Which packages make sense as "protected" in Fedora Workstation?

I have also done a small experiment, I have removed all packages I could and found that GNOME wouldn’t start unless mesa-dri-drivers is installed, maybe that should be added as a dependency for gnome-shell!

Some packages that should not be removed are (they are not a hard requirement like mesa-dri-drivers):

iproute, because it is impossible to configure the ethernet card without it as it is the one that provides the ip utility, which makes installing of packages very difficult.
dhcp-client, because it automates ip assignment for the computer
NetworkManager, so you don’t even need to think about writing sudo dhclient in terminal
gnome-software so you (hopefully) don’t even touch the terminal at all, the only issue with it is that it eats quite a bit of RAM in the background, probably 200 megabytes, so if that annoys you then install gnome-terminal instead
In my case I had to install kernel-modules to have the audio driver, another package to pay attention to is wpa_supplicant if your computer needs wifi to connect to the Internet and its corresponding driver.
The system was using 783 megabytes of RAM at startup after I cleaned the system in this way and rebooted, leaving gnome-terminal installed.
The final package count was 541.

1 Like

To be frank, I’m doing something similar on my hosts.
I mark everything for removal except the actually needed packages:

sudo dnf mark remove $(dnf repoquery --installed)
sudo dnf mark install ${PACKAGES}
sudo dnf autoremove

In fact, even some protected packages like sudo can be removed if you use an alternative:

sudo passwd root
sudo rpm --nodeps -e sudo
su -

GNOME Software, Flatpak and PackageKit can be removed as well.
This way results in a very minimalistic Fedora setup saving a lot of resources.

1 Like

Staring with everything iso or workstation?

If I remember correctly a few years ago, when I did a clean install, there were still some packages to remove, even starting with netinstall and minimal package selection.

1 Like

I think it would be quite reasonable to have NetworkManager and gnome-software in the list of protected packages for Workstation. Or maybe even NetworkManger-wifi (which would imply the base NetworkManager and wpa_supplicant) — even though I don’t have wifi on my main desktop, I don’t think that’s a common situation for most people these days.

I know gnome-software is a bit heavyweight, but is a centerpiece of the desktop environment. You can always remove a protected package by simply editing or removing the corresponding file from /etc/dnf/protected.d, so I think it’s okay to list things that would mess up most people, and advanced users can do that if they really want to.

I don’t think you need iproute if NetworkManager is there… I mean, it’s maybe handy, but not essential, and, really falls under advanced use for most people. And NetworkManager defaults to an internal library for DHCP, so a separate client shouldn’t be required. (Verify on your system with journalctl -b -tNetworkManager |grep -i dhcp|head -1.)

I’m not sure about kernel-modules… it’s probably something that should be locked-in for desktop systems, but there’s some specialness around kernel packages.


Please, I hope you don’t take it wrong…
Gnome-Software is far from essential for Fedora-Linux. I imagine it’s important to the people at Project Gnome, as I believe they want to present a superior, complete product.
Personally I am extremely satisfied, without the Gnome-Software and others, which only bloated my system.

… off topic …
I like managing what’s installed on my machine from the terminal because it’s what I’m used to.
I feel like for Linux to be successful it’s going to need a working “software store’'ish” application. It doesn’t really matter if it’s Gnome or KDE…


Sure, that’s fine. But there’s a certain set of software which makes something “Fedora Workstation”, not Fedora Linux in general. Having that common understanding makes it easier to help people, because we don’t need to guess (or do repeated interrogation about) what software they’re working with.

If you installed Fedora Workstation to start, but that’s not what you want, you can do

sudo dnf swap fedora-release-identity-workstation fedora-release-identity-basic

Or if you want your system to identify as a particular desktop spin, instead of ...basic, use something like fedora-release-identity-kde or fedora-release-identity-xfce. This won’t, in itself, convert the system, but will change some of these basic things.


I think you may be right. Even 5 years ago when I went in and looked at PCs for home use almost all had built in wifi and it is difficult to find a home router that is not also a wifi AP. Also, AFAIK all laptops now have wifi. This would imply that NetworkManger-wifi should be in that list.

iproute and dhclient were necessary for me to chroot into my install to experiment with this kind of thing, it is also extremely useful for recovery purposes, which makes them essential. Unless there is a way to access the Internet from within a chroot environment without setting an ip there.

I think that’s a fairly advanced debugging scenario — for most users who need that kind of recovery, the primary approach is to boot from live media (like an installation USB stick), which will have NetworkManager.

1 Like

That is how one chroots inside your install to recover your system, not having iproute and dhclient pre-installed makes that task unnecessarily difficult when the issue is a corrupt package (or lack of it).

This is probably branching into an entirely separate topic. But I don’t think we should require networking tools that aren’t those used in normal operation of the system.

1 Like

I agree, but one should allow the user to chroot into his install in order to recover his system, and allowing it Internet connection is absolutely essential. Currently I see no way of doing this without iproute and dhcp-client pre-installed.

systemd-networkd - ArchWiki

1 Like

Just my opinion, but I think the backlash for making gnome-software protected would be significant.

Even though it is possible to remove protected software, many people won’t know how to do that and there will suddenly be complaints all over the place that Fedora doesn’t let the user choose which packages to have on their system.

I am also not sure the correlation between advanced Fedora users and people who want to remove Gnome Software is all that high either.


Protected gnome-software would at least increase the complexity of migrating among GUI’s. There can be many reasons for migrating to another GUI without wanting to reinstall the os. I agree that these reasons are not necessarily related to advanced users (and keeping the extensive gnome when not using it is an unnecessary burden for users who are not aware that the protected packages can be changed).

But NetworkManager + NetworkManager-wifi in the workstation make definitely sense, especially as it could be a mess for a non-advanced user to revert it when it was deleted by accident.


Sure, but there’s “migrating to a other GUI” and then there’s “also I must remove the all software associated with that other GUI even though it could run under this one just fine”. That latter case seems like it is an advanced one.


Generally, that’s right. A realistic combination of the need to remove these packages and non-advanced users seems to be the use on legacy systems. However, legacySys+nonAdvancedUser+fedora seems indeed a seldom phenomenon, and of course this is also not the major focus of Fedora. From that point of view, protected gnome can make sense.

However, I think it would anyway make sense to keep consistency in the policy of protected packages among the spins.

Is that really the situation though? When you switch DEs, you would typically use dnf swap. Wouldn’t making gnome-software protected cause the swap to fail?