Real threat of installing software in dom0?

Have I said something unreasonable?

1 Like

Not at all. I actually went a bit off topic…sorry. I do that sometimes…

1 Like

Why not? Can you elaborate?
This package was missed from original Fedora almost certainly by mistake.
So I do not understand your resolute and capitalized NOT.

And authors of ~1000 packages from Fedora. If somebody targets Qubes OS they can modify the package in advance, the modification will be used in dom0 eventually. Can’t they?

You still did not explained thread model that you are so afraid of.
The thread model that should prevent you from installing bash completion or bc.

But you are probably OK with installation of hundred of KDE packages or i3 packages that are provided in documentation, right? It is suddenly “OK”, isn’t it?

Good point. I think the logic of @szz9pza about using outdated fedora version in dom0 to avoid updates - is not correct.
It’s probably because it is hard for reasonably small Team to test everything before release and support updated versions of Fedora because it has too short release cycle unlike Ubuntu LTS releases with 5-10 years support. We see that with templates which get unsupported too fast. So fast that the Team is almost not in time to prepare fedora-templates replacements.

1 Like

Maybe, and you probably want to error on the side of caution.

Dom0 is both and adminVM and sys-gui, which isn’t ideal, in the future sys-gui will be separated from the adminVM/dom0. There are some software that if you want to use it you have to install it in dom0, eg. if you want to change the compositor.

The downside is that you are installing it in the adminVM which has full access to the system, and changes to dom0 can impact security, performance, and stability.

You shouldn’t be using dom0, so you shouldn’t need to install any software in dom0. Most of the time when someone wants to install software in dom0, it’s because they are not using Qubes OS as it’s intended to be used, and thinks of Dom0 as Linux.


The capitalized NOT is because you advice to everyone to install it.
bash-completion is quite small, so you can review the code, unless you do it,
I would not advice to install it.

In some extend, yes, some part of Fedora project must be trusted for dom0.
I include those part in the Qubes team, even if they can’t review everything,
I guess they have some unit-test to make sure the code in dom0 is reasonably secure.

And obviously, Fedora and/or Debian are also in the chain of trust for the templates.

That why the less code there are in dom0, the better.
We are trusting Qubes team to do the right thing and to not include those packages into dom0.

When I give advice, to the best of my knowledge, I assume the highest threat model.
Some have installed Qubes OS as enthusiastic, that may not be the case for others.

For KDE, maybe, as it was previously the default in Qubes OS.
I still not recommend it, especially for high threat model (neither KDE or i3 or else).

My point is quite simple:
Do not install anything in dom0 unless you reviewed the code (yourself or by a trust person).

It resumes pretty well the situation.

As we all pointed it out, it depends on your threat model, as always.
But even for low threat model, I do not recommend to install anything in dom0, and will never do.

At the end of the day, you decide the chain of trust of your installation.

1 Like

Totally valid points. But could you please elaborate on these points?:

What exactly is problematic about installing software(just that somebody planted malware targeted for QubesOS three years ago???)

I took a good look in the Qubes Docs but nowhere is written what packages in dom0 are updated.

I mean obviously, Qubes maintains its own repo, but where can I see what’s safe to install and what’s not?
Why are the Fedora repos not disabled by default???

Is it only safe to install software that is in Qubes OS Project · GitHub ?

1 Like

Your system is ‘probably’ not compromised. But now, there is a ‘probably’, ‘potentially’, etc.
You have changed the chain of trust of Qubes OS.
Now, Xen/Qubes team are not anymore the first.

There are a list in Qubes Global Settings > version information
But I guess that anything in dom0 can be updated if Qubes team decide to.

It should be reasonably safe. That depends.
By example for i3 (window manager) is not developed by the Qubes project (neither KDE).
But as it is in the official part of the documentation, I guess it has been reviewed (probably not everythings).

I made my point I think. I will let others people make theirs.
Would like to have @unman point of view. And correct if mistakes were said.

1 Like

OK, I see. No, i3 and KDE have millions of lines, and I am sure your guess about Qubes OS Team being able to review 1000 fedora packages included in dom0 is wrong. And I doubt they have some unit-test for 1000 third-party packages included in dom0, too.

Also I am sure that nobody from the Team had time nor ability to review tons and tons of software that is considered to be OK to install in dom0 according to the official documentation. And it is fine, it is OK, because you still use Fedora in dom0 with 1000 packages that was also not reviewed that way.

Your assumption that installation of mc or bc or bash completion makes system less secure than installation of huge Desktop Environment cannot be true, obviously.

One should understand what is he doing, how does the system work and then blind following some basic recommendations will not be necessary.

I didn’t said that.

I didn’t said that either.

Please, provide the link to that documentation.

I still didn’t said that.
Unless you review the code and disable update, it’s a fact: its a potential security hole.
No matter what you install. Please, notice the ‘potential’.

The blind recommendations to let dom0 alone doesn’t come from me.
It comes from the Qubes Project.

You use Qubes OS, so you trust them with dom0.
Anything that is not preinstalled in dom0 should be reviewed.

If you do not want to do that, that’s fine, but don’t say to everyone, that’s “OK”.
It might be “OK”, it might be a ‘potential’ security hole.

1 Like

Just re-read message you are replying to. It has quotes where you guessed this and guessed that. Once again, I am certain, these guesses are wrong. If you have or can gather different information, please provide, I will be happy to change my mind on that.

The point being is that according to docs it is OK to install even huge packages with millions of lines of code from fedora repo according to documentation. Of course you should understand what your are doing and trust these packages in the same way as you have to trust other 1000 third-part packages already installed in dom0 from Fedora old repos.

Saying that installation of bc, mc, bash-completion or something like that is “a big NO” is not right. You provided no convincing (for me) arguments.

Qubes OS Team members themself have/had a lot of additional Fedora packages installed in dom0, maybe even custom DEs. If it is “a big NO”, “definitely NO” and etc, as you say, maybe you should contact them and convince to reinstall the system and avoid this in future. :slight_smile:

I am not sure we should continue this discussion, I got your point.

1 Like

I didn’t say that they reviewed 1000 fedora packages, and I didn’t say they have unit-test for 1000 fedora packages.
YOU said that I said that.

I said for dom0:

In some extend, yes, some part of Fedora project must be trusted for dom0.
I guess they have some unit-test to make sure the code in dom0 is reasonably secure.

Are you saying Qubes OS team doesn’t make sure their code are reasonably secure ?
If my guess are wrong, so they do not have unit-test (according to you) ?

I said for KDE or i3:

But as it is in the official part of the documentation, I guess it has been reviewed (probably not everythings).

There are several way of reviewing a package.
Reviewing each line of code is one way but not the only one.
You can review a package to make sure it is trustworthy:
either because the devs are already trusted, the code has been audited, or other methods.

Are you saying Qubes OS team are blindy trusting packages they recommend in official documentation ?
If my guess are wrong, so they just trust KDE or i3 without making sure the package or devs are trusted ?

Again, I didn’t said Qubes team has reviewed millons line of code or 1000 fedora packages.
Just re-read message you are replying to.

The links you provided just show how to install those packages.

of software that is considered to be OK to install in dom0 according to the official documentation.

Where is the quote to that affirmation ??

Maybe here ? :

Warning: Installing software in dom0 is for advanced users only. Doing so has the potential to compromise your entire Qubes OS installation. Exercise extreme caution.

If we listen to you, it’s “OK” to install every single packages of the Fedora repo into dom0.
NO, it’s NOT. Yes, a big NO.

If you don’t see the problem of installing millions lines of code into dom0 or to install a non-preinstalled
package into dom0 without reviewing it, I can’t do anything for you.
If you are not aware, a single line of code can compromise your entire system …

Individual Qubes team do whatever they want with their system, as everyone else.
And they have definitely the knowledge to do so.

What about a journalist or else, reading your advice that is “OK” to install anything into dom0
Again, it is not “OK”.
You trust KDE or else fine, install it.
Do not say to someone with a high threat model that it is “OK”. It might be not.

If your still not convinced, see the recent vulnerability discover in Keepass just recently.
Yes, it was trusted and audited. And still …

So again, don’t give bad advice to high threat model.
If you don’t remember, this is the start and the bad advice I refer to:


No, please, read again. I am saying that I am sure Qubes OS team is not reviewing the code or creating and running some “unit-tests” for hundreds and hundreds of packages installed in dom0 from Fedora.

It is not their code. And yes, they trust those packages, and their authors, and maintainers, and Fedora distribution and signing chain. They have to, because nobody has such amount of resources to review and/or “unit-test” the code of such size by themselves. And I am not even talking about huge Linux kernel, that everybody has to trust, too.

This is about these guesses of yours:

And about this:

No, it is simply not true.

Why it is not true:
I provided examples what to my opinion is OK to install and why, and what is NOT OK and why it should be strongly avoided. Just read again the first message that you fight against.

Installing keepass in dom0 would be ridiculous and against the logic of Qubes OS (why would to provide this example for dom0?), while installation of devilspie2, bc, bash-completion, custom video compositor or even custom DE can be OK and sometimes the only option to make things work as one need.

My opinion on this garble of yours:
I think, that you misrepresented my position in the quoted sentence deliberately, and I do not consider it to be an appropriate thing to do in a forum discussion. Also you ignored all inconvenient questions of @Nyo and mine. That’s why it’s not constructive to continue, sorry.

You obviously don’t understand sarcasm and rhetorical questions.

It is clearly what you stated in you first post and trying to convince everyone.
You said that you can install anything except packages that provide connections.
Didn’t you ? yes you did.

Do you think a malicious software in the fedora repo will claim to be malicious ?
Just use your brain, omfg.

Do your opinion is bad advice for high threat model ? yes it is. (for low threat model as well).
Just read again YOUR first message that I fight against.

Again, you say that I said something I didn’t.
Did I mentioned dom0 ? no.
It was an example that even trusted and audited code can have vulnerability.

It can be “OK” if you review those packages.
Did I said the otherwise ? No, I didn’t.
Do I recommend to install them in dom0 ? No, I do not, especially for … high threat model …

My garble ? LOL
I would say your clearly have a lack of knowledge.
When your are not able to open a man page or search by yourself a simple solution to your problem,
just don’t give advice to other people.

I did not misinterpret anything, you clearly did with my sentences, several times.

Except that very last message of me, everything else is appropriate.

Maybe I do not have the knowledge to answer precisely.
Or maybe, as the answer already exist, I didn’t take the time to answer them.

Be free to answer to those questions.

Maybe they wasn’t worth a response …
Mostly because of your lack of knowledge.
To be honest, I don’t know what are those questions, you can reformulate them.
I will not answer them, but maybe someone will.

It’s not constructive because you keep saying that is is “OK” to install unreviewed sotfware and millions of lines of code in dom0 for high threat model.
I said several times I consider your advice bad for high threat model.
And you keep ignoring that very important information of my speech.

That not constructive because you do not understand how security works.
Yes you have a little idea, but you cleary have a lack of knowledge in security, good practices and coding.

Why that are always the people with the less knowledges that give the most advices and talk the most …

You know what.
You are right, I am wrong.
I’m done with you.


@balko When you say that it’s OK to install something in dom0, you should indeed mention that it’s not really OK for everyone, but only if the user knows what they are doing.

The whole deal with (not) installing additional software in dom0 is about trusted computing base. Qubes provides security through compartmentalization, i.e, your TCB must be as small as reasonably possible. The Qubes team is trying to remove most things from dom0: audio, handling of USB devices, GUI and so on. This is the Qubes way. For advanced users, it’s even recommended to use minimal templates, which have less code – despite the fact that you still can install something in them quickly. For this reason you should avoid installing anything in dom0, unless you know what you are doing.

It would be interesting to see a comment from @unman about possible security implications of installing KDE. This is more or less the reason why I’m not using KDE and stick to xfce, which has less code.

See also:


Well. I still have no clue how installing software in dom0 really works and what the real threat is and what’s safe to install and what isn’t. I mean where are we even downloading the old Fedora packages from? I am pretty sure that fedora mirrors don’t keep old packages…

I wanted to use versionlock to pin every package, but I just decided to remove everything I installed.
I will not reinstall Qubes because I am way too lazy and because I don’t want to assume my machine is compromised because I would have to change dozens if not hundreds of passwords…

I am really looking forward to sys-gui maybe more modern rice with Hyprland and eww will be possible then, without worrying too much about security. Until then I will just improve my knowledge of Qubes and Linux so I will finally have a better understanding of this fantastic project.

TBH the only takeaway from this discussion is that if you have no idea (like me), if installing stuff like i3, polybar, rofi, picom, localization, and fonts might compromise your system and you have anything of value on the machine and your network you should just let it be and wait for sys-gui. Don’t install anything that is not absolutely necessary and recommended by Qubes Developers.

Still, I want to say thanks to everybody that replied.

1 Like

In dom0:

$ whereis qubes-dom0-update
qubes-dom0-update: /usr/bin/qubes-dom0-update /usr/share/man/man1/qubes-dom0-update.1.gz

$ less /usr/bin/qubes-dom0-update

View this qube-dom0-update file, it is just a reasonably small bash script that mostly copies dnf state from dom0 to updatevm and runs dnf inside it passing arguments of qube-dom0-update to dnf inside updatevm (remember, that dom0 must stay offline all the time). It uses some modifications like having several additional flags and modification of --action= flag but it is minor details.

If you know bash you can find answers to your questions about how it works, the script is not that big.

No, right the opposite Qubes OS uses fedora mirrors and old packages, and even dnf is not modified.

If somebody hacks Fedora-32 or Fedora-32-Updates repos - the will affect Qubes OS too.
The list of repos that is used for dom0 can be checked in dom0 in /etc/yum.repos.d/, in has Fedora-32 and Fedora-32-Updates repos for R4.1.

The Team is small and cannot afford to write own package manager.
I believe that having own repositories, even cloned from Fedora without code review, is probably desired (like derivative distros do) but not implemented yet. Not even dreaming of reviews of third-party packages of dom0, it is not realistic.

After all, Qubes OS is rather simple from this point of view (I think it is a good thing), one can consider it to be an advanced wrapper of Xen + GNU/Linux for making it work as a solid and comfortable to use operation system.

1 Like

Thanks, I would correct myself like that: it is not really OK if you do not know what you are doing and why. But I considered it to be an obvious condition, because if one does not know what and why they are doing then it is a reason to stop and think, it’s not only about Qubes OS. :slight_smile:

All that I understand. But users deal with what we currently have. DE that cannot remember windows positions properly, bash completion that is not working, lack of editor with syntax highlighting for more effective viewing existing scripts in bash and python, lack of bc that one would use in own scripts and etc.

About audio: in Qubes OS R2 or R3 there was no way to use bluetooth audio without external devices (like BT transmitter) in a secure way. It was not OK (very-very bad idea) to install bluez and other connectivity packages in dom0, because it ruins the main feature of dom0 being completely offline. At that point I would advise to buy a BT transmitter, it was a great solution. Now, for R4.1 it is possible to use bluetooth audio in some qube (like sys-audio), so installation of bluetooth stuff inside dom0 is not only an awful thing to do but also not even necessary.

About minimal templates: I agree completely. I use fedora-minimal and install all applications I need (KDE and Qt-related mostly, because I do not like GTK/Gnome stuff very much).

About installation of bash-completion inside dom0: it is still a good thing to do in my opinion, and I still can recommend it to anyone because it:

  • improves experience and knowledge of user,
  • allows user to make fewer mistakes in dom0,
  • does not affect security in any stronger way that hundreds of other also un-reviewed installed packages,
  • works completely offline,
  • is used in every single GNU/Linux distro with bash,
  • and it was left out of dom0 not intentionally, but probably by mistake, as Marek said on github.

That’s why I did not like how @ssz9pza reacted to this yelling at me. Sorry for that.

I also use XFCE due to similar reasons, but I like KDE way better. More flexible, more features and it does not look ugly.
I remember Qubes OS R2 and R3 with KDE and I think that migratiion to XFCE was not a great decision. I like that @unman uses KDE as a daily driver (if I am not mistaken) and hope that using his afford it will be a main or at least out-of-box DE for Qubes OS in the future. Because I consider KDE to be objectively better for Qubes OS and is not that bloatwared as one may say in the past.

Also we should understand that installation of custom DE is way more dangerous, than installation of any package that I mentioned in this topic, simply due to the amount of code and applications that are not reviewed. But even that is OK if you know what and why you are doing; that’s why we have guides how to install these custom DEs in the first place.

1 Like

On second thought, I am sorry for this dispute and I am taking back any offense or knowledge criticism towards you, sorry.

I understand that you mean well and probably competent in security. We just either have different points of view on the matter or maybe similar one, but have different reasoning and formulation.


Sorry for yelling.
In the future, I will be more concise and specific in my first reply.

I also apologize for the ad hominem attack. Will not happen again.
It wasn’t fair and wrong, you do have knowledges (and I knew it when I wrote those attack).


There is a line of best fit that correlates the number of lines of code in dom0 to the number of humans that can potentially show you random tooltips on your computer saying, “I’m watching you” briefly for like 5 seconds.

How many tooltips are you willing to cope with? There is probably also another correlation that relates the number of tooltip messages to the number of hours inside of a psychologists office.