So, a while back I installed Xfce with Chicago95, but was disappointed. Xfce just doesn’t vibe with me, and a strict emulation of Windows95 is not really what I wanted, I just wanted something that “felt” that classic.
So I was gonna give up and just use KDE, until I saw TDE. I think TDE is probably what I’m looking for but I’m concerned about using anything so minor because security.
It TDE secure (for personal use)?
Can a DE even be insecure, or are they all generally as secure as each-other as long as you follow the rules (trustworthy software, closed firewall, install patches fast, and disaster recovery plans)?
What vulnerabilities can a desktop environment even have (edit)?
It TDE secure (for personal use)?
Depends on your threat modeling. Though, unfortunately, none of the DEs/WMs on Linux offer perfect security; this even applies to a hardened distro like secureblue.
So, practically-speaking, it probably ain’t great. But we aren’t used to great anyways 😅.
Oh damn, so just viewing a file in your file manager is enough to get infected in an insecure desktop environment, as thumbnails can be generated programmatically? If I clicked a bad link that would 100% infect my system.
I’m not worried too much about screen-capture. I’m worried first and foremost about triggering any arbitrary code execution and thumbnail generation on a file would definitely do it.
Before you give up on XFCE and/or Chicago95 - have you replaced the default menu with Whisker Menu? For me, Whisker Menu is a must-have for any sane XFCE user. When I used it with Chicago95, I found I could have a Windows 7 style interface with Windows 95 aesthetics.
Honestly, even if Chicago95 is aesthetically not what you want, I’d recommend trying an alternate theme on XFCE - I currently use modified DesktopPal '97 combined with a pack of Haiku-style icons.
Overall, I’d be interested to know more about your qualms with XFCE and see if customization can help you overcome them. A lot of distros have annoying defaults for XFCE, but I changed a few simple settings and have a desktop I rather enjoy using. It is totally fine if it still isn’t the thing for you after any potential discussion, but I just want to make sure you really know what XFCE has to offer before you move on.
I don’t really like how I keep accidentally rolling-up the windows in Xfce and how long the settings menu takes to load, I probably had more qualms but I don’t remember what they are. It works fine (except for some aspects of Chicago95), but it feels outdated in a bad way rather than good way. Part of it is probably my crummy laptop with broken CTRL keys and incompatible bluetooth.
DesktopPal '97 seems really cool, but right now my top priority is switching to KDE Plasma 6 with custom themes and seeing how that goes.
Window roll-up can be disabled under Window Manager Tweaks > Accessibility > Use mouse wheel on title bar to roll up the window
Getting the bitmap font right goes a long way towards making the theme much more cohesive: https://github.com/grassmunk/Chicago95/issues/218
If you decide to return to any GTK-based desktop environments, I’d suggest trying out the GTK3 port of the Raleigh theme (https://github.com/thesquash/gtk-theme-raleigh). It’s a much less involved install compared to Chicago 95 but gets you most of the look-and-feel.
The Whisker menu properties menu also has settings to make it fit the Windows 95 style a bit better. Here’s how it could look:
I made the changes, and it’s slightly better but I think the main issue is my bad laptop and the negative association I have with Xfce as a result (since Xfce was what I was interacting with).
Raleigh isn’t really my style. Too many lines. Plus I’ve decide I’ll switch to themed KDE (and probably FreeBSD with TDE on one device).
The theme in the image you sent is really nice. Beige makes it feel more classic, and the red title-bar is far less jarring than a blue one is in 2025.
What do you mean by “window roll-up”?
Also, the settings menu thing is weird - mine takes less than a second to load, and I’m on a machine with a 7 year old processor at this point. I almost worry that if that takes a long time KDE will be more miserable performance-wise, unless you’ve already tried it on here.
By the way, what distro and XFCE version are you running - just for good measure.
The outdated sentiment is probably based, honestly. I think it’s gotten better, but there are rough edges. In the end, do what works for you.
Roll up is when you scroll-up while hovering over the title bar and everything except the title-bar disappears. In the image monovergent provided the title bar is highlighted in red.
I use Linux Mint with Xfce. Gonna change to OpenSUSE once I can be bothered distro-hopping.
EDIT: Specifically it’s the Font Settings that take forever to load, not all of the settings menu.
Oh yeh. The font menu is crap. I can’t argue with that.
It’s one of those mysterious annoying things that’s up there with the GTK file picker in some apps taking 10 seconds to load.
But I also don’t change fonts that often. Still, that has much room for improvement.
There are no open security bugs against TDE that I’m aware of—if there were, I’d expect them to be fixed in the next release. In my experience, the development team, while not huge, is active and competent.
I’ve been using TDE since a little while after Gentoo sunsetted KDE3, and I’ve had no issues. Just make sure your X server is secure—
-nolistenand all that stuff—and don’t try to use Konqueror as a web browser (it remains an excellent file manager), and you should be fine.Wayland is “more secure” than X in that it makes less LAN contact by default and tries to sandbox programs from one another to an extent, just in case some future browser exploit that can copy random swathes of your screen tries to screenshot your password manager or something. There are no active exploits against a correctly-configured X server at this time that will magically vanish if you switch to Wayland, as far as I’m aware—it’s more future-proofing stuff.
Thanks, that’s a very clear response. I guess I basically can use it until X11 stops getting security updates. I wonder whether an X11 vulnerability can trigger a serious vulnerability even if it doesn’t get security updates.
No idea what that
-nolistenstuff is about. Is that to do with the firewall?-nolistenis an actual option passed to the X server—your distro may do so by default—to work around a known security issue in some versions. I admit I’d have to look up the details, as it’s been a couple of years since that issue was reported. Recent X versions almost certainly have a patch.I’d be kinda shocked if in, in 2025, any download of a DE opened X org up to remote connections by default. But I will double check.
As far as the TDE devs know, there haven’t been any issues resulting in a user getting hacked, they’ve modernized the underlying code, and actively patch any reported vulnerabilities: https://redlib.tiekoetter.com/r/linuxquestions/comments/1f81hz4/is_q4ostrinity_desktop_environment_inherently/
That said, it is still a niche codebase with a small team, so they might not have the resources to be so proactive against theoretical vulnerabilities as a project like KDE or GNOME with Wayland. If you’re being targeted, TDE would certainly be a shiny attack surface, but otherwise, I don’t really see why a hacking group would go for something as niche as TDE. There’s a tradeoff, like the one I take with X11 because I refuse to give up my XFCE+Chicago95 setup for an arguably more secure Wayland setup.
Most of the issues of a desktop environment just come down to there being more code and therefore a larger attack surface. Lots of widgets, obscure processes, and nooks and crannies to hide malicious stuff too. And legacy code with expansive privileges from the days before security was as much of a concern. While not Linux, it is analogous with security being a big part of why Microsoft released Server Core, which stripped out much of the GUI.
An extreme case, I also know of a someone who used Windows XP to do rather important work on the internet until around 2020. Only thing that stopped them were websites getting too bloated to load on their computer. But they did follow the basic rules as you mentioned and seemed to be just fine.
I guess it all comes down to the security of X11, and also whether X11 could even be exploited without arbitrary code execution though Anki or Firefox or Steam Chat or something. At which point no sane hacker would waste such an exploit on X11 that’s rapidly becoming defunct.
An extreme case, I also know of a someone who used Windows XP to do rather important work on the internet until around 2020… But they did follow the basic rules as you mentioned and seemed to be just fine.
I think they skipped the third rule, install patches fast.
Sorry for the triple post, refreshed a couple times too much when it didn’t respond
deleted by creator
You don’t need Trinity for that, you can theme up KDE Plasma 6 to look and feel old school too.
That might be a better fit for me. I know KDE has a polish and security I want, I imagine I could make it how I want.
Apparently TDE has lower resource usage, so I wonder if for that reason TDE might be a better fit. Clearly I should get both more experience with KDE and a better idea of what I’m actually looking for.
Modern KDE isn’t bad on resource usage either. You just want the old school look, but you’re not actually on obsolete hardware :)
Desktop environments are not equal form the security perspective, but they all are rather insecure, because security is hard and harms UX, and the GNU/Linux desktop is traditionally focused on UX and the user freedom by sacrificing security. However it is possible to build a secure environment based on an insecure DE, what Qubes OS does with XFCE, for example.
The question I want to ask here is, what does “secure” and “insecure” mean in the context of a DE. What distinguishes a secure and insecure DE from a practical perspective (physical access, privilege escalation, rootkits, etc.).
As one practical example, a malicious program may monitor your key presses to extract your passwords (in web browsers or sudo).
Or it could be taking screenshots behind the scenes and sending that data remotely or to a local AI.
Or turning on your mic and….
So basically they still require arbitrary code execution as a starting point.
Another guy shared this link from Secureblue that goes into thumbnail generation, which can be done programmatically and has been documented in the past as an avenue for infection in Nautilus.
It appears to be maintained, which is a point in its favour.
You could send them a message on their mailing list and ask the question.
It’s good that it looks to be still maintained, but I imagine their resources are limited with so little market share and it doesn’t look like they have the resources to switch to Wayland (which I assume is more secure).
I’m not sure my noob questions are worthy of asking the devs directly.
That might be true. They have a Mastodon too https://floss.social/@tde
There are no stupid questions and the attitude of any response would be a good way to judge if using the DE is worth your time.
I started writing out a question, but I realized I need a better understanding of what an insecure desktop environment even means first.
Probably not significantly less secure than Xorg itself, I wouldn’t mind using in your place. DE security is usually not a huge problem, if someone can exploit these vulnerabilities usually you are quite bonked.
Remember most of what happens on screen is xorg, the wm is a simply interacting with xorg and other parts of your DE are simple user level programs like the panel etc…
What kind of threats could affect Xorg? I can’t imagine anything really exploiting the display manager without arbitrary code execution elsewhere (not that I know anything at all about software security).
I guess the biggest risk is whichever browser I use becoming a Wayland exclusive and not getting updates.
My issue would be the old version of Qt it runs on, which is not maintained anymore. That itself is a bit of a problem security-wise.
Looking at the FAQ, they do “maintain” their version of TQt3. Whether they maintain it to the extent that it’s secure is anyone’s guess. There’s always the question of what kinds of exploits can even exist in a desktop environment (which I should add to my original post).
