Dom0 compromised through rice?


I am currently in the process of ricing dom0 and installed a bunch of software in dom0 like kitty, feh, gpick, and gimp.

I didn’t want to transfer anything to dom0 so I thought I would just make everything in dom0, writing scripts like autotiling from scratch and recoloring icons.

I also installed rofi and polybar from the Fedora 32 repos. I just discovered that they are also in the QubesOS-contrib repos.

After reading a few threads about installing software in dom0, I have been doubting if this really was the right way (Security).

Should I nuke my Installation and only install packages from the QubesOS-contrib repo?

Should I just transfer everything I need from an AppVm?

Or is this probably fine?

What’s the most secure/best way to rice QubesOS?

My first rice BTW


you did everything wrong.

You can’t install any software in Dom0.

You should install all software in VM: fedora-37, and then you should create new “apps” machines based on fedora-37 template, and in the template-based machines you should run software previously installed in fedora-37 template.

Be sure to read the article describing how to configure and use qubes: How to organize your qubes | Qubes OS



You can, that’s not recommended because it can compromise the system. If the software is not bundled with anything wrong then it’s safe to run in dom0. For rice, the user will need to install rofi and polybar to dom0 since it needs to appear on the desktop and get information about qubes and more.

Other than that, the remaining software need to be installed in a TemplateVM/StandaloneVM.


Thanks, for replying.

Because nobody answered this question I opened a new thread where I asked this question a little bit differently. But I still think that this title sounds a bit funny…

sorry for opening an unnecessary extra thread. Won’t do it again.