Single-tenant · isolation-first Linux

Keep your worlds apart.

qdistro is a Linux workstation for one person who wants real separation between work, personal, and throwaway apps. Each runs in its own isolation tier — SELinux sandbox, podman container, or KVM virtual machine — yet every window lands on a single seamless desktop.

Try the preview Why qdistro is different Read the source

openSUSE Tumbleweed · libweston + Wayland · Python/Qt/QML · GPL-3.0 · v0.1 public test

Tiered isolation

Pick the containment each app gets — from a confined SELinux context, to a rootless podman container, to a full KVM virtual machine. Stronger walls, same desktop.

Seamless windows

Containers and VMs aren't a separate desktop. Each silo runs a nested Wayland compositor; its windows arrive over waypipe and appear as ordinary toplevels — tagged, chromed, and placed by the admin compositor.

Modifiable userspace

The shell, apps, session manager, and policy are plain Python + Qt + QML — no compile step, no opaque binaries. You, or an LLM, can edit a file and reload it live.

Seamless across every boundary

The admin compositor on tty3 owns all hardware — GPU, inputs, audio, network. Every silo is a nested compositor whose surfaces arrive as Wayland clients of admin's. A podman container and a KVM guest use the exact same windowing contract: each toplevel is advertised over qdwin_nested_manager_v1 and stamped with a wp_security_context_v1 identity, so the broker knows which silo every paste, file, and window belongs to.

Tier 0–1
Native & SELinux sandbox
Direct Wayland clients of the admin compositor, confined by an LSM policy. The default for trusted, everyday apps — fully seamless.
Tier 2
podman container
Rootless user namespace with a nested compositor, dropped capabilities, read-only rootfs, and no host bus. Seamless badged windows.
Tier 3
Separate user (uid silo)
Data silos on their own uid; waypipe bridges the display across a group-gated socket. The primary work / personal / dev split.
Tier 4–5
KVM virtual machine
libvirt + QEMU guests, displayed over waypipe on AF_VSOCK — whole-VM or per-app windows, still sitting on your desktop.
Tier 6
Remote machine
A separate physical box as a remote-output target. Framed, not seamless — for when "another machine" is the point.

Full detail in isolation-tiers.md and architecture.md. You pick the tier per app; higher tiers trade a little seamlessness for harder containment.

Rethinking `sudo`

Classic sudo caches your approval for 15 minutes — one prompt opens a window where any privileged command runs unseen. qdistro replaces it with qsu, which defaults to single-command approval and zero caching.

Every escalation routes through the admin broker with a scope picker — just once · 1h · 24h · forever · forever-this-exact-argv — prompts on tty3 or your phone, runs with a sanitized environment under no_new_privs, and lands a full row in the audit log. A compat shim keeps scripts that hard-code sudo working.

You approve what crosses the line

Clipboard, file transfer, window handoff, and device access between silos are mediated by the admin broker — a privileged D-Bus daemon that's the single arbiter of cross-uid actions.

Each request shows who's asking, for what, and the silo it came from; the broker re-verifies process identity against /proc before it ever short-circuits a same-silo transfer. Every decision lands in a polkit-backed audit trail you can review or revoke.

Runs where you already are

qdistro layers onto a standard openSUSE Tumbleweed install rather than replacing your operating system. There's no separate OS to commit to, and you keep your distribution's normal package updates and snapshot rollback.

No dedicated hardware needed

Because containment is layered in software rather than anchored to a bare-metal hypervisor, qdistro is just as comfortable running inside a virtual machine. Kicking the tires doesn't have to mean handing over a whole laptop — a spare VM works nicely too.

Built on commodity Linux, used as-is

qdistro doesn't reinvent the plumbing. It leans on mainstream primitives and keeps the interesting, modifiable work in userspace.

libwestoncompositor core (qdwin)

Wayland + waypipedisplay transport across silos

KVM / libvirtthe VM isolation tiers

podmanrootless container tier

SELinuxtier-1 sandbox policy

PipeWireper-client audio & camera

polkit + D-Busapproval & IPC fabric

systemd + greetdsessions & login

btrfs + Snappersnapshots & rollback

Read the overview, threat model, and D-Bus conventions — qdistro is explicit about exactly what it protects you from, and what it doesn't.

The repositories

qdistro ships as a set of small, focused repos rather than one monolith.

qdistroUmbrella — docs, broker, daemons, SDK, admin app, SELinux policy, tests
qdwinThe Wayland compositor — a libweston shell plugin
qdshellThe desktop shell — panels, tray, admin overlays (Noctalia QML fork)
qdgreeterThe greetd login screen
qdlockerScreen locker with fingerprint unlock
qdbrowserIdentity-pinned browser integration + extensions
qterminatorQt terminal (a port of Terminator)
qnotebookPyQt6 markdown wiki editor
qfilemanFile manager with cross-silo send-to

Try the early preview

qdistro is in its first public test. There's no ISO — you start from a clean openSUSE Tumbleweed install and run one idempotent bootstrap script that builds the compositor, daemons, and apps in about 20 minutes.

git clone https://codeberg.org/qdistro/qdistro.git
git clone https://codeberg.org/qdistro/qdwin.git
git clone https://codeberg.org/qdistro/qdshell.git
cd qdistro && sudo bash scripts/install/qdistro-bootstrap.sh

A developer preview, not a verified release channel — inputs aren't signed or pinned yet. Run it on a spare laptop and tell us what breaks.

Get started on Codeberg Read the v0.1 notes

From the blog

2026-05-17 qdistro v0.1: first public test
2026-05-14 Hello from qdistro