Some noob questions

Sup everyone!

This system is quite a challenge tbh, but I made it working tho I have some questions regarding how it works… hope you can clarify some things for me and pleeeease, don’t be shorten on words, as I don’t understand the whole lot of things related to each and every question in here.

  1. So I’m reeeeally confused regarding the sys-net thing, I don’t really understand like why it has open access like that and why does the proxy use sys-net directly and not the sys-firewall, I mean I read the docs and all, but doesn’t this makes it more risky to update like that?

  2. Also it’s not clear to me on why is it “Qubes method”(or whatevet) is to assume that the individual VM is already compromised… like how, why… I mean, if my VM is compromised then why would I need Qubes from the first place… like it’s gameover…

  3. There’s that thing Split PGP… It says that the another VM will be responsible not only to hold but also to decrypt/encrypt the message? So… like I open the message in the Split PGP VM at the end or does it goes back to the original VM and then I open it? If it’s the latest, then it’s gameover same as with question 2, if it’s the first case, then all my PGP keys can be exploited… no?

  4. I can’t stand that xfce look… switched to KDE but I have these ugly window colors like red, green… I don’t wanna install anything in the root domain, how do I get rid of them and use default plasma theme, there’s like only some plastik theme and the default with colored windows?


the proxy is in sys-firewall, did you find a documentation text saying otherwise?

Opening a file by mistake or being tricked can happen, in that case you would notice it and you know exactly what was exposed. I think the wording isn’t really good, I’d more say that with Qubes OS, when you will be victim of a malware / attack, you know exactly what is at risk in each qube. While all other traditional OS have everything under a single user account.

it’s on purpose, I think it was discussed a month or two ago, it’s not possible to disable it AFAIK, it’s by design to not mix qubes windows

@shooting_star In the meantime, you can always choose a color you like for all your qubes… If you can’t find one you like, you can always add more. I invite you to read this Topic:

and using this script to add new colors:

And I am having the opposite problem. I want those colors but can’t get them, even using Breeze. I am wondering if adding the colors broke the theme.

And anyone reading this, please be aware that the scripts referenced in the thing you quoted turned out to need one more line added at the end to resolve the issue I was bringing up

Yes @SteveC I didn’t specify the addition of the end of the script because YOU specified it in the end of the topic i’had linking :wink: :
So, for people who want to use the script, don’t forget to add gtk-update-icon-cache at the end of the scripts: GitHub - Willy-JL/Qubes-Scripts: 🧊 Collection of custom scripts for Qubes OS :slight_smile:

All is ok for me :confused: (xfce with Arc-Dark’s theme)


So there are 2 interrelated things that Qubes facilitates which stem from the assumption that any VM could be compromised at any time:

  1. Damage containment
  2. Risk management

In particular, it contains damage by separating things. If a piece of malware is able to infect a VM that you use to watch movies, it will not be able to steal data from a VM that you use for work or the VM that you use to connect to your bank. So it’s game over for that VM, but it’s not game over for your entire digital life.

It allows you to manage risks by deciding how much risk you are willing to accept based on the context you are acting in. You might decide that running a random program which claims to be a fun game is acceptable in a VM that you only use for browsing random sites, but not in the VM that you keep your password database in. Different contexts can tolerate different levels of risk, allowing you to take greater risks that are more likely to occur by limiting the damage that can be caused if they do occur.

For a more grounded example, consider that there have been incidents in the past where people have found ways to spread malware through ad networks (that is, someone purchased ad space and uploaded a malicious file as the ad, not that the ad network itself intentionally attacked people, this article from AVG discusses it further). This means that there is some risk associated with visiting a news website that serves ads. This risk is not so great that it makes sense for people to stop visiting news websites all together, but it is a risk. By keeping a separate VM that you use to visit news website from the one that you use to visit your bank’s website, it is easier to accept the risk of ad-based malware, and if the risk does occur then the damage will be contained.

Didn’t expect so much help right away! Thanks you all!
I’ll go one by one as there so many things…

yes, here

OK, so it makes way mooore sense now… so it doesn’t assume right away it’s compromised etc, etc…

My eyes are falling apart because of these colors… but yeah, OK, I’ll install some other theme then.

So I must use the scripts to add them or is there some other way?

*** What about the question 3 anyone please? Or is it no longer in use or something?

you must use the scripts. I don’t think there’s another way.
I use qubes-color-add and qubes-color-del. You just have to add gtk-update-icon-cache at the end of the scripts, put it in /usr/local/bin folder, and run the command in Dom0…

1 Like

It says “cp: cannot create regular file ‘scalable/apps/appvm-mycolor,svg’: Permission denied”…
I did chmod it with +x and put it in the usr/local/bin…

you have to run it in root :slight_smile: :
sudo qubes-color-add "color_name" "xxxxxx"
and to remove the color:
sudo qubes-color-del "color_name"

1 Like

Also, I (re) discovered this after I somehow lost the added last line in my copies of the scripts:

It’s not sufficient to just put gtk-update-icon-cache in the script, it must read
gtk-update-icon-cache /usr/share/icons/hicolor

In other words you need to supply the name of the relevant theme.

I had /usr/share/icons/hicolor it’s ok for changing color of existing qubes and new qubes BUT it’s doesn’t work for Standalone.
I tried by creating, by changing colors. creating new qubes, disconnecting/rebooting.

This got me thinking.

There’s two Update proxies: one for dom0 and one for domU.
The default for dom0 is the sys-firewall, while all of the rest Templates uses sys-net as default.

What’s the exact reason for that?