I want to like liteqube, and in theory I do, but I can’t use it until installation and management are streamlined. I’d love to support and test, but unfortunately I think this would just be the straw that breaks the camel’s back as far as one more thing to do right now when I’m already very busy. I did take a moment to see if I could give feedback as a potential user.
First, @arkenoi, you may want to use Ansible and Python instead of Salt and Bash since Ansible seems to be the future. Also, the Qubes team uses Python, not Bash, for cross-OS compatibility (and Bash is less secure than Python out of the box anyways). I’m not a fan of Python per se. In fact I hate that its syntax is based on whitespace, but that’s immaterial. But there’s a lot of precedent here.
Second, for the project to be viable for normal use, some things need to be upstreamed to Qubes if possible. The template and RPC calls at least. That would make the project relevant to more than just those wanting the whole package. It would also make installation and maintenance much more manageable as far as trust, updates, and portability go. This is a big deal for me as I can’t think about everything, and I want to avoid trusting extraneous sources unnecessarily. The coding in Bash instead of Python and Ansible as mentioned makes this even harder.
Third, it seems like it’s trying to do too much at once. I understand the idea and have nothing against it, I just think maybe the base functionality should be separate from the features, like mail, storage, and RDP from networking, VPN, audio, and USB. This is admittedly arbitrary though, and mainly a precursor to my last main issue.
Last, the liteqube seems a bit unorganized, like you’re trying to fit too many things in one small box. On one hand I understand this is kind of the point, but I think it could be done with more elegance. My system is complex and I have near 50+ qubes, as I’m sure others do too. But because my main setup is complicated, I need everything that can be to be simple and easily understandable. IMO, the web of RPC and what does what is just a little too tangled for my taste. But that may be improved simply by a move to Salt or Ansible where the configuration is more human-readable.
I’m in no way saying that this is a bad project. In fact, I really like it. I’m glad to see a real effort to harden qubes in a meaningful way by stripping attack surface and adding “now you’re thinking with Qubes” designs like the VM boot protect stuff. I also like the real potential for simplification and ease of understanding because it’s important to understand a system to be secure with it. I just think it’s too early in the design stage for me to be able to work with it because of the existing complexity of my qubes. Hope this was helpful.