What would you like to see improved in Qubes OS?

SteveC · February 19, 2025, 5:48pm

To be clear (who originally raised this issue), have no need for “custom” kernels either. I want to be able to use a perfectly normal Debian kernel in a Debian qube without having to build it into a template (and then copy all that extra stuff every time I clone the template).

I ran into a use case where I simply could no longer use Fedora kernels in my VMs; the combination of Fedora Kernel v. 6.6X plus Debian 12 qube + Zfs is broken.

To my mind if we can’t supply debian kernels for debian qubes, we aren’t really supporting Debian.

rangmanalpha · April 6, 2025, 11:42am

Also anticipating some measures to spoof internal ipv4 address for named disposables, i’m not sure the attackers using python script is leveraging those, but i’m feeling nervous.

solene · April 6, 2025, 1:47pm

You can’t spoof ipv4 addresses of qubes

rangmanalpha · April 6, 2025, 1:51pm

ohhhh. got it…
i have no idea why the hell there file exist in my /home/user that indicates the VM name. i’ll report that on this thread :

i’ll upload the file soon.

cow · April 6, 2025, 7:15pm

Wayland with good scaling support. I shouldn’t need to have fonts tiny or massive on my laptop with a weird dpi (Framework 16) and I miss sway. GPU acceleration would also be nice so bloated websites aren’t slow and I don’t need two GPUs in my PC for gaming. I am hoping to be able to use my Framework Desktop when it arrives with Qubes but it does not have enough PCIe lanes for a second GPU. The alpine template becoming an official template would be nice too.

unman · April 7, 2025, 1:38am

qvm-prefs QUBE ip does.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

solene · April 7, 2025, 6:00am

But this requires access to dom0, right? I meant a qube can’t spoof the IP of a neighborhood qube from itself

jjack · April 7, 2025, 2:33pm

I want to install qubes os to usb sticks like Tails.

adw · April 7, 2025, 6:52pm

You can already install Qubes OS onto a USB stick:

https://www.qubes-os.org/doc/installation-guide/#installation-destination

(I haven’t used Tails in a while, though, so I’m not sure if the “like Tails” part indicates some significant difference that I might be missing.)

fsflover · April 9, 2025, 8:15pm

github.com/QubesOS/qubes-issues

Support for opt-in GPU acceleration via virtio-GPU native contexts

opened 07:10PM - 27 Sep 23 UTC

DemiMarie

P: default waiting for upstream C: GPU acceleration meta-issue

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) All rendering happens in software. This is fast enough for many uses, but some users need better performance, even at the expense of increased attack surface. ### The solution you'd like Opt-in GPU acceleration via virtio-GPU native contexts. ### The value to a user, and who that user might be Users for whom software rendering has unacceptable performance will be able to use Qubes OS, without resorting to PCI pass-through. ### Dependency tree Any issue in this list should have https://github.com/QubesOS/qubes-issues/labels/C%3A%20GPU%20acceleration and, if it relates to Wayland support, https://github.com/QubesOS/qubes-issues/labels/C%3A%20Wayland as well. #### Basic GPU acceleration This is sufficient for GPU compute but not for rendering. ##### Cross-vendor - [x] #8983 ##### Intel-specific - [ ] Wait for Intel virtio-GPU native contexts to be merged upstream. - [ ] Optional: Wait for them to be shipped in Google ChromeOS, which would make them in-scope for Google’s Vulnerability Rewards Program. ##### AMD-specific - [x] Wait for AMD virtio-GPU native contexts to be merged upstream. - [ ] Optional: Wait for them to be shipped in Google ChromeOS, which would make them in-scope for Google’s Vulnerability Rewards Program. #### Wayland support virtio-GPU will use Wayland to pass GPU buffers to the host display server, so Wayland support is required. - [ ] #8973 - [ ] #3366 - [ ] #8515 #### User control over GPU acceleration Users need to be in control over which VMs have GPU acceleration - [ ] #8962 #### Security hardening Qubes OS must remain reasonably secure even if GPU acceleration is in use. - [ ] #8969 - [ ] #8972 - [ ] #8974 - [ ] #8984 #### Testing Shipping an untested feature is quite ill-advised. - [ ] #8554 - [ ] #8968 #### Fault detection and recovery GPUs can have problems and users need to be able to recover. - [ ] #8963 - [x] #8971 - [ ] #8982

http · April 12, 2025, 6:58am

Integrated flatpak support (similar to your script but where updates will be notified in update manager when a flatpak update is immediately available, not just when apt and dnf packages are available and then flatpak updates bundled in)
Kicksecure template supported without the need for manually distro morphing
OpenBSD template support (without the need for manual intervention) which should probably be the sys-net and sys-firewall default.
Secure Boot compatibility
Category section in the appvm programs menu
Include all the X11 screensavers (xscreensaver) in dom0 - it is a bit of a hassle doing it manually.
Not including firefox esr due to its unique ID tracker
Maybe KDE support? (I really like XFCE though too)
Wayland support because kinetic scrolling is great.
The ability to easily and quickly uninstall unneeded programs in templates from the applications menu in the qubes manager gui.

adw · April 13, 2025, 2:56am

This depends on the upstream template distro.

Qubes already has KDE support: https://www.qubes-os.org/doc/kde/

A lot of your other suggestions are already in the works.

fsflover · April 14, 2025, 2:22pm

For example, this:

github.com/QubesOS/qubes-issues

Secure boot support

opened 12:57PM - 04 Oct 18 UTC

jasperweiss

security P: default C: boot meta-issue

According the secure boot specification, users can enroll their own keys for sec…ure boot. If the QOS bootloader were signed, users could manually enroll the signing key within the UEFI. That would be a better anti evil maid system since it doesn't require the use of potentially untrusted USB keys. Since dom0 doesn't contain any 3rd party applications, we can enforce code signing on anything that runs within it. [This](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html) blog post mentions secure boot being problematic due to running CA's etc but providing the user with a public key they can enroll manually would be doable. Edit: I'm aware the developers are generally not very fond of secure boot. Could anyone explain why? Alternatively a TPM could be used to unseal the drive encryption key. > Pre-OS firmware components are hashed (measured) Measurements are initiated by startup firmware (Static CRTM) Measurements are stored in a secure location (TPM PCRs) Secrets (encryption keys) are encrypted by the TPM and bounded to PCR measurements (sealed) Can only be decrypted (unsealed) with same PCR measurements stored in the TPM This chain guarantees that firmware hasn’t been tampered with

Some were even mentioned in this very topic, e.g., What would you like to see improved in Qubes OS? - #205 by fsflover

http · April 15, 2025, 3:40pm

Mozilla decided to include a unique download token in downloads from the Firefox website and uses telemetry to send the token and assign users with IDs. However, releases from the Mozilla FTP doesn’t include the token. If you don’t like any of this circus, choose LibreWolf instead.

Thanks for the secure boot thread though. Interesting. I will have a deeper read on that later but it seems like tpm is needed and my qubes says my tpm 2.0 is not supported?

fsflover · April 15, 2025, 3:47pm

So it doesn’t affect Firefox on Qubes, since the browser is not downloaded from the website. (And this discussion is off-topic here, which is why I gave a link to the apropriate place.)

http · April 15, 2025, 6:49pm

ah yes you are absolutely right. sorry about that.

alfonsius · April 16, 2025, 2:53pm

This will be maybe something to add in the standard setup.

fsflover · April 16, 2025, 3:12pm

github.com/QubesOS/qubes-issues

Allow easy configuration of idleness monitor

opened 03:35PM - 28 Mar 23 UTC

unman

C: manager/widget ux P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) Currently the timeout for the idle monitor is hard coded in idleness_monitor.py It's trivial to change this from the default of 15*60, but any changes are overriden when the package is updated. ### The solution you'd like Allow user to set timeout in (e.g.) /rw/config/idle_timeout. A value set here will override the default value. ### The value to a user, and who that user might be Allow customisation without fear of overriding on package update.

github.com/QubesOS/qubes-issues

Make it easy to use the feature that automatically shuts down idle VMs

opened 02:40AM - 06 Sep 19 UTC

closed 05:26AM - 09 Nov 21 UTC

andrewdavidwong

C: manager/widget ux P: default r4.1-buster-stable r4.1-bullseye-stable r4.1-dom0-stable r4.1-fc32-stable r4.1-fc33-stable r4.1-fc34-stable r4.1-centos-stream8-stable r4.1-fc35-cur-test

**The problem you're addressing (if any)** Automatically shutting down idle V…Ms was implemented in #832, but most users don't know how to use it or even that it exists. **Describe the solution you'd like** Make it a user-friendly option in Qubes. For example, have a "Shut down after idle for: [text field] minutes" option in per-qube settings, as well as a global default "Shut down idle qubes after: [text field] minutes" option in the Global Qubes Settings. By default, these can be set to "never" if you're worried about user being surprised. **Where is the value to a user, and who might that user be?** All users who (would) want to use automatic shutdown-when-idle functionality but don't know how or don't know that it exists. **Describe alternatives you've considered** Documenting how to use it. This would be more difficult for users and less discoverable. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://github.com/QubesOS/qubes-app-shutdown-idle **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** https://github.com/QubesOS/qubes-issues/issues/832

barto · April 22, 2025, 8:44am

I’d like to see Qubes installer offer an “out-of-the-box” VPN installation for the popular VPNs (Mullvad, Proton, Nord) and a decent “browser qube” ditching Firefox (Librewolf? Mullvad? Brave? all of the above?). Then Qubes will legitimately be journalist-friendly.
(from a longer post here)