It seems Fedora 25 will enable Wayland by default [1], but I think it will still have an XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?
Also, since flatpaks [2] will take full advantage of Wayland security, and it seems to be the app packaging format to take security seriously the most [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its runtime by default in Qubes 4.0?
[2] https://wiki.gnome.org/Projects/SandboxedApps
[3] http://flatpak.org/press/2016-06-21-flatpak-released.html
The GUI isolation issues are mostly solved by the current version of Qubes, but it is messy under the hood. The biggest current problem is the lack of isolation within a VM. Just making more VMs quickly adds up in resources. You could run firejail with xpra in an AppVM. Haven't tried it in Qubes yet, but that's how I do it on my work laptop.
The GUI tools would have to be a Wayland compositor, not just a window manager. Given how Qubes works, this will probably be smaller and cleaner than the X11-based tools.
The first target should probably be dom0. Qubes has so many problems with graphics drivers that this might actually help.
> It seems Fedora 25 will enable Wayland by default [1], but I think it will still have an XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?
I'm running Fedora 24 with Wayland in a VM. Most of the apps run in Wayland, some are still X11. Firefox, Chrome, and Thunderbird all run in X11. Chromium crashes on startup. firefox-wayland crashes on startup.
So, for the most part, some apps would benefit.
I also hope this gets sorted out in Fedora 25, and that it makes it in time for default templates in Qubes 4.0.
> Also, since flatpaks [2] will take full advantage of Wayland security, and it seems to be the app packaging format to take security seriously the most [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its runtime by default in Qubes 4.0?
That's already going into Fedora 25, so it would inherit it by default.
I don't see anything about configuring the sandbox. Have you looked at AppImage and Firejail?
https://firejail.wordpress.com/documentation-2/appimage-support/