Merge branch 'MadsRC-patch-1'

It's fairly easy to miss the fact that some of the text is for R3 and some of it is for R4. In the source it's pretty straightforward (Since it contains a linebreak) but when rendered, said linebreak is removed. Adding a few third-level headers clears this up, at least in opinion.

about/faq.md

@@ -118,7 +118,7 @@ Please refer to [this page](/doc/vm-sudo/).
 ### Why is dom0 so old?
 
 Please see:
-- [Why would one want to update software in dom0?](/doc/software-update-dom0/#why-would-one-want-to-update-software-in-dom0)
+- [Why would one want to update software in dom0?](/doc/software-update-dom0/#why-would-one-want-to-install-or-update-software-in-dom0)
 - [Note on dom0 and EOL](/doc/supported-versions/#note-on-dom0-and-eol)
 
 ### Do you recommend coreboot as an alternative to vendor BIOS?
@@ -494,6 +494,16 @@ Here are some examples of non-Qubes reports about this problem:
 
 More examples can be found by searching for "Failed to synchronize cache for repo" (with quotation marks) on your preferred search engine.
 
+### Could you please make my preference the default?
+
+Wouldn't it be great if Qubes were configured just the way you like it by default with all of your favorite programs and settings?
+Then you could just install Qubes without having to install any programs in it or adjust any settings!
+You might even think that if a particular program or setting works so well for *you*, it would work well for *everyone*, so you'd actually be doing everyone a favor!
+The problem is that Qubes has [tens of thousands of different users](/statistics/) with radically different needs and purposes.
+There is no particular configuration that will be ideal for everyone (despite how much you might feel that your preference would be better for everyone), so the best we can do is to put power in the hands of users to configure their Qubes installations the way they like (subject to security constraints, of course).
+Please don't ask for your favorite program to be installed by default or for some setting that obviously varies by user preference to be changed so that it matches *your* preference.
+This is an incredibly selfish attitude that demonstrates a complete lack of consideration for the thousands of other Qubes users who don't happen to share your preferences.
+
 
 ----------
 

basics_dev/code-signing.md

@@ -141,6 +141,15 @@ your Git commits.
    vtag = !git tag -v `git describe`
    ~~~
 
+GitHub Signature Verification (optional)
+----------------------------------------
+
+GitHub shows a green `Verified` label indicating that the GPG signature could be
+verified using any of the contributor’s GPG keys uploaded to GitHub. You can
+upload your public key on GitHub by adding your public GPG key on the [New GPG
+key][GitHub New GPG key] under the [SSH GPG keys page][GitHub SSH GPG keys
+page].
+
 Code Signature Checks
 ---------------------
 
@@ -203,4 +212,6 @@ Enigmail is a security addon for the Mozilla Thunderbird email client that allow
 [developer mailing list]: /support/#qubes-devel
 [Enigmail]: https://www.enigmail.net/
 [signature-checker]: https://github.com/marmarek/signature-checker
+[GitHub New GPG key]: https://github.com/settings/gpg/new
+[GitHub SSH GPG keys page]: https://github.com/settings/keys
 

common-tasks/software-update-dom0.md

@@ -1,6 +1,6 @@
 ---
 layout: doc
-title: Updating software in dom0
+title: Installing and updating software in dom0
 permalink: /doc/software-update-dom0/
 redirect_from:
 - /en/doc/software-update-dom0/
@@ -8,47 +8,48 @@ redirect_from:
 - /wiki/SoftwareUpdateDom0/
 ---
 
-Updating software in dom0
-=========================
+Installing and updating software in dom0
+========================================
 
-Why would one want to update software in dom0?
-----------------------------------------------
+Why would one want to install or update software in dom0?
+---------------------------------------------------------
 
-Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in a future Qubes release.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
+Normally, there should be few reasons for installing or updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in a future Qubes release.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
 
-However, we anticipate some other situations in which updating dom0 software might be necessary or desirable:
+However, we anticipate some other situations in which installing or updating dom0 software might be necessary or desirable:
 
 -   Updating drivers/libs for new hardware support
 -   Correcting non-security related bugs (e.g. new buttons for qubes manager)
 -   Adding new features (e.g. GUI backup tool)
 
-How is software updated securely in dom0?
------------------------------------------
+How is software installed and updated securely in dom0?
+-------------------------------------------------------
 
-The update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
+The install/update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
 
 Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable. For example, there is nothing that the Qubes project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in GPG's `--verify` operation. At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack. While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain.
 
-How to update software in dom0
-------------------------------
+How to install and update software in dom0
+------------------------------------------
 
-As of Qubes R2 Beta 3, the main update functions have been integrated into the Qubes VM Manager GUI: Simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click.
+### How to update dom0
 
-Of course, command line tools are still available for accomplishing various update-related tasks (some of which are not available via Qubes VM Manager). In order to update dom0 from the command line, start a console in dom0 and then run one of the following commands:
+In the Qubes VM Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click.
 
-1.  To check and install updates for dom0 software:
+Alternatively, command-line tools are available for accomplishing various update-related tasks (some of which are not available via Qubes VM Manager). In order to update dom0 from the command line, start a console in dom0 and then run one of the following commands:
+
+To check and install updates for dom0 software:
 
-    ~~~
     $ sudo qubes-dom0-update
-    ~~~
 
-1.  To install additional packages in dom0 (usually not recommended):
+### How to install a specific package
+
+To install additional packages in dom0 (usually not recommended):
 
-    ~~~
     $ sudo qubes-dom0-update anti-evil-maid
-    ~~~
 
-    You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0). However, this is only for advanced users who really understand what they are doing.
+You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0). However, this is only for advanced users who really understand what they are doing.
+You can also pass commands to `dnf` using `--action=...`.
 
 ### How to downgrade a specific package
 

common-tasks/usb.md

@@ -518,4 +518,4 @@ sys-usb dom0 ask,default_target=dom0
 [Security Warning about USB Input Devices]: #security-warning-about-usb-input-devices
 [How to hide all USB controllers from dom0]: #how-to-hide-all-usb-controllers-from-dom0
 [qubes-usb-proxy]: https://github.com/QubesOS/qubes-app-linux-usb-proxy
-[dom0-updates]: /doc/software-update-dom0/#how-to-update-software-in-dom0
+[dom0-updates]: /doc/software-update-dom0/#how-to-update-dom0

configuration/change-time-zone.md

@@ -0,0 +1,36 @@
+---
+layout: doc
+title: Changing your Time Zone
+permalink: /doc/change-time-zone/
+---
+
+# Changing your Time Zone #
+
+## Qubes 4.0 ##
+
+### Command line ###
+
+If you use the i3 window manager or would prefer to change the system's time
+zone in terminal you can issue the `timedatectl` command with the option
+`set-timezone`.
+
+For example, to set the system's time zone to Berlin, Germany type in a dom0
+terminal:
+
+    $ sudo timedatectl set-timezone 'Europe/Berlin'
+
+You can list the available time zones with the option `list-timezones` and show
+the current settings of the system clock and time zone with option `status`.
+
+Example output status of `timedatectl` on a system with time zone set to
+Europe/Berlin:
+
+    [user@dom0 ~]$ timedatectl status
+          Local time: Sun 2018-10-14 06:20:00 CEST
+      Universal time: Sun 2018-10-14 04:20:00 UTC
+            RTC time: Sun 2018-10-14 04:20:00
+           Time zone: Europe/Berlin (CEST, +0200)
+     Network time on: no
+    NTP synchronized: no
+     RTC in local TZ: no
+

doc.md

@@ -63,8 +63,8 @@ Common Tasks
  * [Copying and Pasting Text Between Domains](/doc/copy-paste/)
  * [Copying and Moving Files Between Domains](/doc/copying-files/)
  * [Copying from (and to) dom0](/doc/copy-from-dom0/)
- * [Updating Software in dom0](/doc/software-update-dom0/)
- * [Updating and Installing Software in VMs](/doc/software-update-vm/)
+ * [Installing and Updating Software in dom0](/doc/software-update-dom0/)
+ * [Installing and Updating Software in VMs](/doc/software-update-vm/)
  * [Backup, Restoration, and Migration](/doc/backup-restore/)
  * [Using Disposable VMs](/doc/dispvm/)
  * [Using and Managing USB Devices](/doc/usb/)
@@ -127,6 +127,7 @@ Configuration Guides
  * [Multibooting](/doc/multiboot/)
  * [Resize Disk Image](/doc/resize-disk-image/)
  * [RPC Policies](/doc/rpc-policy/)
+ * [Changing your Time Zone](/doc/change-time-zone)
  * [Installing ZFS in Qubes](/doc/zfs/)
  * [Mutt Guide](/doc/mutt/)
  * [Postfix Guide](/doc/postfix/)

managing-os/hvm.md

@@ -22,7 +22,8 @@ Interested readers might want to check [this article](https://blog.invisiblethin
 Creating an HVM domain
 ----------------------
 
-R3.2:
+### R3.2 ###
+
 With a GUI: in Qubes Manager VM creation dialog box choose the "Standalone qube not based on a template" type.
 If "install system from device" is selected (which is by default), then `virt_mode` will be set to `hvm` automatically.
 Otherwise, open the newly created VM's Qube Settings GUI and in the "Advanced" tab select "HVM" in the virtualization mode drop-down list.
@@ -32,7 +33,8 @@ Command line (the VM's name and label color are for illustration purposes):
 qvm-create my-new-vm --hvm --label green
 ~~~
 
-R4.0:
+### R4.0 ###
+
 With a GUI: in Qubes Manager VM creation dialog box choose the "Standalone qube not based on a template" type.
 If "install system from device" is selected (which is by default), then `virt_mode` will be set to `hvm` automatically.
 Otherwise, open the newly created VM's Qube Settings GUI and in the "Advanced" tab select `HVM` in the virtualization mode drop-down list.

security-info/canaries.md

@@ -41,4 +41,5 @@ Qubes Canaries are published through the [Qubes Security Pack](/security/pack/).
 
 -   [Qubes Canary \#15](https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-015-2018.txt)
 -   [Qubes Canary \#16](https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-016-2018.txt)
+-   [Qubes Canary \#17](https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-017-2018.txt)