Current problem (if any)

Many OSes are running a lot of services that aren't required for each qube, one of those is the gui-agent.

Proposed solution

Check which qubes needs the gui feature enabled:

• Most service qubes don't as they don't open any graphical application.
• Any template that doesn't install graphical applications also don't need it, would make Qubes Update with more concurrent qubes possible on resource constrained systems.

Enumerating the service qubes that need gui:

• sys-net: needs NetworkManager.
• sys-pgp: needs to accept zenity dialog when autoaccept ends.
• sys-audio: pavucontrol, volumeicon
• sys-print: system-config-printer
• Any qube using tpl-browser such as sys-pihole-browser, sys-cacher-browser and sys-syncthing-browser
• Any sys-gui variant

Non service formulas that need gui:

• Qubes templates: debian*, fedora* etc, should we touch those? Qusal policy so far is not to touch besides updating them and lowering memory and removing gui might break expectations.
• browser: obvious
• dev: cause coding in a terminal is better than management console
• electrum: obvious, but the disposable builders don't need it
• element: obvious
• fetcher: only if using transmission-qt
• mail: just the reader
• media: obvious
• qubes-builder: doesn't need it, but will follow the same resolution as dev
• reader: obvious
• remmina: obvious
• signal: obvious
• sys-bitcoin: only itself and the gateway but not the builder qubes
• vault: KeepassXC, but if using only the cli such as with pass (not implemented), can be removed, maybe something that can be set by pillar for some qubes.

Downside is obvious, I can see people having trouble in the beginning as some qubes will open a terminal while others will require using a different command to open the management console. There is no GUI entry in app-menu or qui-domain entry to open the console, only on Qubes Manager.

There are several issues that I consider very important, but requires some changes upstream

• GUI tools do not consider qube can have gui feature disabled QubesOS/qubes-issues#9787
• Management console is hard to find QubesOS/qubes-issues#9788
• qvm-run --gui waits indefinetly for GUI application even if gui feature is disabled QubesOS/qubes-issues#9789
• Management console window does not inform which qube it is connected to QubesOS/qubes-issues#9810

It is not possible to proceed without many of these being done, they are vital for a good user experience with the management console, that without them, users can get lost on which security domains they are, why their applications are not opening without warning etc.

The value to a user, and who that user might be

Running more qubes on resource constrained machines.