The capitalized NOT is because you advice to everyone to install it.
bash-completion is quite small, so you can review the code, unless you do it,
I would not advice to install it.
In some extend, yes, some part of Fedora project must be trusted for
I include those part in the Qubes team, even if they can’t review everything,
I guess they have some unit-test to make sure the code in
dom0 is reasonably secure.
And obviously, Fedora and/or Debian are also in the chain of trust for the templates.
That why the less code there are in
dom0, the better.
We are trusting Qubes team to do the right thing and to not include those packages into
When I give advice, to the best of my knowledge, I assume the highest threat model.
Some have installed Qubes OS as enthusiastic, that may not be the case for others.
For KDE, maybe, as it was previously the default in Qubes OS.
I still not recommend it, especially for high threat model (neither KDE or i3 or else).
My point is quite simple:
Do not install anything in
dom0 unless you reviewed the code (yourself or by a trust person).
It resumes pretty well the situation.
As we all pointed it out, it depends on your threat model, as always.
But even for low threat model, I do not recommend to install anything in
dom0, and will never do.
At the end of the day, you decide the chain of trust of your installation.