Gentoo for Dom0?

janglingquo_575 · February 17, 2025, 8:28pm

Has anybody here experience with Gentoo as OS in dom0?

fsflover · February 17, 2025, 9:06pm

You can’t change the OS in dom0 at the moment. See this:

github.com/QubesOS/qubes-issues

Change the OS used in dom0

opened 04:34PM - 18 Apr 16 UTC

mfc

C: core P: major

We have discussed this numerous times but don't have an issue to track these dis…cussions. It would be worth understanding what would be needed to change dom0 from Fedora to Debian (say Debian 8). Benefits include: - increased hardware compatibility - incorporate serious work taken towards reproducible builds - better firstboot installer - better (slower) release cycle than Fedora with longer-term support - other things? This ticket does not encompass modifying the desktop environment.

Unable to use Qubes Updates on `sys-gui`: [Errno 13] Permission denied

opened 12:07PM - 13 Feb 24 UTC

peakunshift

C: manager/widget C: gui-domain P: default diagnosed affects-4.2

### Qubes OS release 4.2.0 ### Brief summary When using `sys-gui` there is …a permission error that prevents Qubes Updates to open. I'm reporting this specific issue but it's not the only app with this error. I started a topic on the forum around a more general discussion regarding admin privileges for GuiVMs: https://forum.qubes-os.org/t/grant-full-admin-privileges-to-sys-gui-sys-gui-gpu/ ### Steps to reproduce - Install `sys-gui` and log into it - Open Qubes Updates ### Expected behavior - Qubes Updates opens as expected ### Actual behavior Permission error reported on the Bug Report UI tool of `sys-gui`: ``` backtrace __init__.py:1213:_open:PermissionError: [Errno 13] Permission denied: '/var/log/qubes/qui.updater.log' Traceback (most recent call last): File "/usr/bin/qubes-update-gui", line 33, in <module> sys.exit(load_entry_point('qui==0.1', 'gui_scripts', 'qubes-update-gui')()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/qui/updater/updater.py", line 303, in main app = QubesUpdater(qapp, cliargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/qui/updater/updater.py", line 47, in __init__ log_handler = logging.FileHandler( ^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.11/logging/__init__.py", line 1181, in __init__ StreamHandler.__init__(self, self._open()) ^^^^^^^^^^^^ File "/usr/lib64/python3.11/logging/__init__.py", line 1213, in _open return open_func(self.baseFilename, self.mode, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ PermissionError: [Errno 13] Permission denied: '/var/log/qubes/qui.updater.log' ```

github.com/QubesOS/qubes-issues

Document how to enabled and test sys-gui/sys-gui-gpu

opened 12:03AM - 17 Jun 21 UTC

marmarek

C: doc P: default

**Qubes OS version (if applicable)** R4.1 **Affected component(s) or f…unctionality (if applicable)** gui, documentation **Brief summary** Document everything needed to test new GUI VM feature. Some hints at https://qubes-os.discourse.group/t/how-to-enable-the-new-gui-vm/2631/3 **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://www.qubes-os.org/doc/gui-configuration/ https://www.qubes-os.org/news/2020/03/18/gui-domain/ **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #833

But see also this:

janglingquo_575 · February 17, 2025, 11:55pm

Sorry my English. Can you tell me which is the most recent development

in GUI-VM?

janglingquo_575 · February 18, 2025, 5:20am

Is Alpine Linux still the leading candidate for dom0 security wise?

What about Open/Hardened BSD?

Is secureblue a candidate?

fsflover · February 18, 2025, 2:31pm

AFAIK my links show the latest developments.

The answer is in this discussion, which I gave above:

github.com/QubesOS/qubes-issues

Change the OS used in dom0

opened 04:34PM - 18 Apr 16 UTC

mfc

C: core P: major

We have discussed this numerous times but don't have an issue to track these dis…cussions. It would be worth understanding what would be needed to change dom0 from Fedora to Debian (say Debian 8). Benefits include: - increased hardware compatibility - incorporate serious work taken towards reproducible builds - better firstboot installer - better (slower) release cycle than Fedora with longer-term support - other things? This ticket does not encompass modifying the desktop environment.

Also this post, which I gave above, explains why the dom0 distribution shouldn’t matter:

Alpine Linux in Dom0

My impression from this and other threads is:

the core team works on moving more and more hardware handling into dedicated qubes (increased security through compartmentalization): sys-net, sys-usb, sys-audio, sys-gui, …?

the distribution used in system qubes is up to the user (to a certain degree, based on what is officially supported and what the skill level of the user is to go beyond that).

eventually dom0 will have little left to do, at which point dom0 might migrate to a minimal build potentially maintained by the Qubes OS team in it’s entirety

there is no specific time frame, but a clear process / direction

given the above, repeated threads proposing various distributions for dom0 are distractions and bring little value: there won’t be any switch in the short-term and long-term the whole discussion becomes irrelevant.

janglingquo_575 · February 18, 2025, 3:19pm

what do you think about hardened Fedora distros like secureblue

fsflover · February 18, 2025, 5:44pm

It’s a great distro, and there’s a plan to have a Template with it in Qubes. However I’m not sure which threats you expect in dom0, where this distro would help. Could you name them?

Related earlier discussion:

Another one:
Alt RPM Distro (CentOS?) in dom0 - #24 by Insurgo.

janglingquo_575 · February 19, 2025, 1:45am

It isn’t only for dom0. You’re right that dom0 is unlikely to be compromised except

for a supply chain attack on Fedora.

I would say the biggest threat would be a supply chain attack on Fedora.

But mainly it would be for the VM security, because these VMs are network

facing.