Suggestion: automatically mark all posts which suggest to change stuff in dom0 as

… dangerous or at least as unsupervised and not supported by the QubesOS team.


I get the point, but I think the status quo is already reasonable. Many times when people recommend doing stuff in dom0, they mention a skeptical approach.

Many in the community do that already. And there is unfortunately no automated way of doing such control. (I don’t think LLMs are good here either).


Should have thought about that before writing “automatically”.

Google/YT marks all Covid- and Climate-videos, so that might have been the reason for me to believe that automatically marking posts is the new normal. Discourse isn’t Google, of course.

I have noticed quite a few posts about tampering with dom0 and to me it seems that the consequences of some changes cannot be overseen entirely.

Looking forward to more isolation of hardware (like sys-gui), although QubesOS is already eating up quite a few resources.

(For all readers) if you find some post with dom0 commands that look malicious, please flag them :black_flag:

And I don’t think that’s working well for them. Even people debunking misinformation get slapped with that label and demonetized. So in a way this creates incentives not to talk about the subject at all.

But in any case, those mod tools won’t be in our toolbox for years to come.

No prob.


If I may, I would suggest the opposite: We need to stop the fear-based talk about dom0.

Since day one when I joined this Qubes OS party, the first thing I observed is the cloud of fear around dom0 in all and every forum talks, documents, etc. I do not think it is healthy.

For quite a long time, dom0 was based on Fedora 25 (if my memory serves well), then suddenly it jumped up to Fedora 32, and now Fedora 37 (in Qubes 4.2). If the Qubes Team jumps up Fedora versions just like that, I doubt that they audited the Fedora code seriously, if they did it at all. And if they just do not care about changes in dom0, why scare people of doing the same? You will never be a master of anything if you are afraid of touching it. At the end of the day, the computer is yours, and if you are not the master (of your computer), who will be?

So, my counter-proposal is not to flag talks about dom0, but instead, just talk about it, talk a lot and talk naturally without any “warning” or exclamation marks.

Thank you.

The versions you listed are correct, but it seems you misunderstand the nature of dom0.

First of all, the whole security model of Qubes OS is based on the assumption that dom0 is clean and not compromised. Nothing will save you if dom0 runs untrusted software. You can decide what you trust yourself and install any software in dom0 if you trust (and verify) it. However, new users often do not understand the importance of this and they should be warned about the danger.

Concerning the “jumps” of the Fedora versions, I don’t understand the problem. Of course you should update your base system when you release a new Qubes version, at least to support newer hardware. Of course, I trust Qubes developers that they check the code as much as possible. And Fedora in dom0 is also minimized, with most of the software removed.


dom0 is a special domain (Admin VM), because it is the only domain that can see and manipulate all other domains. When one installs Qubes OS, dom0 is offline and doesn’t contain any unnecessary programs. Network access is isolated in sys-net and everything is configured with secure defaults.

The danger is that a person with a little knowledge sees this and starts changing the defaults without thinking about the security implications. For example they start to download and apply scripts they found online, import themes, icons and applications. With every step the danger exists that a compromise gets introduced.

So why the warning?

  • because dom0 is different than all the other domUs. A compromise in a domU does not affect the entire system, while a compromise in dom0 does
  • in its default state dom0 is reasonably secure (the Qubes OS team does not review the entire Fedora system obviously)
  • with very few exceptions (e.g. thinkfan) there is no reason anyone should install anything in dom0 … especially when sys-gui is used.

You are apparently unclear on the concept.

dom0 is supposed to be used, in essence, to manage/administer the other VMs (domUs to distinguish them from dom0). That’s its role. The domUs are what do the main work, the stuff that is the reason you own a computer in the first place.

Since dom0’s job is to manage the other qubes, there should not even be any desire to install third party software on it, with just a couple of exceptions like perhaps you want a different editor for editing bash scripts and the like, but that will only be an issue as you decide to do more complex things with the VMs. You might also want a different desktop manager, and at least some of those are actually an option provided by Qubes or the community (not sure which in the case of KDE).

But there’s simply zero reason to install browsers, office suites, video editors/players, Photoshop or anything like that in dom0. Those are the sorts of things you do in another VM. You seem to want to install stuff on dom0… why?

I’ve been using QubesOS for a bit over a year now and I don’t even know how to install a package in dom0 unless it’s one of the ones you get to via qubesctl calls (i.e., one provided by the Qubes developers or the community). That should tell you how infrequently I’ve done it. There’s simply no need to.

The QubesOS model is based on the assumption that domUs can be compromised but dom0 needs to be kept isolated. As such you do nothing on dom0 that doesn’t relate to its job of managing other VMs, and you certainly do not connect it to the internet.

There are different kinds of users running QubesOS. Journalists, activists or lawyers might not run QubesOS in order to become a Xen- or Linux-Blackbelt.

Let me put it this way: there are good reasons to move hardware and drivers out of dom0.
