I want to install i3 WM in dom0. Is it secure to install.
Does dom0 get security updates for user installed softwares?
First of all, welcome @miki!
As for your concerns, QubesOS is designed such that dom0 doesn’t need updates in the way a normal desktop would. It is based on Fedora, and anywhere from a few to several major versions behind. This is okay because dom0 is heavily isolated from any vectors of attack.
When you install a package into dom0, the main risk is not that the package is vulnerable but that it is malicious. While Qubes-specific packages do need to be kept up-to-date (which the Qubes Team does), i3wm is a package that doesn’t directly affect the security of dom0 unless it is malicious.
In short, it will not get regular updates, but unless you have extenuating circumstances, it is safe to install.
1 Like
So, If I trust a package or software, then there is not much harm expected even if vulnerabilities identified in due course?
With the usual caveats, yes.
The recommendation is that the user is very careful with dom0. I personally refuse to do anything but install necessary packages from official repos and edit config files. The usual caveats are simply that any access to dom0 is like root on steroids—it’s game over, so you should be careful to consider unintended consequences. That being said, unless you have serious safety/security concerns (eg a corporation or government is targeting you) then you have nothing to worry about with installing i3.
You may also consider using sys-gui or sys-gui-gpu. There is a guide for installing window managers there, and it would be safer in case you have concerns.