configure Qubes-Whonix XFCE default start menu entries (whitelisted appmenus)
Let’s consider no longer depending on the meta package xfce4. Instead, we could just depend on the individual packages we care about. Some packages that xfce4 depends on that we may not need or don’t want:
- https://packages.debian.org/buster/gtk2-engines-xfce needed?
- https://packages.debian.org/buster/libxfce4ui-utils needed?
- https://packages.debian.org/buster/thunar keep for sure
- https://packages.debian.org/buster/xfce4-appfinder probably keep
- https://packages.debian.org/buster/xfce4-panel keep for sure
- https://packages.debian.org/buster/xfce4-pulseaudio-plugin keep for sure (but perhaps workstation only, not a big deal)
- https://packages.debian.org/buster/xfce4-session maybe we can avoid this one?
- https://packages.debian.org/buster/xfce4-settings keep for sure
- https://packages.debian.org/buster/xfconf keep for sure (but might be a dependency anyhow, so we might not need to add it as a dependency in Whonix anon-meta-packages)
- https://packages.debian.org/buster/xfwm4 required
- https://packages.debian.org/buster/desktop-base good if we could avoid it (since it contains Debian’s logo) but also not a big deal if we set our own background anyhow
- https://packages.debian.org/buster/tango-icon-theme probably keep
- https://packages.debian.org/buster/thunar-volman probably keep
- https://packages.debian.org/buster/xorg we depend on xserver-xorg anyhow, not sure we need to explicitly depend on
- https://packages.debian.org/buster/gtk3-engines-xfce probably required
- https://packages.debian.org/buster/xfce4-goodies probably keep (has some things we like such as xfce4-datetime-plugin but also some things we don’t need such as
- https://packages.debian.org/buster/xfce4-power-manager avoidable?
What’s the reasoning behind this? Will it be easier to move to alternative DEs in the future? Seems like a lot of deps to add manually instead of xfce4
Unrelated since this only affects package
(Since we nowadays have non-qubes-whonix-workstation-cli it is nowadays a lot easier to add support for other desktop environments compared to times where Whonix KDE was the only thing that existed.)
See reason for each individual package above. Overall reasons:
- don’t install things which are a potential source of bugs (such as session management, remember this bug where KDE session saving caused this: kdesudo error popup window ( sdwdate-gui ))
- avoid unnecessary things (such as power savings inside VM)
- less potential privacy issues (session saving)
- lower attack surface
- save disk space
- not have some unnecessary, potentially harmful package included when upgrading to the next major Debian version
Agreed with your assessment of each. Pull the trigger
Rich source of XFCE settings manipulation:
Anything useful for us there?
It’s not clear to me yet how folder /etc/xdg/xfce4/xfconf/xfce-perchannel-xml (or more generally folder /etc/xdg/xfce4/) works. It may be a superior solution to folder
disable removable drives auto-mounting - XFCE only (https://phabricator.whonix.org/T902) was made.
/etc/xdg/xfce4/xfconf/xfce-perchannel-xml looks better in any case. Going to port to it.
<?xml version="1.0" encoding="UTF-8"?>
<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Count" type="int" value="5"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
      <property name="Client0_PerScreen" type="bool" value="false"/>
      <property name="Client1_Command" type="array">
        <value type="string" value="xfsettingsd"/>
      </property>
      <property name="Client1_PerScreen" type="bool" value="false"/>
      <property name="Client2_Command" type="array">
        <value type="string" value="xfce4-panel"/>
      </property>
      <property name="Client2_PerScreen" type="bool" value="false"/>
      <property name="Client3_Command" type="array">
        <value type="string" value="Thunar"/>
        <value type="string" value="--daemon"/>
      </property>
      <property name="Client3_PerScreen" type="bool" value="false"/>
      <property name="Client4_Command" type="array">
        <value type="string" value="xfdesktop"/>
      </property>
      <property name="Client4_PerScreen" type="bool" value="false"/>
    </property>
  </property>
  <property name="splash" type="empty">
    <property name="Engine" type="string" value=""/>
  </property>
</channel>
Preparing to unpack .../whonix-xfce-desktop-config_1.4-1_all.deb ...
Unpacking whonix-xfce-desktop-config (3:1.4-1) ...
dpkg: error processing archive /mnt/initialdeb/pool/main/w/whonix-xfce-desktop-config/whonix-xfce-desktop-config_1.4-1_all.deb (--unpack):
 trying to overwrite '\''/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml'\'', which is also in package xfce4-session 4.12.1-6
Errors were encountered while processing:
 /mnt/initialdeb/pool/main/w/whonix-xfce-desktop-config/whonix-xfce-desktop-config_1.4-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
'
+ apt_get_exit_code=100
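Added example (not part of the thread and not Whonix code): a Python check for an xfce4-session.xml channel file like the one quoted above, listing which clients the Failsafe session starts and flagging anything outside an allowlist. It assumes, based on the quoted file, that Count equals the number of ClientN_Command entries; the function names and the allowlist are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the channel file quoted in the thread.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="xfce4-session" version="1.0">
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="Count" type="int" value="2"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
      <property name="Client1_Command" type="array">
        <value type="string" value="Thunar"/>
        <value type="string" value="--daemon"/>
      </property>
    </property>
  </property>
</channel>"""

def session_clients(xml_text, session="Failsafe"):
    """Return (declared Count, {client index: argv}) for one session."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "channel" or root.get("name") != "xfce4-session":
        raise ValueError("not an xfce4-session channel file")
    node = root.find(f"./property[@name='sessions']/property[@name='{session}']")
    if node is None:
        raise ValueError(f"session {session!r} is not defined")
    count, clients = None, {}
    for prop in node.findall("property"):
        name = prop.get("name", "")
        match = re.fullmatch(r"Client(\d+)_Command", name)
        if name == "Count":
            count = int(prop.get("value"))
        elif match:
            clients[int(match.group(1))] = [v.get("value") for v in prop.findall("value")]
    return count, clients

def audit(xml_text, allowed, session="Failsafe"):
    """List count mismatches and started programs outside the allowlist (hypothetical policy)."""
    count, clients = session_clients(xml_text, session)
    findings = []
    # Assumption taken from the quoted file: Count == number of ClientN_Command entries, indexed from 0.
    if sorted(clients) != list(range(count or 0)):
        findings.append(f"Count={count} but client indexes are {sorted(clients)}")
    for idx, argv in sorted(clients.items()):
        if not argv or argv[0] not in allowed:
            findings.append(f"Client{idx} starts unexpected program: {argv}")
    return findings
```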
After removing the xfce4 meta package:
The following packages were automatically installed and are no longer required:
gtk2-engines-xfce libkeybinder-3.0-0 libwnck-common libwnck22
libxfce4ui-utils xfce4-appfinder xfce4-panel xfce4-pulseaudio-plugin
xfce4-session xfce4-settings xfdesktop4 xfdesktop4-data xfwm4
The following packages were not installed by default anyhow:
System would work well without the following packages:
List of packages we depend on from other packages anyhow:
List of packages we would keep for sure (manually add Depends:):
In conclusion, dependencies by https://packages.debian.org/buster/xfce4 look very good. At most package https://packages.debian.org/buster/gtk2-engines-xfce and https://packages.debian.org/buster/libxfce4ui-utils would be avoidable. Really not worth the effort. Keeping meta package
Any suggestions for the background image? Any background image available from any packages sourced from packages.debian.org?
The only two backgrounds images installed currently (non-removable [as long as we want to use XFCE] dependency package
Why not simply replace the background image by a color, or a set of colors?
- no fighting over the best background image
- avoiding additional paranoia “are you 100% sure that this particular image is virus/malware-free?” (saw this argument on a similar thread here a few years ago)
- one less file!
Yes, I am open to that too.
However, independently from your reasoning below.
(Which I think might be invalid but that is a rather minor point.)
Just the default xfce logo is somewhat inappropriate. While XFCE is amazing, the main point of Whonix isn’t to be a fashionable, nice-looking distribution focusing on that. However, that’s also not of very big importance.
If it’s sourced from packages.debian.org, it’s trusted anyhow.
Even if not.
That’s already violated by using arc-theme which ships lots of artwork.
And even without arc-theme, in theory any image / icon by any could include a backdoor already.