Qubes OS 4.0 + Wayland + Flatpaks - Can Qubes OS 4.0 become Wayland-only?


kev27

Aug 21, 2016, 7:40:55 AM
to qubes-users
I know Joanna has long talked about how insecure X11 is and how the Qubes team worked to isolate the GUI. Wouldn't it be simpler if Qubes became Wayland-only sooner?

It seems Fedora 25 will enable Wayland by default [1], but I think it will still have a XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?

Also, since flatpaks [2] will take full advantage of Wayland security, and it seems to be the app packaging format to take security seriously the most [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its runtime by default in Qubes 4.0?

[1] https://linux.slashdot.org/story/16/08/20/0341200/fedora-25-to-run-wayland-by-default-instead-of-xorg-server

[2] https://wiki.gnome.org/Projects/SandboxedApps

[3] http://flatpak.org/press/2016-06-21-flatpak-released.html

[4] https://blogs.gnome.org/uraeus/2016/06/21/fedora-workstation-24-is-out-and-flatpak-is-now-officially-launched/

[5] https://mjg59.dreamwidth.org/42320.html

pixel fairy

Aug 21, 2016, 2:30:08 PM
to qubes-users
On Sunday, August 21, 2016 at 4:40:55 AM UTC-7, kev27 wrote:
> I know Joanna has long talked about how insecure X11 is and how the Qubes team worked to isolate the GUI. Wouldn't it be simpler if Qubes became Wayland-only sooner?

the gui isolation issues are mostly solved by the current version of qubes, but it is messy under the hood. the biggest current problem is the lack of isolation within a vm. just making more vms quickly adds up in resources. you could run firejail with xpra in an appvm. haven't tried it in qubes yet, but that's how i do it on my work laptop.

the gui tools would have to be a wayland compositor, not just a window manager. given how qubes works, this will probably be smaller and cleaner than the x11 based tools.

the first target should probably be dom0. qubes has so many problems with graphics drivers that this might actually help.

> It seems Fedora 25 will enable Wayland by default [1], but I think it will still have a XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?

i'm running fedora 24 with wayland in a vm. most of the apps run in wayland, some are still x11. firefox, chrome, and thunderbird all run in x11. chromium crashes on startup. firefox-wayland crashes on startup.

so, for the most part, some apps would benefit.

i also hope this gets sorted out in fedora25, and that makes it in time for default templates in qubes-4.0.

> Also, since flatpaks [2] will take full advantage of Wayland security, and it seems to be the app packaging format to take security seriously the most [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its runtime by default in Qubes 4.0?

that's already going into fedora 25, so it would inherit it by default.

i don't see anything about configuring the sandbox. have you looked at appimage and firejail?

https://firejail.wordpress.com/documentation-2/appimage-support/


Andrew David Wong

Aug 21, 2016, 3:32:45 PM
to kev27, qubes-users
On 2016-08-21 04:40, kev27 wrote:
> I know Joanna has long talked about how insecure X11 is and how the Qubes
> team worked to isolate the GUI. Wouldn't it be simpler if Qubes became
> Wayland-only sooner?
>
> It seems Fedora 25 will enable Wayland by default [1], but I think it will
> still have a XWayland layer for app compatibility. Will Qubes need that,
> too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are
> there still too many components in the Fedora core that need X11 and can't
> be transitioned to Wayland anytime soon?
>

IIRC, there has been quite a bit of discussion about Wayland on these lists
over the past few years. I recommend doing a search if you haven't already.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
