actually exists.
- 
+
       sudo nano /rw/config/vpn/pass.txt
- 
+
  Add:
- 
+
         username
         password
- 
+
  Replace `username` and `password` with your actual username and password.
- 
+
  __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
-    
+
        sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
-    
+
 Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
 
        ping 8.8.8.8
-       
+
 `ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
 
 DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
-    
+
 Proceed to the next step when you're sure the basic VPN connection is working.
 
 3.  Create the DNS-handling script.
 
         sudo nano /rw/config/vpn/qubes-vpn-handler.sh
-       
+
  Edit and add:
 
     ~~~
@@ -178,11 +178,11 @@ Save the script.
 Make it executable.
 
        sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
-    
+
 4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
-       
+
  Add the following.
 
     ~~~
@@ -190,7 +190,7 @@ Make it executable.
     up 'qubes-vpn-handler.sh up'
     down 'qubes-vpn-handler.sh down'
     ~~~
-    
+
 Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
 
 Save the script.
@@ -200,9 +200,9 @@ Save the script.
 5.  Set up iptables anti-leak rules.
 
     Edit the firewall script.
-    
+
        sudo nano /rw/config/qubes-firewall-user-script
-       
+
 Clear out the existing lines and add:
 
 	~~~
@@ -211,7 +211,7 @@ Clear out the existing lines and add:
 	#    (in case the vpn tunnel breaks):
 	iptables -I FORWARD -o eth0 -j DROP
 	iptables -I FORWARD -i eth0 -j DROP
-	
+
 	#    Block all outgoing traffic
 	iptables -P OUTPUT DROP
 	iptables -F OUTPUT
@@ -245,12 +245,12 @@ Clear out the existing lines and add:
     #!/bin/bash
     VPN_CLIENT='openvpn'
     VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
-    
+
     su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
     groupadd -rf qvpn ; sleep 2s
     sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
     ~~~
-    
+
 If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
 
 Save the script.
@@ -258,7 +258,7 @@ Save the script.
 Make it executable.
 
        sudo chmod +x /rw/config/rc.local`
-    
+
 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
 
 Usage

From 13f66bce387c850b0aedc8c5f9d87abce5775299 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 29 Jan 2018 15:47:47 +0100
Subject: [PATCH 048/125] Remove completed projects

---
 basics_dev/gsoc.md | 119 ++-------------------------------------------
 1 file changed, 4 insertions(+), 115 deletions(-)

diff --git a/basics_dev/gsoc.md b/basics_dev/gsoc.md
index 126cb941..544798fa 100644
--- a/basics_dev/gsoc.md
+++ b/basics_dev/gsoc.md
@@ -92,44 +92,6 @@ If applicable, links to more information or discussions
 **Mentor**: Name and email address.
 ```
 
-### Qubes MIME handlers
-
-**Project**: Qubes MIME handlers
-
-**Brief explanation**: [#441](https://github.com/QubesOS/qubes-issues/issues/441) (including remembering decision whether some file
-should be opened in DispVM or locally)
-
-**Expected results**:
-
- - Design mechanism for recognising which files should be opened locally and which in Disposable VM. This mechanism should:
-   - Respect default action like "by default open files in Disposable VM" (this
-     may be about files downloaded from the internet, transferred from
-     other VM etc).
-   - Allow setting persistent flag for a file that should be opened in specific
-     way ("locally"); this flag should local to the VM - it shouldn't be possible
-     to preserve (or even fabricate) the flag while transferring the file from/to
-     VM.
-   - See linked ticket for simple ideas.
- - Implement generic file handler to apply this mechanism; it should work
-   regardless of file type, and if file is chosen to be opened locally, normal
-   (XDG) rules of choosing application should apply.
- - Setting/unsetting the flag should be easy - like if once file is chosen to
-   be opened locally, it should remember that decision.
- - Preferably use generic mechanism to integrate it into file managers (XDG
-   standards). If not possible - integrate with Nautilus and Dolphin.
- - Optionally implement the same for Windows.
- - Document the mechanism (how the flag is stored, how mechanism is plugged
-   into file managers etc).
- - Write unit tests and integration tests.
-
-**Knowledge prerequisite**:
-
- - XDG standards
- - Bash or Python scripting
- - Basic knowledge of configuration/extension for file managers
-
-**Mentor**: [Marek Marczykowski-Górecki](/team/)
-
 ### Template manager, new template distribution mechanism
 
 **Project**: Template manager, new template distribution mechanism
@@ -231,37 +193,8 @@ details: [#1552](https://github.com/QubesOS/qubes-issues/issues/1552),
 
 **Mentor**: [Thomas Leonard](mailto:talex5@gmail.com), [Marek Marczykowski-Górecki](/team/)
 
-### IPv6 support
-**Project**: IPv6 support
-
-**Brief explanation**: Add support for native IPv6 in Qubes VMs. This should
-include IPv6 routing (+NAT...), IPv6-aware firewall, DNS configuration, dealing
-with IPv6 being available or not in directly connected network. See
-[#718](https://github.com/QubesOS/qubes-issues/issues/718) for more details.
-
-**Expected results**:
-
- - Add IPv6 handling to network configuration scripts in VMs
- - Add support for IPv6 in Qubes firewall (including CLI/GUI tools to configure it)
- - Design and implement simple mechanism to propagate information about IPv6
-   being available at all (if necessary). This should be aware of ProxyVMs
-   potentially adding/removing IPv6 support - like VPN, Tor etc.
- - Add unit tests and integration tests for both configuration scripts and UI
-   enhancements.
- - Update documentation.
-
-**Knowledge prerequisite**:
-
- - network protocols, especially IPv6, TCP, DNS, DHCPv6, ICMPv6 (including
-   autoconfiguration)
- - ip(6)tables, nftables, NAT
- - Python and Bash scripting
- - network configuration on Linux: ip tool, configuration files on Debian and
-   Fedora, NetworkManager
-
-**Mentor**: [Marek Marczykowski-Górecki](/team/)
-
 ### Thunderbird, Firefox and Chrome extensions
+
 **Project**: additional Thunderbird, Firefox and Chrome extensions
 
 **Brief explanation**: 
@@ -315,31 +248,7 @@ immune to altering past entries. See
  - systemd
  - Python/Bash scripting
 
-**Mentor**: Inquire on [qubes-devel][ml-devel].
-
-### GUI improvements
-
-**Project**: GUI improvements
-
-**Brief explanation**:
-
-* GUI for enabling USB keyboard: [#2329](https://github.com/QubesOS/qubes-issues/issues/2329)
-* GUI for enabling USB passthrough: [#2328](https://github.com/QubesOS/qubes-issues/issues/2328)
-* GUI interface for /etc/qubes/guid.conf: [#2304](https://github.com/QubesOS/qubes-issues/issues/2304)
-* Improving inter-VM file copy / move UX master ticket: [#1839](https://github.com/QubesOS/qubes-issues/issues/1839)
-* and comprehensive list of GUI issues: [#1117](https://github.com/QubesOS/qubes-issues/issues/1117)
-
-**Expected results**:
-
- - Add/enhance GUI tools to configure/do things mentioned in description above.
-   Reasonable subset of those things is acceptable.
- - Write tests for added elements.
-
-**Knowledge prerequisite**:
-
- - Python, PyGTK
-
-**Mentor**: Inquire on [qubes-devel][ml-devel].
+**Mentor**: [Marek Marczykowski-Górecki](/team/)
 
 ### Xen GPU pass-through for Intel integrated GPUs
 **Project**: Xen GPU pass-through for Intel integrated GPUs (largely independent of Qubes)
@@ -424,27 +333,7 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Mentor**: [Rafał Wojdyła](/team/)
 
-### Make Anti Evil Maid resistant against shoulder surfing and video surveillance
-
-**Project**: Observing the user during early boot should not be sufficient to defeat the protection offered by Anti Evil Maid.
-
-**Brief explanation**:
-
-1. Implement optional support for time-based one-time-password seed secrets. Instead of verifying a static text or picture (which the attacker can record and replay later on a compromised system), the user would verify an ephemeral six-digit code displayed on another device, e.g. a smartphone running any Google Authenticator compatible code generator app.
-
-2. Implement optional support for storing a passphrase-encrypted LUKS disk decryption key on a secondary AEM device. The attacker would then have to seize this device in order to decrypt the user's data; just recording the passphrase as it is entered would no longer be enough.
-
-**Expected results**: AEM package updates implementing both features, with fallback support in case the user does not have their smartphone or secondary AEM device at hand. Good UX and documentation for enrolling or upgrading users.
-
-**Knowledge prerequisite**:
-
-- Bash scripting
-- The AEM threat model
-- GRUB2, dracut, systemd, LUKS
-
-**Mentor**: [Rusty Bird](mailto:rustybird@openmailbox.org)
-
-### GNOME support in dom0
+### GNOME support in dom0 / GUI VM
 
 **Project**: GNOME support in dom0
 
@@ -518,7 +407,7 @@ for more information and qubes-specific background.
 
 **Knoledge prerequisite**: qubes-builder [[1]](https://www.qubes-os.org/doc/qubes-builder/) [[2]](https://www.qubes-os.org/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
 
-**Mentor**: Inquire on [qubes-devel][ml-devel].
+**Mentor**: [Marek Marczykowski-Górecki](/team/)
 
 ### Android development in Qubes
 

From 59279c22826e4d676952c4f96d10e1ba77c31b86 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 29 Jan 2018 14:52:51 +0000
Subject: [PATCH 049/125] Update dispvm.md

---
 common-tasks/dispvm.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index edbd13c9..816819d1 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -26,7 +26,7 @@ Disposable VMs and Networking (R4.0 and later)
 
 R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
 This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
-the Applications menu (e.g. `fedora-XX-dvm`). Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
+the Applications menu. Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
 As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
 
 NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
@@ -41,7 +41,6 @@ Disposable VMs will temporarily appear with the name `disp####`.
 
 A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
 By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
 
 Disposable VMs and Networking (R3.2 and earlier)

From 5427e4c4b2da0da8961cb66b9ea091749874fad5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 29 Jan 2018 16:39:07 +0100
Subject: [PATCH 050/125] gsoc: add new ideas collected from qubes-devel ML

---
 basics_dev/gsoc.md | 94 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 88 insertions(+), 6 deletions(-)

diff --git a/basics_dev/gsoc.md b/basics_dev/gsoc.md
index 544798fa..d73b0203 100644
--- a/basics_dev/gsoc.md
+++ b/basics_dev/gsoc.md
@@ -36,7 +36,7 @@ Before the summer starts, there are some preparatory tasks which are highly enco
 
 ### Student proposal guidelines
 
-A project proposal is what you will be judged upon. Write a clear proposal on what you plan to do, the scope of your project, and why we should choose you to do it. Proposals are the basis of the GSoC projects and therefore one of the most important things to do well. The proposal is not only the basis of our decision of which student to choose, it has also an effect on Google's decision as to how many student slots are assigned to Qubes. 
+A project proposal is what you will be judged upon. Write a clear proposal on what you plan to do, the scope of your project, and why we should choose you to do it. Proposals are the basis of the GSoC projects and therefore one of the most important things to do well. The proposal is not only the basis of our decision of which student to choose, it has also an effect on Google's decision as to how many student slots are assigned to Qubes.
 
 Below is the application template:
 
@@ -86,7 +86,7 @@ These project ideas were contributed by our developers and may be incomplete. If
 
 **Expected results**: What is the expected result in the timeframe given
 
-**Knowledge prerequisite**: Pre-requisites for working on the project. What coding language and knowledge is needed? 
+**Knowledge prerequisite**: Pre-requisites for working on the project. What coding language and knowledge is needed?
 If applicable, links to more information or discussions
 
 **Mentor**: Name and email address.
@@ -128,7 +128,7 @@ would override all the user changes there). More details:
      [#1705](https://github.com/QubesOS/qubes-issues/issues/1705) for some idea
      (this one lack integrity verification, but similar service could
      be developed with that added)
- - If new "package" format is developed, add support for it into 
+ - If new "package" format is developed, add support for it into
    [linux-template-builder](https://github.com/QubesOS/qubes-linux-template-builder).
  - Document the mechanism.
  - Write unit tests and integration tests.
@@ -143,6 +143,84 @@ would override all the user changes there). More details:
 
 **Mentor**: [Marek Marczykowski-Górecki](/team/)
 
+### Easy inter-VM networking configuration
+
+**Project**: Easy inter-VM networking configuration
+
+**Brief explanation**: Utility to easily configure selected VMs to be reachable (by network) from other VMs or outside network. Currently such configuration require adding iptables rules in multiple VMs manually. For exposing VM to outside network, it may be good to adopt qrexec-based TCP forwarding ([#2148](https://github.com/QubesOS/qubes-issues/issues/2148)).
+
+**Expected results**:
+
+- support firewall rules for inter-VM traffic in qubes-firewall - both VM side (qubes-firewall service) and dom0 configuration side (relevant Admin API calls)
+- mechanism for configuring firewall in target VM, especially INPUT iptables chain - currently it is hardcoded to drop new incoming connections
+- convenient tool (or modification to existing tool) for controlling above mechanisms
+- integration the above with existing GUI tools (especially VM settings)
+
+Relevant links:
+ - [Qubes networking and firewall documentation](/doc/firewall/)
+ - [qubes-firewall service code](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubesagent/firewall.py)
+
+**Knowledge prerequisite**:
+
+- iptables
+- basics of nft
+- python3
+
+**Mentor**: [Marek Marczykowski-Górecki](/team/)
+
+### Mechanism for maintaining in-VM configuration
+
+**Project**: Mechanism for maintaining in-VM configuration
+
+**Brief explanation**: Large number of VMs is hard to maintain. Templates helps with keeping them updated, but many applications have configuration in user home directory, which is not synchronized.
+
+**Expected results**:
+
+- Design a mechanism how to _safely_ synchronize application configuration living in user home directory (`~/.config`, some other "dotfiles"). Mechanism should be resistant against malicious VM forcing its configuration on other VMs. Some approach could be a strict control which VM can send what changes (whitelist approach, not blacklist).
+- Implementation of the above mechanism.
+- Documentation how to configure it securely.
+
+
+**Knowledge prerequisite**:
+
+- shell and/or python scripting
+- Qubes OS qrexec services
+
+**Mentor**: [Marek Marczykowski-Górecki](/team/), [Wojtek Porczyk](/team/).
+
+### Wayland support in GUI agent and/or GUI daemon
+
+**Project**: Wayland support in GUI agent and/or GUI daemon
+
+**Brief explanation**: Currently both GUI agent (VM side of the GUI virtualization) and GUI daemon (dom0 side of GUI virtualization) support X11 protocol only. It may be useful to add support for Wayland there. Note that those are in fact two independent projects:
+
+1. GUI agent - make it work as Wayland compositor, instead of extracting window's composition buffers using custom X11 driver
+2. GUI daemon - act as Wayland application, showing windows retrieved from VMs, keeping zero-copy display path (window content is directly mapped from application running in VM, not copied)
+
+**Expected results**:
+
+Choose either of GUI agent, GUI daemon. Both are of similar complexity and each separately looks like a good task for GSoC time period.
+
+- design relevant GUI agent/daemon changes, the GUI protocol should not be affected
+- consider window decoration handling - VM should have no way of spoofing those, so it must be enforced by GUI daemon (either client-side - by GUI daemon itself, or server-side, based on hints given by GUI daemon)
+- implement relevant GUI agent/daemon changes
+- implement tests for new GUI handling, similar to existing tests for X11 based GUI
+
+Relevant links:
+ - [Low level GUI documentation](/doc/gui/)
+ - [qubes-gui-agent-linux](https://github.com/qubesos/qubes-gui-agent-linux)
+ - [qubes-gui-daemon](https://github.com/qubesos/qubes-gui-daemon)
+ - [Use Wayland instead of X11 to increase performance](https://github.com/qubesos/qubes-issues/issues/3366)
+
+**Knowledge prerequisite**:
+
+- Wayland architecture
+- basics of X11 (for understanding existing code)
+- C language
+- using shared memory (synchronization methods etc)
+
+**Mentor**: [Marek Marczykowski-Górecki](/team/).
+
 ### Qubes Live USB
 
 **Project**: Revive Qubes Live USB, integrate it with installer
@@ -197,7 +275,7 @@ details: [#1552](https://github.com/QubesOS/qubes-issues/issues/1552),
 
 **Project**: additional Thunderbird, Firefox and Chrome extensions
 
-**Brief explanation**: 
+**Brief explanation**:
 
 * browser/mail: open link in vm
 * browser/mail: open link in dispvm
@@ -288,7 +366,7 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Brief explanation**: [T509](https://phabricator.whonix.org/T509)
 
-**Expected results**: 
+**Expected results**:
 
 - Work at upstream Tor: An older version of https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy page was the origin of Whonix. Update that page for nftables / IPv6 support without mentioning Whonix. Then discuss that on the tor-talk mailing list for wider input. - https://trac.torproject.org/projects/tor/ticket/21397
 - implement corridor feature request add IPv6 support / port to nftables - https://github.com/rustybird/corridor/issues/39
@@ -296,7 +374,11 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 - make connections to IPv6 Tor relays work
 - make connections to IPv6 destinations work
 
-**Knowledge prerequisite**: 
+**Knowledge prerequisite**:
+
+- nftables
+- iptables
+- IPv6
 
 **Mentor**: [Patrick Schleizer](/team/)
 

From 3fc8bf94d94382f4ae57ccaef4ecd50ea1bd1e7e Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Mon, 29 Jan 2018 20:40:00 -0600
Subject: [PATCH 051/125] Introduce restrictive clauses with "that" instead of
 "which"

---
 reference/glossary.md | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/reference/glossary.md b/reference/glossary.md
index 817c7190..3cc17a13 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -22,7 +22,7 @@ The main principle of Qubes OS is security by compartmentalization (or isolation
 VM
 --
 An abbreviation for "virtual machine." 
-A software implementation of a machine (for example, a computer) which executes programs like a physical machine.
+A software implementation of a machine (for example, a computer) that executes programs like a physical machine.
 
 Qube
 ----
@@ -62,34 +62,34 @@ By default, most domUs lack direct hardware access.
 TemplateVM
 ----------
 Template Virtual Machine. 
-Any [VM](#vm) which supplies its root filesystem to another VM. 
+Any [VM](#vm) that supplies its root filesystem to another VM. 
 TemplateVMs are intended for installing and updating software applications, but not for running them.
 
  * Colloquially, TemplateVMs are often referred to as "templates."
 
 TemplateBasedVM
 ---------------
-Any [VM](#vm) which depends on a [TemplateVM](#templatevm) for its root filesystem.
+Any [VM](#vm) that depends on a [TemplateVM](#templatevm) for its root filesystem.
 
 Standalone(VM)
 --------------
 Standalone (Virtual Machine). 
 In general terms, a [VM](#vm) is described as **standalone** if and only if it does not depend on any other VM for its root filesystem. 
 (In other words, a VM is standalone if and only if it is not a TemplateBasedVM.) 
-More specifically, a **StandaloneVM** is a type of VM in Qubes which is created by cloning a TemplateVM. 
+More specifically, a **StandaloneVM** is a type of VM in Qubes that is created by cloning a TemplateVM. 
 Unlike TemplateVMs, however, StandaloneVMs do not supply their root filesystems to other VMs. 
 (Therefore, while a TemplateVM is a type of standalone VM, it is not a StandaloneVM.)
 
 AppVM
 -----
 Application Virtual Machine. 
-A [VM](#vm) which is intended for running software applications. 
+A [VM](#vm) that is intended for running software applications. 
 Typically a TemplateBasedVM, but may be a StandaloneVM. Never a TemplateVM.
 
 NetVM
 -----
 Network Virtual Machine. 
-A type of [VM](#vm) which connects directly to a network and provides access to that network to other VMs which connect to the NetVM. 
+A type of [VM](#vm) that connects directly to a network and provides network access any VMs connected to the NetVM. 
 A NetVM called `sys-net` is created by default in most Qubes installations.
 
 Alternatively, "NetVM" may refer to whichever VM is directly connected to a VM for networking purposes. 
@@ -98,18 +98,18 @@ For example, if `untrusted` is directly connected to `sys-firewall` for network
 ProxyVM
 -------
 Proxy Virtual Machine. 
-A type of [VM](#vm) which proxies network access for other VMs. 
-Typically, a ProxyVM sits between a NetVM and another VM (such as an AppVM or a TemplateVM) which requires network access.
+A type of [VM](#vm) that proxies network access for other VMs. 
+Typically, a ProxyVM sits between a NetVM and another VM (such as an AppVM or a TemplateVM) that requires network access.
 
 FirewallVM
 ----------
 Firewall Virtual Machine. 
-A type of [ProxyVM](#proxyvm) which is used to enforce network-level policies (a.k.a. "firewall rules"). 
+A type of [ProxyVM](#proxyvm) that is used to enforce network-level policies (a.k.a. "firewall rules"). 
 A FirewallVM called `sys-firewall` is created by default in most Qubes installations.
 
 DispVM
 ------
-[Disposable Virtual Machine]. A temporary [AppVM](#appvm) based on a [DVM Template](#dvm-template) which can quickly be created, used, and destroyed.
+[Disposable Virtual Machine]. A temporary [AppVM](#appvm) based on a [DVM Template](#dvm-template) that can quickly be created, used, and destroyed.
 
 DVM
 ---
@@ -139,12 +139,12 @@ Although HVMs are typically slower than paravirtualized VMs due to the required
 
 StandaloneHVM
 -------------
-Any [HVM](#hvm) which is standalone (i.e., does not depend on any other VM for its root filesystem). 
+Any [HVM](#hvm) that is standalone (i.e., does not depend on any other VM for its root filesystem). 
 In Qubes, StandaloneHVMs are referred to simply as **HVMs**.
 
 TemplateHVM
 -----------
-Any [HVM](#hvm) which functions as a [TemplateVM](#templatevm) by supplying its root filesystem to other VMs. 
+Any [HVM](#hvm) that functions as a [TemplateVM](#templatevm) by supplying its root filesystem to other VMs. 
 In Qubes, TemplateHVMs are referred to as **HVM templates**.
 
 TemplateBasedHVM

From f4454dd2dd265d5eae52edf76ffefa2d86c2845c Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Mon, 29 Jan 2018 20:45:11 -0600
Subject: [PATCH 052/125] Clarify the definition of "NetVM"

---
 reference/glossary.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/reference/glossary.md b/reference/glossary.md
index 3cc17a13..bd1af6ce 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -89,7 +89,8 @@ Typically a TemplateBasedVM, but may be a StandaloneVM. Never a TemplateVM.
 NetVM
 -----
 Network Virtual Machine. 
-A type of [VM](#vm) that connects directly to a network and provides network access any VMs connected to the NetVM. 
+A type of [VM](#vm) that connects directly to a network.
+Other VMs gain access to a network by connecting to a NetVM (usually indirectly, via a [FirewallVM](#firewallvm)).
 A NetVM called `sys-net` is created by default in most Qubes installations.
 
 Alternatively, "NetVM" may refer to whichever VM is directly connected to a VM for networking purposes. 

From 82f50fe2e0dab972d7e028ee5232ecdf2cf3680d Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Mon, 29 Jan 2018 21:09:08 -0600
Subject: [PATCH 053/125] Add "TemplateVM" notes; update "DVM Template" for 4.0

https://github.com/QubesOS/qubes-issues/issues/2486
https://github.com/QubesOS/qubes-doc/pull/543
---
 reference/glossary.md | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/reference/glossary.md b/reference/glossary.md
index bd1af6ce..3e6d0d3f 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -66,6 +66,9 @@ Any [VM](#vm) that supplies its root filesystem to another VM.
 TemplateVMs are intended for installing and updating software applications, but not for running them.
 
  * Colloquially, TemplateVMs are often referred to as "templates."
+ * Since every TemplateVM supplies its *own* root filesystem to at least one other VM, no TemplateVM can be based on another TemplateVM.
+   In other words, no TemplateVM is a [TemplateBasedVM](#templatebasedvm).
+ * Since every TemplateVM supplies its *root* filesystem to at least one other VM, no [DVM Template](#dvm-template) is a TemplateVM.
 
 TemplateBasedVM
 ---------------
@@ -118,12 +121,18 @@ An abbreviation of [DispVM](#dispvm), typically used to refer to [DVM Templates]
 
 DVM Template
 ------------
-TemplateBasedVMs on which [DispVMs](#dispvm) are based. 
+A type of [TemplateBasedVM](#templatebasedvm) on which [DispVMs](#dispvm) are based.
 By default, a DVM Template named `fedora-XX-dvm` is created on most Qubes installations (where `XX` is the Fedora version of the default TemplateVM). 
-DVM Templates are neither [TemplateVMs](#templatevm) nor [AppVMs](#appvm). 
-They are intended neither for installing nor running software. 
-Rather, they are intended for *customizing* or *configuring* software that has already been installed on the TemplateVM on which the DVM Template is based (see [DispVM Customization]). 
-This software is then intended to be run (in its customized state) in DispVMs that are based on the DVM Template.
+DVM Templates are not [TemplateVMs](#templatevm), since (being TemplateBasedVMs) they do not have root filesystems of their own to provide to other VMs.
+Rather, DVM Templates are complementary to TemplateVMs insofar as DVM Templates provide their own user filesystems to the DispVMs based on them.
+There are two main kinds of DVM Templates:
+
+ * **Dedicated** DVM Templates are intended neither for installing nor running software.
+   Rather, they are intended for *customizing* or *configuring* software that has already been installed on the TemplateVM on which the DVM Template is based (see [DispVM Customization]).
+   This software is then intended to be run (in its customized state) in DispVMs that are based on the DVM Template.
+ * **Non-dedicated** DVM Templates are typically [AppVMs](#appvm) on which DispVMs are based.
+   For example, an AppVM could be used to generate and store trusted data.
+   Then, a DispVM could be created based on the AppVM (thereby making the AppVM a DVM Template) so that the data can be analyzed by an untrusted program without jeopardizing the integrity of the original data.
 
 PV
 --

From a61d08fed4f1e34410ca5c95de0cd9b02e5ba990 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Mon, 29 Jan 2018 21:19:19 -0600
Subject: [PATCH 054/125] Add "SystemVM" to the glossary

---
 reference/glossary.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/reference/glossary.md b/reference/glossary.md
index 3e6d0d3f..f2ceb492 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -167,6 +167,12 @@ Service Virtual Machine.
 A [VM](#vm) the primary purpose of which is to provide a service or services to other VMs. 
 NetVMs and ProxyVMs are examples of ServiceVMs.
 
+SystemVM
+--------
+System Virtual Machine.
+A synonym for [ServiceVM](#servicevm).
+SystemVMs usually have the prefix `sys-`.
+
 PVHVM
 -----
 [PV](#pv) on [HVM](#hvm). 

From e59b6c29b1c74918b8744c3c34690a2d97856d39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 30 Jan 2018 06:14:09 +0100
Subject: [PATCH 055/125] networking: update for 3.2+, add IPv6 (4.0+)

---
 system/networking.md | 42 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/system/networking.md b/system/networking.md
index 9fce8984..cde78ade 100644
--- a/system/networking.md
+++ b/system/networking.md
@@ -15,9 +15,9 @@ VM network in Qubes
 Overall description
 -------------------
 
-In Qubes, the standard Xen networking is used, based on backend driver in the driver domain and frontend drivers in VMs. In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of `vif` devices. The default *vif-route* script had some deficiencies (requires `eth0` device to be up, and sets some redundant iptables rules), therefore the custom *vif-route-qubes* script is used.
+In Qubes, the standard Xen networking is used, based on backend driver in the driver domain and frontend drivers in VMs. In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of `vif` devices and NAT is applied at each network hop. The default *vif-route* script had some deficiencies (requires `eth0` device to be up, and sets some redundant iptables rules), therefore the custom *vif-route-qubes* script is used.
 
-The IP address of `eth0` interface in AppVM, as well as two IP addresses to be used as nameservers (`DNS1` and `DNS2`), are passed via xenstore to AppVM during its boot (thus, there is no need for DHCP daemon in the network driver domain). `DNS1` and `DNS2` are private addresses; whenever an interface is brought up in the network driver domain, the */usr/lib/qubes/qubes\_setup\_dnat\_to\_ns* script sets up the DNAT iptables rules translating `DNS1` and `DNS2` to the newly learned real dns servers. This way AppVM networking configuration does not need to be changed when configuration in the network driver domain changes (e.g. user switches to a different WLAN). Moreover, in the network driver domain, there is no DNS server either, and consequently there are no ports open to the VMs.
+The IP address of `eth0` interface in AppVM, as well as two IP addresses to be used as nameservers (`DNS1` and `DNS2`), are passed via QubesDB to AppVM during its boot (thus, there is no need for DHCP daemon in the network driver domain). `DNS1` and `DNS2` are private addresses; whenever an interface is brought up in the network driver domain, the */usr/lib/qubes/qubes\_setup\_dnat\_to\_ns* script sets up the DNAT iptables rules translating `DNS1` and `DNS2` to the newly learned real dns servers. This way AppVM networking configuration does not need to be changed when configuration in the network driver domain changes (e.g. user switches to a different WLAN). Moreover, in the network driver domain, there is no DNS server either, and consequently there are no ports open to the VMs.
 
 Routing tables examples
 -----------------------
@@ -32,12 +32,40 @@ Network driver domain routing table is a bit longer:
 
 ||
 |Destination|Gateway|Genmask|Flags|Metric|Ref|Use|Iface|
-|10.2.0.16|0.0.0.0|255.255.255.255|UH|0|0|0|vif4.0|
-|10.2.0.7|0.0.0.0|255.255.255.255|UH|0|0|0|vif10.0|
-|10.2.0.9|0.0.0.0|255.255.255.255|UH|0|0|0|vif9.0|
-|10.2.0.8|0.0.0.0|255.255.255.255|UH|0|0|0|vif8.0|
-|10.2.0.12|0.0.0.0|255.255.255.255|UH|0|0|0|vif3.0|
+|10.137.0.16|0.0.0.0|255.255.255.255|UH|0|0|0|vif4.0|
+|10.137.0.7|0.0.0.0|255.255.255.255|UH|0|0|0|vif10.0|
+|10.137.0.9|0.0.0.0|255.255.255.255|UH|0|0|0|vif9.0|
+|10.137.0.8|0.0.0.0|255.255.255.255|UH|0|0|0|vif8.0|
+|10.137.0.12|0.0.0.0|255.255.255.255|UH|0|0|0|vif3.0|
 |192.168.0.0|0.0.0.0|255.255.255.0|U|1|0|0|eth0|
 |0.0.0.0|192.168.0.1|0.0.0.0|UG|0|0|0|eth0|
 
+IPv6
+----
+
+Starting with Qubes 4.0, there is opt-in support for IPv6 forwarding. Similar to the IPv4, traffic is routed and NAT is applied at each network gateway. This way we avoid reconfiguring every connected qube whenever uplink connection is changed, and even telling the qube what that uplink is - which may be complex when VPN or other tunneling services are employed.
+The feature can be enabled on any network-providing qube, and will be propagated down the network tree, so every qube connected to it will also have IPv6 enabled.
+To enable the `ipv6` feature use `qvm-features` tool and set the value to `1`. For example to enable it on `sys-net`, execute in dom0:
+
+    qvm-features sys-net ipv6 1
+
+It is also possible to explicitly disable IPv6 support for some qubes, even if it is connected to IPv6-providing one. This can be done by setting `ipv6` feature to empty value:
+
+    qvm-features ipv4-only-qube ipv6 ''
+
+This configuration is presented below - green qubes have IPv6 access, red one does not.
+
+![ipv6-1](/attachment/wiki/IPv6/ipv6-1.png)
+
+In that case, system uplink connection have native IPv6. But in some cases it may not be true. Then some tunneling solution can be used (for example teredo). The same will apply when the user is connected to VPN service providing IPv6 support, regardless of user's internet connection.
+Such configuration can be expressed by enabling `ipv6` feature only on some subset of Qubes networking, for example by creating separate qube to encapsulate IPv6 traffic and setting `ipv6` to `1` only there. See diagram below
+
+![ipv6-2](/attachment/wiki/IPv6/ipv6-2.png)
+
+Besides enabling IPv6 forwarding, standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only `qvm-firewall` command support adding IPv6 rules, GUI firewall editor will have this ability later.
+
+### Limitations ###
+
+Currently only IPv4 DNS servers are configured, regardless of `ipv6` feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.
+But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.
 

From ce4e5f8cd967b79edd16ec06f1507d2578449af9 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 12:40:50 +0000
Subject: [PATCH 056/125] mention discard mount option

nothing 4.0 specific
---
 common-tasks/tips-and-tricks.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 668d38fb..0ecc6486 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -58,4 +58,5 @@ Trim for standalone AppVMs
 ---------------------
 The `qvm-trim-template` command is not available for a standalone AppVM.
 
-It is still possible to trim the AppVM disks by using the `fstrim --all` command from the appvm
+It is still possible to trim the AppVM disks by using the `fstrim --all` command from the appvm.
+Note you may need to add the `discard` option to the mount line in `/etc/fstab` inside the standalone AppVM before this will work as expected.

From eeef6a0c0572ba2dab7c4e85b10cf5d7bcbadd93 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 12:49:04 +0000
Subject: [PATCH 057/125] move rarely used content down

---
 common-tasks/usb.md | 359 ++++++++++++++++++++++----------------------
 1 file changed, 179 insertions(+), 180 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 655048de..ad3e0fab 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -21,186 +21,6 @@ redirect_from:
 Using and Managing USB Devices
 ==============================
 
-Creating and Using a USB qube
------------------------------
-
-**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this in an encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23].
-
-Connecting an untrusted USB device to dom0 is a security risk since dom0,
-like almost every OS, reads partition tables automatically. The whole
-USB stack is put to work to parse the data presented by the USB device in order
-to determine if it is a USB mass storage device, to read its configuration, etc.
-This happens even if the drive is then assigned and mounted in another qube.
-
-To avoid this risk, it is possible to prepare and utilize a USB qube.
-
-A USB qube acts as a secure handler for potentially malicious USB devices,
-preventing them from coming into contact with dom0 (which could otherwise be
-fatal to the security of the whole system). With a USB qube, every time you
-connect an untrusted USB drive to a USB port managed by that USB controller, you
-will have to attach it to the qube in which you wish to use it (if different
-from the USB qube itself), either by using Qubes VM Manager or the command line
-(see instructions above). 
-You can create a USB qube using the management stack by performing the following
-steps as root in dom0:
-
- 1. Enable `sys-usb`:
-
-        sudo qubesctl top.enable qvm.sys-usb
-
- 2. Apply the configuration:
-
-        sudo qubesctl state.highstate
-
-Alternatively, you can create a USB qube manually as follows:
-
- 1.  Read the [Assigning Devices] page to learn how to list and identify your
-     USB controllers. Carefully check whether you have a USB controller that
-     would be appropriate to assign to a USB qube. Note that it should have no
-     input devices, programmable devices, and any other devices that must be
-     directly available to dom0. If you find a free controller, note its name
-     and proceed to step 2.
- 2.  Create a new qube. Give it an appropriate name and color label
-     (recommended: `sys-usb`, red). If you need to attach a networking device,
-     it might make sense to create a NetVM. If not, an AppVM might make more
-     sense. (The default `sys-usb` is a NetVM.)
- 3.  In the qube's settings, go to the "Devices" tab. Find the USB controller
-     that you identified in step 1 in the "Available" list. Move it to the
-     "Selected" list.
-
-     **Caution:** By assigning a USB controller to a USB qube, it will no longer
-     be available to dom0. This can make your system unusable if, for example,
-     you have only one USB controller, and you are running Qubes off of a USB
-     drive.
-
- 4.  Click "OK." Restart the qube.
- 5.  Recommended: Check the box on the "Basic" tab which says "Start VM
-     automatically on boot." (This will help to mitigate attacks in which
-     someone forces your system to reboot, then plugs in a malicious USB
-     device.)
-
-If the USB qube will not start, see [here][faq-usbvm].
-
-How to hide all USB controllers from dom0
------------------------------------------
-
-If you create a USB qube manually, there will be a brief period of time during the
-boot process during which dom0 will be exposed to your USB controllers (and any
-attached devices). This is a potential security risk, since even brief exposure
-to a malicious USB device could result in dom0 being compromised. There are two
-approaches to this problem:
-
-1. Physically disconnect all USB devices whenever you reboot the host.
-2. Hide (i.e., blacklist) all USB controllers from dom0.
-
-**Warning:** If you use a USB [AEM] device, do not use the second option. Using
-a USB AEM device requires dom0 to have access to the USB controller to which
-your USB AEM device is attached. If dom0 cannot read your USB AEM device, AEM
-will hang.
-
-The procedure to hide all USB controllers from dom0 is as follows:
-
-1. Open the file `/etc/default/grub` in dom0.
-2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
-3. Add `rd.qubes.hide_all_usb` to that line.
-4. Save and close the file.
-5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-6. Reboot.
-
-(Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you
-opt to create a USB qube during installation. This also occurs automatically if
-you choose to [create a USB qube] using the `qubesctl` method, which is the
-first pair of steps in the linked section.)
-
-**Warning:** USB keyboard cannot be used to type the disk passphrase
-if USB controllers were hidden from dom0. Before hiding USB controllers
-make sure your laptop keyboard is not internally connected via USB
-(by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
-(if using a desktop PC). Failure to do so will render your system unusable.
-
-
-Removing a USB qube
--------------------
-
-**Warning:** This procedure will result in your USB controller(s) being attached
-directly to dom0.
-
-1. Shut down the USB qube.
-2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
-3. Open the file `/etc/default/grub` in dom0.
-4. Find the line(s) that begins with `GRUB_CMDLINE_LINUX`.
-5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
-6. Save and close the file.
-7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-8. Reboot.
-
-
-Security Warning about USB Input Devices
-----------------------------------------
-
-**Important security warning. Please read this section carefully!**
-
-If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system.
-Because of this, the benefits of using a USB qube are much smaller than using a fully untrusted USB qube.
-In addition to having control over your system, such VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
-
-There is no simple way to protect against sniffing, but you can make it harder to exploit control over input devices.
-
-If you have only a USB mouse connected to a USB qube, but the keyboard is connected directly to dom0 (using a PS/2 connector, for example), you simply need to lock the screen when you are away from your computer.
-You must do this every time you leave your computer unattended, even if there no risk of anyone else having direct physical access to your computer.
-This is because you are guarding the system not only against anyone with local access, but also against possible actions from a potentially compromised USB qube.
-
-If your keyboard is also connected to a USB qube, things are much harder.
-Locking the screen (with a traditional password) does not solve the problem, because the USB qube can simply sniff this password and later easily unlock the screen.
-One possibility is to set up the screen locker to require an additional step to unlock (i.e., two-factor authentication).
-One way to achieve this is to use a [YubiKey], or some other hardware token, or even to manually enter a one-time password.
-
-How to use a USB keyboard
--------------------------
-
-**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
-
-In order to use a USB keyboard, you must first attach it to a USB qube, then give that qube permission to pass keyboard input to dom0.
-Edit the `qubes.InputKeyboard` policy file in dom0, which is located here:
-
-    /etc/qubes-rpc/policy/qubes.InputKeyboard
-
-Add a line like this one to the top of the file:
-
-    sys-usb dom0 allow,user=root
-
-(Change `sys-usb` to your desired USB qube.)
-
-You can now use your USB keyboard.
-
-For a confirmation dialog each time the USB keyboard is connected, change this line to:
-```
-sys-usb dom0 ask,default_target=dom0
-```
-
-How to use a USB mouse
-----------------------
-
-**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
-
-In order to use a USB mouse, you must first attach it to a USB qube, then give that qube permission to pass mouse input to dom0.
-Edit the `qubes.InputMouse` policy file in dom0, which is located here:
-
-    /etc/qubes-rpc/policy/qubes.InputMouse
-
-Add a line like this to the top of the file:
-
-    sys-usb dom0 allow,user=root
-    
-(Change `sys-usb` to your desired USB qube.)
-
-You can now use your USB mouse.
-
-For a confirmation dialog each time the USB mouse is connected, change this line to:
-```
-sys-usb dom0 ask,default_target=dom0
-```
-
 How to attach USB drives
 ------------------------
 
@@ -383,6 +203,185 @@ When you finish, detach the device:
 
 This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our our Project Ideas [here][project-page].
 
+Creating and Using a USB qube
+-----------------------------
+
+**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this in an encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23].
+
+Connecting an untrusted USB device to dom0 is a security risk since dom0,
+like almost every OS, reads partition tables automatically. The whole
+USB stack is put to work to parse the data presented by the USB device in order
+to determine if it is a USB mass storage device, to read its configuration, etc.
+This happens even if the drive is then assigned and mounted in another qube.
+
+To avoid this risk, it is possible to prepare and utilize a USB qube.
+
+A USB qube acts as a secure handler for potentially malicious USB devices,
+preventing them from coming into contact with dom0 (which could otherwise be
+fatal to the security of the whole system). With a USB qube, every time you
+connect an untrusted USB drive to a USB port managed by that USB controller, you
+will have to attach it to the qube in which you wish to use it (if different
+from the USB qube itself), either by using Qubes VM Manager or the command line
+(see instructions above). 
+You can create a USB qube using the management stack by performing the following
+steps as root in dom0:
+
+ 1. Enable `sys-usb`:
+
+        sudo qubesctl top.enable qvm.sys-usb
+
+ 2. Apply the configuration:
+
+        sudo qubesctl state.highstate
+
+Alternatively, you can create a USB qube manually as follows:
+
+ 1.  Read the [Assigning Devices] page to learn how to list and identify your
+     USB controllers. Carefully check whether you have a USB controller that
+     would be appropriate to assign to a USB qube. Note that it should have no
+     input devices, programmable devices, and any other devices that must be
+     directly available to dom0. If you find a free controller, note its name
+     and proceed to step 2.
+ 2.  Create a new qube. Give it an appropriate name and color label
+     (recommended: `sys-usb`, red). If you need to attach a networking device,
+     it might make sense to create a NetVM. If not, an AppVM might make more
+     sense. (The default `sys-usb` is a NetVM.)
+ 3.  In the qube's settings, go to the "Devices" tab. Find the USB controller
+     that you identified in step 1 in the "Available" list. Move it to the
+     "Selected" list.
+
+     **Caution:** By assigning a USB controller to a USB qube, it will no longer
+     be available to dom0. This can make your system unusable if, for example,
+     you have only one USB controller, and you are running Qubes off of a USB
+     drive.
+
+ 4.  Click "OK." Restart the qube.
+ 5.  Recommended: Check the box on the "Basic" tab which says "Start VM
+     automatically on boot." (This will help to mitigate attacks in which
+     someone forces your system to reboot, then plugs in a malicious USB
+     device.)
+
+If the USB qube will not start, see [here][faq-usbvm].
+
+How to hide all USB controllers from dom0
+-----------------------------------------
+
+If you create a USB qube manually, there will be a brief period of time during the
+boot process during which dom0 will be exposed to your USB controllers (and any
+attached devices). This is a potential security risk, since even brief exposure
+to a malicious USB device could result in dom0 being compromised. There are two
+approaches to this problem:
+
+1. Physically disconnect all USB devices whenever you reboot the host.
+2. Hide (i.e., blacklist) all USB controllers from dom0.
+
+**Warning:** If you use a USB [AEM] device, do not use the second option. Using
+a USB AEM device requires dom0 to have access to the USB controller to which
+your USB AEM device is attached. If dom0 cannot read your USB AEM device, AEM
+will hang.
+
+The procedure to hide all USB controllers from dom0 is as follows:
+
+1. Open the file `/etc/default/grub` in dom0.
+2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
+3. Add `rd.qubes.hide_all_usb` to that line.
+4. Save and close the file.
+5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
+6. Reboot.
+
+(Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you
+opt to create a USB qube during installation. This also occurs automatically if
+you choose to [create a USB qube] using the `qubesctl` method, which is the
+first pair of steps in the linked section.)
+
+**Warning:** USB keyboard cannot be used to type the disk passphrase
+if USB controllers were hidden from dom0. Before hiding USB controllers
+make sure your laptop keyboard is not internally connected via USB
+(by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
+(if using a desktop PC). Failure to do so will render your system unusable.
+
+
+Removing a USB qube
+-------------------
+
+**Warning:** This procedure will result in your USB controller(s) being attached
+directly to dom0.
+
+1. Shut down the USB qube.
+2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
+3. Open the file `/etc/default/grub` in dom0.
+4. Find the line(s) that begins with `GRUB_CMDLINE_LINUX`.
+5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
+6. Save and close the file.
+7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
+8. Reboot.
+
+
+Security Warning about USB Input Devices
+----------------------------------------
+
+**Important security warning. Please read this section carefully!**
+
+If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system.
+Because of this, the benefits of using a USB qube are much smaller than using a fully untrusted USB qube.
+In addition to having control over your system, such VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
+
+There is no simple way to protect against sniffing, but you can make it harder to exploit control over input devices.
+
+If you have only a USB mouse connected to a USB qube, but the keyboard is connected directly to dom0 (using a PS/2 connector, for example), you simply need to lock the screen when you are away from your computer.
+You must do this every time you leave your computer unattended, even if there no risk of anyone else having direct physical access to your computer.
+This is because you are guarding the system not only against anyone with local access, but also against possible actions from a potentially compromised USB qube.
+
+If your keyboard is also connected to a USB qube, things are much harder.
+Locking the screen (with a traditional password) does not solve the problem, because the USB qube can simply sniff this password and later easily unlock the screen.
+One possibility is to set up the screen locker to require an additional step to unlock (i.e., two-factor authentication).
+One way to achieve this is to use a [YubiKey], or some other hardware token, or even to manually enter a one-time password.
+
+How to use a USB keyboard
+-------------------------
+
+**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
+
+In order to use a USB keyboard, you must first attach it to a USB qube, then give that qube permission to pass keyboard input to dom0.
+Edit the `qubes.InputKeyboard` policy file in dom0, which is located here:
+
+    /etc/qubes-rpc/policy/qubes.InputKeyboard
+
+Add a line like this one to the top of the file:
+
+    sys-usb dom0 allow,user=root
+
+(Change `sys-usb` to your desired USB qube.)
+
+You can now use your USB keyboard.
+
+For a confirmation dialog each time the USB keyboard is connected, change this line to:
+```
+sys-usb dom0 ask,default_target=dom0
+```
+
+How to use a USB mouse
+----------------------
+
+**Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
+
+In order to use a USB mouse, you must first attach it to a USB qube, then give that qube permission to pass mouse input to dom0.
+Edit the `qubes.InputMouse` policy file in dom0, which is located here:
+
+    /etc/qubes-rpc/policy/qubes.InputMouse
+
+Add a line like this to the top of the file:
+
+    sys-usb dom0 allow,user=root
+    
+(Change `sys-usb` to your desired USB qube.)
+
+You can now use your USB mouse.
+
+For a confirmation dialog each time the USB mouse is connected, change this line to:
+```
+sys-usb dom0 ask,default_target=dom0
+```
 
 [mass-storage]: https://en.wikipedia.org/wiki/USB_mass_storage_device_class
 [Assigning Devices]: /doc/assigning-devices/

From 216d339201b0f8c1d79fb63a9dbdc84142d3c2d3 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 13:50:46 +0000
Subject: [PATCH 058/125] update usb:How to attach USB drives with 4.0

---
 common-tasks/usb.md | 94 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 92 insertions(+), 2 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index ad3e0fab..e1bfea27 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -35,6 +35,95 @@ qube's settings page in Qubes VM Manager or by using the
 [qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
 controller, see [here][usb-controller].)
 
+ * R4.0
+
+USB drive mounting is integrated into the Connection Widget. This is the tooltray
+icon with a yellow square located in the top right of your screen by default.
+Simply insert
+your USB drive and click on the widget. You will see multiple entries for your
+USB drive; typically, `sys-usb:sda`, `sys-usb:sda1`, and `sys-usb:2-1` for example.
+The simplest (but slightly less secure, see note below about attaching individual
+partitions) option is to attach the entire block drive. In our example, this is `sda`,
+so hover over it.
+This will pop up a submenu showing running VMs to which the USB drive can be connected.
+Click on one and your USB drive will be attached!
+
+Note that attaching individual partitions can be slightly more secure because it doesn't
+force the target AppVM to parse the partition table. However, it often means the 
+AppVM won't detect the new partition and you will need to manually mount it inside
+the AppVM. To do this with the GUI,
+you'd select the `sda1` entry in our example and proceed to connect to an AppVM.
+Once the USB drive has been attached to the AppVM, it will
+appear as `/dev/xvd*` (usually `xvdi` but sometimes with higher letters if you
+have multiple devices attached.) Follow the below steps if you need to manually mount
+the partition:
+    ```
+    cd ~
+    mkdir mnt
+    sudo mount /dev/xvdi mnt
+    ```
+    And when done:
+    `sudo umount mnt`
+    
+The command-line tool you may use to mount whole USB drives or their partitions
+is `qvm-block`. This tool can be used to assign a USB drive to a qube as
+follows:
+
+ 1. Insert your USB drive.
+
+ 2. In a dom0 console (running as a normal user), list all available block
+    devices:
+
+        qvm-block
+
+    This will list all available block devices connected to any USB controller
+    in your system, no matter which qube hosts the controller. The name of the
+    qube hosting the USB controller is displayed before the colon in the device
+    name. The string after the colon is the name of the device used within the
+    qube, like so:
+
+        dom0:sdb1     Cruzer () 4GiB
+        
+        usbVM:sdb1    Disk () 2GiB
+
+    **Note:** If your device is not listed here, you may refresh the list by
+    calling (from the qube to which the device is connected):
+
+        sudo udevadm trigger --action=change
+
+ 3.  Assuming your USB drive is attached to dom0 and is `sdb`, we attach the
+     device to a qube with the name `personal` like so:
+
+         qvm-block a personal dom0:sdb
+
+     This will attach the device to the qube as `/dev/xvdi` if that name is not
+     already taken by another attached device, or `/dev/xvdj`, etc.
+
+     You may also mount one partition at a time by using the same command with
+     the partition number after `sdb`.
+
+     **Warning:** when working with single partitions, it is possible to assign
+     the same partition to multiple qubes. For example, you could attach `sdb1`
+     to qube1 and then `sdb` to qube2. It is up to the user not to make this
+     mistake. The Xen block device framework currently does not provide an easy
+     way around this. Point 2 of [this comment on issue 1072][1072-comm2] gives
+     details about this.
+
+ 4.  The USB drive is now attached to the qube. If using a default qube, you may
+     open the Nautilus file manager in the qube, and your drive should be
+     visible in the **Devices** panel on the left.
+
+ 5.  When you finish using your USB drive, click the eject button or right-click
+     and select **Unmount**.
+
+ 6.  In a dom0 console, detach the stick
+
+         qvm-block d <vmname> <device>
+
+ 7.  You may now remove the device.
+
+ * R3.2
+
 USB drive mounting is integrated into the Qubes VM Manager GUI. Simply insert
 your USB drive, right-click on the desired qube in the Qubes VM Manager list,
 click **Attach/detach block devices**, and select your desired action and
@@ -50,7 +139,7 @@ follows:
  2. In a dom0 console (running as a normal user), list all available block
     devices:
 
-        qvm-block -l
+        qvm-block
 
     This will list all available block devices connected to any USB controller
     in your system, no matter which qube hosts the controller. The name of the
@@ -76,7 +165,8 @@ follows:
      already taken by another attached device, or `/dev/xvdj`, etc.
 
      You may also mount one partition at a time by using the same command with
-     the partition number after `sdb`.
+     the partition number after `sdb`. This is slightly more secure because it
+     does not force the target AppVM to parse the partition table.
 
      **Warning:** when working with single partitions, it is possible to assign
      the same partition to multiple qubes. For example, you could attach `sdb1`

From d85351b4721f3535d4b78a3a8f18dc9cf82605a6 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 14:58:43 +0000
Subject: [PATCH 059/125] Update tips-and-tricks.md

---
 common-tasks/tips-and-tricks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 0ecc6486..39be0303 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -59,4 +59,4 @@ Trim for standalone AppVMs
 The `qvm-trim-template` command is not available for a standalone AppVM.
 
 It is still possible to trim the AppVM disks by using the `fstrim --all` command from the appvm.
-Note you may need to add the `discard` option to the mount line in `/etc/fstab` inside the standalone AppVM before this will work as expected.
+You can also add the `discard` option to the mount line in `/etc/fstab` inside the standalone AppVM if you want trimming to be performed automatically, but there may be a performance impact on writes and deletes.

From 866d25120f1b562bf11f316a9d4e0a9d9387784c Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 16:05:24 +0000
Subject: [PATCH 060/125] Cleanup How to attach USB drives section

---
 common-tasks/usb.md | 61 ++++++++++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 26 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index e1bfea27..91f81710 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -35,9 +35,9 @@ qube's settings page in Qubes VM Manager or by using the
 [qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
 controller, see [here][usb-controller].)
 
- * R4.0
+**R4.0**
 
-USB drive mounting is integrated into the Connection Widget. This is the tooltray
+USB drive mounting is integrated into the Connection Widget. This is the tool tray
 icon with a yellow square located in the top right of your screen by default.
 Simply insert
 your USB drive and click on the widget. You will see multiple entries for your
@@ -51,19 +51,7 @@ Click on one and your USB drive will be attached!
 Note that attaching individual partitions can be slightly more secure because it doesn't
 force the target AppVM to parse the partition table. However, it often means the 
 AppVM won't detect the new partition and you will need to manually mount it inside
-the AppVM. To do this with the GUI,
-you'd select the `sda1` entry in our example and proceed to connect to an AppVM.
-Once the USB drive has been attached to the AppVM, it will
-appear as `/dev/xvd*` (usually `xvdi` but sometimes with higher letters if you
-have multiple devices attached.) Follow the below steps if you need to manually mount
-the partition:
-    ```
-    cd ~
-    mkdir mnt
-    sudo mount /dev/xvdi mnt
-    ```
-    And when done:
-    `sudo umount mnt`
+the AppVM. See below for more detailed steps.
     
 The command-line tool you may use to mount whole USB drives or their partitions
 is `qvm-block`. This tool can be used to assign a USB drive to a qube as
@@ -91,10 +79,10 @@ follows:
 
         sudo udevadm trigger --action=change
 
- 3.  Assuming your USB drive is attached to dom0 and is `sdb`, we attach the
+ 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the
      device to a qube with the name `personal` like so:
 
-         qvm-block a personal dom0:sdb
+         qvm-block a personal sys-usb:sdb
 
      This will attach the device to the qube as `/dev/xvdi` if that name is not
      already taken by another attached device, or `/dev/xvdj`, etc.
@@ -108,13 +96,21 @@ follows:
      mistake. The Xen block device framework currently does not provide an easy
      way around this. Point 2 of [this comment on issue 1072][1072-comm2] gives
      details about this.
-
+     
  4.  The USB drive is now attached to the qube. If using a default qube, you may
      open the Nautilus file manager in the qube, and your drive should be
-     visible in the **Devices** panel on the left.
+     visible in the **Devices** panel on the left. If you've attached a single
+     partition, you may need to manually mount before it becomes visible:
+     ```
+     cd ~
+     mkdir mnt
+     sudo mount /dev/xvdi mnt
+     ```
 
  5.  When you finish using your USB drive, click the eject button or right-click
-     and select **Unmount**.
+     and select **Unmount**. If you've manually mounted a single partition
+     in the above step, use:
+     `sudo umount mnt`
 
  6.  In a dom0 console, detach the stick
 
@@ -122,7 +118,7 @@ follows:
 
  7.  You may now remove the device.
 
- * R3.2
+**R3.2**
 
 USB drive mounting is integrated into the Qubes VM Manager GUI. Simply insert
 your USB drive, right-click on the desired qube in the Qubes VM Manager list,
@@ -130,6 +126,11 @@ click **Attach/detach block devices**, and select your desired action and
 device. This, however, only works for the whole device. If you would like to
 attach individual partitions, you must use the command-line tool.
 
+Note that attaching individual partitions can be slightly more secure because it doesn't
+force the target AppVM to parse the partition table. However, it often means the 
+AppVM won't detect the new partition and you will need to manually mount it inside
+the AppVM. See below for more detailed steps.
+    
 The command-line tool you may use to mount whole USB drives or their partitions
 is `qvm-block`. This tool can be used to assign a USB drive to a qube as
 follows:
@@ -156,10 +157,10 @@ follows:
 
         sudo udevadm trigger --action=change
 
- 3.  Assuming your USB drive is attached to dom0 and is `sdb`, we attach the
+ 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the
      device to a qube with the name `personal` like so:
 
-         qvm-block -a personal dom0:sdb
+         qvm-block -a personal sys-usb:sdb
 
      This will attach the device to the qube as `/dev/xvdi` if that name is not
      already taken by another attached device, or `/dev/xvdj`, etc.
@@ -177,10 +178,18 @@ follows:
 
  4.  The USB drive is now attached to the qube. If using a default qube, you may
      open the Nautilus file manager in the qube, and your drive should be
-     visible in the **Devices** panel on the left.
-
+     visible in the **Devices** panel on the left. If you've attached a single
+     partition, you may need to manually mount before it becomes visible:
+     ```
+     cd ~
+     mkdir mnt
+     sudo mount /dev/xvdi mnt
+     ```
+   
  5.  When you finish using your USB drive, click the eject button or right-click
-     and select **Unmount**.
+     and select **Unmount**. If you've manually mounted a single partition
+     in the above step, use:
+     `sudo umount mnt`
 
  6.  In a dom0 console, detach the stick
 

From bf6c66e95a083efc836edaf0e6ea5bb3fc30af20 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 16:35:27 +0000
Subject: [PATCH 061/125] Incorporate Marmarek's comments

---
 common-tasks/usb.md | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 91f81710..e4322ff8 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -30,14 +30,11 @@ sticks, this includes things like USB external hard drives.)
 
 Qubes OS supports the ability to attach a USB drive (or just one or more of its
 partitions) to any qube easily, no matter which qube actually handles the USB
-controller. (The USB controller may be assigned on the **Devices** tab of a
-qube's settings page in Qubes VM Manager or by using the
-[qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
-controller, see [here][usb-controller].)
+controller.
 
 **R4.0**
 
-USB drive mounting is integrated into the Connection Widget. This is the tool tray
+USB drive mounting is integrated into the Devices Widget. This is the tool tray
 icon with a yellow square located in the top right of your screen by default.
 Simply insert
 your USB drive and click on the widget. You will see multiple entries for your
@@ -75,14 +72,14 @@ follows:
         usbVM:sdb1    Disk () 2GiB
 
     **Note:** If your device is not listed here, you may refresh the list by
-    calling (from the qube to which the device is connected):
+    calling from the qube to which the device is connected (typically `sys-usb`):
 
         sudo udevadm trigger --action=change
 
  3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the
      device to a qube with the name `personal` like so:
 
-         qvm-block a personal sys-usb:sdb
+         qvm-block attach personal sys-usb:sdb
 
      This will attach the device to the qube as `/dev/xvdi` if that name is not
      already taken by another attached device, or `/dev/xvdj`, etc.
@@ -90,13 +87,6 @@ follows:
      You may also mount one partition at a time by using the same command with
      the partition number after `sdb`.
 
-     **Warning:** when working with single partitions, it is possible to assign
-     the same partition to multiple qubes. For example, you could attach `sdb1`
-     to qube1 and then `sdb` to qube2. It is up to the user not to make this
-     mistake. The Xen block device framework currently does not provide an easy
-     way around this. Point 2 of [this comment on issue 1072][1072-comm2] gives
-     details about this.
-     
  4.  The USB drive is now attached to the qube. If using a default qube, you may
      open the Nautilus file manager in the qube, and your drive should be
      visible in the **Devices** panel on the left. If you've attached a single
@@ -114,7 +104,7 @@ follows:
 
  6.  In a dom0 console, detach the stick
 
-         qvm-block d <vmname> <device>
+         qvm-block detach <vmname> <device>
 
  7.  You may now remove the device.
 
@@ -153,7 +143,7 @@ follows:
         usbVM:sdb1    Disk () 2GiB
 
     **Note:** If your device is not listed here, you may refresh the list by
-    calling (from the qube to which the device is connected):
+    calling from the qube to which the device is connected (typically `sys-usb`):
 
         sudo udevadm trigger --action=change
 
@@ -321,7 +311,10 @@ fatal to the security of the whole system). With a USB qube, every time you
 connect an untrusted USB drive to a USB port managed by that USB controller, you
 will have to attach it to the qube in which you wish to use it (if different
 from the USB qube itself), either by using Qubes VM Manager or the command line
-(see instructions above). 
+(see instructions above). The USB controller may be assigned on the **Devices** tab of a
+qube's settings page in Qubes VM Manager or by using the
+[qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
+controller, see [here][usb-controller].)
 You can create a USB qube using the management stack by performing the following
 steps as root in dom0:
 
@@ -331,7 +324,7 @@ steps as root in dom0:
 
  2. Apply the configuration:
 
-        sudo qubesctl state.highstate
+        sudo qubesctl state.sls qvm.sys-usb
 
 Alternatively, you can create a USB qube manually as follows:
 
@@ -464,7 +457,12 @@ How to use a USB mouse
 
 **Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
 
-In order to use a USB mouse, you must first attach it to a USB qube, then give that qube permission to pass mouse input to dom0.
+In order to use a USB mouse, you must first attach it to a USB qube, then give that
+qube permission to pass mouse input to dom0.
+The following steps are already done by default if you created the sys-usb qube with
+`qubesctl state.sls qvm.sys-usb` above, or let Qubes create it for you on first boot. However,
+if you've created the USB qube manually:
+
 Edit the `qubes.InputMouse` policy file in dom0, which is located here:
 
     /etc/qubes-rpc/policy/qubes.InputMouse

From acdc936726ca9f7a1541c394020a3eb23700ce5e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 17:15:08 +0000
Subject: [PATCH 062/125] Add 4.0 content to usage of qubes-usb-proxy

Also set "What if I removed the device before detaching it from the VM?" to R3.2 because procedure should be unnecessary under 4.0 and attempting it on 4.0 results in "libxl: error: libxl.c:2233:device_disk_add: device already exists in xenstore".
---
 common-tasks/usb.md | 55 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 6 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index e4322ff8..6206e327 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -200,7 +200,7 @@ manually. The device will show up as `/dev/xvdi` (or `/dev/xvdj` if there is
 already one device attached -- if two, `/dev/xvdk`, and so on).
 
 
-### What if I removed the device before detaching it from the VM? ###
+### What if I removed the device before detaching it from the VM? (R3.2) ###
 
 Currently (until issue [1082] gets implemented), if you remove the device
 before detaching it from the qube, Qubes OS (more precisely, `libvirtd`) will
@@ -219,7 +219,7 @@ steps:
 
         [user@dom0 ~]$ qvm-block
         sys-usb:sda DataTraveler_2.0 () 246 MiB (attached to 'testvm' as 'xvdi')
-        [user@dom0 ~]$ xl block-attach testvm phy:/dev/sda backend=sys-usb xvdi
+        [user@dom0 ~]$ sudo xl block-attach testvm phy:/dev/sda backend=sys-usb xvdi
 
     In above example, all `xl block-attach` parameters can be deduced from the
     output of `qvm-block`. In order:
@@ -260,7 +260,52 @@ you want to attach the USB device to.
 - Fedora: `sudo dnf install qubes-usb-proxy`
 - Debian/Ubuntu: `sudo apt-get install qubes-usb-proxy`
 
-### Usage of qubes-usb-proxy ###
+### Usage of qubes-usb-proxy (R4.0) ###
+
+This feature is also available from the Devices Widget. This is the tool tray
+icon with a yellow square located in the top right of your screen by default.
+Simply insert
+your USB device and click on the widget. You will see an entry for your device
+such as `sys-usb:2-5 - 058f_USB_2.0_Camera` for example.
+Hover over it.
+This will pop up a submenu showing running VMs to which the USB device can be connected.
+Click on one and your device will be attached! You may also use the command line:
+
+Listing available USB devices:
+
+    [user@dom0 ~]$ qvm-usb
+    sys-usb:2-4     04ca:300d 04ca_300d
+    sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
+    sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
+
+Attaching selected USB device:
+
+    [user@dom0 ~]$ qvm-usb attach conferences sys-usb:2-5
+    [user@dom0 ~]$ qvm-usb
+    conferences:2-1 058f:3822 058f_USB_2.0_Camera
+    sys-usb:2-4     04ca:300d 04ca_300d
+    sys-usb:2-5     058f:3822 058f_USB_2.0_Camera (attached to conferences)
+    sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
+
+Now, you can use your USB device (camera in this case) in the `conferences` qube.
+If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead,
+please refer to the [Installation Section][installation].
+
+When you finish, detach the device. This can be done in the GUI by
+clicking on the Devices Widget. You will see a bolded entry for your device
+such as `sys-usb:2-5 - 058f_USB_2.0_Camera` for example.
+Hover over it.
+This will pop up a submenu showing running VMs. The one which your device is
+connected to will have an Eject button next to it. Click that and your device
+will be detached. You may also use the command line:
+
+    [user@dom0 ~]$ qvm-usb detach sys-usb:2-5
+    [user@dom0 ~]$ qvm-usb
+    sys-usb:2-4     04ca:300d 04ca_300d
+    sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
+    sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
+    
+### Usage of qubes-usb-proxy (R3.2) ###
 
 Listing available USB devices:
 
@@ -290,7 +335,7 @@ When you finish, detach the device:
     sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
     sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
 
-This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our our Project Ideas [here][project-page].
+This feature is not available in Qubes Manager.
 
 Creating and Using a USB qube
 -----------------------------
@@ -494,8 +539,6 @@ sys-usb dom0 ask,default_target=dom0
 [1618]: https://github.com/QubesOS/qubes-issues/issues/1618
 [create a USB qube]: #creating-and-using-a-usb-qube
 [usb-challenges]: https://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html
-[project-page]: /gsoc/
-[gsoc-page]: https://summerofcode.withgoogle.com/organizations/6239659689508864/
 [YubiKey]: /doc/YubiKey/
 [Security Warning about USB Input Devices]: #security-warning-about-usb-input-devices
 [qubes-usb-proxy]: https://github.com/QubesOS/qubes-app-linux-usb-proxy

From eb61ae021255129b61ed3313eb2516032840196a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 30 Jan 2018 17:42:41 +0000
Subject: [PATCH 063/125] Add EFI, misc cleanup

---
 common-tasks/usb.md | 57 +++++++++++++++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 18 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 6206e327..96d1cdb3 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -292,14 +292,14 @@ If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead,
 please refer to the [Installation Section][installation].
 
 When you finish, detach the device. This can be done in the GUI by
-clicking on the Devices Widget. You will see a bolded entry for your device
-such as `sys-usb:2-5 - 058f_USB_2.0_Camera` for example.
+clicking on the Devices Widget. You will see an entry in bold for your device
+such as **`sys-usb:2-5 - 058f_USB_2.0_Camera`**.
 Hover over it.
 This will pop up a submenu showing running VMs. The one which your device is
 connected to will have an Eject button next to it. Click that and your device
 will be detached. You may also use the command line:
 
-    [user@dom0 ~]$ qvm-usb detach sys-usb:2-5
+    [user@dom0 ~]$ qvm-usb detach conferences sys-usb:2-5
     [user@dom0 ~]$ qvm-usb
     sys-usb:2-4     04ca:300d 04ca_300d
     sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
@@ -359,7 +359,7 @@ from the USB qube itself), either by using Qubes VM Manager or the command line
 (see instructions above). The USB controller may be assigned on the **Devices** tab of a
 qube's settings page in Qubes VM Manager or by using the
 [qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
-controller, see [here][usb-controller].)
+controller, see [here][usb-controller].
 You can create a USB qube using the management stack by performing the following
 steps as root in dom0:
 
@@ -419,12 +419,22 @@ will hang.
 
 The procedure to hide all USB controllers from dom0 is as follows:
 
-1. Open the file `/etc/default/grub` in dom0.
-2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
-3. Add `rd.qubes.hide_all_usb` to that line.
-4. Save and close the file.
-5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-6. Reboot.
+ * GRUB2
+
+ 1. Open the file `/etc/default/grub` in dom0.
+ 2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
+ 3. Add `rd.qubes.hide_all_usb` to that line.
+ 4. Save and close the file.
+ 5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
+ 6. Reboot.
+
+ * EFI
+ 
+ 1. Open the file `/boot/efi/EFI/qubes/xen.cfg` in dom0.
+ 2. Find the lines that begin with `kernel=`. There may be more than one.
+ 3. Add `rd.qubes.hide_all_usb` to those lines.
+ 4. Save and close the file.
+ 5. Reboot.
 
 (Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you
 opt to create a USB qube during installation. This also occurs automatically if
@@ -444,15 +454,26 @@ Removing a USB qube
 **Warning:** This procedure will result in your USB controller(s) being attached
 directly to dom0.
 
-1. Shut down the USB qube.
-2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
-3. Open the file `/etc/default/grub` in dom0.
-4. Find the line(s) that begins with `GRUB_CMDLINE_LINUX`.
-5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
-6. Save and close the file.
-7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-8. Reboot.
+ * GRUB2
+ 
+ 1. Shut down the USB qube.
+ 2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
+ 3. Open the file `/etc/default/grub` in dom0.
+ 4. Find the line(s) that begins with `GRUB_CMDLINE_LINUX`.
+ 5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
+ 6. Save and close the file.
+ 7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
+ 8. Reboot.
 
+ * EFI
+ 
+ 1. Shut down the USB qube.
+ 2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
+ 3. Open the file `/boot/efi/EFI/qubes/xen.cfg` in dom0.
+ 4. Find the line(s) that begins with `kernel=`.
+ 5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
+ 6. Save and close the file.
+ 7. Reboot.
 
 Security Warning about USB Input Devices
 ----------------------------------------

From b41c8bf4acef3c49461a7edbcc817789ae92c896 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Tue, 30 Jan 2018 20:41:56 -0600
Subject: [PATCH 064/125] Fix formatting

https://github.com/QubesOS/qubes-doc/pull/544
---
 configuration/vpn.md | 299 +++++++++++++++++++++----------------------
 1 file changed, 149 insertions(+), 150 deletions(-)

diff --git a/configuration/vpn.md b/configuration/vpn.md
index 475446d3..ff4b41c6 100644
--- a/configuration/vpn.md
+++ b/configuration/vpn.md
@@ -20,8 +20,8 @@ Please refer to your guest OS and VPN service documentation when considering the
 
 The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
 
--   You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
--   All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
+- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
+- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
 
 ### AppVM
 
@@ -33,26 +33,26 @@ One of the best unique features of Qubes OS is its special type of VM called a P
 
 Using a ProxyVM to set up a VPN client gives you the ability to:
 
--   Separate your VPN credentials from your NetVM.
--   Separate your VPN credentials from your AppVM data.
--   Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
+- Separate your VPN credentials from your NetVM.
+- Separate your VPN credentials from your AppVM data.
+- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
 
 Set up a ProxyVM as a VPN gateway using NetworkManager
 ------------------------------------------------------
 
-1.  Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
+1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
 
-    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
+   ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
 
-2.  Add the `network-manager` service to this new VM.
+2. Add the `network-manager` service to this new VM.
 
-    ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)
+   ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)
 
-3.  Set up your VPN as described in the NetworkManager documentation linked above.
+3. Set up your VPN as described in the NetworkManager documentation linked above.
 
-4.  Configure your AppVMs to use the new VM as a NetVM.
+4. Configure your AppVMs to use the new VM as a NetVM.
 
-    ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
+   ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
 
 5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
 
@@ -60,206 +60,206 @@ Set up a ProxyVM as a VPN gateway using NetworkManager
 Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
 ----------------------------------------------------------------
 
-This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
+This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted.
+It has been tested with Fedora 23 and Debian 8 templates.
 
 1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
 
-    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
+   ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
 
-    Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
+   Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features.
+   If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM...
+   Create a new one according to this step.
 
-    If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN.
+   If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding.
+   Disable any auto-starting service that comes with the software package.
+   For example for OpenVPN.
 
        sudo systemctl disable openvpn.service
 
-You may also wish to install `nano` or another simple text editor for entering the scripts below.
+   You may also wish to install `nano` or another simple text editor for entering the scripts below.
 
-2.  Set up and test the VPN client.
+2. Set up and test the VPN client.
+   Make sure the VPN VM and its TemplateVM is not running.
+   Run a terminal (CLI) in the VPN VM -- this will start the VM.
+   Then create a new `/rw/config/vpn` folder with.
 
-Make sure the VPN VM and its TemplateVM is not running.
+       sudo mkdir /rw/config/vpn
 
-Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with.
+   Copy your VPN config files to `/rw/config/vpn`.
+   Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification.
+   Otherwise you would have to replace the file name.
+   `openvpn-client.ovpn` contents:
 
-        sudo mkdir /rw/config/vpn
+      * Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
+      * Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
 
-Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents:
-
-Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
-
-Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
-
-The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
-
-Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
+   The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
+   Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
 
-Make sure it already includes or add:
+   Make sure it already includes or add:
 
        redirect-gateway def1
 
-The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add:
+   The VPN client may not be able to prompt you for credentials when connecting to the server.
+   Create a file in the `/rw/config/vpn` folder with your credentials and using a directive.
+   For example for OpenVPN, add:
 
-      auth-user-pass pass.txt
+       auth-user-pass pass.txt
 
- Save file `/rw/config/vpn/openvpn-client.ovpn`.
+   Save file `/rw/config/vpn/openvpn-client.ovpn`.
+   Make sure a `/rw/config/vpn/pass.txt` file actually exists.
 
- Make sure a `/rw/config/vpn/pass.txt` file actually exists.
+       sudo nano /rw/config/vpn/pass.txt
 
-      sudo nano /rw/config/vpn/pass.txt
+   Add:
 
- Add:
+       username
+       password
 
-        username
-        password
+   Replace `username` and `password` with your actual username and password.
 
- Replace `username` and `password` with your actual username and password.
-
- __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
+   **Test your client configuration:**
+   Run the client from a CLI prompt in the 'vpn' folder, preferably as root.
+   For example:
 
        sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
 
-Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
+   Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
 
        ping 8.8.8.8
 
-`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
+   `ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
+   DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete).
+   Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
+   Proceed to the next step when you're sure the basic VPN connection is working.
 
-DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
+3. Create the DNS-handling script.
 
-Proceed to the next step when you're sure the basic VPN connection is working.
+       sudo nano /rw/config/vpn/qubes-vpn-handler.sh
 
-3.  Create the DNS-handling script.
+   Edit and add:
 
-        sudo nano /rw/config/vpn/qubes-vpn-handler.sh
+   ~~~
+   #!/bin/bash
+   set -e
+   export PATH="$PATH:/usr/sbin:/sbin"
+  
+   case "$1" in
+  
+   up)
+   # To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
+   # Format is 'X.X.X.X  Y.Y.Y.Y [...]'
+   if [[ -z "$vpn_dns" ]] ; then
+       # Parses DHCP foreign_option_* vars to automatically set DNS address translation:
+       for optionname in ${!foreign_option_*} ; do
+           option="${!optionname}"
+           unset fops; fops=($option)
+           if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
+       done
+   fi
+  
+   iptables -t nat -F PR-QBS
+   if [[ -n "$vpn_dns" ]] ; then
+       # Set DNS address translation in firewall:
+       for addr in $vpn_dns; do
+           iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
+           iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
+       done
+       su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
+   else
+       su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
+   fi
+  
+   ;;
+   down)
+   su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
+   ;;
+   esac
+   ~~~
 
- Edit and add:
-
-    ~~~
-    #!/bin/bash
-    set -e
-    export PATH="$PATH:/usr/sbin:/sbin"
-
-    case "$1" in
-
-    up)
-	# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
-	# Format is 'X.X.X.X  Y.Y.Y.Y [...]'
-	if [[ -z "$vpn_dns" ]] ; then
-		# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
-		for optionname in ${!foreign_option_*} ; do
-			option="${!optionname}"
-			unset fops; fops=($option)
-			if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
-		done
-	fi
-
-	iptables -t nat -F PR-QBS
-	if [[ -n "$vpn_dns" ]] ; then
-		# Set DNS address translation in firewall:
-		for addr in $vpn_dns; do
-			iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
-			iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
-		done
-		su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
-	else
-		su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
-	fi
-
-	;;
-    down)
-	su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
-	;;
-    esac
-    ~~~
-
-Save the script.
-
-Make it executable.
+   Save the script.
+   Make it executable.
 
        sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
 
-4.  Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
+4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
 
        sudo nano /rw/config/vpn/openvpn-client.ovpn
 
- Add the following.
+   Add the following.
 
-    ~~~
-    script-security 2
-    up 'qubes-vpn-handler.sh up'
-    down 'qubes-vpn-handler.sh down'
-    ~~~
+       script-security 2
+       up 'qubes-vpn-handler.sh up'
+       down 'qubes-vpn-handler.sh down'
 
-Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
+   Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
+   Save the script.
+   **Restart the client and test the connection again** ...this time from an AppVM!
 
-Save the script.
-
-**Restart the client and test the connection again** ...this time from an AppVM!
-
-5.  Set up iptables anti-leak rules.
-
-    Edit the firewall script.
+5. Set up iptables anti-leak rules.
+   Edit the firewall script.
 
        sudo nano /rw/config/qubes-firewall-user-script
 
-Clear out the existing lines and add:
+   Clear out the existing lines and add:
 
-	~~~
-	#!/bin/bash
-	#    Block forwarding of connections through upstream network device
-	#    (in case the vpn tunnel breaks):
-	iptables -I FORWARD -o eth0 -j DROP
-	iptables -I FORWARD -i eth0 -j DROP
-
-	#    Block all outgoing traffic
-	iptables -P OUTPUT DROP
-	iptables -F OUTPUT
-	iptables -I OUTPUT -o lo -j ACCEPT
-
-	#    Add the `qvpn` group to system, if it doesn't already exist
-    if ! grep -q "^qvpn:" /etc/group ; then
+   ~~~
+   #!/bin/bash
+   #    Block forwarding of connections through upstream network device
+   #    (in case the vpn tunnel breaks):
+   iptables -I FORWARD -o eth0 -j DROP
+   iptables -I FORWARD -i eth0 -j DROP
+   
+   #    Block all outgoing traffic
+   iptables -P OUTPUT DROP
+   iptables -F OUTPUT
+   iptables -I OUTPUT -o lo -j ACCEPT
+   
+   #    Add the `qvpn` group to system, if it doesn't already exist
+   if ! grep -q "^qvpn:" /etc/group ; then
         groupadd -rf qvpn
         sync
-    fi
-    sleep 2s
+   fi
+   sleep 2s
+   
+   #    Allow traffic from the `qvpn` group to the uplink interface (eth0);
+   #    Our VPN client will run with group `qvpn`.
+   iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
+   ~~~
 
-	#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
-	#    Our VPN client will run with group `qvpn`.
-    iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
-    ~~~
-
-Save the script.
-
-Make it executable.
+   Save the script.
+   Make it executable.
 
        sudo chmod +x /rw/config/qubes-firewall-user-script
 
-5.  Set up the VPN's autostart.
+5. Set up the VPN's autostart.
 
        sudo nano /rw/config/rc.local
 
-Clear out the existing lines and add:
+   Clear out the existing lines and add:
 
-    ~~~
-    #!/bin/bash
-    VPN_CLIENT='openvpn'
-    VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
+   ~~~
+   #!/bin/bash
+   VPN_CLIENT='openvpn'
+   VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
+   
+   su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
+   groupadd -rf qvpn ; sleep 2s
+   sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
+   ~~~
 
-    su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
-    groupadd -rf qvpn ; sleep 2s
-    sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
-    ~~~
-
-If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
-
-Save the script.
-
-Make it executable.
+   If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
+   Save the script.
+   Make it executable.
 
        sudo chmod +x /rw/config/rc.local`
 
-6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
+6. Restart the new VM!
+   The link should then be established automatically with a popup notification to that effect.
+
 
 Usage
 -----
@@ -268,14 +268,13 @@ Configure your AppVMs to use the VPN VM as a NetVM...
 
 ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
 
-
 If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
 Then, configure AppVMs to use your new FirewallVM as their NetVM.
 
 If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
 You can do this in the Services tab in Qubes VM Manager or on the command-line:
 
-    $ qvm-service -e <name> qubes-updates-proxy
+    qvm-service -e <name> qubes-updates-proxy
 
 Then, configure your templates to use your new FirewallVM as their NetVM.
 

From e5e2aa78098155f1c088c0fbe0bd09057c682491 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 31 Jan 2018 12:36:25 +0000
Subject: [PATCH 065/125] Update usb.md

---
 common-tasks/usb.md | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 96d1cdb3..4c2d7e18 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -361,15 +361,9 @@ qube's settings page in Qubes VM Manager or by using the
 [qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
 controller, see [here][usb-controller].
 You can create a USB qube using the management stack by performing the following
-steps as root in dom0:
+as root in dom0:
 
- 1. Enable `sys-usb`:
-
-        sudo qubesctl top.enable qvm.sys-usb
-
- 2. Apply the configuration:
-
-        sudo qubesctl state.sls qvm.sys-usb
+    sudo qubesctl state.sls qvm.sys-usb
 
 Alternatively, you can create a USB qube manually as follows:
 

From cd5acfea81f5e921f77c28fd1c68ffe979471cdd Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 31 Jan 2018 13:35:12 +0000
Subject: [PATCH 066/125] templates 4.0 updates

Add 4.0 and split out version specific content
---
 managing-os/templates.md | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/managing-os/templates.md b/managing-os/templates.md
index 3189aa57..b936c7e3 100644
--- a/managing-os/templates.md
+++ b/managing-os/templates.md
@@ -45,7 +45,23 @@ By installing these templates, you are trusting not only ITL and the distributio
 * [Archlinux](/doc/templates/archlinux/)
 
 
-Important Notes
+Important Notes (R4.0)
+---------------
+
+ * Whenever a TemplateBasedVM is created, the contents of the `/home`
+   directory of its parent TemplateVM are *not* copied to the child TemplateBasedVM's
+   `/home`. The child TemplateBasedVM's `/home`
+   is always independent from its parent TemplateVM's `/home`, which means that any
+   subsequent changes to the parent TemplateVM's `/home` will not affect
+   the child TemplateBasedVM's `/home`.
+   
+ * Template VMs are created in a thin pool, making `qvm-trim-template`
+   no longer necessary.
+
+   The root filesystems in Standalone VMs can employ
+   TRIM/discard on the root fs using normal tools and configuration options.
+
+Important Notes (R3.2 and earlier)
 ---------------
 
  * Whenever a TemplateBasedVM is created, the contents of the `/home`
@@ -54,6 +70,16 @@ Important Notes
    is independent from its parent TemplateVM's `/home`, which means that any
    subsequent changes to the parent TemplateVM's `/home` will no longer affect
    the child TemplateBasedVM's `/home`.
+   
+ * Template VMs can occupy more space on the dom0 filesystem than necessary
+   because they cannot employ automatic TRIM/discard on the root fs. The
+   `qvm-trim-template` command in dom0 is used to recover this unused space.
+
+   Conversely, the root filesystems in Standalone VMs *can* employ
+   TRIM/discard on the root fs using normal tools and configuration options.
+   
+Important Notes (all versions)
+---------------
 
  * Once a TemplateBasedVM has been created, any changes in its `/home`,
    `/usr/local`, or `/rw/config` directories will be persistent across reboots,
@@ -71,18 +97,11 @@ Important Notes
    update a template from dom0 (and thereby lose any user modifications in the
    existing template), you must first uninstall the existing template from dom0:
 
-       $ sudo yum remove qubes-template-fedora-25
+       $ sudo dnf remove qubes-template-fedora-25
 
  * Standalone VMs using Template VMs as a basis can be created easily. These
    VMs receive a *copy* of the operating system and do not get automatically
    updated when Template VMs are updated--they must be updated individually.
-   
- * Template VMs can occupy more space on the dom0 filesystem than necessary
-   because they cannot employ automatic TRIM/discard on the root fs. The
-   `qvm-trim-template` command in dom0 is used to recover this unused space.
-
-   Conversely, the root filesystems in Standalone VMs *can* employ
-   TRIM/discard on the root fs using normal tools and configuration options.
  
  * On XFCE based Dom0, a manual action may be required to remove the "Start Menu"
    sub-menu of the removed TemplateVM. For example, to remove a dangling sub-menu

From 80149fc0b9fdc0dd74ecf833a4c34b0a8ac32d70 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 31 Jan 2018 14:20:24 +0000
Subject: [PATCH 067/125] hvm 4.0rc4 updates

---
 managing-os/hvm.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 8d27c51b..fc095ce2 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -17,8 +17,14 @@ What are HVM domains?
 
 HVM domains (Hardware VM), in contrast to PV domains (Paravirtualized domains), allow one to create domains based on any OS for which one has an installation ISO.  For example, this allows one to have Windows-based VMs in Qubes.
 
-Interested readers might want to check [this article](https://blog.invisiblethings.org/2012/03/03/windows-support-coming-to-qubes.html) to learn why it took so long for Qubes OS to support HVM domains (Qubes 1 only supported Linux based PV domains). As of
-Qubes 4, every VM is HVM by default ([see here](https://blog.invisiblethings.org/2017/07/31/qubes-40-rc1.html)).
+Interested readers might want to check
+[this article](https://blog.invisiblethings.org/2012/03/03/windows-support-coming-to-qubes.html)
+to learn why it took so long for Qubes OS to support HVM domains
+(Qubes 1 only supported Linux based PV domains). As of
+Qubes 4, every VM is PVH by default, except those with attached PCI devices which are HVM.
+[See here](https://blog.invisiblethings.org/2017/07/31/qubes-40-rc1.html) for a discussion
+of the switch to HVM from R3.2's PV, and [here](https://www.qubes-os.org/news/2018/01/11/qsb-37/)
+for changing the default to PVH.
 
 Creating an HVM domain
 ----------------------

From 199359538fc13e6107aa3d367e9c69b73dbadaa3 Mon Sep 17 00:00:00 2001
From: Yassine Ilmi <yilmi@users.noreply.github.com>
Date: Wed, 31 Jan 2018 22:44:03 +0000
Subject: [PATCH 068/125] Precised part number and iso update procedure

As per @marmarek comments specify that EFI part is #2 and added procedure to edit iso using losetup
---
 troubleshooting/uefi-troubleshooting.md | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/troubleshooting/uefi-troubleshooting.md b/troubleshooting/uefi-troubleshooting.md
index a5f74ca1..e36e28ad 100644
--- a/troubleshooting/uefi-troubleshooting.md
+++ b/troubleshooting/uefi-troubleshooting.md
@@ -10,15 +10,19 @@ Troubleshooting UEFI related problems
 Change installer kernel parameters in UEFI
 ---------------------
 
-If you've installed successfully in legacy mode but had to change some kernel parameters for it to work, you should try installing in UEFI with the same kernel parameters.
+If you've installed successfully in legacy mode but had to change some kernel parameters for it to work, you should try installing in UEFI mode with the same parameters.
 
-Change the `xen.cfg` on a USB media
-
-01. Attach the usb disk, find the EFI partition and mount it
-02. Edit your xen.cfg changing the `kernel` key to add your kernel parameters on the boot entry of your choice
+**Change the xen configuration on a USB media**
+01. Attach the usb disk, mount the EFI partition (second partition available on the disk) 
+02. Edit your xen config (`xen.cfg/BOOTX64.cfg`) changing the `kernel` key to add your kernel parameters on the boot entry of your choice
 03. Install using your modified boot entry
 
-You can also update an iso image, use `losetup` to isolate the EFI partition and mount it.
+**Change xen configuration directly in an iso image**
+01. Get EFI partition boundaries `parted Qubes-R4.0-rc4-x86_64.iso unit B print`
+02. Using the start address and the size of the EFI partition, setup a loop device for it `sudo losetup -o 524288 --sizelimit 30562304 /dev/loop0 Qubes-R4.0-rc4-x86_64.iso`
+03. Mount the loop device `sudo mount /dev/loop0 /mnt`
+04. Edit `EFI/BOOT/BOOTX64.cfg` to add your params to the `kernel` configuration key
+05. Save your changes, unmount and dd to usb device
 
 
 Cannot start installation, installation completes successfully but then BIOS loops at boot device selection, hangs at four penguins after choosing "Test media and install Qubes OS" in GRUB menu

From 27052b83a67428eae37f9e719df824344c06e662 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Wed, 31 Jan 2018 22:31:03 -0600
Subject: [PATCH 069/125] Improve organization, clarify procedure, and clean up
 source

---
 basics_user/reporting-bugs.md | 103 +++++++++++++++++-----------------
 1 file changed, 51 insertions(+), 52 deletions(-)

diff --git a/basics_user/reporting-bugs.md b/basics_user/reporting-bugs.md
index 7cd31084..8fb9ca63 100644
--- a/basics_user/reporting-bugs.md
+++ b/basics_user/reporting-bugs.md
@@ -16,71 +16,65 @@ redirect_from:
 Reporting Bugs
 ==============
 
-One of the most important ways in which you can [contribute to the Qubes OS Project] is by reporting any bugs you have found. 
-Please note that there is a separate process for [reporting security issues](/security/).
+One of the most important ways in which you can [contribute to the Qubes OS Project] is by reporting any bugs you have found.
 
 
-Before you submit a report
---------------------------
+Important
+---------
 
-Before you submit a bug report, please take a moment to:
-
- * Check whether your issue has already been reported.
- 
- * Determine which venue is most appropriate for it.
-
- * Read the [documentation] to see whether what you've found is really a bug.
-
- * Search through the existing [Qubes issues][qubes-issues] by typing your key
-   words in the **Filters** box. Make sure to check both currently open issues,
-   as well as issues that are already closed. If you find an issue that seems to
-   be similar to yours, read through it. If this issue is the same as yours, you
-   can comment with additional information to help the maintainer debug it.
-   Adding a comment will subscribe you to email notifications, which can be
-   helpful in getting important updates regarding the issue. If you don't have
-   anything to add but still want to receive email updates, you can click the
-   "watch" button at the bottom of the comments.
-
- * Search through our [mailing list] archives by visiting the Google Groups web
-   interfaces for both [qubes-users] and [qubes-devel].
+- **To disclose a security issue confidentially, please see the [Security] page.**
+- **In all other cases, please do not email individual developers about bugs.**
+- **Please note that many issues can be resolved by reading the [documentation].**
 
 
 Where to submit your report
 ---------------------------
 
-Our [GitHub issues][qubes-issues] tracker is not intended for personal,
-localized troubleshooting questions, such as problems that affect only a
-specific laptop model. Those questions are more likely to be answered in
-[qubes-users], which receives much more traffic. Instead, GitHub issues are
-meant to track more general bugs and enhancements that affect a broad range of
-Qubes users.
-
-
-How to copy information out of Dom0
------------------------------------
-
-See [Copying from (and to) dom0](/doc/copy-from-dom0/).
-
-
-How to submit a report on the mailing lists
--------------------------------------------
-
-Please see the [mailing list guidelines][mailing list].
+All issues pertaining to the Qubes OS Project (including auxiliary infrastructure such as the [website]) are tracked in [qubes-issues], our GitHub issues tracker.
+However, [qubes-issues] is not intended for personal, localized troubleshooting questions, such as problems that affect only a specific laptop model.
+Those questions should instead be asked in [qubes-users], where they are more likely to be answered.
+Instead, [qubes-issues] is meant for tracking more general bugs and enhancements that affect a broad range of Qubes users.
+Please see the sections [How to submit a report on GitHub] and [How to submit a report on the mailing lists] below for more information.
 
 
 How to submit a report on GitHub
 --------------------------------
 
-We track all bugs in the [qubes-issues] tracker on GitHub.
+**Before you submit an issue in [qubes-issues], please check to see whether it has already been reported.**
+Search through the existing issues by typing your key words in the **Filters** box.
+Make sure to check both currently open issues, as well as issues that are already closed.
+If you find an issue that seems to be similar to yours, read through it.
+If this issue is the same as yours, you can comment with additional information to help the maintainer debug it.
+Adding a comment will subscribe you to email notifications, which can be helpful in getting important updates regarding the issue.
+If you don't have anything to add but still want to receive email updates, you can click the "watch" button at the bottom of the comments.
 
-When you file a new issue, you should be sure to include the version of Qubes
-your'e using, as well as versions of related software packages. If your issue is
-related to hardware, provide as many details as possible about the hardware,
-which could include using command-line tools such as `lspci`.
+When you file a new issue, you should be sure to include the version of Qubes you're using, as well as versions of related software packages.
+If your issue is related to hardware, provide as many details as possible about the hardware, which could include using command-line tools such as `lspci`.
 If you're reporting a bug in a package that is in a [testing] repository, please reference the appropriate issue in the [updates-status] repository.
+Project maintainers really appreciate thorough explanations.
+It usually helps them address the problem more quickly, so everyone wins!
 
-Project maintainers really appreciate thorough explanations. It usually
-helps them address the problem more quickly, so everyone wins!
+Once your issue is addressed, your GitHub issue may be closed.
+After that, the package containing the fix will move to the appropriate [testing] repository, then to the appropriate stable repository.
+If you so choose, you can test the fix while it's in the [testing] repository, or you can wait for it to land in the stable repository.
+If, after testing the fix, you find that it does not really fix your bug, please leave a comment on your issue explaining the situation.
+When you do, we will receive a notification and respond on your issue or reopen it (or both).
+Please **do not** create a duplicate issue or attempt to contact the developers individually about your problem.
+
+
+How to submit a report on the mailing lists
+-------------------------------------------
+
+Before submitting a report on the mailing lists, please check to see whether your issue has already been reported by searching through the archives.
+You can do this by visiting the Google Groups web interfaces for both [qubes-users] and [qubes-devel].
+Please see the [Mailing Lists] page for further information.
+
+
+How to copy information out of dom0
+-----------------------------------
+
+Copying information out of dom0 can be useful when reporting bugs.
+See [Copying from (and to) dom0] for more information.
 
 
 Testing new releases and updates
@@ -96,12 +90,17 @@ Please see our guidelines on [how to contribute code].
 
 
 [contribute to the Qubes OS Project]: /doc/contributing/
+[Security]: /security/
 [documentation]: /doc/
+[website]: /
 [qubes-issues]: https://github.com/QubesOS/qubes-issues/issues
-[mailing list]: https://www.qubes-os.org/mailing-lists/
-[qubes-users]: https://groups.google.com/group/qubes-users
-[qubes-devel]: https://groups.google.com/group/qubes-devel
+[Mailing List]: /mailing-lists/
+[qubes-users]: /mailing-lists/#qubes-users
+[qubes-devel]: /mailing-lists/#qubes-devel
+[How to submit a report on GitHub]: #how-to-submit-a-report-on-github
+[How to submit a report on the mailing lists]: #how-to-submit-a-report-on-the-mailing-lists
 [testing]: /doc/testing/
 [updates-status]: https://github.com/QubesOS/updates-status/issues
+[Copying from (and to) dom0]: /doc/copy-from-dom0/
 [how to contribute code]: /doc/contributing/#contributing-code
 

From fb7952840e001711554a58da107abb06e3b3c9cb Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Wed, 31 Jan 2018 22:40:01 -0600
Subject: [PATCH 070/125] Clarify language, improve links, and clean up source

---
 security-info/security.md | 53 +++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 19 deletions(-)

diff --git a/security-info/security.md b/security-info/security.md
index b44c2136..323774c0 100644
--- a/security-info/security.md
+++ b/security-info/security.md
@@ -17,38 +17,53 @@ redirect_from:
 Qubes OS Project Security Center
 ================================
 
--   [Security FAQ](/faq/#general--security)
--   [Security Goals](/security/goals/)
--   [Security Pack](/security/pack/)
--   [Security Bulletins](/security/bulletins/)
--   [Canaries](/security/canaries/)
--   [Xen Security Advisory (XSA) Tracker](/security/xsa/)
--   [Why and How to Verify Signatures](/security/verifying-signatures/)
--   [PGP Keys](https://keys.qubes-os.org/keys/)
+- [Security FAQ]
+- [Security Goals]
+- [Security Pack]
+- [Security Bulletins]
+- [Canaries]
+- [Xen Security Advisory (XSA) Tracker]
+- [Why and How to Verify Signatures]
+- [PGP Keys]
+
 
 Reporting Security Issues in Qubes OS
 -------------------------------------
 
 If you believe you have found a security issue affecting Qubes OS, either directly or indirectly (e.g. the issue affects Xen in a configuration that is used in Qubes OS), then we would be more than happy to hear from you!
+We promise to treat any reported issue seriously and, if the investigation confirms that it affects Qubes, to patch it within a reasonable time and release a public [Qubes Security Bulletin][Security Bulletins] that describes the issue, discusses the potential impact of the vulnerability, references applicable patches or workarounds, and credits the discoverer.
 
-We promise to treat any reported issue seriously and, if the investigation confirms it affects Qubes, to patch it within a reasonable time, release a public Security Bulletin that describes the issue, discuss potential impact of the vulnerability, reference applicable patches or workarounds, and credit the discoverer.
-
-The list of all Qubes Security Advisories published so far can be found [here](/security/bulletins/).
 
 The Qubes Security Team
 -----------------------
 
-The Qubes Security Team can be contacted via email using the following address:
+The Qubes Security Team can be contacted via email at the following address:
 
-~~~
-security at qubes-os dot org
-~~~
+    security at qubes-os dot org
 
-### Qubes Security Team GPG Key ###
 
-Please use [this GPG key](https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc) to encrypt any emails sent to this address. Like all GPG keys used by the Qubes project, this key is signed by the Qubes Master key. Please see [this page](/security/verifying-signatures/) for more information on how to verify the keys.
+### Security Team PGP Key ###
+
+Please use the [Security Team PGP Key] to encrypt all emails sent to this address.
+This key is signed by the [Qubes Master Signing Key].
+Please see [Why and How to Verify Signatures] for information about how to verify these keys.
 
 ### Members of the Security Team ###
 
--   Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
--   Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+- [Joanna Rutkowska]
+- [Marek Marczykowski-Górecki]
+
+
+[Security FAQ]: /faq/#general--security
+[Security Goals]: /security/goals/
+[Security Pack]: /security/pack/
+[Security Bulletins]: /security/bulletins/
+[Canaries]: /security/canaries/
+[Xen Security Advisory (XSA) Tracker]: /security/xsa/
+[Why and How to Verify Signatures]: /security/verifying-signatures/
+[PGP Keys]: https://keys.qubes-os.org/keys/
+[Security Team PGP Key]: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
+[Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
+[Joanna Rutkowska]: /team/#joanna-rutkowska
+[Marek Marczykowski-Górecki]: /team/#marek-marczykowski-górecki
+

From 922340303e71cbddebfcee31ae4846374d360300 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Thu, 1 Feb 2018 14:59:45 +0000
Subject: [PATCH 071/125] security-guidelines 4.0 update

yum -> dnf
Replace R3.x specific description of treatment of template's home directory with link to /doc/template
---
 security/security-guidelines.md | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/security/security-guidelines.md b/security/security-guidelines.md
index cf712f13..1d143600 100644
--- a/security/security-guidelines.md
+++ b/security/security-guidelines.md
@@ -32,7 +32,7 @@ See the page on [Verifying Signatures](https://www.qubes-os.org/security/verifyi
 Once you have Qubes installed, the standard program installation command for Fedora and Qubes repositories
 
 ~~~
-sudo yum install <program>
+sudo dnf install <program>
 ~~~
 
 automatically accomplishes this verification. 
@@ -93,7 +93,7 @@ sudo qubes-dom0-update
 and run in templates and standalone VM
 
 ~~~
-sudo yum update
+sudo dnf update
 ~~~
 
 or use the equivalent items in Qubes Manager, which displays an icon when an update is available.
@@ -154,12 +154,6 @@ As explained [here](/getting-started/#appvms-qubes-and-templatevms), dom0 should
 TemplateBasedVM Directories
 ---------------------------
 
- * Whenever a TemplateBasedVM is created, the contents of its `/home`
-   directory is copied from its parent TemplateVM. From that point onward, the child TemplateBasedVM's `/home`
-   is independent from its parent TemplateVM's `/home`, which means that any
-   subsequent changes to the parent TemplateVM's `/home` will no longer affect
-   the child TemplateBasedVM's `/home`.
-
  * Once a TemplateBasedVM has been created, any changes in its `/home`,
    `/usr/local`, or `/rw/config` directories will be persistent across reboots,
    which means that any files stored there will still be available after
@@ -167,3 +161,6 @@ TemplateBasedVM Directories
    TemplateBasedVMs persist in this manner. If you would like to make changes
    in other directories which *do* persist in this manner, you must make those
    changes in the parent TemplateVM.
+   
+ * See [here](/doc/templates) for more detail and version specific information.
+ 

From 2f523a8d8343d131b921a87e46b57a17d84c8271 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Fri, 2 Feb 2018 00:32:22 +0100
Subject: [PATCH 072/125] 4.0 release notes: add link to upgrade instruction

---
 releases/4.0/release-notes.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index aed5bc95..8119b4b7 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -58,6 +58,7 @@ Upgrading
 There is no in-place upgrade path from earlier Qubes versions. The only
 supported option to upgrade to Qubes R4.0 is to install it from scratch and use
 [qubes backup and restore tools][backup] for migrating of all of the user VMs.
+We also provide [detailed instruction][upgrade-to-r4.0] for this procedure.
 
 
 [backup]: /doc/backup-restore/
@@ -77,3 +78,4 @@ supported option to upgrade to Qubes R4.0 is to install it from scratch and use
 [qsb-24]: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt
 [backup-format]: /doc/backup-emergency-restore-v4/
 [api-doc]: https://dev.qubes-os.org/projects/qubes-core-admin/en/latest/
+[upgrade-to-r4.0]: https://www.qubes-os.org/doc/upgrade-to-r4.0/

From 9801e192db18702585ae7332693b90c1bb139fd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Fri, 2 Feb 2018 01:03:44 +0100
Subject: [PATCH 073/125] USB: USB keyboard usage, including LUKS passphrase

---
 common-tasks/usb.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 4c2d7e18..18f82500 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -494,6 +494,24 @@ How to use a USB keyboard
 
 **Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
 
+If you use USB keyboard, automatic USB qube creation during installation is disabled.
+Additional steps are required to avoid locking you out from the system.
+Those steps are not performed by default, because of risk explained in [Security Warning about USB Input Devices].
+
+### R4.0, using salt ###
+
+To allow USB keyboard usage (including early boot for LUKS passphrase), execute in dom0:
+
+    sudo qubesctl state.sls qvm.usb-keyboard
+
+The above command will take care of all required configuration, including creating USB qube if not present.
+Note that it will expose dom0 to USB devices while entering LUKS passphrase.
+Users are advised to physically disconnect other devices from the system for that time, to minimize the risk.
+
+If you wish to perform only subset of this configuration (for example do not enable USB keyboard during boot), see manual instructions below.
+
+### R3.2, manual ###
+
 In order to use a USB keyboard, you must first attach it to a USB qube, then give that qube permission to pass keyboard input to dom0.
 Edit the `qubes.InputKeyboard` policy file in dom0, which is located here:
 
@@ -512,6 +530,9 @@ For a confirmation dialog each time the USB keyboard is connected, change this l
 sys-usb dom0 ask,default_target=dom0
 ```
 
+Additionally, if you want to use USB keyboard to enter LUKS passphrase, it is incompatible with [hiding USB controllers from dom0][How to hide all USB controllers from dom0].
+You need to revert that procedure (remove `rd.qubes.hide_all_usb` option from files mentioned there) and employ alternative protection during system boot - disconnect other devices during startup.
+
 How to use a USB mouse
 ----------------------
 
@@ -556,4 +577,5 @@ sys-usb dom0 ask,default_target=dom0
 [usb-challenges]: https://blog.invisiblethings.org/2011/05/31/usb-security-challenges.html
 [YubiKey]: /doc/YubiKey/
 [Security Warning about USB Input Devices]: #security-warning-about-usb-input-devices
+[How to hide all USB controllers from dom0]: #how-to-hide-all-usb-controllers-from-dom0
 [qubes-usb-proxy]: https://github.com/QubesOS/qubes-app-linux-usb-proxy

From 9e144a3154cc1a6a23eafcd9c0277dae65d830b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Fri, 2 Feb 2018 01:27:11 +0100
Subject: [PATCH 074/125] usb keyboard: add note about updating dom0 first

---
 common-tasks/usb.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 18f82500..c3ef3d60 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -500,7 +500,7 @@ Those steps are not performed by default, because of risk explained in [Security
 
 ### R4.0, using salt ###
 
-To allow USB keyboard usage (including early boot for LUKS passphrase), execute in dom0:
+To allow USB keyboard usage (including early boot for LUKS passphrase), make sure you have the latest `qubes-mgmt-salt-dom0-virtual-machines` package (simply [install dom0 updates][dom0-updates]) and execute in dom0:
 
     sudo qubesctl state.sls qvm.usb-keyboard
 
@@ -579,3 +579,4 @@ sys-usb dom0 ask,default_target=dom0
 [Security Warning about USB Input Devices]: #security-warning-about-usb-input-devices
 [How to hide all USB controllers from dom0]: #how-to-hide-all-usb-controllers-from-dom0
 [qubes-usb-proxy]: https://github.com/QubesOS/qubes-app-linux-usb-proxy
+[dom0-updates]: /doc/software-update-dom0/#how-to-update-software-in-dom0

From 80179d4481f5552a01b449f0a6138141dcef6272 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Thu, 1 Feb 2018 23:35:35 -0600
Subject: [PATCH 075/125] Improve 4.0 upgrade instructions regarding
 TemplateVMs

Fixes QubesOS/qubes-issues#3514
---
 installing/upgrade/upgrade-to-r4.0.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/installing/upgrade/upgrade-to-r4.0.md b/installing/upgrade/upgrade-to-r4.0.md
index 650965f6..b3771760 100644
--- a/installing/upgrade/upgrade-to-r4.0.md
+++ b/installing/upgrade/upgrade-to-r4.0.md
@@ -84,18 +84,19 @@ Restore from your backup
 4. Go to **Qubes menu -> System Tools -> Qubes Manager** to start it.
 
 5. Follow the **Restoring from a Backup** section in the [Backup, Restoration, and Migration](/doc/backup-restore/) guide.
-   It is cleanest to restore only the [AppVMs](/doc/glossary/#appvm) and [StandaloneVMs](/doc/glossary/#standalonevm) from R3.2, so it is recommended not to select any **sys-** or templates to restore unless you've heavily customized them.
-   If the restore tool complains about missing templates, you can select the option to restore the AppVMs anyways, then change them after restore to use one of the default R4.0 templates.
+   We recommend that you restore only your [TemplateBasedVMs](/doc/glossary/#templatebasedvm) and [StandaloneVMs](/doc/glossary/#standalonevm) from R3.2.
+   Using [TemplateVMs](/doc/templates/) and [SystemVMs](/doc/glossary/#systemvm) from R3.2 is not fully supported (see [#3514](https://github.com/QubesOS/qubes-issues/issues/3514)).
+   Instead, we recommend using the TemplateVMs that were created specifically for R4.0, which you can [customize](/doc/software-update-vm/) according to your needs.
+   For the TemplateVM OS versions supported in R4.0, see [Supported Versions](/doc/supported-versions/#templatevms).
+   If the restore tool complains about missing templates, you can select the option to restore the AppVMs anyway, then change them afterward to use one of the default R4.0 templates.
 
 
 Upgrade all Template and Standalone VM(s)
 -----------------------------------------
 
-By default, in Qubes R4.0, there are few [TemplateVMs](/doc/templates/) and no [StandaloneVMs](/doc/glossary/#standalonevm).
-However, users are free to create StandaloneVMs.
-More information on using multiple TemplateVMs, as well as StandaloneVMs, can be found [here](/doc/software-update-vm/).
-We strongly recommend that you upgrade **all** TemplateVMs and StandaloneVMs.
-Please consult the guides below for specific instructions:
+We strongly recommend that you update **all** TemplateVMs and StandaloneVMs before use so that you have the latest security patches from upstream distributions.
+In addition, if the default templates have reached EOL (end-of-life) by the time you install R4.0, we strongly recommend that you upgrade them before use.
+Please see [Supported Versions](/doc/supported-versions/) for information on supported OS versions and consult the guides below for specific upgrade instructions:
 
  * [Upgrading Fedora TemplateVMs](/doc/templates/fedora/#upgrading)
  * [Upgrading Debian TemplateVMs](/doc/templates/debian/#upgrading)

From 6a631651d6403938cb16dc7d7388a56f8891036e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 2 Feb 2018 13:06:10 +0000
Subject: [PATCH 076/125] firewall 4.0 updates

---
 security/firewall.md | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/security/firewall.md b/security/firewall.md
index fa908a33..8285278b 100644
--- a/security/firewall.md
+++ b/security/firewall.md
@@ -32,6 +32,11 @@ Manager and press the "firewall" button:
 
 ![r2b1-manager-firewall.png](/attachment/wiki/QubesFirewall/r2b1-manager-firewall.png)
 
+*R4.0 note:* ICMP and DNS are no longer accessible in the GUI, but can be changed
+via `qvm-firewall` described below. Connections to Updates Proxy are no longer made
+over network so can not be allowed or blocked with firewall rules
+(see [R4.0 Updates proxy](https://www.qubes-os.org/doc/software-update-vm/) for more detail.
+
 Note that if you specify a rule by DNS name it will be resolved to IP(s)
 *at the moment of applying the rules*, and not on the fly for each new
 connection. This means it will not work for servers using load balancing. More
@@ -52,7 +57,28 @@ by putting appropriate rules in `/rw/config`. See [below](#where-to-put-firewall
 In complex cases, it might be appropriate to load a ruleset using `iptables-restore`
 called from `/rw/config/rc.local`.
 
-Reconnecting VMs after a NetVM reboot
+Reconnecting VMs after a NetVM reboot (R4.0)
+----------------------------------------
+
+Normally Qubes doesn't let the user stop a NetVM if there are other qubes
+running which use it as their own NetVM. But in case the NetVM stops for
+whatever reason (e.g. it crashes, or the user forces its shutdown via qvm-kill
+via terminal in Dom0), Qubes R4.0 will often automatically repair the
+connection. If it does not, then there is an easy way to restore the connection to
+the NetVM by issuing:
+
+` qvm-prefs <vm> netvm <netvm> `
+
+Normally qubes do not connect directly to the actual NetVM which has networking
+devices, but rather to the default sys-firewall first, and in most cases it would
+be the NetVM that will crash, e.g. in response to S3 sleep/restore or other
+issues with WiFi drivers. In that case it is only necessary to issue the above
+command once, for the sys-firewall (this assumes default VM-naming used by the
+default Qubes installation):
+
+` qvm-prefs sys-firewall netvm sys-net `
+
+Reconnecting VMs after a NetVM reboot (R3.2)
 ----------------------------------------
 
 Normally Qubes doesn't let the user stop a NetVM if there are other qubes
@@ -70,7 +96,7 @@ issues with WiFi drivers. In that case it is only necessary to issue the above
 command once, for the sys-firewall (this assumes default VM-naming used by the
 default Qubes installation):
 
-` qvm-prefs sys-firewall -s netvm netvm `
+` qvm-prefs sys-firewall -s netvm sys-net `
 
 Enabling networking between two qubes
 --------------------------------------
@@ -344,7 +370,18 @@ fi
 This time testing should allow connectivity to the service as long as the
 service is up :-)
 
-Where to put firewall rules
+Where to put firewall rules (R4.0)
+---------------------------
+
+Implicit in the above example [scripts](/doc/config-files/), but worth 
+calling attention to: for all qubes *except* NetVMs, iptables commands 
+should be added to the `/rw/config/rc.local` script. For NetVMs 
+(`sys-firewall` inclusive), iptables commands should be added to 
+`/rw/config/qubes-firewall-user-script`. This is because a NetVM is 
+constantly adjusting its firewall, and therefore initial settings from 
+`rc.local` do not persist.
+
+Where to put firewall rules (R3.2)
 ---------------------------
 
 Implicit in the above example [scripts](/doc/config-files/), but worth 

From 019b577b4595b27a66000f8eb34aac01dbaf0a0a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 2 Feb 2018 13:28:58 +0000
Subject: [PATCH 077/125] multifactor-authentication update fedora version

and yum -> dnf
---
 security/multifactor-authentication.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/multifactor-authentication.md b/security/multifactor-authentication.md
index a60b3104..20b2ce82 100644
--- a/security/multifactor-authentication.md
+++ b/security/multifactor-authentication.md
@@ -67,24 +67,24 @@ Optional Preparation Steps
     [minimal Fedora template][FedoraMinimal]. Get it if you haven't already done
     so:
 
-        [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-25-minimal
+        [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-26-minimal
 
  2. Since we'll be making some modifications, you may want to clone the minimal
     template:
 
-        [user@dom0 ~]$ qvm-clone fedora-25-minimal fedora-25-min-mfa
+        [user@dom0 ~]$ qvm-clone fedora-26-minimal fedora-26-min-mfa
 
  3. Since this is going to be a minimal environment in which we run `oathtool`
     from the command line, we'll install only a couple of packages:
 
-        [user@fedora-25-min-mfa ~]$ su -
-        [user@fedora-25-min-mfa ~]# yum install oathtool vim-minimal
-        [user@fedora-25-min-mfa ~]$ poweroff
+        [user@fedora-26-min-mfa ~]$ su -
+        [user@fedora-26-min-mfa ~]# dnf install oathtool vim-minimal
+        [user@fedora-26-min-mfa ~]$ poweroff
 
  4. Create an AppVM and set it to use the TemplateVM we just created:
 
         [user@dom0 ~]$ qvm-create -l black mfa
-        [user@dom0 ~]$ qvm-prefs -s mfa template fedora-25-min-mfa
+        [user@dom0 ~]$ qvm-prefs -s mfa template fedora-26-min-mfa
 
  5. Isolate the new AppVM from the network:
 

From 1a6c777d8b2ae598484521ee34253ddd92786c4a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 2 Feb 2018 13:40:40 +0000
Subject: [PATCH 078/125] split-gpg update package utilities

yum -> dnf
apt-get -> apt
---
 security/split-gpg.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/split-gpg.md b/security/split-gpg.md
index f519ec27..64d0b759 100644
--- a/security/split-gpg.md
+++ b/security/split-gpg.md
@@ -86,11 +86,11 @@ In dom0, make sure the `qubes-gpg-split-dom0` package is installed.
 If using templates based on Debian or Whonix, make sure you have the `qubes-gpg-split`
 package installed.
 
-    [user@debian-8 ~]$ sudo apt-get install qubes-gpg-split
+    [user@debian-8 ~]$ sudo apt install qubes-gpg-split
     
 For Fedora.
 
-    [user@fedora-25 ~]$ sudo yum install qubes-gpg-split
+    [user@fedora-25 ~]$ sudo dnf install qubes-gpg-split
 
 Start with creating a dedicated AppVM for storing your keys (the GPG backend
 domain). It is recommended that this domain be network disconnected (set its

From 471696d97903ba1dadf0055b06df2299ddb2c6d1 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 2 Feb 2018 13:44:51 +0000
Subject: [PATCH 079/125] usb make headings consistent

---
 common-tasks/usb.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index c3ef3d60..7eaef543 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -32,7 +32,7 @@ Qubes OS supports the ability to attach a USB drive (or just one or more of its
 partitions) to any qube easily, no matter which qube actually handles the USB
 controller.
 
-**R4.0**
+### R4.0 ###
 
 USB drive mounting is integrated into the Devices Widget. This is the tool tray
 icon with a yellow square located in the top right of your screen by default.
@@ -108,7 +108,7 @@ follows:
 
  7.  You may now remove the device.
 
-**R3.2**
+### R3.2 ###
 
 USB drive mounting is integrated into the Qubes VM Manager GUI. Simply insert
 your USB drive, right-click on the desired qube in the Qubes VM Manager list,

From 646aa7d5f5cf13d69ab43ee17173c3da1ba07b5f Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 2 Feb 2018 15:15:06 +0000
Subject: [PATCH 080/125] Update firewall.md

---
 security/firewall.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/security/firewall.md b/security/firewall.md
index 8285278b..6b9898b8 100644
--- a/security/firewall.md
+++ b/security/firewall.md
@@ -374,12 +374,11 @@ Where to put firewall rules (R4.0)
 ---------------------------
 
 Implicit in the above example [scripts](/doc/config-files/), but worth 
-calling attention to: for all qubes *except* NetVMs, iptables commands 
-should be added to the `/rw/config/rc.local` script. For NetVMs 
-(`sys-firewall` inclusive), iptables commands should be added to 
-`/rw/config/qubes-firewall-user-script`. This is because a NetVM is 
-constantly adjusting its firewall, and therefore initial settings from 
-`rc.local` do not persist.
+calling attention to: for all qubes *except* AppVMs supplying networking,
+iptables commands should be added to the `/rw/config/rc.local` script. For
+AppVMs supplying networking (`sys-firewall` inclusive), 
+iptables commands should be added to 
+`/rw/config/qubes-firewall-user-script`.
 
 Where to put firewall rules (R3.2)
 ---------------------------

From 2a48a90f4262a8bd453e59abe17150eb464cc2ac Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 13:23:34 +0000
Subject: [PATCH 081/125] link to deprecated /doc/torvm

---
 privacy/whonix.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/privacy/whonix.md b/privacy/whonix.md
index d2dc9ce5..3b55bef8 100644
--- a/privacy/whonix.md
+++ b/privacy/whonix.md
@@ -22,6 +22,9 @@ a **"workstation"**. Qubes security architecture makes use of Whonix's isolation
 by using the gateway as a ProxyVM to route all network traffic through Tor,
 while the workstation is used for making AppVMs.
 
+Whonix in Qubes replaces the deprecated [TorVM](/doc/torvm) service used in earlier
+versions of Qubes.
+
 ## Getting Started with Whonix
 *  Note: To install Whonix in Qubes, you must already have a working Qubes machine.
 *  [Installing Whonix in Qubes](/doc/whonix/install/)

From 39bd80291b7b79fb52b5e9238e6c907a13a8b2a9 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 13:25:49 +0000
Subject: [PATCH 082/125] remove deprecated TorVM from doc list

---
 doc.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc.md b/doc.md
index 48b85b3f..154fc482 100644
--- a/doc.md
+++ b/doc.md
@@ -113,7 +113,6 @@ Privacy Guides
  * [Whonix for Privacy & Anonymity](/doc/whonix/)
  * [Running Tails in Qubes](/doc/tails/)
  * [Anonymizing your MAC Address](/doc/anonymizing-your-mac-address/)
- * [TorVM](/doc/torvm/)
  * [Martus](/doc/martus/)
  * [Signal](/doc/signal/)
  * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/)

From 6d2f80b5003531bae8d639234301682cf88cc007 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 13:36:52 +0000
Subject: [PATCH 083/125] add VM Settings -> Applications path

---
 privacy/signal.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/privacy/signal.md b/privacy/signal.md
index 73bf1cd8..69b7fed7 100644
--- a/privacy/signal.md
+++ b/privacy/signal.md
@@ -51,6 +51,7 @@ Always obtain a trusted key fingerprint via other channels, and always check any
         
 6. Create an AppVM based on this TemplateVM
 7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> `"AppVM Name": Add more shortcuts`
+(or `"AppVM Name": VM Settings` -> `Applications`). 
    Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window.
 
 -----

From 3d6379b968aa89bbbdaa54b8103cd6e59bbf7b8d Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 13:48:00 +0000
Subject: [PATCH 084/125] fix spelling

---
 configuration/w3m.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration/w3m.md b/configuration/w3m.md
index 9586ef40..5511adb3 100644
--- a/configuration/w3m.md
+++ b/configuration/w3m.md
@@ -19,7 +19,7 @@ You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#brow
 
 * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`.
 
-	By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the Tor Browser Bundle (TBB). One in fourteen browsers finderprinted by Panopticlick has this value.
+	By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the Tor Browser Bundle (TBB). One in fourteen browsers fingerprinted by Panopticlick has this value.
 
 * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file:
 
@@ -29,7 +29,7 @@ You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#brow
 		
 	These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.
 	
-Testing these settings on <https://browserprint.info> returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's locale settings or other specifics about it in the HTTP_ACCEPT headers. And while it may be inferred from your fingerprint that you use w3m, it is not be explicitly stated in the User-Agent header.
+Testing these settings on <https://browserprint.info> returns a fingerprint that is distinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* (<https://panopticlick.eff.org> does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sophisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's locale settings or other specifics about it in the HTTP_ACCEPT headers. And while it may be inferred from your fingerprint that you use w3m, it is not be explicitly stated in the User-Agent header.
 
 **Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.**
 

From bddcd0cad29e7aa864664149eaa2c860c33ee8be Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sat, 3 Feb 2018 14:51:06 -0600
Subject: [PATCH 085/125] Replace absolute with relative paths for Qubes URLs

---
 about/code-of-conduct.md                   |  2 +-
 about/faq.md                               |  6 +++---
 basics_dev/gsoc.md                         | 18 +++++++++---------
 basics_user/contributing.md                |  2 +-
 building/building-archlinux-template.md    |  2 +-
 building/qubes-builder.md                  |  2 +-
 common-tasks/dispvm.md                     |  2 +-
 configuration/resize-disk-image.md         |  2 +-
 configuration/secondary-storage.md         |  4 ++--
 customization/kde.md                       |  2 +-
 customization/xfce.md                      |  2 +-
 installing/live-usb.md                     |  2 +-
 managing-os/hvm.md                         |  2 +-
 managing-os/templates/debian.md            |  2 +-
 privacy/anonymizing-your-mac-address.md    |  2 +-
 privacy/tails.md                           |  4 ++--
 privacy/torvm.md                           |  8 ++++----
 releases/3.2/release-notes.md              |  4 ++--
 releases/4.0/release-notes.md              |  2 +-
 security/security-guidelines.md            |  4 ++--
 security/yubi-key.md                       |  2 +-
 troubleshooting/install-nvidia-driver.md   |  2 +-
 troubleshooting/macbook-troubleshooting.md |  2 +-
 23 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/about/code-of-conduct.md b/about/code-of-conduct.md
index af4ae3fa..3925c62d 100644
--- a/about/code-of-conduct.md
+++ b/about/code-of-conduct.md
@@ -27,7 +27,7 @@ Examples of unacceptable behavior by participants include:
 - Publishing others' private information, such as a physical or electronic address, without explicit permission
 - Other conduct which could reasonably be considered inappropriate in a professional setting
 
-(Please also see our [mailing list discussion guidelines](https://www.qubes-os.org/mailing-lists/#discussion-list-guidelines).)
+(Please also see our [mailing list discussion guidelines](/mailing-lists/#discussion-list-guidelines).)
 
 ## Our Responsibilities
 
diff --git a/about/faq.md b/about/faq.md
index b21f41c2..e3a02b59 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -113,7 +113,7 @@ At the same time, due to the smart use of Xen shared memory, our GUI implementat
 
 ### Why passwordless sudo?
 
-Please refer to [this page](https://www.qubes-os.org/doc/vm-sudo/).
+Please refer to [this page](/doc/vm-sudo/).
 
 ### How should I report documentation issues?
 
@@ -193,7 +193,7 @@ Qubes assumes that the user who controls Dom0 controls the whole system.
 It is very difficult to **securely** implement multi-user support. 
 See [here](https://groups.google.com/group/qubes-devel/msg/899f6f3efc4d9a06) for details.
 
-However, in Qubes 4.x we will be implementing management functionality. See [Admin API](https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/) and [Core Stack](https://www.qubes-os.org/news/2017/10/03/core3/) for more details.
+However, in Qubes 4.x we will be implementing management functionality. See [Admin API](/news/2017/06/27/qubes-admin-api/) and [Core Stack](/news/2017/10/03/core3/) for more details.
 
 
 ### What are the system requirements for Qubes OS?
@@ -352,7 +352,7 @@ Another solution would be to set the pci_strictreset option in dom0:
         qvm-prefs usbVM -s pci_strictreset false
 
 These options allow the VM to ignore the error and the VM will start.
-Please review the note on [this page](https://www.qubes-os.org/doc/Dom0Tools/QvmPrefs/) and be aware of the potential risk.
+Please review the note on [this page](/doc/Dom0Tools/QvmPrefs/) and be aware of the potential risk.
 
 ### I assigned a PCI device to a qube, then unassigned it/shut down the qube. Why isn't the device available in dom0?
 
diff --git a/basics_dev/gsoc.md b/basics_dev/gsoc.md
index d73b0203..9ed852cc 100644
--- a/basics_dev/gsoc.md
+++ b/basics_dev/gsoc.md
@@ -479,7 +479,7 @@ details in [#2618](https://github.com/QubesOS/qubes-issues/issues/2618).
 
 **Brief explanation**: A long-term goal is to be able to build the entire OS and installation media in a completely bit-wise deterministic manner, but there are many baby steps to be taken along that path. See:
 
-- "[Security challenges for the Qubes build process](https://www.qubes-os.org/news/2016/05/30/build-security/)"
+- "[Security challenges for the Qubes build process](/news/2016/05/30/build-security/)"
 - [This mailing list post](https://groups.google.com/d/msg/qubes-devel/gq-wb9wTQV8/mdliS4P2BQAJ)
 - and [reproducible-builds.org](https://reproducible-builds.org/)
 
@@ -487,7 +487,7 @@ for more information and qubes-specific background.
 
 **Expected results**: Significant progress towards making the Qubes build process deterministic. This would likely involve cooperation with and hacking on several upstream build tools to eliminate sources of variability.
 
-**Knoledge prerequisite**: qubes-builder [[1]](https://www.qubes-os.org/doc/qubes-builder/) [[2]](https://www.qubes-os.org/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
+**Knoledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder/) [[2]](/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
 
 **Mentor**: [Marek Marczykowski-Górecki](/team/)
 
@@ -513,17 +513,17 @@ We adapted some of the language here about GSoC from the [KDE GSoC page](https:/
 [2017-archive]: https://summerofcode.withgoogle.com/archive/2017/organizations/5074771758809088/
 [gsoc-qubes]: https://summerofcode.withgoogle.com/organizations/6239659689508864/
 [gsoc]: https://summerofcode.withgoogle.com/
-[team]: https://www.qubes-os.org/team/
+[team]: /team/
 [gsoc-faq]: https://developers.google.com/open-source/gsoc/faq
-[contributing]: https://www.qubes-os.org/doc/contributing/#contributing-code
-[patches]: https://www.qubes-os.org/doc/source-code/#how-to-send-patches
-[code-signing]: https://www.qubes-os.org/doc/code-signing/
-[ml-devel]: https://www.qubes-os.org/mailing-lists/#qubes-devel
+[contributing]: /doc/contributing/#contributing-code
+[patches]: /doc/source-code/#how-to-send-patches
+[code-signing]: /doc/code-signing/
+[ml-devel]: /mailing-lists/#qubes-devel
 [gsoc-participate]: https://developers.google.com/open-source/gsoc/
 [gsoc-student]: https://developers.google.com/open-source/gsoc/resources/manual#student_manual
 [how-to-gsoc]: http://teom.org/blog/kde/how-to-write-a-kick-ass-proposal-for-google-summer-of-code/
 [gsoc-submit]: https://summerofcode.withgoogle.com/
-[mailing-lists]: https://www.qubes-os.org/mailing-lists/
+[mailing-lists]: /mailing-lists/
 [qubes-issues]: https://github.com/QubesOS/qubes-issues/issues
 [qubes-issues-suggested]: https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22
-[qubes-builder]: https://www.qubes-os.org/doc/qubes-builder/
+[qubes-builder]: /doc/qubes-builder/
diff --git a/basics_user/contributing.md b/basics_user/contributing.md
index b3e13b22..5a7568b1 100644
--- a/basics_user/contributing.md
+++ b/basics_user/contributing.md
@@ -75,6 +75,6 @@ be grateful to [receive your patch][patch].
 [Facebook]: https://www.facebook.com/QubesOS
 [GitHub issues]: https://github.com/QubesOS/qubes-issues/issues
 [qubes-devel]: /mailing-lists/#qubes-devel
-[Community-Developed Feature Tracker]: https://www.qubes-os.org/qubes-issues/
+[Community-Developed Feature Tracker]: /qubes-issues/
 [Qubes download mirror]: /downloads/mirrors/
 
diff --git a/building/building-archlinux-template.md b/building/building-archlinux-template.md
index f95186fc..ff701a4d 100644
--- a/building/building-archlinux-template.md
+++ b/building/building-archlinux-template.md
@@ -83,7 +83,7 @@ redirect_from:
 
       gpg --keyserver pgp.mit.edu --recv-keys 0xDDFA1A3E36879494
 
-* Verify its fingerprint, set as 'trusted'. [This is described here](https://www.qubes-os.org/doc/VerifyingSignatures).
+* Verify its fingerprint, set as 'trusted'. [This is described here](/doc/VerifyingSignatures).
 
 * Download the Qubes developers' keys.
 
diff --git a/building/qubes-builder.md b/building/qubes-builder.md
index 8ee0172e..d5fe6e48 100644
--- a/building/qubes-builder.md
+++ b/building/qubes-builder.md
@@ -8,7 +8,7 @@ redirect_from:
 - /wiki/QubesBuilder/
 ---
 
-**Note: The build system has been improved since this how-to was last updated. The [Archlinux template building instructions](https://www.qubes-os.org/doc/building-archlinux-template/) contain more up-to-date and detailed information on how to use the build system.**
+**Note: The build system has been improved since this how-to was last updated. The [Archlinux template building instructions](/doc/building-archlinux-template/) contain more up-to-date and detailed information on how to use the build system.**
 
 Building Qubes from scratch
 ===========================
diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 3dc72eaa..cda6ce0c 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -29,7 +29,7 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). 
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template). 
 By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 6e6b8e19..35159d7f 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -133,4 +133,4 @@ You will see that there is unallocated free space at the end of your primary dis
 You can use standard linux tools like fdisk and mkfs to make this space available.
 
 
-[resizing the root disk image]: https://www.qubes-os.org/doc/resize-root-disk-image/
+[resizing the root disk image]: /doc/resize-root-disk-image/
diff --git a/configuration/secondary-storage.md b/configuration/secondary-storage.md
index f04b6665..2c12b194 100644
--- a/configuration/secondary-storage.md
+++ b/configuration/secondary-storage.md
@@ -39,7 +39,7 @@ Known Issues
    dom0.) Do not attempt to detach these disks. (They will automatically be
    detached when you shut down the AppVM.) [[2]]
 
-[Qubes Backup]: https://www.qubes-os.org/doc/BackupRestore/
-[TemplateVM]: https://www.qubes-os.org/doc/Templates/
+[Qubes Backup]: /doc/BackupRestore/
+[TemplateVM]: /doc/Templates/
 [1]: https://groups.google.com/d/topic/qubes-users/EITd1kBHD30/discussion
 [2]: https://groups.google.com/d/topic/qubes-users/nDrOM7dzLNE/discussion
diff --git a/customization/kde.md b/customization/kde.md
index cee094a6..f0df5598 100644
--- a/customization/kde.md
+++ b/customization/kde.md
@@ -12,7 +12,7 @@ Installation
 ------------
 
 Prior to R3.2, KDE was the default desktop environment in Qubes. Beginning with
-R3.2, however, [XFCE is the new default desktop environment](https://www.qubes-os.org/doc/releases/3.2/release-notes/). Nonetheless, it is
+R3.2, however, [XFCE is the new default desktop environment](/doc/releases/3.2/release-notes/). Nonetheless, it is
 still possible to install KDE by issuing this command in dom0:
 
     $ sudo qubes-dom0-update @kde-desktop-qubes
diff --git a/customization/xfce.md b/customization/xfce.md
index 64eb5c53..f9c8de96 100644
--- a/customization/xfce.md
+++ b/customization/xfce.md
@@ -15,7 +15,7 @@ XFCE installation in dom0
 **Disclaimer: The article is obsolete for Qubes OS 3.2 and later.**
 
 Prior to R3.2, KDE was the default desktop environment in Qubes. Beginning with
-R3.2 [XFCE is the new default desktop environment](https://www.qubes-os.org/doc/releases/3.2/release-notes/) and does not require manual installation.
+R3.2 [XFCE is the new default desktop environment](/doc/releases/3.2/release-notes/) and does not require manual installation.
 
 
 Installation:
diff --git a/installing/live-usb.md b/installing/live-usb.md
index a4d3e9a4..43f499b4 100644
--- a/installing/live-usb.md
+++ b/installing/live-usb.md
@@ -121,5 +121,5 @@ Downloading and burning
    and `of` or specify an incorrect device, you could accidentally overwrite
    your primary system drive. Please be careful!
 
-[project-page]: https://www.qubes-os.org/gsoc/
+[project-page]: /gsoc/
 [gsoc-page]: https://summerofcode.withgoogle.com/organizations/6239659689508864/
diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index fc095ce2..1632a84d 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -23,7 +23,7 @@ to learn why it took so long for Qubes OS to support HVM domains
 (Qubes 1 only supported Linux based PV domains). As of
 Qubes 4, every VM is PVH by default, except those with attached PCI devices which are HVM.
 [See here](https://blog.invisiblethings.org/2017/07/31/qubes-40-rc1.html) for a discussion
-of the switch to HVM from R3.2's PV, and [here](https://www.qubes-os.org/news/2018/01/11/qsb-37/)
+of the switch to HVM from R3.2's PV, and [here](/news/2018/01/11/qsb-37/)
 for changing the default to PVH.
 
 Creating an HVM domain
diff --git a/managing-os/templates/debian.md b/managing-os/templates/debian.md
index d83fdc61..94bf1b22 100644
--- a/managing-os/templates/debian.md
+++ b/managing-os/templates/debian.md
@@ -114,5 +114,5 @@ More information
 * [Debian wiki](https://wiki.debian.org/Qubes)
 
 
-[stretch]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/ 
+[stretch]: /doc/template/debian/upgrade-8-to-9/ 
 
diff --git a/privacy/anonymizing-your-mac-address.md b/privacy/anonymizing-your-mac-address.md
index 3e7f0921..3dfb3783 100644
--- a/privacy/anonymizing-your-mac-address.md
+++ b/privacy/anonymizing-your-mac-address.md
@@ -16,7 +16,7 @@ privacy](https://tails.boum.org/contribute/design/MAC_address/#index1h1). Curren
 
 Newer versions of Network Manager have a robust set of options for randomizing MAC addresses, and can handle the entire process across reboots, sleep/wake cycles and different connection states. In particular, versions 1.4.2 and later should be well suited for Qubes.
 
-Network Manager 1.4.2 or later is available from the Fedora 25 repository as well as the Debian 9 repository, which you can install by [upgrading a Debian 8 template to version 9.](https://www.qubes-os.org/doc/debian-template-upgrade-8/) 
+Network Manager 1.4.2 or later is available from the Fedora 25 repository as well as the Debian 9 repository, which you can install by [upgrading a Debian 8 template to version 9.](/doc/debian-template-upgrade-8/) 
 
 In the Debian 9 or Fedora 25 template you intend to use as a NetVM, check that Network Manager version is now at least 1.4.2:
 
diff --git a/privacy/tails.md b/privacy/tails.md
index 76136479..646b4ffd 100644
--- a/privacy/tails.md
+++ b/privacy/tails.md
@@ -16,7 +16,7 @@ Despite this, in case that method becomes cumbersome, Tails can be used inside v
 
 To run Tails under Qubes:
 
-1.  Read about [creating and using HVM qubes](https://www.qubes-os.org/doc/hvm/)
+1.  Read about [creating and using HVM qubes](/doc/hvm/)
 
 2.  Download and verify Tails from [https://tails.boum.org](https://tails.boum.org) in a qube, (saved as `/home/user/Downloads/tails.iso` on qube "isoVM" for purposes of this guide).
 
@@ -76,7 +76,7 @@ The Tails qube will not shut down cleanly.
 Kill it from the GUI Manager or ```qvm-kill Tails``` in Konsole.
 
 ### Security
-You will probably want to implement [MAC spoofing](https://www.qubes-os.org/doc/anonymizing-your-mac-address/).
+You will probably want to implement [MAC spoofing](/doc/anonymizing-your-mac-address/).
 
 There are added security concerns for Tails users when running it in a virtual machine.
 If you intend to do this, you should read [the warnings](https://tails.boum.org/doc/advanced_topics/virtualization/) from the Tails team about it.
diff --git a/privacy/torvm.md b/privacy/torvm.md
index bb1ddf13..d04de0f1 100644
--- a/privacy/torvm.md
+++ b/privacy/torvm.md
@@ -20,7 +20,7 @@ Qubes TorVM (qubes-tor)
 
 Qubes TorVM is a deprecated ProxyVM service that provides torified networking to
 all its clients. **If you are interested in TorVM, you will find the
-[Whonix implementation in Qubes](https://www.qubes-os.org/doc/privacy/whonix/) a
+[Whonix implementation in Qubes](/doc/privacy/whonix/) a
 more usable and robust solution for creating a torifying traffic proxy.**
 
 By default, any AppVM using the TorVM as its NetVM will be fully torified, so
@@ -273,9 +273,9 @@ transparent torified solutions. Notably the following:
 [stream-isolation]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/171-separate-streams.txt
 [stream-isolation-explained]: https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html
 [tor-threats]: https://www.torproject.org/projects/torbrowser/design/#adversary
-[qubes-net]: https://www.qubes-os.org/doc/QubesNet/
+[qubes-net]: /doc/QubesNet/
 [dns]: https://tails.boum.org/todo/support_arbitrary_dns_queries/
 [tor-browser]: https://www.torproject.org/download/download-easy.html
 [tor-verify-sig]: https://www.torproject.org/docs/verifying-signatures.html
-[dispvm]: https://www.qubes-os.org/doc/DisposableVms/
-[dispvm-customization]: https://www.qubes-os.org/doc/UserDoc/DispVMCustomization/
+[dispvm]: /doc/DisposableVms/
+[dispvm-customization]: /doc/UserDoc/DispVMCustomization/
diff --git a/releases/3.2/release-notes.md b/releases/3.2/release-notes.md
index 7a083562..623936c9 100644
--- a/releases/3.2/release-notes.md
+++ b/releases/3.2/release-notes.md
@@ -24,7 +24,7 @@ You can get detailed description in [completed github issues][github-release-not
 Known issues
 ------------
 
-* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](https://www.qubes-os.org/news/2016/11/15/fedora-24-template-available/).
+* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](/news/2016/11/15/fedora-24-template-available/).
 
 * Windows Tools: `qvm-block` does not work
 
@@ -43,7 +43,7 @@ Installation instructions
 -------------------------
 
 See [Installation Guide](/doc/installation-guide/).
-After installation, [manually upgrade to Fedora 24](https://www.qubes-os.org/news/2016/11/15/fedora-24-template-available/).
+After installation, [manually upgrade to Fedora 24](/news/2016/11/15/fedora-24-template-available/).
 
 Upgrading
 ---------
diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index 8119b4b7..fedfde6c 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -78,4 +78,4 @@ We also provide [detailed instruction][upgrade-to-r4.0] for this procedure.
 [qsb-24]: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt
 [backup-format]: /doc/backup-emergency-restore-v4/
 [api-doc]: https://dev.qubes-os.org/projects/qubes-core-admin/en/latest/
-[upgrade-to-r4.0]: https://www.qubes-os.org/doc/upgrade-to-r4.0/
+[upgrade-to-r4.0]: /doc/upgrade-to-r4.0/
diff --git a/security/security-guidelines.md b/security/security-guidelines.md
index 1d143600..a1ec0d96 100644
--- a/security/security-guidelines.md
+++ b/security/security-guidelines.md
@@ -27,7 +27,7 @@ While your connection to the Qubes website and download mirrors is encrypted, me
 Signature verification allows us to validate for ourselves that these files were the ones authored and signed by their creators (in this case the Qubes development team). 
 
 Because it's so easy for a hacker who manages to tamper with the downloaded iso files this way to patch in malware, it is of the utmost importance that you **verify the signature of the Qubes iso** you use to install Qubes. 
-See the page on [Verifying Signatures](https://www.qubes-os.org/security/verifying-signatures/) for more information and a tutorial on how to accomplish this.
+See the page on [Verifying Signatures](/security/verifying-signatures/) for more information and a tutorial on how to accomplish this.
 
 Once you have Qubes installed, the standard program installation command for Fedora and Qubes repositories
 
@@ -79,7 +79,7 @@ qubes-hcl-report <userVM>
 
 where \<userVM\> is the name of the VM within which the report will be written (but the report will also be displayed in the Dom0 terminal). If it displays that VT-d is active, you should be able to assign **PCIe devices to an HVM** and **enjoy DMA protection** for your driver domains, so you successfully passed this step.
 
-If VT-d is not active, attempt to activate it by selecting the **VT-d flag** within the BIOS settings. If your processor/BIOS does not allow VT-d activation you still enjoy much better security than alternative systems, but you may be vulnerable to **DMA attacks**. Next time you buy a computer consult our **[HCL (Hardware Compatibility List)](https://www.qubes-os.org/hcl/)** and possibly contribute to it.
+If VT-d is not active, attempt to activate it by selecting the **VT-d flag** within the BIOS settings. If your processor/BIOS does not allow VT-d activation you still enjoy much better security than alternative systems, but you may be vulnerable to **DMA attacks**. Next time you buy a computer consult our **[HCL (Hardware Compatibility List)](/hcl/)** and possibly contribute to it.
 
 Updating Software
 -----------------
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 7ec45fcb..9cc6ad03 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -11,7 +11,7 @@ Using YubiKey to Qubes authentication
 =====================================
 
 You can use YubiKey to enhance Qubes user authentication, for example to mitigate
-risk of snooping the password. This can also slightly improve security when you have [USB keyboard](https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices).
+risk of snooping the password. This can also slightly improve security when you have [USB keyboard](/doc/usb/#security-warning-about-usb-input-devices).
 
 There (at least) two possible configurations: using OTP mode and using challenge-response mode.
 
diff --git a/troubleshooting/install-nvidia-driver.md b/troubleshooting/install-nvidia-driver.md
index f3b946e5..d52c79d7 100644
--- a/troubleshooting/install-nvidia-driver.md
+++ b/troubleshooting/install-nvidia-driver.md
@@ -21,7 +21,7 @@ Support for newer cards is limited until AMDGPU support in the 4.5+ kernel, whic
 Built in Intel graphics, Radeon graphics (between that 4000-9000 range), and perhaps some prebaked NVIDIA card support that i don't know about. Those are your best bet for great Qubes support.
 
 If you do happen to get proprietary drivers working on your Qubes system (via installing them). Please take the time to go to the 
-[Hardware Compatibility List (HCL)](https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports )
+[Hardware Compatibility List (HCL)](/doc/hcl/#generating-and-submitting-new-reports )
 Add your computer, graphics card, and installation steps you did to get everything working.
 
 ## RpmFusion packages
diff --git a/troubleshooting/macbook-troubleshooting.md b/troubleshooting/macbook-troubleshooting.md
index b7f53c71..5e1d144f 100644
--- a/troubleshooting/macbook-troubleshooting.md
+++ b/troubleshooting/macbook-troubleshooting.md
@@ -135,7 +135,7 @@ Please see [this thread o the qubes-devel mailing list][macbook-air-2012-5-1].
 
 [1]: https://github.com/QubesOS/qubes-issues/issues/794
 [2]: https://github.com/QubesOS/qubes-issues/issues/1261
-[3]: https://www.qubes-os.org/doc/assigning-devices/
+[3]: /doc/assigning-devices/
 [bluetooth-replacement]: https://www.ifixit.com/Guide/MacBook+Air+13-Inch+Mid+2011+AirPort-Bluetooth+Card+Replacement/6360
 [macbook-air-2012-5-1]: https://groups.google.com/d/topic/qubes-devel/uLDYGdKk_Dk/discussion
 

From 0c29e05f3ded851c0e6acb894dcbc33318277d31 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sat, 3 Feb 2018 15:08:05 -0600
Subject: [PATCH 086/125] Update Markdown Conventions

 - Add convention for using relative rather than absolute paths
 - Follow the convention to insert a newline at the end of each sentence
 - Note the class of exceptions to the aforementioned convention
---
 basics_user/doc-guidelines.md | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index 2c34e0c4..27869f28 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -146,25 +146,25 @@ Style Guidelines
 Markdown Conventions
 --------------------
 
-All the documentation is written in Markdown for maximum accessibility. When
-making contributions, please try to observe the following style conventions:
+All the documentation is written in Markdown for maximum accessibility.
+When making contributions, please try to observe the following style conventions:
 
  * Use spaces instead of tabs.
- * Insert a newline at the end of each sentence.
-   * Rationale: This practice is most appropriate for source that consists
-     primarily of natural language text. It results in the most useful diffs
-     and facilitates translation into other languages while mostly preserving
-     source readability.
- * If appropriate, make numerals in numbered lists match between Markdown
-   source and HTML output.
-   * Rationale: In the event that a user is required to read the Markdown source
-     directly, this will make it easier to follow, e.g., numbered steps in a set
-     of instructions.
+ * In order to enable offline browsing, use relative paths (e.g., `/doc/doc-guidelines/` instead of `https://www.qubes-os.org/doc/doc-guidelines/`, except when the source text will be reproduced outside of the Qubes website repo.
+   Examples of exceptions:
+   * [QSBs] (intended to be read as plain text)
+   * [News] posts (plain text is reproduced on the [mailing lists])
+   * URLs that appear inside code blocks (e.g., in comments and document templates)
+   * Files like `README.md` and `CONTRIBUTING.md`
+ * Insert a newline at the end of each sentence, except when the text will be reproduced outside of the Qubes website repo (see previous item for examples).
+   * Rationale: This practice is most appropriate for source that consists primarily of natural language text.
+     It results in the most useful diffs and facilitates translation into other languages while mostly preserving source readability.
+ * If appropriate, make numerals in numbered lists match between Markdown source and HTML output.
+   * Rationale: In the event that a user is required to read the Markdown source directly, this will make it easier to follow, e.g., numbered steps in a set of instructions.
  * Use hanging indentations  
    where appropriate.
- * Use underline headings (`=====` and `-----`) if possible. If this is not
-   possible, use Atx-style headings on both the left and right sides
-   (`### H3 ###`).
+ * Use underline headings (`=====` and `-----`) if possible.
+   If this is not possible, use Atx-style headings on both the left and right sides (`### H3 ###`).
  * Use `[reference-style][ref]` links.  
  
 `[ref]: https://daringfireball.net/projects/markdown/syntax#link`
@@ -188,5 +188,8 @@ Please try to write good commit messages, according to the
 [gh-pull]: https://help.github.com/articles/using-pull-requests/
 [GitHub]: https://github.com/
 [mailing lists]: /mailing-lists/
+[QSBs]: /security/bulletins/
+[News]: /news/
 [md]: https://daringfireball.net/projects/markdown/
 [git-commit]: /doc/coding-style/#commit-message-guidelines
+

From 2576c530dc8246e6892532c1530bbb7b0002dc7e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:12:10 +0000
Subject: [PATCH 087/125] 4.0 updates

adjust title to "Private" vs. counterpart document "Root"
add 4.0 content
add placeholder procedure for Shrinking private disk image (Linux VM, R4.0)
remove outdated, root.img specific content
misc. spelling/grammar
---
 configuration/resize-disk-image.md | 80 ++++++++++++++----------------
 1 file changed, 37 insertions(+), 43 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 35159d7f..b68b56dd 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -1,6 +1,6 @@
 ---
 layout: doc
-title: Resize Disk Image
+title: Resize Private Disk Image
 permalink: /doc/resize-disk-image/
 redirect_from:
 - /en/doc/resize-disk-image/
@@ -8,33 +8,55 @@ redirect_from:
 - /wiki/ResizeDiskImage/
 ---
 
-Resize Disk Image
+Resize Private Disk Image
 -----------------
 
-There are several disk images which can be easily extended. But pay attention to the overall consumed space of your sparse disk images.
+There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images. See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
 
-### Private disk image
 
-1048576 MB is the maximum size which can be assigned to a private storage through qubes-manager.
+### Private disk image (R4.0)
 
-To grow the private disk image of a AppVM beyond this limit [qubes-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
+1048576 MiB is the maximum size which can be assigned to a private storage through Qube Manager.
+
+To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+
+~~~
+qvm-volume extend <vm_name>:private <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+
+### Private disk image (R3.2)
+
+1048576 MB is the maximum size which can be assigned to a private storage through Qubes Manager.
+
+To grow the private disk image of an AppVM beyond this limit, [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
 
 ~~~
 qvm-grow-private <vm-name> <size>
 ~~~
 
-Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
 
-### Shrinking private disk image (Linux VM)
+### Shrinking private disk image (Linux VM, R4.0)
 
-**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create new VM with smaller disk and move the data.**
+1.  Create a new qube with smaller disk using Qube Manager or qvm-create
+2.  Move data using OS tools
+3.  Delete old qube using Qube Manager or qvm-remove
+
+### Shrinking private disk image (Linux VM, R3.2)
+
+**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
 
 The basic idea is to:
 
 1.  Shrink filesystem on the private disk image.
 2.  Then shrink the image.
 
-Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibility is to interrupt its normal startup by adding `rd.break` kernel option:
+Ext4 does not support online shrinking, so it can't be done as conveniently as growing the image.
+Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
+First you need to start VM without `/rw` mounted. One possibility is to interrupt its normal startup
+by adding the `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
@@ -76,37 +98,11 @@ Done.
 >With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk)
 
 
-### Template disk image
+OS Specific Follow-up Instructions
+-----------------
 
-If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing the root disk image].
-
-1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
-2.  Sanity check: verify that none of loop device are pointing at this template root.img. Run this in dom0: `sudo losetup -a`
-3.  Resize root.img file. Run this in dom0: `truncate -s <desired size> <path to root.img>` (the root.img path can be obtained from qvm-prefs).
-4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
-5.  Start the template.
-6.  Execute `sudo resize2fs /dev/mapper/dmroot` in the template.
-7.  Verify available space in the template using `df -h`
-8.  Shutdown the template.
-9.  Restore original netvm setting (if changed), check firewall settings (setting netvm to none causes firewall reset to "block all")
-
-### HVM disk image
-
-In this example we will grow the disk image of an HVM to 30GB.
-
-First, stop/shutdown the HVM.
-
-Then, from a Dom0 terminal (in KDE: System Tools -\> Terminal Emulator) do the following:
-
-~~~
-cd /var/lib/qubes/appvms/<yourHVM>/
-ls -lh root.img  (<--verify current size of disk image)
-truncate -s 30GB root.img
-ls -lh root.img  (<--verify new size of disk image)
-~~~
-
-The partition table and file-system must be adjusted after this change.
-Use tools appropriate to the OS in your HVM. Brief instructions for Windows 7,
+After resizing volumes, the partition table and file-system may need to be adjusted.
+Use tools appropriate to the OS in your qube. Brief instructions for Windows 7,
 FreeBSD, and Linux are provided below.
 
 #### Windows 7
@@ -129,8 +125,6 @@ zpool online -e poolname ada0
 
 #### Linux
 
+Qubes will automatically grow the filesystem for you on AppVMs but not HVMs.
 You will see that there is unallocated free space at the end of your primary disk.
 You can use standard linux tools like fdisk and mkfs to make this space available.
-
-
-[resizing the root disk image]: /doc/resize-root-disk-image/

From c380832af15b3651b1d5647209becbef7121622a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:37:46 +0000
Subject: [PATCH 088/125] 4.0 updates

Add root specific content moved from /doc/resize-disk-image
Add 4.0 content
Remove outdated (<R3.?) and duplicated content
---
 configuration/resize-root-disk-image.md | 70 +++++++++++++++----------
 1 file changed, 42 insertions(+), 28 deletions(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index bee7272f..630a1dcf 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,11 +11,49 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
-The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
+### Template disk image 
 
-### Resize a StandaloneVM Root Image
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing private disk images](/doc/resize-disk-image/).
+*Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
-In `dom0` Konsole run the following command (replace the size and path):
+1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
+2.  Resize root image using Qubes version specific procedure below.
+3.  If any netvm/proxyvm used by this template is based on it, set template's netvm to none.
+4.  Start the template.
+5.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically with Linux templates).
+6.  Verify available space in the template using `df -h` or OS specific tools.
+7.  Shutdown the template.
+8.  Restore original netvm setting (if changed), check firewall settings (setting netvm to none causes the firewall to reset to "block all")
+
+### Root disk image (R4.0)
+
+1048576 MiB is the maximum size which can be assigned to root storage through Qube Manager.
+
+To grow the root disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+
+~~~
+qvm-volume extend <vm_name>:root <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+
+### Root disk image (R3.2)
+
+1048576 MB is the maximum size which can be assigned to root storage through Qubes Manager.
+
+To grow the root disk image of an AppVM beyond this limit, [qvm-grow-root](/doc/dom0-tools/qvm-grow-root/) can be used:
+
+~~~
+qvm-grow-root <vm-name> <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
+
+### Resize a StandaloneVM Root Image (R3.2)
+
+Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` console.
+
+In `dom0` console run the following command (replace the size and path):
 
 ~~~
 truncate -s 20G /var/lib/qubes/appvms/standalonevm/root.img
@@ -27,28 +65,4 @@ Then start Terminal for this StandaloneVM and run:
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the StandaloneVM and you will have extended the size of it's `root.img`
-
-
-### Resize a TemplateVM Root Image
-
-Shut down the TemplateVM, as well as all VMs based on that template (since they
-share `root.img`).
-In `dom0` Konsole run the following command (replace the size and path):
-*Make sure changes in the TemplateVM between reboots didn't exceed 10G.*
-
-~~~
-truncate -s 20G /var/lib/qubes/vm-templates/fedora-21/root.img
-~~~
-
-Then start only the TemplateVM and run the following. Note that if you are
-resizing the TemplateVM used by, e.g., your NetVM, you may need to disable
-networking so when the TemplateVM is started, it does not autostart other VMs
-based on the same `root.img`. Otherwise you will get an error message `Nothing
-to do!`.
-
-~~~
-sudo resize2fs /dev/mapper/dmroot
-~~~
-
-Shutdown the TemplateVM and you will have extended the size of it's `root.img`.
+Shutdown the StandaloneVM and you will have extended the size of its `root.img`.

From 0cd1cf06646972e0f0b93ca255d53b8ad580f394 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:40:44 +0000
Subject: [PATCH 089/125] adjust disk resizing titles

---
 doc.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc.md b/doc.md
index 154fc482..c951c8ac 100644
--- a/doc.md
+++ b/doc.md
@@ -124,8 +124,8 @@ Configuration Guides
  * [How to set up a ProxyVM as a VPN Gateway](/doc/vpn/)
  * [Storing AppVMs on Secondary Drives](/doc/secondary-storage/)
  * [Multibooting](/doc/multiboot/)
- * [Resizing AppVM and HVM Disk Images](/doc/resize-disk-image/)
- * [Extending `root.img` Size](/doc/resize-root-disk-image/)
+ * [Resize Private Disk Image](/doc/resize-disk-image/)
+ * [Resize Root Disk Image](/doc/resize-root-disk-image/)
  * [RPC Policies](/doc/rpc-policy/)
  * [Installing ZFS in Qubes](/doc/zfs/)
  * [Mutt Guide](/doc/mutt/)

From 6bfaf3f35ec7e0885d5c66767cfecb9000125630 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:46:08 +0000
Subject: [PATCH 090/125] tweak R4.0 shrink procedure

---
 configuration/resize-disk-image.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index b68b56dd..5aa6321f 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -16,7 +16,7 @@ There are several disk images which can be easily extended, but pay attention to
 
 ### Private disk image (R4.0)
 
-1048576 MiB is the maximum size which can be assigned to a private storage through Qube Manager.
+1048576 MiB is the maximum size which can be assigned to private storage through Qube Manager.
 
 To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
 
@@ -28,7 +28,7 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Private disk image (R3.2)
 
-1048576 MB is the maximum size which can be assigned to a private storage through Qubes Manager.
+1048576 MB is the maximum size which can be assigned to private storage through Qubes Manager.
 
 To grow the private disk image of an AppVM beyond this limit, [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
 
@@ -40,9 +40,9 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Shrinking private disk image (Linux VM, R4.0)
 
-1.  Create a new qube with smaller disk using Qube Manager or qvm-create
-2.  Move data using OS tools
-3.  Delete old qube using Qube Manager or qvm-remove
+1.  Create a new qube with smaller disk using Qube Manager or `qvm-create`
+2.  Move data to the new qube using `qvm-copy` or OS utilities
+3.  Delete old qube using Qube Manager or `qvm-remove`
 
 ### Shrinking private disk image (Linux VM, R3.2)
 

From 4f4c3973521a70309f5434c294b9b3593a5b1f9b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:49:36 +0000
Subject: [PATCH 091/125] call out "OS Specific" procedure in linked doc

---
 configuration/resize-root-disk-image.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index 630a1dcf..eef31d8b 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,9 +11,11 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
+See additional information and caveats about [resizing private disk images](/doc/resize-disk-image/), paying particular attention to "OS Specific Follow-up Instructions" at the end.
+
 ### Template disk image 
 
-If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing private disk images](/doc/resize-disk-image/).
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
 *Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
 1.  Make sure that all the VMs based on this template are shut off (including netvms etc).

From 550e23b266757675bfa1fa3b84d16c3326193939 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 15:18:20 +0000
Subject: [PATCH 092/125] yum -> dnf

---
 configuration/postfix.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration/postfix.md b/configuration/postfix.md
index 0bde2398..14d86a93 100644
--- a/configuration/postfix.md
+++ b/configuration/postfix.md
@@ -16,11 +16,11 @@ Postfix is full featured MTA (Message Transfer Agent). Here we will configure it
 Installation
 ------------
 
-`yum install postfix procmail make cyrus-sasl cyrus-sasl-plain`
+`dnf install postfix procmail make cyrus-sasl cyrus-sasl-plain`
 
 Cyrus-sasl is installed to authenticate to remote servers. Procmail is not strictly necessary, but is useful to sort your incoming mail, for example to put each mailing list in its own directory. Make is also not necessary, but is used to keep Postfix lookup tables.
 
-You should also check `alternatives` command, to see if it is the default `mta`. It probably is not. You may need to `yum remove ssmtp` or something
+You should also check `alternatives` command, to see if it is the default `mta`. It probably is not. You may need to `dnf remove ssmtp` or something
 
 Configuration
 -------------

From 7b1b113bb9babac22acf00340b66703b1c7e06a6 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 15:20:42 +0000
Subject: [PATCH 093/125] yum -> dnf

---
 configuration/fetchmail.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/fetchmail.md b/configuration/fetchmail.md
index 0bdd128e..25bd4ab6 100644
--- a/configuration/fetchmail.md
+++ b/configuration/fetchmail.md
@@ -16,7 +16,7 @@ Fetchmail is standalone MRA (Mail Retrieval Agent) aka "IMAP/POP3 client". Its s
 Installation
 ------------
 
-`yum install fetchmail`
+`dnf install fetchmail`
 
 Configuration
 -------------

From 84c626986d859f1f67181d42def4076dfb15c22f Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 18:02:12 +0000
Subject: [PATCH 094/125] add links to /doc/assigning-devices

and fix qvm-pci attach long options
---
 about/faq.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/about/faq.md b/about/faq.md
index e3a02b59..3f633494 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -345,14 +345,14 @@ Another solution would be to set the pci_strictreset option in dom0:
 
  - In Qubes R4.x, when attaching the PCI device to the VM (where `<BDF>` can be obtained from running [qvm-pci](/doc/dom0-tools/qvm-pci/)):
 
-        qvm-pci attach -persistent -option no-strict-reset=true usbVM dom0:<BDF>
+        qvm-pci attach --persistent --option no-strict-reset=true usbVM dom0:<BDF>
 
  - In Qubes R3.x, by modifying the VM's properties:
 
         qvm-prefs usbVM -s pci_strictreset false
 
 These options allow the VM to ignore the error and the VM will start.
-Please review the note on [this page](/doc/Dom0Tools/QvmPrefs/) and be aware of the potential risk.
+Please review the notes on [this page](/doc/Dom0Tools/QvmPrefs/) and [here](/doc/assigning-devices/) and be aware of the potential risks.
 
 ### I assigned a PCI device to a qube, then unassigned it/shut down the qube. Why isn't the device available in dom0?
 
@@ -371,6 +371,8 @@ or
         MOD=`modprobe -R $MODALIAS | head -n 1`
         echo 0000:<BDF> > /sys/bus/pci/drivers/$MOD/bind
 
+See also [here](/doc/assigning-devices/).
+
 ### How do I install Flash in a Debian qube?
 
 The Debian way is to install the flashplugin-nonfree package. 

From d6e48fd63aaeadb9c5c96275262aeda7a77b6c22 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 18:17:23 +0000
Subject: [PATCH 095/125] use correct term for Devices Widget

---
 about/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/faq.md b/about/faq.md
index 3f633494..556bfbae 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -415,7 +415,7 @@ For Fedora:
 
 The recommended approach is to pass only the specific partition you intend to use from [`sys-usb`](/doc/usb/) to another qube via [qvm-block](/doc/dom0-tools/qvm-block/). They will show up in the destination qube as `/dev/xvd*` and must be mounted manually. Another approach is to attach the entire USB drive to your destination qube. However, this could theoretically lead to an attack because it forces the destination qube to parse the device's partition table. If you believe your device is safe, you may proceed to attach it.
 
-In Qubes 4.0, this is accomplished with the widget located in the tool tray (default top right corner, look for an icon with a yellow square). From the top part of the list, click on the drive you want to attach, then select the qube to attach it to. Although you can also attach the entire USB device to a qube by selecting it from the bottom part of the list, in general this approach should not be used because you are exposing the target qube to unnecessary additional attack surface.
+In Qubes 4.0, this is accomplished with the Devices Widget located in the tool tray (default top right corner, look for an icon with a yellow square). From the top part of the list, click on the drive you want to attach, then select the qube to attach it to. Although you can also attach the entire USB device to a qube by selecting it from the bottom part of the list, in general this approach should not be used because you are exposing the target qube to unnecessary additional attack surface.
 
 In Qubes 3.2, you can use the Qubes VM Manager. Simply insert your USB drive, right-click on the desired qube in the Qubes VM Manager list, click Attach/detach block devices, and select your desired action and device.
 

From 35b02c848cff6ca1786a9b9241c1fca8c73fbd9c Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 4 Feb 2018 17:32:30 -0600
Subject: [PATCH 096/125] Reorganize and update CLI tool references pages for
 4.0

Requested by: QubesOS/qubes-issues#3495
Requests:     QubesOS/qubes-issues#3538
---
 doc.md                                        |  6 ++-
 reference/dom0-tools.md                       | 37 ------------------
 reference/tools.md                            | 13 +++++++
 reference/tools/3.2/dom0.md                   | 39 +++++++++++++++++++
 .../3.2/dom0}/qubes-dom0-update.md            |  3 +-
 .../3.2/dom0}/qubes-prefs.md                  |  3 +-
 .../3.2/dom0}/qvm-add-appvm.md                |  3 +-
 .../3.2/dom0}/qvm-add-template.md             |  3 +-
 .../3.2/dom0}/qvm-backup-restore.md           |  3 +-
 .../3.2/dom0}/qvm-backup.md                   |  3 +-
 .../3.2/dom0}/qvm-block.md                    |  4 +-
 .../3.2/dom0}/qvm-clone.md                    |  3 +-
 .../3.2/dom0}/qvm-create-default-dvm.md       |  3 +-
 .../3.2/dom0}/qvm-create.md                   |  3 +-
 .../3.2/dom0}/qvm-firewall.md                 |  3 +-
 .../3.2/dom0}/qvm-grow-private.md             |  3 +-
 .../3.2/dom0}/qvm-kill.md                     |  3 +-
 .../{dom0-tools => tools/3.2/dom0}/qvm-ls.md  |  3 +-
 .../{dom0-tools => tools/3.2/dom0}/qvm-pci.md |  3 +-
 .../3.2/dom0}/qvm-prefs.md                    |  3 +-
 .../3.2/dom0}/qvm-remove.md                   |  3 +-
 .../3.2/dom0}/qvm-revert-template-changes.md  |  3 +-
 .../{dom0-tools => tools/3.2/dom0}/qvm-run.md |  3 +-
 .../3.2/dom0}/qvm-service.md                  |  3 +-
 .../3.2/dom0}/qvm-shutdown.md                 |  3 +-
 .../3.2/dom0}/qvm-start.md                    |  3 +-
 .../3.2/dom0}/qvm-sync-appmenus.md            |  3 +-
 .../3.2/dom0}/qvm-template-commit.md          |  3 +-
 reference/tools/3.2/domU.md                   | 19 +++++++++
 .../3.2/domU}/qvm-copy-to-vm.md               |  3 +-
 .../3.2/domU}/qvm-open-in-dvm.md              |  3 +-
 .../3.2/domU}/qvm-open-in-vm.md               |  3 +-
 .../{vm-tools => tools/3.2/domU}/qvm-run.md   |  3 +-
 reference/tools/4.0/dom0.md                   | 14 +++++++
 reference/tools/4.0/domU.md                   | 14 +++++++
 reference/tools/tools-3.2.md                  | 13 +++++++
 reference/tools/tools-4.0.md                  | 13 +++++++
 reference/vm-tools.md                         | 17 --------
 38 files changed, 186 insertions(+), 84 deletions(-)
 delete mode 100644 reference/dom0-tools.md
 create mode 100644 reference/tools.md
 create mode 100644 reference/tools/3.2/dom0.md
 rename reference/{dom0-tools => tools/3.2/dom0}/qubes-dom0-update.md (92%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qubes-prefs.md (88%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-add-appvm.md (91%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-add-template.md (90%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-backup-restore.md (94%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-backup.md (89%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-block.md (90%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-clone.md (90%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-create-default-dvm.md (92%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-create.md (95%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-firewall.md (94%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-grow-private.md (87%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-kill.md (88%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-ls.md (93%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-pci.md (92%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-prefs.md (99%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-remove.md (90%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-revert-template-changes.md (86%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-run.md (95%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-service.md (98%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-shutdown.md (91%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-start.md (91%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-sync-appmenus.md (88%)
 rename reference/{dom0-tools => tools/3.2/dom0}/qvm-template-commit.md (86%)
 create mode 100644 reference/tools/3.2/domU.md
 rename reference/{vm-tools => tools/3.2/domU}/qvm-copy-to-vm.md (88%)
 rename reference/{vm-tools => tools/3.2/domU}/qvm-open-in-dvm.md (86%)
 rename reference/{vm-tools => tools/3.2/domU}/qvm-open-in-vm.md (86%)
 rename reference/{vm-tools => tools/3.2/domU}/qvm-run.md (89%)
 create mode 100644 reference/tools/4.0/dom0.md
 create mode 100644 reference/tools/4.0/domU.md
 create mode 100644 reference/tools/tools-3.2.md
 create mode 100644 reference/tools/tools-4.0.md
 delete mode 100644 reference/vm-tools.md

diff --git a/doc.md b/doc.md
index 154fc482..08ddea76 100644
--- a/doc.md
+++ b/doc.md
@@ -176,8 +176,10 @@ Troubleshooting
 
 Reference Pages
 ---------------
- * [Dom0 Command-Line Tools](/doc/dom0-tools/)
- * [DomU Command-Line Tools](/doc/vm-tools/)
+ * [Command-Line Tools: Qubes 3.2, dom0](/doc/tools/3.2/dom0/)
+ * [Command-Line Tools: Qubes 3.2, domU](/doc/tools/3.2/domU/)
+ * [Command-Line Tools: Qubes 4.0, dom0](/doc/tools/4.0/dom0/)
+ * [Command-Line Tools: Qubes 4.0, domU](/doc/tools/4.0/domU/)
  * [Glossary of Qubes Terminology](/doc/glossary/)
  * [Qubes Service Framework](/doc/qubes-service/)
  * [Command Execution in VMs (and Qubes RPC)](/doc/qrexec/)
diff --git a/reference/dom0-tools.md b/reference/dom0-tools.md
deleted file mode 100644
index 458ec2ab..00000000
--- a/reference/dom0-tools.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-layout: doc
-title: Dom0 Tools
-permalink: /doc/dom0-tools/
-redirect_from:
-- /en/doc/dom0-tools/
-- /doc/DomZeroTools/
-- /wiki/DomZeroTools/
----
-
-QVM-tools:
-
--   [qubes-dom0-update](/doc/dom0-tools/qubes-dom0-update/)
--   [qubes-prefs](/doc/dom0-tools/qubes-prefs/)
--   [qvm-add-appvm](/doc/dom0-tools/qvm-add-appvm/)
--   [qvm-add-template](/doc/dom0-tools/qvm-add-template/)
--   [qvm-backup-restore](/doc/dom0-tools/qvm-backup-restore/)
--   [qvm-backup](/doc/dom0-tools/qvm-backup/)
--   [qvm-block](/doc/dom0-tools/qvm-block/)
--   [qvm-clone](/doc/dom0-tools/qvm-clone/)
--   [qvm-create-default-dvm](/doc/dom0-tools/qvm-create-default-dvm/)
--   [qvm-create](/doc/dom0-tools/qvm-create/)
--   [qvm-firewall](/doc/dom0-tools/qvm-firewall/)
--   [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/)
--   [qvm-ls](/doc/dom0-tools/qvm-ls/)
--   [qvm-kill](/doc/dom0-tools/qvm-kill/)
--   [qvm-pci](/doc/dom0-tools/qvm-pci/)
--   [qvm-prefs](/doc/dom0-tools/qvm-prefs/)
--   [qvm-remove](/doc/dom0-tools/qvm-remove/)
--   [qvm-revert-template-changes](/doc/dom0-tools/qvm-revert-template-changes/)
--   [qvm-run](/doc/dom0-tools/qvm-run/)
--   [qvm-service](/doc/dom0-tools/qvm-service/)
--   [qvm-shutdown](/doc/dom0-tools/qvm-shutdown/)
--   [qvm-start](/doc/dom0-tools/qvm-start/)
--   [qvm-sync-appmenus](/doc/dom0-tools/qvm-sync-appmenus/)
--   [qvm-template-commit](/doc/dom0-tools/qvm-template-commit/)
-
diff --git a/reference/tools.md b/reference/tools.md
new file mode 100644
index 00000000..5febc899
--- /dev/null
+++ b/reference/tools.md
@@ -0,0 +1,13 @@
+---
+layout: doc
+title: Command-Line Tools
+permalink: /doc/tools/
+---
+
+Command-Line Tools
+==================
+
+Please see the page for your version of Qubes OS:
+
+ * [Qubes 4.0 Command-Line Tools](/doc/tools/4.0)
+ * [Qubes 3.2 Command-Line Tools](/doc/tools/3.2)
diff --git a/reference/tools/3.2/dom0.md b/reference/tools/3.2/dom0.md
new file mode 100644
index 00000000..331c0754
--- /dev/null
+++ b/reference/tools/3.2/dom0.md
@@ -0,0 +1,39 @@
+---
+layout: doc
+title: Dom0 Command-Line Tools for Qubes 3.2
+permalink: /doc/tools/3.2/dom0/
+redirect_from:
+- /doc/tools/3.2/dom0/
+- /en/doc/tools/3.2/dom0/
+- /doc/DomZeroTools/
+- /wiki/DomZeroTools/
+---
+
+Dom0 Command-Line Tools for Qubes 3.2
+=====================================
+
+ * [qubes-dom0-update](/doc/tools/3.2/dom0/qubes-dom0-update/)
+ * [qubes-prefs](/doc/tools/3.2/dom0/qubes-prefs/)
+ * [qvm-add-appvm](/doc/tools/3.2/dom0/qvm-add-appvm/)
+ * [qvm-add-template](/doc/tools/3.2/dom0/qvm-add-template/)
+ * [qvm-backup-restore](/doc/tools/3.2/dom0/qvm-backup-restore/)
+ * [qvm-backup](/doc/tools/3.2/dom0/qvm-backup/)
+ * [qvm-block](/doc/tools/3.2/dom0/qvm-block/)
+ * [qvm-clone](/doc/tools/3.2/dom0/qvm-clone/)
+ * [qvm-create-default-dvm](/doc/tools/3.2/dom0/qvm-create-default-dvm/)
+ * [qvm-create](/doc/tools/3.2/dom0/qvm-create/)
+ * [qvm-firewall](/doc/tools/3.2/dom0/qvm-firewall/)
+ * [qvm-grow-private](/doc/tools/3.2/dom0/qvm-grow-private/)
+ * [qvm-ls](/doc/tools/3.2/dom0/qvm-ls/)
+ * [qvm-kill](/doc/tools/3.2/dom0/qvm-kill/)
+ * [qvm-pci](/doc/tools/3.2/dom0/qvm-pci/)
+ * [qvm-prefs](/doc/tools/3.2/dom0/qvm-prefs/)
+ * [qvm-remove](/doc/tools/3.2/dom0/qvm-remove/)
+ * [qvm-revert-template-changes](/doc/tools/3.2/dom0/qvm-revert-template-changes/)
+ * [qvm-run](/doc/tools/3.2/dom0/qvm-run/)
+ * [qvm-service](/doc/tools/3.2/dom0/qvm-service/)
+ * [qvm-shutdown](/doc/tools/3.2/dom0/qvm-shutdown/)
+ * [qvm-start](/doc/tools/3.2/dom0/qvm-start/)
+ * [qvm-sync-appmenus](/doc/tools/3.2/dom0/qvm-sync-appmenus/)
+ * [qvm-template-commit](/doc/tools/3.2/dom0/qvm-template-commit/)
+
diff --git a/reference/dom0-tools/qubes-dom0-update.md b/reference/tools/3.2/dom0/qubes-dom0-update.md
similarity index 92%
rename from reference/dom0-tools/qubes-dom0-update.md
rename to reference/tools/3.2/dom0/qubes-dom0-update.md
index 03e3673e..97def7e6 100644
--- a/reference/dom0-tools/qubes-dom0-update.md
+++ b/reference/tools/3.2/dom0/qubes-dom0-update.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qubes-dom0-update
-permalink: /doc/dom0-tools/qubes-dom0-update/
+permalink: /doc/tools/3.2/dom0/qubes-dom0-update/
 redirect_from:
+- /doc/dom0-tools/qubes-dom0-update/
 - /en/doc/dom0-tools/qubes-dom0-update/
 - /doc/Dom0Tools/QubesDom0Update/
 - /wiki/Dom0Tools/QubesDom0Update/
diff --git a/reference/dom0-tools/qubes-prefs.md b/reference/tools/3.2/dom0/qubes-prefs.md
similarity index 88%
rename from reference/dom0-tools/qubes-prefs.md
rename to reference/tools/3.2/dom0/qubes-prefs.md
index fe19f160..5368466f 100644
--- a/reference/dom0-tools/qubes-prefs.md
+++ b/reference/tools/3.2/dom0/qubes-prefs.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qubes-prefs
-permalink: /doc/dom0-tools/qubes-prefs/
+permalink: /doc/tools/3.2/dom0/qubes-prefs/
 redirect_from:
+- /doc/dom0-tools/qubes-prefs/
 - /en/doc/dom0-tools/qubes-prefs/
 - /doc/Dom0Tools/QubesPrefs/
 - /wiki/Dom0Tools/QubesPrefs/
diff --git a/reference/dom0-tools/qvm-add-appvm.md b/reference/tools/3.2/dom0/qvm-add-appvm.md
similarity index 91%
rename from reference/dom0-tools/qvm-add-appvm.md
rename to reference/tools/3.2/dom0/qvm-add-appvm.md
index bd86d695..d061900e 100644
--- a/reference/dom0-tools/qvm-add-appvm.md
+++ b/reference/tools/3.2/dom0/qvm-add-appvm.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-add-appvm
-permalink: /doc/dom0-tools/qvm-add-appvm/
+permalink: /doc/tools/3.2/dom0/qvm-add-appvm/
 redirect_from:
+- /doc/dom0-tools/qvm-add-appvm/
 - /en/doc/dom0-tools/qvm-add-appvm/
 - /doc/Dom0Tools/QvmAddAppvm/
 - /wiki/Dom0Tools/QvmAddAppvm/
diff --git a/reference/dom0-tools/qvm-add-template.md b/reference/tools/3.2/dom0/qvm-add-template.md
similarity index 90%
rename from reference/dom0-tools/qvm-add-template.md
rename to reference/tools/3.2/dom0/qvm-add-template.md
index 2bef4299..81badcb2 100644
--- a/reference/dom0-tools/qvm-add-template.md
+++ b/reference/tools/3.2/dom0/qvm-add-template.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-add-template
-permalink: /doc/dom0-tools/qvm-add-template/
+permalink: /doc/tools/3.2/dom0/qvm-add-template/
 redirect_from:
+- /doc/dom0-tools/qvm-add-template/
 - /en/doc/dom0-tools/qvm-add-template/
 - /doc/Dom0Tools/QvmAddTemplate/
 - /wiki/Dom0Tools/QvmAddTemplate/
diff --git a/reference/dom0-tools/qvm-backup-restore.md b/reference/tools/3.2/dom0/qvm-backup-restore.md
similarity index 94%
rename from reference/dom0-tools/qvm-backup-restore.md
rename to reference/tools/3.2/dom0/qvm-backup-restore.md
index a1907025..5456f460 100644
--- a/reference/dom0-tools/qvm-backup-restore.md
+++ b/reference/tools/3.2/dom0/qvm-backup-restore.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-backup-restore
-permalink: /doc/dom0-tools/qvm-backup-restore/
+permalink: /doc/tools/3.2/dom0/qvm-backup-restore/
 redirect_from:
+- /doc/dom0-tools/qvm-backup-restore/
 - /en/doc/dom0-tools/qvm-backup-restore/
 - /doc/Dom0Tools/QvmBackupRestore/
 - /wiki/Dom0Tools/QvmBackupRestore/
diff --git a/reference/dom0-tools/qvm-backup.md b/reference/tools/3.2/dom0/qvm-backup.md
similarity index 89%
rename from reference/dom0-tools/qvm-backup.md
rename to reference/tools/3.2/dom0/qvm-backup.md
index a260317b..e5ff645c 100644
--- a/reference/dom0-tools/qvm-backup.md
+++ b/reference/tools/3.2/dom0/qvm-backup.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-backup
-permalink: /doc/dom0-tools/qvm-backup/
+permalink: /doc/tools/3.2/dom0/qvm-backup/
 redirect_from:
+- /doc/dom0-tools/qvm-backup/
 - /en/doc/dom0-tools/qvm-backup/
 - /doc/Dom0Tools/QvmBackup/
 - /wiki/Dom0Tools/QvmBackup/
diff --git a/reference/dom0-tools/qvm-block.md b/reference/tools/3.2/dom0/qvm-block.md
similarity index 90%
rename from reference/dom0-tools/qvm-block.md
rename to reference/tools/3.2/dom0/qvm-block.md
index efa3c1b1..25dcc759 100644
--- a/reference/dom0-tools/qvm-block.md
+++ b/reference/tools/3.2/dom0/qvm-block.md
@@ -1,8 +1,10 @@
 ---
 layout: doc
 title: qvm-block
-permalink: /doc/dom0-tools/qvm-block/
+permalink: /doc/tools/3.2/dom0/qvm-block/
 redirect_from:
+- /doc/dom0-tools/qvm-block/
+- /doc/dom0-tools/qvm-block/
 - /en/doc/dom0-tools/qvm-block/
 - /doc/Dom0Tools/QvmBlock/
 - /wiki/Dom0Tools/QvmBlock/
diff --git a/reference/dom0-tools/qvm-clone.md b/reference/tools/3.2/dom0/qvm-clone.md
similarity index 90%
rename from reference/dom0-tools/qvm-clone.md
rename to reference/tools/3.2/dom0/qvm-clone.md
index c3abd934..9ea56033 100644
--- a/reference/dom0-tools/qvm-clone.md
+++ b/reference/tools/3.2/dom0/qvm-clone.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-clone
-permalink: /doc/dom0-tools/qvm-clone/
+permalink: /doc/tools/3.2/dom0/qvm-clone/
 redirect_from:
+- /doc/dom0-tools/qvm-clone/
 - /en/doc/dom0-tools/qvm-clone/
 - /doc/Dom0Tools/QvmClone/
 - /wiki/Dom0Tools/QvmClone/
diff --git a/reference/dom0-tools/qvm-create-default-dvm.md b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
similarity index 92%
rename from reference/dom0-tools/qvm-create-default-dvm.md
rename to reference/tools/3.2/dom0/qvm-create-default-dvm.md
index fe907fda..efd61e31 100644
--- a/reference/dom0-tools/qvm-create-default-dvm.md
+++ b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-create-default-dvm
-permalink: /doc/dom0-tools/qvm-create-default-dvm/
+permalink: /doc/tools/3.2/dom0/qvm-create-default-dvm/
 redirect_from:
+- /doc/dom0-tools/qvm-create-default-dvm/
 - /en/doc/dom0-tools/qvm-create-default-dvm/
 - /doc/Dom0Tools/QvmCreateDefaultDvm/
 - /wiki/Dom0Tools/QvmCreateDefaultDvm/
diff --git a/reference/dom0-tools/qvm-create.md b/reference/tools/3.2/dom0/qvm-create.md
similarity index 95%
rename from reference/dom0-tools/qvm-create.md
rename to reference/tools/3.2/dom0/qvm-create.md
index 037fcdba..ea8db752 100644
--- a/reference/dom0-tools/qvm-create.md
+++ b/reference/tools/3.2/dom0/qvm-create.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-create
-permalink: /doc/dom0-tools/qvm-create/
+permalink: /doc/tools/3.2/dom0/qvm-create/
 redirect_from:
+- /doc/dom0-tools/qvm-create/
 - /en/doc/dom0-tools/qvm-create/
 - /doc/Dom0Tools/QvmCreate/
 - /wiki/Dom0Tools/QvmCreate/
diff --git a/reference/dom0-tools/qvm-firewall.md b/reference/tools/3.2/dom0/qvm-firewall.md
similarity index 94%
rename from reference/dom0-tools/qvm-firewall.md
rename to reference/tools/3.2/dom0/qvm-firewall.md
index ff1b5cab..bcc9cae2 100644
--- a/reference/dom0-tools/qvm-firewall.md
+++ b/reference/tools/3.2/dom0/qvm-firewall.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-firewall
-permalink: /doc/dom0-tools/qvm-firewall/
+permalink: /doc/tools/3.2/dom0/qvm-firewall/
 redirect_from:
+- /doc/dom0-tools/qvm-firewall/
 - /en/doc/dom0-tools/qvm-firewall/
 - /doc/Dom0Tools/QvmFirewall/
 - /wiki/Dom0Tools/QvmFirewall/
diff --git a/reference/dom0-tools/qvm-grow-private.md b/reference/tools/3.2/dom0/qvm-grow-private.md
similarity index 87%
rename from reference/dom0-tools/qvm-grow-private.md
rename to reference/tools/3.2/dom0/qvm-grow-private.md
index 360a3a5e..6b93a87c 100644
--- a/reference/dom0-tools/qvm-grow-private.md
+++ b/reference/tools/3.2/dom0/qvm-grow-private.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-grow-private
-permalink: /doc/dom0-tools/qvm-grow-private/
+permalink: /doc/tools/3.2/dom0/qvm-grow-private/
 redirect_from:
+- /doc/dom0-tools/qvm-grow-private/
 - /en/doc/dom0-tools/qvm-grow-private/
 - /doc/Dom0Tools/QvmGrowPrivate/
 - /wiki/Dom0Tools/QvmGrowPrivate/
diff --git a/reference/dom0-tools/qvm-kill.md b/reference/tools/3.2/dom0/qvm-kill.md
similarity index 88%
rename from reference/dom0-tools/qvm-kill.md
rename to reference/tools/3.2/dom0/qvm-kill.md
index cff5f038..9903453a 100644
--- a/reference/dom0-tools/qvm-kill.md
+++ b/reference/tools/3.2/dom0/qvm-kill.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-kill
-permalink: /doc/dom0-tools/qvm-kill/
+permalink: /doc/tools/3.2/dom0/qvm-kill/
 redirect_from:
+- /doc/dom0-tools/qvm-kill/
 - /en/doc/dom0-tools/qvm-kill/
 - /doc/Dom0Tools/QvmKill/
 - /wiki/Dom0Tools/QvmKill/
diff --git a/reference/dom0-tools/qvm-ls.md b/reference/tools/3.2/dom0/qvm-ls.md
similarity index 93%
rename from reference/dom0-tools/qvm-ls.md
rename to reference/tools/3.2/dom0/qvm-ls.md
index 643a19ef..13f4917f 100644
--- a/reference/dom0-tools/qvm-ls.md
+++ b/reference/tools/3.2/dom0/qvm-ls.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-ls
-permalink: /doc/dom0-tools/qvm-ls/
+permalink: /doc/tools/3.2/dom0/qvm-ls/
 redirect_from:
+- /doc/dom0-tools/qvm-ls/
 - /en/doc/dom0-tools/qvm-ls/
 - /doc/Dom0Tools/QvmLs/
 - /wiki/Dom0Tools/QvmLs/
diff --git a/reference/dom0-tools/qvm-pci.md b/reference/tools/3.2/dom0/qvm-pci.md
similarity index 92%
rename from reference/dom0-tools/qvm-pci.md
rename to reference/tools/3.2/dom0/qvm-pci.md
index 5dba5aee..d7aa69b1 100644
--- a/reference/dom0-tools/qvm-pci.md
+++ b/reference/tools/3.2/dom0/qvm-pci.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-pci
-permalink: /doc/dom0-tools/qvm-pci/
+permalink: /doc/tools/3.2/dom0/qvm-pci/
 redirect_from:
+- /doc/dom0-tools/qvm-pci/
 - /en/doc/dom0-tools/qvm-pci/
 - /doc/Dom0Tools/QvmPci/
 - /wiki/Dom0Tools/QvmPci/
diff --git a/reference/dom0-tools/qvm-prefs.md b/reference/tools/3.2/dom0/qvm-prefs.md
similarity index 99%
rename from reference/dom0-tools/qvm-prefs.md
rename to reference/tools/3.2/dom0/qvm-prefs.md
index eb053384..32850812 100644
--- a/reference/dom0-tools/qvm-prefs.md
+++ b/reference/tools/3.2/dom0/qvm-prefs.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-prefs
-permalink: /doc/dom0-tools/qvm-prefs/
+permalink: /doc/tools/3.2/dom0/qvm-prefs/
 redirect_from:
+- /doc/dom0-tools/qvm-prefs/
 - /en/doc/dom0-tools/qvm-prefs/
 - /doc/Dom0Tools/QvmPrefs/
 - /wiki/Dom0Tools/QvmPrefs/
diff --git a/reference/dom0-tools/qvm-remove.md b/reference/tools/3.2/dom0/qvm-remove.md
similarity index 90%
rename from reference/dom0-tools/qvm-remove.md
rename to reference/tools/3.2/dom0/qvm-remove.md
index 4e436dea..412ef8c3 100644
--- a/reference/dom0-tools/qvm-remove.md
+++ b/reference/tools/3.2/dom0/qvm-remove.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-remove
-permalink: /doc/dom0-tools/qvm-remove/
+permalink: /doc/tools/3.2/dom0/qvm-remove/
 redirect_from:
+- /doc/dom0-tools/qvm-remove/
 - /en/doc/dom0-tools/qvm-remove/
 - /doc/Dom0Tools/QvmRemove/
 - /wiki/Dom0Tools/QvmRemove/
diff --git a/reference/dom0-tools/qvm-revert-template-changes.md b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
similarity index 86%
rename from reference/dom0-tools/qvm-revert-template-changes.md
rename to reference/tools/3.2/dom0/qvm-revert-template-changes.md
index 355d2e26..a0f62648 100644
--- a/reference/dom0-tools/qvm-revert-template-changes.md
+++ b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-revert-template-changes
-permalink: /doc/dom0-tools/qvm-revert-template-changes/
+permalink: /doc/tools/3.2/dom0/qvm-revert-template-changes/
 redirect_from:
+- /doc/dom0-tools/qvm-revert-template-changes/
 - /en/doc/dom0-tools/qvm-revert-template-changes/
 - /doc/Dom0Tools/QvmRevertTemplateChanges/
 - /wiki/Dom0Tools/QvmRevertTemplateChanges/
diff --git a/reference/dom0-tools/qvm-run.md b/reference/tools/3.2/dom0/qvm-run.md
similarity index 95%
rename from reference/dom0-tools/qvm-run.md
rename to reference/tools/3.2/dom0/qvm-run.md
index eb7e8b8c..aee15e02 100644
--- a/reference/dom0-tools/qvm-run.md
+++ b/reference/tools/3.2/dom0/qvm-run.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-run
-permalink: /doc/dom0-tools/qvm-run/
+permalink: /doc/tools/3.2/dom0/qvm-run/
 redirect_from:
+- /doc/dom0-tools/qvm-run/
 - /en/doc/dom0-tools/qvm-run/
 - /doc/Dom0Tools/QvmRun/
 - /wiki/Dom0Tools/QvmRun/
diff --git a/reference/dom0-tools/qvm-service.md b/reference/tools/3.2/dom0/qvm-service.md
similarity index 98%
rename from reference/dom0-tools/qvm-service.md
rename to reference/tools/3.2/dom0/qvm-service.md
index e077265b..1d5b8192 100644
--- a/reference/dom0-tools/qvm-service.md
+++ b/reference/tools/3.2/dom0/qvm-service.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-service
-permalink: /doc/dom0-tools/qvm-service/
+permalink: /doc/tools/3.2/dom0/qvm-service/
 redirect_from:
+- /doc/dom0-tools/qvm-service/
 - /en/doc/dom0-tools/qvm-service/
 - /doc/Dom0Tools/QvmService/
 - /wiki/Dom0Tools/QvmService/
diff --git a/reference/dom0-tools/qvm-shutdown.md b/reference/tools/3.2/dom0/qvm-shutdown.md
similarity index 91%
rename from reference/dom0-tools/qvm-shutdown.md
rename to reference/tools/3.2/dom0/qvm-shutdown.md
index 1cd80810..d6769487 100644
--- a/reference/dom0-tools/qvm-shutdown.md
+++ b/reference/tools/3.2/dom0/qvm-shutdown.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-shutdown
-permalink: /doc/dom0-tools/qvm-shutdown/
+permalink: /doc/tools/3.2/dom0/qvm-shutdown/
 redirect_from:
+- /doc/dom0-tools/qvm-shutdown/
 - /en/doc/dom0-tools/qvm-shutdown/
 - /doc/Dom0Tools/QvmShutdown/
 - /wiki/Dom0Tools/QvmShutdown/
diff --git a/reference/dom0-tools/qvm-start.md b/reference/tools/3.2/dom0/qvm-start.md
similarity index 91%
rename from reference/dom0-tools/qvm-start.md
rename to reference/tools/3.2/dom0/qvm-start.md
index c66afa89..fc3cbfb5 100644
--- a/reference/dom0-tools/qvm-start.md
+++ b/reference/tools/3.2/dom0/qvm-start.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-start
-permalink: /doc/dom0-tools/qvm-start/
+permalink: /doc/tools/3.2/dom0/qvm-start/
 redirect_from:
+- /doc/dom0-tools/qvm-start/
 - /en/doc/dom0-tools/qvm-start/
 - /doc/Dom0Tools/QvmStart/
 - /wiki/Dom0Tools/QvmStart/
diff --git a/reference/dom0-tools/qvm-sync-appmenus.md b/reference/tools/3.2/dom0/qvm-sync-appmenus.md
similarity index 88%
rename from reference/dom0-tools/qvm-sync-appmenus.md
rename to reference/tools/3.2/dom0/qvm-sync-appmenus.md
index f1cee881..16095b72 100644
--- a/reference/dom0-tools/qvm-sync-appmenus.md
+++ b/reference/tools/3.2/dom0/qvm-sync-appmenus.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-sync-appmenus
-permalink: /doc/dom0-tools/qvm-sync-appmenus/
+permalink: /doc/tools/3.2/dom0/qvm-sync-appmenus/
 redirect_from:
+- /doc/dom0-tools/qvm-sync-appmenus/
 - /en/doc/dom0-tools/qvm-sync-appmenus/
 - /doc/Dom0Tools/QvmSyncAppmenus/
 - /wiki/Dom0Tools/QvmSyncAppmenus/
diff --git a/reference/dom0-tools/qvm-template-commit.md b/reference/tools/3.2/dom0/qvm-template-commit.md
similarity index 86%
rename from reference/dom0-tools/qvm-template-commit.md
rename to reference/tools/3.2/dom0/qvm-template-commit.md
index c0cdd8e5..12d4b19c 100644
--- a/reference/dom0-tools/qvm-template-commit.md
+++ b/reference/tools/3.2/dom0/qvm-template-commit.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-template-commit
-permalink: /doc/dom0-tools/qvm-template-commit/
+permalink: /doc/tools/3.2/dom0/qvm-template-commit/
 redirect_from:
+- /doc/dom0-tools/qvm-template-commit/
 - /en/doc/dom0-tools/qvm-template-commit/
 - /doc/Dom0Tools/QvmTemplateCommit/
 - /wiki/Dom0Tools/QvmTemplateCommit/
diff --git a/reference/tools/3.2/domU.md b/reference/tools/3.2/domU.md
new file mode 100644
index 00000000..71ae0db8
--- /dev/null
+++ b/reference/tools/3.2/domU.md
@@ -0,0 +1,19 @@
+---
+layout: doc
+title: DomU Command-Line Tools for Qubes 3.2
+permalink: /doc/tools/3.2/domU/
+redirect_from:
+- /doc/tools/3.2/domU/
+- /en/doc/tools/3.2/domU/
+- /doc/VmTools/
+- /wiki/VmTools/
+---
+
+DomU Command-Line Tools for Qubes 3.2
+=====================================
+
+ * [qvm-copy-to-vm](/doc/tools/3.2/domU/qvm-copy-to-vm/)
+ * [qvm-open-in-dvm](/doc/tools/3.2/domU/qvm-open-in-dvm/)
+ * [qvm-open-in-vm](/doc/tools/3.2/domU/qvm-open-in-vm/)
+ * [qvm-run](/doc/tools/3.2/domU/qvm-run/)
+
diff --git a/reference/vm-tools/qvm-copy-to-vm.md b/reference/tools/3.2/domU/qvm-copy-to-vm.md
similarity index 88%
rename from reference/vm-tools/qvm-copy-to-vm.md
rename to reference/tools/3.2/domU/qvm-copy-to-vm.md
index e9ad5c17..2f720aa6 100644
--- a/reference/vm-tools/qvm-copy-to-vm.md
+++ b/reference/tools/3.2/domU/qvm-copy-to-vm.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-copy-to-vm
-permalink: /doc/vm-tools/qvm-copy-to-vm/
+permalink: /doc/tools/3.2/domU/qvm-copy-to-vm/
 redirect_from:
+- /doc/vm-tools/qvm-copy-to-vm/
 - /en/doc/vm-tools/qvm-copy-to-vm/
 - /doc/VmTools/QvmCopyToVm/
 - /wiki/VmTools/QvmCopyToVm/
diff --git a/reference/vm-tools/qvm-open-in-dvm.md b/reference/tools/3.2/domU/qvm-open-in-dvm.md
similarity index 86%
rename from reference/vm-tools/qvm-open-in-dvm.md
rename to reference/tools/3.2/domU/qvm-open-in-dvm.md
index 17e77d82..53bd4cef 100644
--- a/reference/vm-tools/qvm-open-in-dvm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-dvm.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-open-in-dvm
-permalink: /doc/vm-tools/qvm-open-in-dvm/
+permalink: /doc/tools/3.2/domU/qvm-open-in-dvm/
 redirect_from:
+- /doc/vm-tools/qvm-open-in-dvm/
 - /en/doc/vm-tools/qvm-open-in-dvm/
 - /doc/VmTools/QvmOpenInDvm/
 - /wiki/VmTools/QvmOpenInDvm/
diff --git a/reference/vm-tools/qvm-open-in-vm.md b/reference/tools/3.2/domU/qvm-open-in-vm.md
similarity index 86%
rename from reference/vm-tools/qvm-open-in-vm.md
rename to reference/tools/3.2/domU/qvm-open-in-vm.md
index c8259c9b..80fa4a57 100644
--- a/reference/vm-tools/qvm-open-in-vm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-vm.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-open-in-vm
-permalink: /doc/vm-tools/qvm-open-in-vm/
+permalink: /doc/tools/3.2/domU/qvm-open-in-vm/
 redirect_from:
+- /doc/vm-tools/qvm-open-in-vm/
 - /en/doc/vm-tools/qvm-open-in-vm/
 - /doc/VmTools/QvmOpenInVm/
 - /wiki/VmTools/QvmOpenInVm/
diff --git a/reference/vm-tools/qvm-run.md b/reference/tools/3.2/domU/qvm-run.md
similarity index 89%
rename from reference/vm-tools/qvm-run.md
rename to reference/tools/3.2/domU/qvm-run.md
index 84a2a8bc..7ef27ea3 100644
--- a/reference/vm-tools/qvm-run.md
+++ b/reference/tools/3.2/domU/qvm-run.md
@@ -1,8 +1,9 @@
 ---
 layout: doc
 title: qvm-run
-permalink: /doc/vm-tools/qvm-run/
+permalink: /doc/tools/3.2/domU/qvm-run/
 redirect_from:
+- /doc/vm-tools/qvm-run/
 - /en/doc/vm-tools/qvm-run/
 - /doc/VmTools/QvmRun/
 - /wiki/VmTools/QvmRun/
diff --git a/reference/tools/4.0/dom0.md b/reference/tools/4.0/dom0.md
new file mode 100644
index 00000000..3fb9d427
--- /dev/null
+++ b/reference/tools/4.0/dom0.md
@@ -0,0 +1,14 @@
+---
+layout: doc
+title: Dom0 Command-Line Tools for Qubes 4.0
+permalink: /doc/tools/4.0/dom0/
+---
+
+Dom0 Command-Line Tools for Qubes 4.0
+=====================================
+
+Reference pages for these tools are being written.
+This page will be updated when they're available.
+
+Tracking issue: <https://github.com/QubesOS/qubes-issues/issues/3538>
+
diff --git a/reference/tools/4.0/domU.md b/reference/tools/4.0/domU.md
new file mode 100644
index 00000000..a2ac1716
--- /dev/null
+++ b/reference/tools/4.0/domU.md
@@ -0,0 +1,14 @@
+---
+layout: doc
+title: DomU Command-Line Tools for Qubes 4.0
+permalink: /doc/tools/4.0/domU/
+---
+
+DomU Command-Line Tools for Qubes 4.0
+=====================================
+
+Reference pages for these tools are being written.
+This page will be updated when they're available.
+
+Tracking issue: <https://github.com/QubesOS/qubes-issues/issues/3538>
+
diff --git a/reference/tools/tools-3.2.md b/reference/tools/tools-3.2.md
new file mode 100644
index 00000000..47ffd430
--- /dev/null
+++ b/reference/tools/tools-3.2.md
@@ -0,0 +1,13 @@
+---
+layout: doc
+title: Qubes 3.2 Command-Line Tools
+permalink: /doc/tools/3.2/
+---
+
+Qubes 3.2 Command-Line Tools
+============================
+
+Please see the page for your desired domain:
+
+ * [Dom0 Command-Line Tools](/doc/tools/3.2/dom0/)
+ * [DomU Command-Line Tools](/doc/tools/3.2/domU/)
diff --git a/reference/tools/tools-4.0.md b/reference/tools/tools-4.0.md
new file mode 100644
index 00000000..1bd1937e
--- /dev/null
+++ b/reference/tools/tools-4.0.md
@@ -0,0 +1,13 @@
+---
+layout: doc
+title: Qubes 4.0 Command-Line Tools
+permalink: /doc/tools/4.0/
+---
+
+Qubes 4.0 Command-Line Tools
+============================
+
+Please see the page for your desired domain:
+
+ * [Dom0 Command-Line Tools](/doc/tools/4.0/dom0/)
+ * [DomU Command-Line Tools](/doc/tools/4.0/domU/)
diff --git a/reference/vm-tools.md b/reference/vm-tools.md
deleted file mode 100644
index bca5a278..00000000
--- a/reference/vm-tools.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-layout: doc
-title: VM Tools
-permalink: /doc/vm-tools/
-redirect_from:
-- /en/doc/vm-tools/
-- /doc/VmTools/
-- /wiki/VmTools/
----
-
-VM tools:
-
--   [qvm-copy-to-vm](/doc/vm-tools/qvm-copy-to-vm/)
--   [qvm-open-in-dvm](/doc/vm-tools/qvm-open-in-dvm/)
--   [qvm-open-in-vm](/doc/vm-tools/qvm-open-in-vm/)
--   [qvm-run](/doc/vm-tools/qvm-run/)
-

From 04c4b043dae34ff040ee2f745a1aa57e05528c7e Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 4 Feb 2018 17:46:19 -0600
Subject: [PATCH 097/125] Fix link

---
 basics_user/getting-started.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/basics_user/getting-started.md b/basics_user/getting-started.md
index 7a8ebf85..691e8ebd 100644
--- a/basics_user/getting-started.md
+++ b/basics_user/getting-started.md
@@ -58,7 +58,7 @@ Qubes VM Manager and Command Line Tools
 All aspects of the Qubes system can be controlled using command line tools run under a dom0 console. 
 To open a console window in dom0, either go to Start-\>System Tools-\>Konsole or press Alt-F2 and type `konsole`.
 
-Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/dom0-tools/).
+Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/).
 
 ![r2b1-dom0-konsole.png](/attachment/wiki/GettingStarted/r2b1-dom0-konsole.png)
 

From ac45c208f987719c328528dd50b843d2a0c6e4af Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 4 Feb 2018 18:00:34 -0600
Subject: [PATCH 098/125] Update 4.0 release schedule with 4.0-rc4 release date

Closes #562
---
 releases/4.0/schedule.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/releases/4.0/schedule.md b/releases/4.0/schedule.md
index a7ddd34b..ccb5f505 100644
--- a/releases/4.0/schedule.md
+++ b/releases/4.0/schedule.md
@@ -21,5 +21,5 @@ This schedule is based on [Version Scheme](/doc/version-scheme/#release-schedule
 | 27 Nov 2017 | 4.0-rc3 release |
 | 11 Dec 2017 | decide whether 4.0-rc3 is the final 4.0 |
 |  1 Jan 2018 | current-testing freeze before 4.0-rc4 |
-| <strike>8 Jan 2018</strike><br/>TBD | 4.0-rc4 release |
+| <strike>8 Jan 2018</strike><br/>31 Jan 2018 | 4.0-rc4 release |
 | <strike>22 Jan 2018</strike><br/>TBD | decide whether 4.0-rc4 is the final 4.0 |

From a800ae9d1c43d9e4b8604e528f1478329ca4306c Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 4 Feb 2018 23:15:22 -0600
Subject: [PATCH 099/125] Clarify one-sentence-per-line convention

To avoid misunderstanding, e.g.:
https://github.com/QubesOS/qubes-doc/pull/565#issuecomment-362980018
---
 basics_user/doc-guidelines.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index 27869f28..428dd376 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -156,8 +156,8 @@ When making contributions, please try to observe the following style conventions
    * [News] posts (plain text is reproduced on the [mailing lists])
    * URLs that appear inside code blocks (e.g., in comments and document templates)
    * Files like `README.md` and `CONTRIBUTING.md`
- * Insert a newline at the end of each sentence, except when the text will be reproduced outside of the Qubes website repo (see previous item for examples).
-   * Rationale: This practice is most appropriate for source that consists primarily of natural language text.
+ * Insert a newline at, and only at, the end of each sentence, except when the text will be reproduced outside of the Qubes website repo (see previous item for examples).
+   * Rationale: This practice results in one sentence per line, which is most appropriate for source that consists primarily of natural language text.
      It results in the most useful diffs and facilitates translation into other languages while mostly preserving source readability.
  * If appropriate, make numerals in numbered lists match between Markdown source and HTML output.
    * Rationale: In the event that a user is required to read the Markdown source directly, this will make it easier to follow, e.g., numbered steps in a set of instructions.

From 6dda05712e217e37a3975aa7af2c2b8f1469ce4c Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:15:13 +0000
Subject: [PATCH 100/125] add linebreaks, use US spelling of grey

---
 common-tasks/backup-restore.md | 141 +++++++++++++++++++++++----------
 1 file changed, 101 insertions(+), 40 deletions(-)

diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index d07e1e1a..24be5e44 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -11,22 +11,27 @@ redirect_from:
 Qubes Backup, Restoration, and Migration
 ========================================
 
-**Caution:** The Qubes R3.2 backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). Although resolved in R4.0 and higher with the switch to scrypt, it is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups.
+**Caution:** The Qubes R3.2 backup system currently relies on a [weak key derivation scheme](https://github.com/QubesOS/qubes-issues/issues/971). 
+Although resolved in R4.0 and higher with the switch to scrypt, it is *strongly recommended* that users select a *high-entropy* passphrase for use with Qubes backups.
 
 
 With Qubes, it's easy to back up and restore your whole system, as well as to migrate between two physical machines.
 
-As of Qubes R2B3, these functions are integrated into the Qubes VM Manager GUI. There are also two command-line tools available which perform the same functions: [qvm-backup](/doc/dom0-tools/qvm-backup/) and [qvm-backup-restore](/doc/dom0-tools/qvm-backup-restore/).
+As of Qubes R2B3, these functions are integrated into the Qubes VM Manager GUI.
+There are also two command-line tools available which perform the same functions: [qvm-backup](/doc/dom0-tools/qvm-backup/) and [qvm-backup-restore](/doc/dom0-tools/qvm-backup-restore/).
 
 
 Creating a Backup (R4.0 and later)
 -----------------
 
-1. Go to **Applications menu -> System Tools -> Backup Qubes**. This brings up the **Qubes Backup VMs** window.
+1. Go to **Applications menu -> System Tools -> Backup Qubes**.
+This brings up the **Qubes Backup VMs** window.
 
-2. Move the VMs that you want to back up to the right-hand **Selected** column. VMs in the left-hand **Available** column will not be backed up.
+2. Move the VMs that you want to back up to the right-hand **Selected** column.
+VMs in the left-hand **Available** column will not be backed up.
 
-   You may choose whether to compress backups by checking or unchecking the **Compress the backup** box. Normally this should be left on unless you have a specific reason otherwise.
+   You may choose whether to compress backups by checking or unchecking the **Compress the backup** box.
+   Normally this should be left on unless you have a specific reason otherwise.
    
    Once you have selected all desired VMs, click **Next**.
 
@@ -35,9 +40,14 @@ Creating a Backup (R4.0 and later)
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
    If you wish to send your backup to a [USB mass storage device](/doc/usb/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
-   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. This destination directory must already exist. If it does not exist, you must create it manually prior to backing up.
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. 
+   For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right.
+   This destination directory must already exist.
+   If it does not exist, you must create it manually prior to backing up.
 
-   By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
+   By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM.
+   Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM.
+   This can be used to send your backup directly to, e.g., a remote server using SSH.
 
    **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification.
 
@@ -45,18 +55,24 @@ Creating a Backup (R4.0 and later)
    
    **Warning: Saving the settings will result in your backup passphrase being saved in plaintext in dom0, so consider your threat model before checking this box.**
 
-4. You will now see the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+4. You will now see the summary of VMs to be backed up.
+If there are any issues preventing the backup, they will be listed here and the **Next** button grayed out.
 
-5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
+5. When you are ready, click **Next**.
+Qubes will proceed to create your backup. 
+Once the progress bar has completed, you may click **Finish**.
 
 Creating a Backup (R3.2 and earlier)
 -----------------
 
-1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup VMs** in the drop-down list. This brings up the **Qubes Backup VMs** window.
+1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Backup VMs** in the drop-down list.
+This brings up the **Qubes Backup VMs** window.
 
-2. Move the VMs that you want to back up to the right-hand **Selected** column. VMs in the left-hand **Available** column will not be backed up.
+2. Move the VMs that you want to back up to the right-hand **Selected** column. 
+VMs in the left-hand **Available** column will not be backed up.
 
-   **Note:** A VM must be shut down in order to be backed up. Currently running VMs appear in red.
+   **Note:** A VM must be shut down in order to be backed up. 
+   Currently running VMs appear in red.
 
    Once you have selected all desired VMs, click **Next**.
 
@@ -65,78 +81,114 @@ Creating a Backup (R3.2 and earlier)
    If you wish to send your backup to a (currently running) VM, select the VM in the drop-down box next to **Target AppVM**.
    If you wish to send your backup to a [USB mass storage device](/doc/usb/), you can use the directory selection widget to mount a connected device (under "Other locations" item on the left); or first mount the device in a VM, then select the mount point inside that VM as the backup destination.
 
-   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right. If it does not exist, you must create it manually prior to backing up.
+   You must also specify a directory on the device or in the VM, or a command to be executed in the VM as a destination for your backup. 
+   For example, if you wish to send your backup to the `~/backups` folder in the target VM, you would simply browse to it using the convenient directory selection dialog (`...`) at the right.
+   If it does not exist, you must create it manually prior to backing up.
 
-   By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM. This can be used to send your backup directly to, e.g., a remote server using SSH.
+   By specifying the appropriate directory as the destination in a VM, it is possible to send the backup directly to, e.g., a USB mass storage device attached to the VM. 
+   Likewise, it is possible to enter any command as a backup target by specifying the command as the destination in the VM.
+   This can be used to send your backup directly to, e.g., a remote server using SSH.
 
    At this point, you must also choose whether to encrypt your backup by checking or unchecking the **Encrypt backup** box.
 
    **Note:** It is strongly recommended that you opt to encrypt all backups which will be sent to untrusted destinations!
 
-   **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification. If you decide not to encrypt your backup (by unchecking the **Encrypt backup** box), the passphrase you supply will be used **only** for integrity verification. If you supply a passphrase but do not check the **Encrypt backup** box, your backup will **not** be encrypted!
+   **Note:** The supplied passphrase is used for **both** encryption/decryption and integrity verification.
+   If you decide not to encrypt your backup (by unchecking the **Encrypt backup** box), the passphrase you supply will be used **only** for integrity verification.
+   If you supply a passphrase but do not check the **Encrypt backup** box, your backup will **not** be encrypted!
 
-4. You will now see the summary of VMs to be backed up. If there are any issues preventing the backup, they will be listed here and the **Next** button greyed out.
+4. You will now see the summary of VMs to be backed up. 
+If there are any issues preventing the backup, they will be listed here and the **Next** button grayed out.
 
-5. When you are ready, click **Next**. Qubes will proceed to create your backup. Once the progress bar has completed, you may click **Finish**.
+5. When you are ready, click **Next**.
+Qubes will proceed to create your backup. 
+Once the progress bar has completed, you may click **Finish**.
 
 
 Restoring from a Backup (R4.0 and later)
 -----------------------
 
-1. Go to **Applications menu -> System Tools -> Restore Backup**. This brings up the **Qubes Restore VMs** window.
+1. Go to **Applications menu -> System Tools -> Restore Backup**.
+This brings up the **Qubes Restore VMs** window.
 
 2. Select the source location of the backup to be restored:
 
    - If your backup is located on a [USB mass storage device](/doc/usb/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
-   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click it or select it and hit **OK**.
+   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. 
+   If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3.
+   For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder.
+   Once you've located the backup file, double-click it or select it and hit **OK**.
 
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing templates and net VMs**: If any of the VMs in your backup depended upon a NetVM or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
-   2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
+   2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory.
+   If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
+   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data.
+   However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file.
+   See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
-4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
+4. If your backup is encrypted, you must check the **Encrypted backup** box. 
+If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 
-   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification. All backups made from a Qubes R4.0 system will be encrypted.
+   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. 
+   If the backup was not encrypted, the supplied passphrase is used only for integrity verification.
+   All backups made from a Qubes R4.0 system will be encrypted.
 
-5. You will now see the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+5. You will now see the summary of VMs to be restored. 
+If there are any issues preventing the restore, they will be listed here and the **Next** button grayed out.
 
-6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
+6. When you are ready, click **Next**. 
+Qubes will proceed to restore from your backup. 
+Once the progress bar has completed, you may click **Finish**.
 
 Restoring from a Backup (R3.2 and earlier)
 -----------------------
 
-1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore VMs from backup** in the drop-down list. This brings up the **Qubes Restore VMs** window.
+1. In **Qubes VM Manager**, click **System** on the menu bar, then click **Restore VMs from backup** in the drop-down list. 
+This brings up the **Qubes Restore VMs** window.
 
 2. Select the source location of the backup to be restored:
 
    - If your backup is located on a [USB mass storage device](/doc/usb/), attach it first to another VM or select `sys-usb` in the next item.
    - If your backup is located in a (currently running) VM, select the VM in the drop-down box next to **AppVM**.
 
-   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field. If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3. For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. Once you've located the backup file, double-click or select it and hit **OK**.
+   You must also specify the directory and filename of the backup (or a command to be executed in a VM) in the **Backup file** field.
+   If you followed the instructions in the previous section, "Creating a Backup," then your backup is most likely in the location you chose as the destination in step 3.
+   For example, if you had chosen the `~/backups` directory of a VM as your destination in step 3, you would now select the same VM and again browse to (using `...`) the `backups` folder. 
+   Once you've located the backup file, double-click or select it and hit **OK**.
 
 3. There are three options you may select when restoring from a backup:
    1.  **ignore missing**: If any of the VMs in your backup depended upon a NetVM, ProxyVM, or TemplateVM that is not present in (i.e., "missing from") the current system, checking this box will ignore the fact that they are missing and restore the VMs anyway and set them to use the default NetVM and system default template.
-   2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory. If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
-   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
+   2.  **ignore username mismatch**: This option applies only to the restoration of dom0's home directory.
+   If your backup was created on a Qubes system which had a different dom0 username than the dom0 username of the current system, then checking this box will ignore the mismatch between the two usernames and proceed to restore the home directory anyway.
+   3.  **Verify backup integrity, do not restore the data**: This will scan the backup file for corrupted data. 
+   However, it does not currently detect if it is missing data as long as it is a correctly structured, non-corrupted backup file. See [issue #3498](https://github.com/QubesOS/qubes-issues/issues/3498) for more details.
 
-4. If your backup is encrypted, you must check the **Encrypted backup** box. If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
+4. If your backup is encrypted, you must check the **Encrypted backup** box. 
+If a passphrase was supplied during the creation of your backup (regardless of whether it is encrypted), then you must supply it here.
 
-   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. If the backup was not encrypted, the supplied passphrase is used only for integrity verification.
+   **Note:** The passphrase which was supplied when the backup was created was used for **both** encryption/decryption and integrity verification. 
+   If the backup was not encrypted, the supplied passphrase is used only for integrity verification.
 
-   **Note:** A VM cannot be restored from a backup if a VM with the same name already exists on the current system. You must first remove or change the name of any VM with the same name in order to restore such a VM.
+   **Note:** A VM cannot be restored from a backup if a VM with the same name already exists on the current system. 
+   You must first remove or change the name of any VM with the same name in order to restore such a VM.
 
-5. You will now see the summary of VMs to be restored. If there are any issues preventing the restore, they will be listed here and the **Next** button greyed out.
+5. You will now see the summary of VMs to be restored. 
+If there are any issues preventing the restore, they will be listed here and the **Next** button grayed out.
 
-6. When you are ready, click **Next**. Qubes will proceed to restore from your backup. Once the progress bar has completed, you may click **Finish**.
+6. When you are ready, click **Next**. 
+Qubes will proceed to restore from your backup.
+Once the progress bar has completed, you may click **Finish**.
 
 
 Emergency Backup Recovery without Qubes
 ---------------------------------------
 
-The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
+The Qubes backup system has been designed with emergency disaster recovery in mind. 
+No special Qubes-specific tools are required to access data backed up by Qubes.
+In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
 Refer to the following for emergency restore of a backup created on:
 
@@ -148,20 +200,29 @@ Refer to the following for emergency restore of a backup created on:
 Migrating Between Two Physical Machines
 ---------------------------------------
 
-In order to migrate your Qubes system from one physical machine to another, simply follow the backup procedure on the old machine, [install Qubes](/downloads/) on the new machine, and follow the restoration procedure on the new machine. All of your settings and data will be preserved!
+In order to migrate your Qubes system from one physical machine to another, simply follow the backup procedure on the old machine, [install Qubes](/downloads/) on the new machine, and follow the restoration procedure on the new machine.
+All of your settings and data will be preserved!
 
 Choosing a Backup Passphrase
 ----------------------------
 
 Here are some things to consider when selecting a passphrase for your backups:
 
- * If you plan to store the backup for a long time or on third-party servers, you should make sure to use a very long, high-entropy passphrase. (Depending on the decryption passphrase you use for your system drive, this may necessitate selecting a stronger passphrase. If your system drive decryption passphrase is already sufficiently strong, it may not.)
- * An adversary who has access to your backups may try to substitute one backup for another. For example, when you attempt to retrieve a recent backup, the adversary may instead give you a very old backup containing a compromised VM. If you're concerned about this type of attack, you may wish to use a different passphrase for each backup, e.g., by appending a number or date to the passphrase.
- * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong). On the othe hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
+ * If you plan to store the backup for a long time or on third-party servers, you should make sure to use a very long, high-entropy passphrase. 
+ (Depending on the decryption passphrase you use for your system drive, this may necessitate selecting a stronger passphrase. 
+ If your system drive decryption passphrase is already sufficiently strong, it may not.)
+ * An adversary who has access to your backups may try to substitute one backup for another. 
+ For example, when you attempt to retrieve a recent backup, the adversary may instead give you a very old backup containing a compromised VM. 
+ If you're concerned about this type of attack, you may wish to use a different passphrase for each backup, e.g., by appending a number or date to the passphrase.
+ * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong).
+ On the othe hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
 
 Notes
 -----
 
- * The Qubes R3.2 and earlier backup system relies on `openssl enc`, which is known to use a very weak key derivation scheme. The Qubes backup system also uses the same passphrase for authentication and for encryption, which is problematic from a security perspective. Users are advised to use a very high entropy passphrase for Qubes backups. For a full discussion, see [this ticket](https://github.com/QubesOS/qubes-issues/issues/971) and [this thread](https://groups.google.com/d/msg/qubes-devel/CZ7WRwLXcnk/u_rZPoVxL5IJ).
+ * The Qubes R3.2 and earlier backup system relies on `openssl enc`, which is known to use a very weak key derivation scheme.
+ The Qubes backup system also uses the same passphrase for authentication and for encryption, which is problematic from a security perspective.
+ Users are advised to use a very high entropy passphrase for Qubes backups.
+ For a full discussion, see [this ticket](https://github.com/QubesOS/qubes-issues/issues/971) and [this thread](https://groups.google.com/d/msg/qubes-devel/CZ7WRwLXcnk/u_rZPoVxL5IJ).
  * For the technical details of the backup system, please refer to [this thread](https://groups.google.com/d/topic/qubes-devel/TQr_QcXIVww/discussion).
  * If working with symlinks, note the issues described in [this thread](https://groups.google.com/d/topic/qubes-users/EITd1kBHD30/discussion).

From e36fc0ec3bd8216422a1356ffb99c952a4b61478 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:55:34 +0000
Subject: [PATCH 101/125] Fix line breaks and misc spelling

---
 configuration/resize-disk-image.md | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 5aa6321f..dd5aaf25 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -11,7 +11,8 @@ redirect_from:
 Resize Private Disk Image
 -----------------
 
-There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images. See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
+There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images.
+See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
 
 
 ### Private disk image (R4.0)
@@ -46,7 +47,8 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Shrinking private disk image (Linux VM, R3.2)
 
-**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
+**This operation is dangerous and this is why it isn't available in standard Qubes tools.
+If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
 
 The basic idea is to:
 
@@ -55,15 +57,16 @@ The basic idea is to:
 
 Ext4 does not support online shrinking, so it can't be done as conveniently as growing the image.
 Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
-First you need to start VM without `/rw` mounted. One possibility is to interrupt its normal startup
-by adding the `rd.break` kernel option:
+First you need to start VM without `/rw` mounted. 
+One possibility is to interrupt its normal startup by adding the `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
 qvm-start --no-guid <vm-name>
 ~~~
 
-And wait for qrexec connect timeout (or simply press Ctrl-C). Then you can connect to VM console and shrink the filesystem:
+And wait for qrexec connect timeout (or simply press Ctrl-C). 
+Then you can connect to VM console and shrink the filesystem:
 
 ~~~
 sudo xl console <vm-name>
@@ -85,7 +88,9 @@ Now you can resize the image:
 truncate -s <new-desired-size> /var/lib/qubes/appvms/<vm-name>/private.img
 ~~~
 
-**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will loose your data!** Then reset kernel options back to default:
+**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call.
+Otherwise you will lose your data!** 
+Then reset kernel options back to default:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts default
@@ -93,17 +98,18 @@ qvm-prefs -s <vm-name> kernelopts default
 
 Done.
 
->In order to avoid error, you might want to first reduce the filesystem to a smaller size than desired (say 3G), then truncate the image to the target size (for example 4G), and lastly grow the filesystem to the target size. In order to do this, after the `truncate` step, start the vm again in maintenance mode and use the following command to extend the filesystem to the correct size : `resize2fs /dev/xvdb`.
+>In order to avoid error, you might want to first reduce the filesystem to a smaller size than desired (say 3G), then truncate the image to the target size (for example 4G), and lastly grow the filesystem to the target size.
+>In order to do this, after the `truncate` step, start the vm again in maintenance mode and use the following command to extend the filesystem to the correct size : `resize2fs /dev/xvdb`.
 >
->With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk)
+>With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk).
 
 
 OS Specific Follow-up Instructions
 -----------------
 
 After resizing volumes, the partition table and file-system may need to be adjusted.
-Use tools appropriate to the OS in your qube. Brief instructions for Windows 7,
-FreeBSD, and Linux are provided below.
+Use tools appropriate to the OS in your qube.
+Brief instructions for Windows 7, FreeBSD, and Linux are provided below.
 
 #### Windows 7
 

From d6910de8b046f1a35f49edea63cfe6d63acfb04a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:56:51 +0000
Subject: [PATCH 102/125] fix line breaks

---
 configuration/resize-root-disk-image.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index eef31d8b..3c3567b4 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -53,7 +53,9 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Resize a StandaloneVM Root Image (R3.2)
 
-Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` console.
+Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM.
+Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*.
+To do this run `qvm-create --standalone` from `dom0` console.
 
 In `dom0` console run the following command (replace the size and path):
 

From 6f98eb4083a71075d7d8a821ab50e1401b452bd9 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Tue, 6 Feb 2018 01:38:31 -0600
Subject: [PATCH 103/125] Fix link

---
 security/firewall.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/firewall.md b/security/firewall.md
index 6b9898b8..53f0d16b 100644
--- a/security/firewall.md
+++ b/security/firewall.md
@@ -53,7 +53,8 @@ This equates to somewhere between 35 and 39 rules.
 If this limit is exceeded, the qube will not start.
 
 It is possible to work around this limit by enforcing the rules on the qube itself
-by putting appropriate rules in `/rw/config`. See [below](#where-to-put-firewall-rules).
+by putting appropriate rules in `/rw/config`.
+See the "Where to put firewall rules" sections below for [R4.0](#where-to-put-firewall-rules-r40) and [R3.2](#where-to-put-firewall-rules-r32).
 In complex cases, it might be appropriate to load a ruleset using `iptables-restore`
 called from `/rw/config/rc.local`.
 

From f74759eede77b8503a03d3ea24b5a46dafa18307 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 6 Feb 2018 08:08:07 +0000
Subject: [PATCH 104/125] disk-trim 4.0 updates

add introduction
relocate some existing content to introduction
add generic content
add 4.0 and 3.2.1 content
update 3.2 content
remove reference to WONTFIX bug
---
 configuration/disk-trim.md | 84 +++++++++++++++++++++++++++++++++-----
 1 file changed, 74 insertions(+), 10 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index cbb67259..7478fd98 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -8,31 +8,95 @@ redirect_from:
 - /wiki/DiskTRIM/
 ---
 
-VMs have already TRIM enabled by default, but dom0 doesn't. There are some security implications (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but IMO not very serious.
+Disk Trim
+----------
+
+Disk trimming is the procedure by which the operating system informs the underlying storage device of which storage blocks are no longer in use.
+It does this by issuing an `ATA_TRIM` command for the block. This is also known as a `discard`.
+In this way, the storage device can perform garbage collection of the unused blocks and internally prepare them for reuse. SSDs in general benefit from this, while HDDs do not.
+
+In a Linux system running on bare metal, this is relatively straight-forward. 
+When instructed by the operating system, discards are issued by the file-system driver directly to the storage driver and then to the SSD.
+
+In Qubes, this gets more complex due to virtualization, LUKS, and LVM (and thin pools on R4.0 and up).
+If you run `fstrim --all` inside a TemplateVM, the `discard` can follow a path like:
+
+    OS -> File-system Driver -> Virtual Storage Driver -> Backend Storage Driver -> LVM Storage Driver -> LUKS Driver -> Physical Storage Driver -> Physical Storage Device
+    
+If discards are not supported at any one of those layers, it will not make it to the underlying physical device.
+
+There are some security implications to permitting TRIM (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but in most cases not exploitable.
+
+
+Configuration
+----------
+
+In all versions of Qubes, you may want to set up a periodic job in `dom0` to trim the disk.
+
+This can be done from a terminal as root, by creating a `trim` file in `/etc/cron.daily` (or `/etc/cron.weekly`).
+Add the following contents:
+
+```
+#!/bin/bash
+/sbin/fstrim --all
+```
+
+And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
+
+**Note** Although discards can be issued on every delete by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+
+If you are using Qubes with LVM, you may also want to set `issue_discards = 1` in `/etc/lvm/lvm.conf`.
+Setting this option will permit LVM to issue discards to the SSD when logical volumes are shrunk or deleted.
+This is relatively rare in R3.x, but more frequent in R4.x with disposable VMs.
+
+To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a number of bytes trimmed).
+
+See also version specific notes below.
+
+
+R4.0
+----------
+
+TRIM support is enabled by default at all layers, including LUKS.
+
+LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` in `/etc/lvm/lvm.conf` is recommended if using an SSD.
+
+
+R3.2.1
+----------
+
+TRIM support is enabled by default at all layers, including LUKS.
+
+
+R3.2
+----------
+
+VMs have already TRIM enabled by default, but dom0 doesn't. 
 
 To enable TRIM in dom0 you need:
 
-1.  Get your LUKS device UUID:
+1. Get your LUKS device UUID:
 
     ~~~
     ls /dev/mapper/luks-*
     ~~~
 
-2.  Add entry to `/etc/crypttab` (replace luks-\<UUID\> with the device name and the \<UUID\> with UUID alone):
+2. Add entry to `/etc/crypttab` (replace luks-\<UUID\> with the device name and the \<UUID\> with UUID alone):
 
     ~~~
-    luks-<UUID> UUID=<UUID> none allow-discards
+    luks-<UUID> UUID=<UUID> none discard
     ~~~
 
-3.  Add `rd.luks.allow-discards=1` to kernel cmdline (`/etc/default/grub`, GRUB\_CMDLINE\_LINUX line)
-4.  Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)
-5.  Rebuild initrd **in hostonly mode**:
+3. Add `rd.luks.options=discard` to kernel cmdline (follow either GRUB2 or EFI, not both): 
+    * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
+      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
+    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
+
+4. Rebuild initrd **in hostonly mode**:
 
     ~~~
     dracut -H -f
     ~~~
 
-6.  Add "discard" option to `/etc/fstab` for root device
-7.  Reboot the system, verify that allow-discards is really enabled (`dmsetup table`)
+5. Reboot the system and verify that discards are really enabled.
 
-There is a [bug affecting allow-discards option](https://bugzilla.redhat.com/show_bug.cgi?id=890533), once it will be fixed, first two steps will be no longer needed.

From 0083c0c7fef2f698dc98fe0f051f36360edf63ca Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 6 Feb 2018 12:21:39 +0000
Subject: [PATCH 105/125] collapse sections, explain LUKS

---
 configuration/disk-trim.md | 37 ++++++++++++-------------------------
 1 file changed, 12 insertions(+), 25 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index 7478fd98..5a430b08 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -19,7 +19,7 @@ In a Linux system running on bare metal, this is relatively straight-forward.
 When instructed by the operating system, discards are issued by the file-system driver directly to the storage driver and then to the SSD.
 
 In Qubes, this gets more complex due to virtualization, LUKS, and LVM (and thin pools on R4.0 and up).
-If you run `fstrim --all` inside a TemplateVM, the `discard` can follow a path like:
+If you run `fstrim --all` inside a TemplateVM, in a worst case the `discard` can follow a path like:
 
     OS -> File-system Driver -> Virtual Storage Driver -> Backend Storage Driver -> LVM Storage Driver -> LUKS Driver -> Physical Storage Driver -> Physical Storage Device
     
@@ -43,37 +43,21 @@ Add the following contents:
 
 And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
 
-**Note** Although discards can be issued on every delete by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+**Note** Although discards can be issued on every delete inside `dom0` by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+However, inside App and Template qubes, the `discard` mount option is on by default to notify the LVM thin pool driver (R4.0) or sparse file driver (R3.2) that the space is no longer needed and can be zeroed and re-used.
 
 If you are using Qubes with LVM, you may also want to set `issue_discards = 1` in `/etc/lvm/lvm.conf`.
 Setting this option will permit LVM to issue discards to the SSD when logical volumes are shrunk or deleted.
-This is relatively rare in R3.x, but more frequent in R4.x with disposable VMs.
-
-To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a number of bytes trimmed).
-
-See also version specific notes below.
+In R4.x, LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` is recommended if using an SSD.
+However, this is relatively rare in R3.x.
 
 
-R4.0
+LUKS
 ----------
 
-TRIM support is enabled by default at all layers, including LUKS.
+If you have enabled LUKS in dom0, discards will not get passed down to the storage device. 
 
-LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` in `/etc/lvm/lvm.conf` is recommended if using an SSD.
-
-
-R3.2.1
-----------
-
-TRIM support is enabled by default at all layers, including LUKS.
-
-
-R3.2
-----------
-
-VMs have already TRIM enabled by default, but dom0 doesn't. 
-
-To enable TRIM in dom0 you need:
+To enable TRIM support in dom0 with LUKS you need to:
 
 1. Get your LUKS device UUID:
 
@@ -98,5 +82,8 @@ To enable TRIM in dom0 you need:
     dracut -H -f
     ~~~
 
-5. Reboot the system and verify that discards are really enabled.
+5. Reboot the system.
+
+6. To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a `/` followed by the number of bytes trimmed).
+
 

From 6e2f0f3b45f444df6fdb8906cd872d8a46a964a7 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:02:52 +0000
Subject: [PATCH 106/125] network-printer 4.0 updates

"the default template" -> "a DVM template" since R4.0 can have more than one
fix line breaks
---
 configuration/network-printer.md | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/configuration/network-printer.md b/configuration/network-printer.md
index 6cb9a0cd..adf7d43f 100644
--- a/configuration/network-printer.md
+++ b/configuration/network-printer.md
@@ -14,27 +14,42 @@ Configuring a network printer for Qubes AppVMs
 Where to configure printers and install drivers?
 ------------------------------------------------
 
-One would normally want to configure a printer in a template VM, rather than in particular AppVMs. This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).
+One would normally want to configure a printer in a template VM, rather than in particular AppVMs.
+This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. 
+When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).
 
 Alternatively one can add a printer in a standalone VM, but this would limit the printer usage to this particular VM.
 
 Security considerations for network printers and drivers
 --------------------------------------------------------
 
-Some printers require third-party drivers, typically downloadable from the vendor's website. Such drivers are typically distributed in a form of ready to install RPM packages. However, they are often unsigned, and additionally the downloads are available via HTTP connections only. As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. (Again, it's not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).
+Some printers require third-party drivers, typically downloadable from the vendor's website. 
+Such drivers are typically distributed in a form of ready to install RPM packages. 
+However, they are often unsigned, and additionally the downloads are available via HTTP connections only.
+As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. 
+(Again, it's not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).
 
-In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there. Such template might then be made the default template for [Disposable VM creation](/doc/dispvm/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template, that is not poisoned by third-party printer drivers).
+In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there.
+Such template might then be made a DVM template for [Disposable VM creation](/doc/dispvm/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there.
+This would allow to print documents from more trusted AppVMs (based on a trusted default template that is not poisoned by third-party printer drivers).
 
-However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
+However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. 
+This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed.
+This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
 
-Additionally, the printer drivers as well as CUPS application itself, might be buggy and might got exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
+Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM).
+Consider not using printing from your more trusted AppVMs for this reason.
 
 Steps to configure a network printer in a template VM
 ----------------------------------------------------------
 
 1.  Start the "Printer Settings" App in a template VM (either via Qubes "Start Menu", or by launching the `system-config-printer` in the template).
-2.  Add/Configure the printer in the same way as one would do on any normal Linux. Be sure to allow network access from the template VM to your printer, as normally the template VM is not allowed any network access, except to the Qubes proxy for software installation. One can use Qubes Manager to modify firewall rules for particular VMs.
+2.  Add/Configure the printer in the same way as one would do on any normal Linux.
+  You may need to allow network access from the template VM to your printer to complete configuration, as normally the template VM is not allowed any network access except to the Qubes proxy for software installation.
+  One can use Qubes Manager to modify firewall rules for particular VMs.
 3.  Optional: Test the printer by printing a test page. If it works, shut down the template VM.
-4.  Open an AppVM (make sure it's based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works. If it doesn't then probably the AppVM doesn't have networking access to the printer -- in that case adjust the firewall settings for that AppVM in Qubes Manager. Also, make sure that the AppVM gets restarted after the template was shutdown.
+4.  Open an AppVM (make sure it's based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works.
+  If it doesn't then probably the AppVM doesn't have networking access to the printer -- in that case adjust the firewall settings for that AppVM in Qubes Manager. 
+  Also, make sure that the AppVM gets restarted after the template was shutdown.
 5.  Alternatively if you do not want to modify the firewall rules of the template VM (that have security scope) you can simply shut down the template VM without trying to print the test page (which will not work), start or restart an AppVM based on the template and test printing there.
 

From 0f5ba79d4cb486f5b23598a1078c5818553e2559 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:14:34 +0000
Subject: [PATCH 107/125] external-audio 4.0 updates

yum -> dnf
fix line breaks
---
 configuration/external-audio.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 27f05ae7..f9dcc363 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -14,19 +14,24 @@ Using External Audio Devices
 Why you want to use external audio devices
 ------------------------------------------
 
-Qubes audio virtualization protocol does not implement latency reporting for security reasons, keeping the protocol as simple as possible. Also, in a compromise between low latency and low CPU usage, latency may be around 200 ms. So applications demanding higher audio quality (even Skype) need a better environment. But Qubes flexibility fully allows that using external audio devices. These are mostly USB audio cards, but firewire devices also might be used.
+Qubes audio virtualization protocol does not implement latency reporting for security reasons, keeping the protocol as simple as possible.
+Also, in a compromise between low latency and low CPU usage, latency may be around 200 ms.
+So applications demanding higher audio quality (even Skype) need a better environment.
+But Qubes flexibility fully allows that using external audio devices. 
+These are mostly USB audio cards, but firewire devices also might be used.
 
 Implementing external audio devices
 -----------------------------------
 
-First you need to identify an user VM dedicated to audio and [assign a device](/doc/AssigningDevices) to it. In the most common case the assigned device is the USB controller to which your USB audio card will be connected.
+First you need to identify an user VM dedicated to audio and [assign a device](/doc/AssigningDevices) to it.
+In the most common case the assigned device is the USB controller to which your USB audio card will be connected.
 
 ### Fedora VMs
 
 In a terminal of the template from which you user VM depends, install pavucontrol with:
 
 ~~~
-sudo yum install pavucontrol
+sudo dnf install pavucontrol
 ~~~
 
 Close the template and start or restart your user VM, insert your external audio device, open a terminal and prepare pulseaudio to use it with:
@@ -38,9 +43,10 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol.
+You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
 
-If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding an other line at the beginning:
+If you detach your external audio device, then want to insert it again (or want to change it with another one), you need to repeat the previous commands in terminal adding another line at the beginning:
 
 ~~~
 pactl unload-module module-udev-detect

From 7c8ff903e8cfeb6faeb0f8081aa1d6ed132b3546 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:28:14 +0000
Subject: [PATCH 108/125] remove "Booting with GRUB2 and GPT"

---
 doc.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc.md b/doc.md
index 08ddea76..c59a061a 100644
--- a/doc.md
+++ b/doc.md
@@ -139,7 +139,6 @@ Configuration Guides
  * [Enabling TRIM for SSD disks](/doc/disk-trim/)
  * [Configuring a Network Printer](/doc/network-printer/)
  * [Using External Audio Devices](/doc/external-audio/)
- * [Booting with GRUB2 and GPT](https://groups.google.com/group/qubes-devel/browse_thread/thread/e4ac093cabd37d2b/d5090c20d92c4128#d5090c20d92c4128)
  * [Rxvt Guide](/doc/rxvt/)
  * [Managing VM kernel](/doc/managing-vm-kernel/)
  * [Salt management stack](/doc/salt/)

From 72693064cfe1bb67e8a8b8b161e3d0314662e5b5 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:36:14 +0000
Subject: [PATCH 109/125] yum -> dnf, fix line breaks

---
 configuration/rxvt.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/configuration/rxvt.md b/configuration/rxvt.md
index 2031dd4d..d88edaef 100644
--- a/configuration/rxvt.md
+++ b/configuration/rxvt.md
@@ -16,12 +16,16 @@ Rxvt
 Installation
 ------------
 
-`yum install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension. Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
+`dnf install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension.
+Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
 
 Xresources
 ----------
 
-In TemplateVM create file `/etc/X11/Xresources.urxvt` and paste config below. `!`-lines are comments and may be left out. `#`-lines are directives to CPP (C preprocessor) and are necessary. This shouldn't go to `/etc/X11/Xresources`, because that file is not preprocessed by default.
+In TemplateVM create file `/etc/X11/Xresources.urxvt` and paste config below.
+`!`-lines are comments and may be left out.
+`#`-lines are directives to CPP (C preprocessor) and are necessary.
+This shouldn't go to `/etc/X11/Xresources`, because that file is not preprocessed by default.
 
 ~~~
 ! CGA colour palette
@@ -132,7 +136,8 @@ URxvt.insecure:                 False
 !URxvt.termName:                rxvt-256color
 ~~~
 
-Then create script to automatically merge those to xrdb. File `/etc/X11/xinit/xinitrc.d/urxvt.sh`:
+Then create script to automatically merge those to xrdb.
+File `/etc/X11/xinit/xinitrc.d/urxvt.sh`:
 
 ~~~
 #!/bin/sh
@@ -143,4 +148,5 @@ Then create script to automatically merge those to xrdb. File `/etc/X11/xinit/xi
 Shortcuts
 ---------
 
-For each AppVM, go to *Qubes Manager \> VM Settings \> Applications*. Find `rxvt-unicode` (or `rxvt-unicode (256-color) multi-language`) and add.
+For each AppVM, go to *Qubes Manager \> VM Settings \> Applications*. 
+Find `rxvt-unicode` (or `rxvt-unicode (256-color) multi-language`) and add.

From 01d702c5f7011e31a27c693360b9841b1f9dcad1 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:38:45 +0000
Subject: [PATCH 110/125] yum -> dnf

---
 configuration/rxvt.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/rxvt.md b/configuration/rxvt.md
index d88edaef..aa0c0bbc 100644
--- a/configuration/rxvt.md
+++ b/configuration/rxvt.md
@@ -17,7 +17,7 @@ Installation
 ------------
 
 `dnf install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension.
-Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
+Let me also recommend excellent Terminus font: `dnf install terminus-fonts`.
 
 Xresources
 ----------

From 852d970927fd54c1bfd1f082b01198a73b96292d Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 12:47:14 +0000
Subject: [PATCH 111/125] remove broken /doc/dom0-tools link for now

---
 configuration/resize-disk-image.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index dd5aaf25..4a7c9087 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -19,7 +19,7 @@ See also additional information and caveats about [resizing the root disk image]
 
 1048576 MiB is the maximum size which can be assigned to private storage through Qube Manager.
 
-To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+To grow the private disk image of an AppVM beyond this limit, `qvm-volume` can be used:
 
 ~~~
 qvm-volume extend <vm_name>:private <size>

From 341a578f9bf8312739d6fe17345c6e2ae010b860 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 12:48:16 +0000
Subject: [PATCH 112/125] remove broken /doc/dom0-tools links for now

---
 configuration/resize-root-disk-image.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index 3c3567b4..8f38dae0 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -31,7 +31,7 @@ If you want install a lot of software in your TemplateVM, you may need to increa
 
 1048576 MiB is the maximum size which can be assigned to root storage through Qube Manager.
 
-To grow the root disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+To grow the root disk image of an AppVM beyond this limit, `qvm-volume` can be used:
 
 ~~~
 qvm-volume extend <vm_name>:root <size>
@@ -43,7 +43,7 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 1048576 MB is the maximum size which can be assigned to root storage through Qubes Manager.
 
-To grow the root disk image of an AppVM beyond this limit, [qvm-grow-root](/doc/dom0-tools/qvm-grow-root/) can be used:
+To grow the root disk image of an AppVM beyond this limit, `qvm-grow-root` can be used:
 
 ~~~
 qvm-grow-root <vm-name> <size>

From 02fadafec86156253455b30b3686c972abbf2ed9 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Wed, 7 Feb 2018 22:30:44 +0000
Subject: [PATCH 113/125] Update release-notes.md

---
 releases/4.0/release-notes.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index fedfde6c..fe153ee4 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -31,6 +31,10 @@ New features since 3.2
 
 You can get detailed description in [completed github issues][github-release-notes]
 
+Note
+----
+* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restaured from R4.x are not migrated.
+
 Known issues
 ------------
 
@@ -40,6 +44,8 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
+* Until R4.rc3 included, PV VMs restaured from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 
 Downloads
@@ -76,6 +82,7 @@ We also provide [detailed instruction][upgrade-to-r4.0] for this procedure.
 [vm-interface]: /doc/vm-interface/
 [admin-api]: /news/2017/06/27/qubes-admin-api/
 [qsb-24]: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt
+[qsb-37]: https://www.qubes-os.org/news/2018/01/24/qsb-37-update/
 [backup-format]: /doc/backup-emergency-restore-v4/
 [api-doc]: https://dev.qubes-os.org/projects/qubes-core-admin/en/latest/
 [upgrade-to-r4.0]: /doc/upgrade-to-r4.0/

From bc215a5dc03ead74ed668a6ac897859270654be7 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Wed, 7 Feb 2018 21:52:55 -0600
Subject: [PATCH 114/125] Provide instructions for adding images

---
 basics_user/doc-guidelines.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index 428dd376..3ac2b48d 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -105,6 +105,18 @@ pull request, we'll post a comment explaining why we can't.
 ![done](/attachment/wiki/doc-edit/10-done.png)
 
 
+How to add images
+-----------------
+
+To add an image to a page, use the following syntax in the main document:
+
+```
+![Image Title](/attachment/wiki/page-title/image-filename.png)
+```
+
+Then, submit your image(s) in a separate pull request to the [qubes-attachment](https://github.com/QubesOS/qubes-attachment) repository using the same path and filename.
+
+
 Version-specific Documentation
 ------------------------------
 

From 7ac21d0b677946a6fc46349ad004e4ef91f2e046 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Thu, 8 Feb 2018 08:26:33 +0000
Subject: [PATCH 115/125] Fixed spelling mistake

I enjoy my French restaurants too much :)
---
 releases/4.0/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index fe153ee4..b9340efd 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -33,7 +33,7 @@ You can get detailed description in [completed github issues][github-release-not
 
 Note
 ----
-* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restaured from R4.x are not migrated.
+* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
 
 Known issues
 ------------
@@ -44,7 +44,7 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restaured from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
 
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 

From e173f5659f2ba57f826fcc8a9cfe691b3957118b Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Thu, 8 Feb 2018 08:36:44 +0000
Subject: [PATCH 116/125] two other typos fixed.

---
 releases/4.0/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index b9340efd..d51a4baf 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -33,7 +33,7 @@ You can get detailed description in [completed github issues][github-release-not
 
 Note
 ----
-* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
+* PV VMs restored from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
 
 Known issues
 ------------
@@ -44,7 +44,7 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be exposed to [QSB 37][qsb-37].
 
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 

From 4a480c8209305a6f02a1df0dd85a1bad179fbd87 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Thu, 8 Feb 2018 09:05:55 -0600
Subject: [PATCH 117/125] Rewrite security note regarding PV to PVH migration

Requested by QubesOS/qubes-issues#3530
---
 releases/4.0/release-notes.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index d51a4baf..c134b162 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -31,9 +31,12 @@ New features since 3.2
 
 You can get detailed description in [completed github issues][github-release-notes]
 
-Note
-----
-* PV VMs restored from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
+Security Notes
+--------------
+
+* PV VMs migrated from 3.2 to 4.0-rc4 or later are automatically set to PVH mode in order to protect against Meltdown (see [QSB #37][qsb-37]).
+  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automically set to PVH mode.
+  These must be set manually.
 
 Known issues
 ------------
@@ -44,8 +47,6 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be exposed to [QSB 37][qsb-37].
-
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 
 Downloads

From ce15b9d05e97865b0af17eccfb61f54ee84a546b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:12:21 +0000
Subject: [PATCH 118/125] reword and reorganize 4.0 content

---
 common-tasks/dispvm.md | 62 ++++++++++++++++++++++++++----------------
 1 file changed, 39 insertions(+), 23 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 816819d1..11c74be5 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -11,37 +11,54 @@ redirect_from:
 Disposable VMs (DispVMs)
 ========================
 
-A Disposable VM (DispVM) is a lightweight VM that can be created quickly and will disappear when closed. 
-Disposable VMs are usually created in order to host a single application, like a viewer, editor, or web browser. 
-Changes made to a file opened in a Disposable VM are passed back to the originating VM. 
-This means that you can safely work with untrusted files without risk of compromising your other VMs. 
-DispVMs can be created either directly from Dom0 or from within AppVMs. 
-Once a DispVM has been created it will appear in Qubes VM Manager with the name "dispX". 
+A Disposable VM (DispVM) is a lightweight VM that can be created quickly and will disappear when closed.
+Disposable VMs are usually created in order to host a single application, like a viewer, editor, or web browser.
+
+From inside an AppVM, choosing the `Open in Disposable VM` option on a file will launch a DispVM for just that file.
+Changes made to a file opened in a DispVM are passed back to the originating VM.
+This means that you can safely work with untrusted files without risk of compromising your other VMs.
+DispVMs can be launched either directly from Dom0's Start Menu or terminal window, or from within AppVMs.
+While running, DispVMs will appear in Qubes VM Manager with the name `disp####`.
 
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
+
+DVM Templates
+----------
+
+Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+
+On a fresh installation of Qubes, the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+
 Disposable VMs and Networking (R4.0 and later)
 -----------------------------
 
+R4.0 introduces the concept of multiple disposable VM templates, whereas R3.2 was limited to only one.
+You can set any AppVM to have the ability to act as a DVM Template with:
 
-R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
-This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
-the Applications menu. Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
-As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
+    qvm-prefs <vmname> template_for_dispvms true
 
-NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
-By default a DispVM will inherit the NetVM and firewall settings of the DispVM Template from which it is built. 
-Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix,
-any DispVM launched from this AppVM will have sys-whonix as its NetVM.
-The default system wide DispVM template can be changed with `qubes-prefs default_dispvm`.
-You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings
-for the VM in question and go to the "Advanced" tab. 
+The default system wide DVM template can be changed with `qubes-prefs default_dispvm`.
+By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM template you specified.
+
+You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
-Disposable VMs will temporarily appear with the name `disp####`. 
+This can also be changed from the command line with:
 
-A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
-By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+    qvm-prefs <vmname> default_dispvm <dvmtemplatename>
+
+You can even set an AppVM that has also been configured as a DVM template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
+
+NetVM and firewall rules for DVM templates can be set as they can for a normal VM. 
+By default a DispVM will inherit the NetVM and firewall settings of the DVM Template on which it is based.
+Launching a DispVM from an AppVM will result in it using the DispVM's network/firewall settings (which default to the DVM template on which it is based).
+Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+
+**Note** The opposite is also true. This means if the default system DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
+
+A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the DVM Template on which it is based.
+Note that changing the "NetVM" setting for the system default DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+Different DVM Templates with individual NetVM settings can be added to the Start Menu. 
 
 Disposable VMs and Networking (R3.2 and earlier)
 -----------------------------
@@ -52,8 +69,7 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). 
-By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 

From 82163602b2e253fed479c40b1df7e3fda0625285 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:23:01 +0000
Subject: [PATCH 119/125] /doc/glossary/#dvm-template

---
 common-tasks/dispvm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 11c74be5..601d6168 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -69,7 +69,7 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template).
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 

From a858018b36c2acfa455ee91bf2130e2c5a235e2b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:40:08 +0000
Subject: [PATCH 120/125] add HVM in R4.0 won't let me start/install entry

---
 about/faq.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/about/faq.md b/about/faq.md
index 556bfbae..1b994ea2 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -461,6 +461,15 @@ If it seems like the issue described in [this thread](https://github.com/QubesOS
 
 Please report (via the mailing lists) if you experience this issue, and whether disabling the compositor fixes it for you or not.
 
+### My HVM in Qubes R4.0 won't let me start/install an OS
+
+I see a screen popup with SeaBios and 4 lines, last one being "Probing EDD (edd=off to disable!... ok".
+
+From a `dom0` prompt, enter:
+
+    qvm-prefs <HVMname> kernel ""
+
+
 ----------
 
 ## Developers

From 55916a1c569d664fff64f78bcac6bd1903177065 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 15:02:38 +0000
Subject: [PATCH 121/125] double quote -> single so Travis won't spellcheck

---
 about/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/faq.md b/about/faq.md
index 1b994ea2..61e08437 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -463,7 +463,7 @@ Please report (via the mailing lists) if you experience this issue, and whether
 
 ### My HVM in Qubes R4.0 won't let me start/install an OS
 
-I see a screen popup with SeaBios and 4 lines, last one being "Probing EDD (edd=off to disable!... ok".
+I see a screen popup with SeaBios and 4 lines, last one being `Probing EDD (edd=off to disable!... ok`.
 
 From a `dom0` prompt, enter:
 

From 694e3022f7e969e970ca5e3c8312195e29f38f69 Mon Sep 17 00:00:00 2001
From: ssixty <ssixty@users.noreply.github.com>
Date: Fri, 9 Feb 2018 18:06:01 +0000
Subject: [PATCH 122/125] release-notes: update Fedora template links

fedora 24 and 25 are now EOL, update links to point to Fedora 26 instructions.
---
 releases/3.2/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/3.2/release-notes.md b/releases/3.2/release-notes.md
index 623936c9..f7b66dee 100644
--- a/releases/3.2/release-notes.md
+++ b/releases/3.2/release-notes.md
@@ -24,7 +24,7 @@ You can get detailed description in [completed github issues][github-release-not
 Known issues
 ------------
 
-* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](/news/2016/11/15/fedora-24-template-available/).
+* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](/news/2018/01/06/fedora-26-upgrade/).
 
 * Windows Tools: `qvm-block` does not work
 
@@ -43,7 +43,7 @@ Installation instructions
 -------------------------
 
 See [Installation Guide](/doc/installation-guide/).
-After installation, [manually upgrade to Fedora 24](/news/2016/11/15/fedora-24-template-available/).
+After installation, [manually upgrade to Fedora 26](/news/2018/01/06/fedora-26-upgrade/).
 
 Upgrading
 ---------

From 697775fcf823db2f0b33bbe51d8c75d2309da00a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 11:44:43 +0000
Subject: [PATCH 123/125] additional 4.0 revisions

---
 common-tasks/dispvm.md | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 601d6168..31e477a6 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -23,38 +23,38 @@ While running, DispVMs will appear in Qubes VM Manager with the name `disp####`.
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
 
-DVM Templates
-----------
-
-Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
-
-On a fresh installation of Qubes, the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-
 Disposable VMs and Networking (R4.0 and later)
 -----------------------------
 
-R4.0 introduces the concept of multiple disposable VM templates, whereas R3.2 was limited to only one.
+Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+R4.0 introduces the concept of multiple DVM Templates, whereas R3.2 was limited to only one.
+
+On a fresh installation of Qubes, the default DVM Template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM).
+If you have included the Whonix option in your install, there will also be a `whonix-ws-dvm` DVM Template available for your use.
+
 You can set any AppVM to have the ability to act as a DVM Template with:
 
     qvm-prefs <vmname> template_for_dispvms true
 
-The default system wide DVM template can be changed with `qubes-prefs default_dispvm`.
-By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM template you specified.
+The default system wide DVM Template can be changed with `qubes-prefs default_dispvm`.
+By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM Template you specified.
 
 You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings for the VM in question and go to the "Advanced" tab. 
-Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
+Here you can edit the "Default DispVM" setting to specify which DVM Template will be used to launch DispVMs from that VM.
 This can also be changed from the command line with:
 
     qvm-prefs <vmname> default_dispvm <dvmtemplatename>
 
-You can even set an AppVM that has also been configured as a DVM template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
+For example, `anon-whonix` has been set to use `whonix-ws-dvm` as its `default_dispvm`, instead of the system default.
+You can even set an AppVM that has also been configured as a DVM Template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
 
-NetVM and firewall rules for DVM templates can be set as they can for a normal VM. 
+NetVM and firewall rules for DVM Templates can be set as they can for a normal VM. 
 By default a DispVM will inherit the NetVM and firewall settings of the DVM Template on which it is based.
-Launching a DispVM from an AppVM will result in it using the DispVM's network/firewall settings (which default to the DVM template on which it is based).
-Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+This is a change in behaviour from R3.2, where DispVMs would inherit the settings of the AppVM from which they were launched.
+Therefore, launching a DispVM from an AppVM will result in it using the network/firewall settings of the DVM Template on which it is based.
+For example, if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
 
-**Note** The opposite is also true. This means if the default system DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
+**Warning:** The opposite is also true. This means if you have changed anon-whonix's `default_dispvm` to use the system default, and the system default DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
 
 A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the DVM Template on which it is based.
 Note that changing the "NetVM" setting for the system default DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
@@ -69,7 +69,8 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template).
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template). 
+By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 
@@ -138,7 +139,7 @@ Customizing Disposable VMs
 --------------------------
 
 You can change the template used to generate the Disposable VMs, and change settings used in the Disposable VM savefile. 
-These changes will be reflected in every new Disposable VM spawned from that template. 
+These changes will be reflected in every new Disposable VM based on that template. 
 Full instructions can be found [here](/doc/dispvm-customization/).
 
 Disposable VMs and Local Forensics

From 376c1478ac2898d153cd8d7d1f09783cda436faa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sat, 10 Feb 2018 17:15:22 +0100
Subject: [PATCH 124/125] Clarify archlinux gui agent problem description

Text by @jpouellet
---
 managing-os/templates/archlinux.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 7e74f913..7cbcfb42 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -105,9 +105,9 @@ The two lines that have just been added to /etc/pacman.conf should then be remov
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-Upgrading pulseaudio or xorg-server to a newer major version will break the Qubes GUI agent. Avoid upgrading these packages until such time that a future version of the GUI agent addresses this issue.
-
-Specifically, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
+The Qubes GUI agent must be rebuilt whenever xorg-server or pulseaudio make major changes.
+If an update of one of these packages causes your template to break, simply [revert it](https://www.qubes-os.org/doc/software-update-vm/#reverting-changes-to-a-templatevm) and wait for corresponding Qubes package updates to be available (or attempt to build them yourself, if you're so inclined).
+This should not happen frequently.
 
 ### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 

From 37523d315acd0d8b1bfdf7968dc21ba5521a12b3 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sat, 10 Feb 2018 14:10:47 -0600
Subject: [PATCH 125/125] Fix typo

---
 releases/4.0/release-notes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index c134b162..68ed8216 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -35,7 +35,7 @@ Security Notes
 --------------
 
 * PV VMs migrated from 3.2 to 4.0-rc4 or later are automatically set to PVH mode in order to protect against Meltdown (see [QSB #37][qsb-37]).
-  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automically set to PVH mode.
+  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automatically set to PVH mode.
   These must be set manually.
 
 Known issues