So, a while back I installed Xfce with Chicago95, but was disappointed. Xfce just doesn’t vibe with me, and a strict emulation of Windows95 is not really what I wanted, I just wanted something that “felt” that classic.
So I was gonna give up and just use KDE, until I saw TDE. I think TDE is probably what I’m looking for but I’m concerned about using anything so minor because security.
It TDE secure (for personal use)?
Can a DE even be insecure, or are they all generally as secure as each-other as long as you follow the rules (trustworthy software, closed firewall, install patches fast, and disaster recovery plans)?
What vulnerabilities can a desktop environment even have (edit)?
You must log in or # to comment.
There are no open security bugs against TDE that I’m aware of—if there were, I’d expect them to be fixed in the next release. In my experience, the development team, while not huge, is active and competent.
I’ve been using TDE since a little while after Gentoo sunsetted KDE3, and I’ve had no issues. Just make sure your X server is secure—
-nolistenand all that stuff—and don’t try to use Konqueror as a web browser (it remains an excellent file manager), and you should be fine.Wayland is “more secure” than X in that it makes less LAN contact by default and tries to sandbox programs from one another to an extent, just in case some future browser exploit that can copy random swathes of your screen tries to screenshot your password manager or something. There are no active exploits against a correctly-configured X server at this time that will magically vanish if you switch to Wayland, as far as I’m aware—it’s more future-proofing stuff.
Thanks, that’s a very clear response. I guess I basically can use it until X11 stops getting security updates. I wonder whether an X11 vulnerability can trigger a serious vulnerability even if it doesn’t get security updates.
No idea what that
-nolistenstuff is about. Is that to do with the firewall?-nolistenis an actual option passed to the X server—your distro may do so by default—to work around a known security issue in some versions. I admit I’d have to look up the details, as it’s been a couple of years since that issue was reported. Recent X versions almost certainly have a patch.I’d be kinda shocked if in, in 2025, any download of a DE opened X org up to remote connections by default. But I will double check.
Desktop environments are not equal form the security perspective, but they all are rather insecure, because security is hard and harms UX, and the GNU/Linux desktop is traditionally focused on UX and the user freedom by sacrificing security. However it is possible to build a secure environment based on an insecure DE, what Qubes OS does with XFCE, for example.
The question I want to ask here is, what does “secure” and “insecure” mean in the context of a DE. What distinguishes a secure and insecure DE from a practical perspective (physical access, privilege escalation, rootkits, etc.).
Probably not significantly less secure than Xorg itself, I wouldn’t mind using in your place. DE security is usually not a huge problem, if someone can exploit these vulnerabilities usually you are quite bonked.
Remember most of what happens on screen is xorg, the wm is a simply interacting with xorg and other parts of your DE are simple user level programs like the panel etc…
What kind of threats could affect Xorg? I can’t imagine anything really exploiting the display manager without arbitrary code execution elsewhere (not that I know anything at all about software security).
I guess the biggest risk is whichever browser I use becoming a Wayland exclusive and not getting updates.
It appears to be maintained, which is a point in its favour.
You could send them a message on their mailing list and ask the question.
It’s good that it looks to be still maintained, but I imagine their resources are limited with so little market share and it doesn’t look like they have the resources to switch to Wayland (which I assume is more secure).
I’m not sure my noob questions are worthy of asking the devs directly.
That might be true. They have a Mastodon too https://floss.social/@tde
There are no stupid questions and the attitude of any response would be a good way to judge if using the DE is worth your time.
I started writing out a question, but I realized I need a better understanding of what an insecure desktop environment even means first.
My issue would be the old version of Qt it runs on, which is not maintained anymore. That itself is a bit of a problem security-wise.
Looking at the FAQ, they do “maintain” their version of TQt3. Whether they maintain it to the extent that it’s secure is anyone’s guess. There’s always the question of what kinds of exploits can even exist in a desktop environment (which I should add to my original post).
