🛠️ Xen Summit 2025: Find Your Place in the Future of Virtualization
https://xenproject.org/blog/xen-summit-2025-find-your-place-in-the-future-of-virtualization/
The annual Xen Summit is right around the corner, and there has never been a more exciting time to be part of the Xen Project.As enterprise and industrial needs shift and proprietary vendors rethink their licensing, the industry is ready for strong, open alternatives. Xen stands out not only
https://xenproject.org/blog/xen-summit-2025-find-your-place-in-the-future-of-virtualization/
The annual Xen Summit is right around the corner, and there has never been a more exciting time to be part of the Xen Project.As enterprise and industrial needs shift and proprietary vendors rethink their licensing, the industry is ready for strong, open alternatives. Xen stands out not only
XSAs released on 2025-07-01
https://www.qubes-os.org/news/2025/07/01/xsas-released-on-2025-07-01/
The Xen Project (https://xenproject.org/) has released one or more Xen security advisories (XSAs) (https://xenbits.xen.org/xsa/).
The security of Qubes OS is not affected.
XSAs that DO affect the security of Qubes OS
The following XSAs do affect the security of Qubes OS:
(none)
XSAs that DO NOT affect the security of Qubes OS
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-470 (https://xenbits.xen.org/xsa/advisory-470.html)
Denial of service only
About this announcement
Qubes OS uses the Xen hypervisor (https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its architecture (https://www.qubes-os.org/doc/architecture/). When the Xen Project (https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a Xen security advisory (XSA) (https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a Qubes security bulletin (QSB) (https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only positive confirmation that certain XSAs do affect the security of Qubes OS. QSBs cannot provide negative confirmation that other XSAs do not affect the security of Qubes OS. Therefore, we also maintain an XSA tracker (https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
https://www.qubes-os.org/news/2025/07/01/xsas-released-on-2025-07-01/
The Xen Project (https://xenproject.org/) has released one or more Xen security advisories (XSAs) (https://xenbits.xen.org/xsa/).
The security of Qubes OS is not affected.
XSAs that DO affect the security of Qubes OS
The following XSAs do affect the security of Qubes OS:
(none)
XSAs that DO NOT affect the security of Qubes OS
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-470 (https://xenbits.xen.org/xsa/advisory-470.html)
Denial of service only
About this announcement
Qubes OS uses the Xen hypervisor (https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its architecture (https://www.qubes-os.org/doc/architecture/). When the Xen Project (https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a Xen security advisory (XSA) (https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a Qubes security bulletin (QSB) (https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only positive confirmation that certain XSAs do affect the security of Qubes OS. QSBs cannot provide negative confirmation that other XSAs do not affect the security of Qubes OS. Therefore, we also maintain an XSA tracker (https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
Qubes OS Summit 2025: Call for sponsors
https://www.qubes-os.org/news/2025/07/08/qubes-os-summit-2025-call-for-sponsors/
The Qubes OS Project and 3mdeb (https://3mdeb.com/) are excited to announce the upcoming Qubes OS Summit 2025 (https://events.dasharo.com/event/2/qubes-os-summit-2025)! This event will be an incredible opportunity for the community to come together, share knowledge, and discuss the future of secure computing.
Event Details:
Date: Fri, Sep 26, 2025 10:00 AM – Sun, Sep 28, 2025 3:00 PM GMT+2
Location: The Social Hub Berlin (Alexanderstraße 40, Berlin, 10179, DE)
Format: In-person event with online participation option featuring talks, workshops, and networking opportunities
To make this summit a success, we’re seeking sponsors who are interested in supporting our mission and engaging with our vibrant community. Sponsorship offers a unique chance to showcase your commitment to security and privacy while gaining visibility among a diverse audience of developers, researchers, and enthusiasts.
For detailed information about sponsorship opportunities, please refer to our Qubes OS Summit 2025 Sponsorship Prospectus (https://dl.3mdeb.com/dasharo/qoss/2025/qubes_os_summit_2025_prospectus.pdf).
We look forward to your support in making Qubes OS Summit 2025 a remarkable event!
https://www.qubes-os.org/news/2025/07/08/qubes-os-summit-2025-call-for-sponsors/
The Qubes OS Project and 3mdeb (https://3mdeb.com/) are excited to announce the upcoming Qubes OS Summit 2025 (https://events.dasharo.com/event/2/qubes-os-summit-2025)! This event will be an incredible opportunity for the community to come together, share knowledge, and discuss the future of secure computing.
Event Details:
Date: Fri, Sep 26, 2025 10:00 AM – Sun, Sep 28, 2025 3:00 PM GMT+2
Location: The Social Hub Berlin (Alexanderstraße 40, Berlin, 10179, DE)
Format: In-person event with online participation option featuring talks, workshops, and networking opportunities
To make this summit a success, we’re seeking sponsors who are interested in supporting our mission and engaging with our vibrant community. Sponsorship offers a unique chance to showcase your commitment to security and privacy while gaining visibility among a diverse audience of developers, researchers, and enthusiasts.
For detailed information about sponsorship opportunities, please refer to our Qubes OS Summit 2025 Sponsorship Prospectus (https://dl.3mdeb.com/dasharo/qoss/2025/qubes_os_summit_2025_prospectus.pdf).
We look forward to your support in making Qubes OS Summit 2025 a remarkable event!
🛠️ Engineering Trust: How Xen’s Open CI Powers Global, Hardware-Level Testing
https://xenproject.org/blog/engineering-trust-how-xens-open-ci-powers-global-hardware-level-testing/
In safety-critical industries like automotive and industrial systems, trust is non-negotiable. When building software that controls critical hardware, like braking systems or factory automation, you need confidence. The software must behave exactly as intended. Every time. On the actual device.That's why the Xen Project is investing in
https://xenproject.org/blog/engineering-trust-how-xens-open-ci-powers-global-hardware-level-testing/
In safety-critical industries like automotive and industrial systems, trust is non-negotiable. When building software that controls critical hardware, like braking systems or factory automation, you need confidence. The software must behave exactly as intended. Every time. On the actual device.That's why the Xen Project is investing in
XSAs released on 2025-07-08
https://www.qubes-os.org/news/2025/07/11/xsas-released-on-2025-07-08/
The Xen Project (https://xenproject.org/) has released one or more Xen security advisories (XSAs) (https://xenbits.xen.org/xsa/).
The security of Qubes OS is affected.
XSAs that DO affect the security of Qubes OS
The following XSAs do affect the security of Qubes OS:
XSA-471 (https://xenbits.xen.org/xsa/advisory-471.html)
See QSB-108 (https://www.qubes-os.org/news/2025/07/11/qsb-108/)
XSAs that DO NOT affect the security of Qubes OS
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
(none)
About this announcement
Qubes OS uses the Xen hypervisor (https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its architecture (https://www.qubes-os.org/doc/architecture/). When the Xen Project (https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a Xen security advisory (XSA) (https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a Qubes security bulletin (QSB) (https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only positive confirmation that certain XSAs do affect the security of Qubes OS. QSBs cannot provide negative confirmation that other XSAs do not affect the security of Qubes OS. Therefore, we also maintain an XSA tracker (https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
https://www.qubes-os.org/news/2025/07/11/xsas-released-on-2025-07-08/
The Xen Project (https://xenproject.org/) has released one or more Xen security advisories (XSAs) (https://xenbits.xen.org/xsa/).
The security of Qubes OS is affected.
XSAs that DO affect the security of Qubes OS
The following XSAs do affect the security of Qubes OS:
XSA-471 (https://xenbits.xen.org/xsa/advisory-471.html)
See QSB-108 (https://www.qubes-os.org/news/2025/07/11/qsb-108/)
XSAs that DO NOT affect the security of Qubes OS
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
(none)
About this announcement
Qubes OS uses the Xen hypervisor (https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as part of its architecture (https://www.qubes-os.org/doc/architecture/). When the Xen Project (https://xenproject.org/) publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a Xen security advisory (XSA) (https://xenproject.org/developers/security-policy/). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a Qubes security bulletin (QSB) (https://www.qubes-os.org/security/qsb/). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only positive confirmation that certain XSAs do affect the security of Qubes OS. QSBs cannot provide negative confirmation that other XSAs do not affect the security of Qubes OS. Therefore, we also maintain an XSA tracker (https://www.qubes-os.org/security/xsa/), which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
QSB-108: Transitive Scheduler Attacks (XSA-471)
https://www.qubes-os.org/news/2025/07/11/qsb-108/
We have published Qubes Security Bulletin (QSB) 108: Transitive Scheduler Attacks (XSA-471) (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.
Qubes Security Bulletin 108
---===[ Qubes Security Bulletin 108 ]===---
2025-07-08
Transitive Scheduler Attacks (XSA-471)
Changelog
----------
2025-07-08: Original QSB
2025-07-11: Revise language
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
On 2025-07-08, the Xen Project published XSA-471, "x86: Transitive
Scheduler Attacks" (CVE-2024-36350, CVE-2024-36357) [3]:
| Researchers from Microsoft and ETH Zurich have discovered several new
| speculative sidechannel attacks which bypass current protections.
| They are detailed in a paper noscriptd "Enter, Exit, Page Fault, Leak:
| Testing Isolation Boundaries for Microarchitectural Leaks".
|
| Two issues, which AMD have named Transitive Scheduler Attacks, utilise
| timing information from instruction execution. These are:
|
| * CVE-2024-36350: TSA-SQ (TSA in the Store Queues)
| * CVE-2024-36357: TSA-L1 (TSA in the L1 data cache)
For more information, see also [4], [5] and [6].
Impact
-------
On affected systems, an attacker who manages to compromise a qube may be
able to use it to infer the contents of arbitrary system memory,
including memory assigned to other qubes.
As noted in XSA-471, the paper [6] also describes two Rogue System
Register Read (sometimes called Spectre-v3a) attacks, namely
CVE-2024-36348 and CVE-2045-36349. However, these are not believed to
affect the security of Qubes OS.
Affected systems
-----------------
Only AMD CPUs with Zen 3 or Zen 4 cores are believed to be affected
(CPUID family 0x19). For a more detailed list, see [5].
Patching
---------
As of this writing, AMD has published only non-server CPU microcode
updates via the linux-firmware repository. [7] They have not yet
published microcode updates for server CPUs. When this happens, we will
provide an updated amd-ucode-firmware package. Users with server CPUs
may be able to obtain the relevant microcode update via a motherboard
firmware (BIOS/UEFI) update, but this depends on the motherboard vendor
making such an update available. The appendix of [4] (page 5) contains a
table showing the minimum microcode version required for mitigating
transient scheduler attacks for different CPUs. The required microcode
version (not to be confused with the amd-ucode-firmware package version)
depends on the CPUID family/model/stepping. Users can compare the
values from the table with their own system's family/model/stepping and
current microcode version, which can be viewed by executing the command
`cat /proc/cpuinfo` in a dom0 terminal.
On affected systems with non-server CPUs, the following packages contain
security updates that address the vulnerabilities described in this
bulletin:
For Qubes 4.2, in dom0:
- Xen packages, version 4.17.5-10
- amd-ucode-firmware version 20250708-1
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages should be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.
Credits
--------
https://www.qubes-os.org/news/2025/07/11/qsb-108/
We have published Qubes Security Bulletin (QSB) 108: Transitive Scheduler Attacks (XSA-471) (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.
Qubes Security Bulletin 108
---===[ Qubes Security Bulletin 108 ]===---
2025-07-08
Transitive Scheduler Attacks (XSA-471)
Changelog
----------
2025-07-08: Original QSB
2025-07-11: Revise language
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
On 2025-07-08, the Xen Project published XSA-471, "x86: Transitive
Scheduler Attacks" (CVE-2024-36350, CVE-2024-36357) [3]:
| Researchers from Microsoft and ETH Zurich have discovered several new
| speculative sidechannel attacks which bypass current protections.
| They are detailed in a paper noscriptd "Enter, Exit, Page Fault, Leak:
| Testing Isolation Boundaries for Microarchitectural Leaks".
|
| Two issues, which AMD have named Transitive Scheduler Attacks, utilise
| timing information from instruction execution. These are:
|
| * CVE-2024-36350: TSA-SQ (TSA in the Store Queues)
| * CVE-2024-36357: TSA-L1 (TSA in the L1 data cache)
For more information, see also [4], [5] and [6].
Impact
-------
On affected systems, an attacker who manages to compromise a qube may be
able to use it to infer the contents of arbitrary system memory,
including memory assigned to other qubes.
As noted in XSA-471, the paper [6] also describes two Rogue System
Register Read (sometimes called Spectre-v3a) attacks, namely
CVE-2024-36348 and CVE-2045-36349. However, these are not believed to
affect the security of Qubes OS.
Affected systems
-----------------
Only AMD CPUs with Zen 3 or Zen 4 cores are believed to be affected
(CPUID family 0x19). For a more detailed list, see [5].
Patching
---------
As of this writing, AMD has published only non-server CPU microcode
updates via the linux-firmware repository. [7] They have not yet
published microcode updates for server CPUs. When this happens, we will
provide an updated amd-ucode-firmware package. Users with server CPUs
may be able to obtain the relevant microcode update via a motherboard
firmware (BIOS/UEFI) update, but this depends on the motherboard vendor
making such an update available. The appendix of [4] (page 5) contains a
table showing the minimum microcode version required for mitigating
transient scheduler attacks for different CPUs. The required microcode
version (not to be confused with the amd-ucode-firmware package version)
depends on the CPUID family/model/stepping. Users can compare the
values from the table with their own system's family/model/stepping and
current microcode version, which can be viewed by executing the command
`cat /proc/cpuinfo` in a dom0 terminal.
On affected systems with non-server CPUs, the following packages contain
security updates that address the vulnerabilities described in this
bulletin:
For Qubes 4.2, in dom0:
- Xen packages, version 4.17.5-10
- amd-ucode-firmware version 20250708-1
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages should be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen
binaries.
Credits
--------
See the original Xen Security Advisory and linked publications.
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-471.html
[4] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
[5] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html
[6] https://www.microsoft.com/en-us/research/publication/enter-exit-page-fault-leak-testing-isolation-boundaries-for-microarchitectural-leaks/
[7] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode/README
--
The Qubes Security Team
https://www.qubes-os.org/security/
Source: qsb-108-2025.txt (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt)
Marek Marczykowski-Górecki (https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki)’s PGP signature
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEELRdx/k12ftx2sIn61lWk8hgw4GoFAmhxKTUACgkQ1lWk8hgw
4Go/kg//X4Vtf3hJSfyKRZLSf9Hd336j+BUk07hOQT/KsTo9ETuIWp0acUlvrTgy
TJcZ+L6vFyqoBRGFDj4I3x2f3OQ4V1gOCyha6XJqeMnxPh/hJ39tAFq8f7eEgha4
URi0jP9x6v22/UjBz3OHmrlVWOP3UnLq3jO4Hnsdcf+ark/nasX76YQ4+gnjuLwQ
8uMOpyt8eBs0/kfQS4yrqvxbLUTkIqQ3Nb8fx/I316xyc1s4mIwSNBNdG583Ql/r
sXyREUN3E8NnwUsnXLDLRg068aFCRvkmtpRPsfRgcLGsAhHro5Vo+m2Hv6HJticW
IjOGVpFW5TxS+coZP8/dSs5b6pfa/0MBlIwUfJuvPhmH1lGOnrAigPrjCCS6xRWA
AI/Idqyb/aRO1vPpj7Z+qe5swHJZ3UjzslizNxqtKcC3O2ZX75XoCRfVz75mZ41s
mE2HfIFHAk2axgAoNS8+xo4AkAlbTHeQxCpL6aGRkFOVCVHCiHEvb4B7KgRoBGiD
xdsgzoTOk+nxWrKl6AJiKjQtDn8I0oiyVDeeH4xXr5dg13TqmiDnVvTQJYISD7Uk
q7mBgZeR0u3pJm+GHgPq2wzyHsXdoqHWIfiVFy+3WkPmhrsIfrGnjUX+dnWRJ41V
vVwscsSAYR6/xgXHHu7mf9yP3B+xqaXGoCKzZN8zu7PTedTrERw=
=Inl1
-----END PGP SIGNATURE-----
Source: qsb-108-2025.txt.sig.marmarek (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt.sig.marmarek)
Simon Gaiser (aka HW42) (https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)’s PGP signature
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmhxJ3oACgkQSsGN4REu
FJBPxQ//VhaBX7JK4hiVSIARXOcGmgEq/5Oh1LHwpOgY9xMeDfA7rfcLJ8voXpnL
Tkjqglxj5uETUQpnJ4etmnWx4BggUWq7ePEJhTLpdoT6wkwRjpQb68O00eTr/Wta
Ib/GuDeUbKX0r17AgkcXlEnyXcjFamBzq44uWUy10c6AnmdR+CBFuMC7+aHUARju
tDQQRm/4JJLClgUPsvslcyxvp7pQ9CsVzjrZAEOe3znUVAUGU6hfNwbm7VOMaDBi
kXT3LjcEGDvrSBiwgDgrOdykon/h5dTd1XYAf22i7KCjUO6+KBrwp/kV0j1LvvJq
iH/WM+P1fp+FKy52KuAr/O07FtC3RHyNGyuj/5rfhyKF6YNIXU3UUus5e1kMI9oZ
go6A3v8mJAR4ewfwmqSeIEDO0bMYE79uH8yd+0tH0iwAdVux53Mwgjf55uw2oBgf
BM5jcV0CFBNiOiGisowA3OJT5P5faOVYc65ZjliU6icU08Ysw4hhe3CZKtKbL9VR
4V+SIbo4VZY3OrhC9GJa0meW/HLo4nskBlTu/GwglPDlKaddkniou7BtVUFelsxv
Rw7IQ2Yr95g9TJWxjYuW9Qfqo53YEvgYvF3QttOnR2Uvf1b3bTfATJ5RedUV7YG4
mzbfpBFNdZwMBSv9mumlwe0I5Hq4xeQ6qaq3URmLTOJlh/VpqzA=
=JLcN
-----END PGP SIGNATURE-----
Source: qsb-108-2025.txt.sig.simon (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt.sig.simon)
What is the purpose of this announcement?
The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published.
What is a Qubes security bulletin (QSB)?
A Qubes security bulletin (QSB) is a security announcement issued by the Qubes security team (https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see Qubes security bulletins (QSBs) (https://www.qubes-os.org/security/qsb/).
Why should I care about QSBs?
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-471.html
[4] https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
[5] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html
[6] https://www.microsoft.com/en-us/research/publication/enter-exit-page-fault-leak-testing-isolation-boundaries-for-microarchitectural-leaks/
[7] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode/README
--
The Qubes Security Team
https://www.qubes-os.org/security/
Source: qsb-108-2025.txt (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt)
Marek Marczykowski-Górecki (https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki)’s PGP signature
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEELRdx/k12ftx2sIn61lWk8hgw4GoFAmhxKTUACgkQ1lWk8hgw
4Go/kg//X4Vtf3hJSfyKRZLSf9Hd336j+BUk07hOQT/KsTo9ETuIWp0acUlvrTgy
TJcZ+L6vFyqoBRGFDj4I3x2f3OQ4V1gOCyha6XJqeMnxPh/hJ39tAFq8f7eEgha4
URi0jP9x6v22/UjBz3OHmrlVWOP3UnLq3jO4Hnsdcf+ark/nasX76YQ4+gnjuLwQ
8uMOpyt8eBs0/kfQS4yrqvxbLUTkIqQ3Nb8fx/I316xyc1s4mIwSNBNdG583Ql/r
sXyREUN3E8NnwUsnXLDLRg068aFCRvkmtpRPsfRgcLGsAhHro5Vo+m2Hv6HJticW
IjOGVpFW5TxS+coZP8/dSs5b6pfa/0MBlIwUfJuvPhmH1lGOnrAigPrjCCS6xRWA
AI/Idqyb/aRO1vPpj7Z+qe5swHJZ3UjzslizNxqtKcC3O2ZX75XoCRfVz75mZ41s
mE2HfIFHAk2axgAoNS8+xo4AkAlbTHeQxCpL6aGRkFOVCVHCiHEvb4B7KgRoBGiD
xdsgzoTOk+nxWrKl6AJiKjQtDn8I0oiyVDeeH4xXr5dg13TqmiDnVvTQJYISD7Uk
q7mBgZeR0u3pJm+GHgPq2wzyHsXdoqHWIfiVFy+3WkPmhrsIfrGnjUX+dnWRJ41V
vVwscsSAYR6/xgXHHu7mf9yP3B+xqaXGoCKzZN8zu7PTedTrERw=
=Inl1
-----END PGP SIGNATURE-----
Source: qsb-108-2025.txt.sig.marmarek (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt.sig.marmarek)
Simon Gaiser (aka HW42) (https://www.qubes-os.org/team/#simon-gaiser-aka-hw42)’s PGP signature
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE6hjn8EDEHdrv6aoPSsGN4REuFJAFAmhxJ3oACgkQSsGN4REu
FJBPxQ//VhaBX7JK4hiVSIARXOcGmgEq/5Oh1LHwpOgY9xMeDfA7rfcLJ8voXpnL
Tkjqglxj5uETUQpnJ4etmnWx4BggUWq7ePEJhTLpdoT6wkwRjpQb68O00eTr/Wta
Ib/GuDeUbKX0r17AgkcXlEnyXcjFamBzq44uWUy10c6AnmdR+CBFuMC7+aHUARju
tDQQRm/4JJLClgUPsvslcyxvp7pQ9CsVzjrZAEOe3znUVAUGU6hfNwbm7VOMaDBi
kXT3LjcEGDvrSBiwgDgrOdykon/h5dTd1XYAf22i7KCjUO6+KBrwp/kV0j1LvvJq
iH/WM+P1fp+FKy52KuAr/O07FtC3RHyNGyuj/5rfhyKF6YNIXU3UUus5e1kMI9oZ
go6A3v8mJAR4ewfwmqSeIEDO0bMYE79uH8yd+0tH0iwAdVux53Mwgjf55uw2oBgf
BM5jcV0CFBNiOiGisowA3OJT5P5faOVYc65ZjliU6icU08Ysw4hhe3CZKtKbL9VR
4V+SIbo4VZY3OrhC9GJa0meW/HLo4nskBlTu/GwglPDlKaddkniou7BtVUFelsxv
Rw7IQ2Yr95g9TJWxjYuW9Qfqo53YEvgYvF3QttOnR2Uvf1b3bTfATJ5RedUV7YG4
mzbfpBFNdZwMBSv9mumlwe0I5Hq4xeQ6qaq3URmLTOJlh/VpqzA=
=JLcN
-----END PGP SIGNATURE-----
Source: qsb-108-2025.txt.sig.simon (https://github.com/QubesOS/qubes-secpack/blob/5da25fc8fbece540ad4594235cf7ee5e7a751fbb/QSBs/qsb-108-2025.txt.sig.simon)
What is the purpose of this announcement?
The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published.
What is a Qubes security bulletin (QSB)?
A Qubes security bulletin (QSB) is a security announcement issued by the Qubes security team (https://www.qubes-os.org/security/#qubes-security-team). A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see Qubes security bulletins (QSBs) (https://www.qubes-os.org/security/qsb/).
Why should I care about QSBs?
QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by updating normally (https://www.qubes-os.org/doc/how-to-update/). However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs.
What are the PGP signatures that accompany QSBs?
A PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic digital signature (https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the OpenPGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like GNU Privacy Guard (GPG) (https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures.
Why should I care whether a QSB is authentic?
A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project.
How do I verify the PGP signatures on a QSB?
The following command-line instructions assume a Linux system with git and gpg installed. (For Windows and Mac options, see OpenPGP software (https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).)
Obtain the Qubes Master Signing Key (QMSK), e.g.:
$ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
(For more ways to obtain the QMSK, see How to import and authenticate the Qubes Master Signing Key (https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).)
View the fingerprint of the PGP key you just imported. (Note: gpg> indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.)
$ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
gpg> fpr
pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
Important: At this point, you still don’t know whether the key you just imported is the genuine QMSK or a forgery. In order for this entire procedure to provide meaningful security benefits, you must authenticate the QMSK out-of-band. Do not skip this step! The standard method is to obtain the QMSK fingerprint from multiple independent sources in several different ways and check to see whether they match the key you just imported. For more information, see How to import and authenticate the Qubes Master Signing Key (https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).
What are the PGP signatures that accompany QSBs?
A PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signature is a cryptographic digital signature (https://en.wikipedia.org/wiki/Digital_signature) made in accordance with the OpenPGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP) standard. PGP signatures can be cryptographically verified with programs like GNU Privacy Guard (GPG) (https://gnupg.org/). The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures.
Why should I care whether a QSB is authentic?
A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project.
How do I verify the PGP signatures on a QSB?
The following command-line instructions assume a Linux system with git and gpg installed. (For Windows and Mac options, see OpenPGP software (https://www.qubes-os.org/security/verifying-signatures/#openpgp-software).)
Obtain the Qubes Master Signing Key (QMSK), e.g.:
$ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
(For more ways to obtain the QMSK, see How to import and authenticate the Qubes Master Signing Key (https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).)
View the fingerprint of the PGP key you just imported. (Note: gpg> indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.)
$ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
gpg> fpr
pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
Important: At this point, you still don’t know whether the key you just imported is the genuine QMSK or a forgery. In order for this entire procedure to provide meaningful security benefits, you must authenticate the QMSK out-of-band. Do not skip this step! The standard method is to obtain the QMSK fingerprint from multiple independent sources in several different ways and check to see whether they match the key you just imported. For more information, see How to import and authenticate the Qubes Master Signing Key (https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).
Tip: After you have authenticated the QMSK out-of-band to your satisfaction, record the QMSK fingerprint in a safe place (or several) so that you don’t have to repeat this step in the future.
Once you are satisfied that you have the genuine QMSK, set its trust level to 5 (“ultimate”), then quit GnuPG with q.
gpg> trust
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
Use Git to clone the qubes-secpack repo.
$ git clone https://github.com/QubesOS/qubes-secpack.git
Cloning into 'qubes-secpack'...
remote: Enumerating objects: 4065, done.
remote: Counting objects: 100% (1474/1474), done.
remote: Compressing objects: 100% (742/742), done.
remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
Resolving deltas: 100% (1910/1910), done.
Import the included PGP keys. (See our PGP key policies (https://www.qubes-os.org/security/pack/#pgp-key-policies) for important information about these keys.)
$ gpg --import qubes-secpack/keys/*/*
gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
Once you are satisfied that you have the genuine QMSK, set its trust level to 5 (“ultimate”), then quit GnuPG with q.
gpg> trust
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> q
Use Git to clone the qubes-secpack repo.
$ git clone https://github.com/QubesOS/qubes-secpack.git
Cloning into 'qubes-secpack'...
remote: Enumerating objects: 4065, done.
remote: Counting objects: 100% (1474/1474), done.
remote: Compressing objects: 100% (742/742), done.
remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
Resolving deltas: 100% (1910/1910), done.
Import the included PGP keys. (See our PGP key policies (https://www.qubes-os.org/security/pack/#pgp-key-policies) for important information about these keys.)
$ gpg --import qubes-secpack/keys/*/*
gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
gpg: Total number processed: 17
gpg: imported: 16
gpg: unchanged: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 6 signed: 0 trust: 6-, 0q, 0n, 0m, 0f, 0u
Verify signed Git tags.
$ cd qubes-secpack/
$ git tag -v `git describe`
object 266e14a6fae57c9a91362c9ac784d3a891f4d351
type commit
tag marmarek_sec_266e14a6
tagger Marek Marczykowski-Górecki 1677757924 +0100
Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
The exact output will differ, but the final line should always start with gpg: Good signature from... followed by an appropriate key. The [full] indicates full trust, which this key inherits in virtue of being validly signed by the QMSK.
Verify PGP signatures, e.g.:
$ cd QSBs/
$ gpg --verify qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
$ gpg --verify qsb-087-2022.txt.sig.simon qsb-087-2022.txt
gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
$ cd ../canaries/
$ gpg --verify canary-034-2023.txt.sig.marmarek canary-034-2023.txt
gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
$ gpg --verify canary-034-2023.txt.sig.simon canary-034-2023.txt
gpg: Signature made Thu 02 Mar 2023 01:47:52 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
Again, the exact output will differ, but the final line of output from each gpg --verify command should always start with gpg: Good signature from... followed by an appropriate key.
For this announcement (QSB-108), the commands are:
$ gpg --verify qsb-108-2025.txt.sig.marmarek qsb-108-2025.txt
$ gpg --verify qsb-108-2025.txt.sig.simon qsb-108-2025.txt
You can also verify the signatures directly from this announcement in addition to or instead of verifying the files from the qubes-secpack. Simply copy and paste the QSB-108 text into a plain text file and do the same for both signature files. Then, perform the same authentication steps as listed above, substituting the filenames above with the names of the files you just created.
gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
gpg: Total number processed: 17
gpg: imported: 16
gpg: unchanged: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 6 signed: 0 trust: 6-, 0q, 0n, 0m, 0f, 0u
Verify signed Git tags.
$ cd qubes-secpack/
$ git tag -v `git describe`
object 266e14a6fae57c9a91362c9ac784d3a891f4d351
type commit
tag marmarek_sec_266e14a6
tagger Marek Marczykowski-Górecki 1677757924 +0100
Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
The exact output will differ, but the final line should always start with gpg: Good signature from... followed by an appropriate key. The [full] indicates full trust, which this key inherits in virtue of being validly signed by the QMSK.
Verify PGP signatures, e.g.:
$ cd QSBs/
$ gpg --verify qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
$ gpg --verify qsb-087-2022.txt.sig.simon qsb-087-2022.txt
gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
$ cd ../canaries/
$ gpg --verify canary-034-2023.txt.sig.marmarek canary-034-2023.txt
gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
$ gpg --verify canary-034-2023.txt.sig.simon canary-034-2023.txt
gpg: Signature made Thu 02 Mar 2023 01:47:52 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
Again, the exact output will differ, but the final line of output from each gpg --verify command should always start with gpg: Good signature from... followed by an appropriate key.
For this announcement (QSB-108), the commands are:
$ gpg --verify qsb-108-2025.txt.sig.marmarek qsb-108-2025.txt
$ gpg --verify qsb-108-2025.txt.sig.simon qsb-108-2025.txt
You can also verify the signatures directly from this announcement in addition to or instead of verifying the files from the qubes-secpack. Simply copy and paste the QSB-108 text into a plain text file and do the same for both signature files. Then, perform the same authentication steps as listed above, substituting the filenames above with the names of the files you just created.
Qubes OS Summit 2025: Tickets for sale and Call for Participation open!
https://www.qubes-os.org/news/2025/07/17/qubes-os-summit-2025-tickets-now-available/
You can now purchase on-site tickets to attend Qubes OS Summit 2025 (https://events.dasharo.com/event/2/qubes-os-summit-2025) in person! Please note that a limited number of on-site tickets are available, and tickets are more heavily discounted the earlier they’re purchased.
For those who would prefer to participate remotely instead, the event will be broadcast live on YouTube, where anyone can watch with no ticket required. We’ll also use Jitsi for remote attendees who wish to participate actively without using YouTube (including remote speakers). This latter option requires a free virtual ticket.
https://www.qubes-os.org/news/2025/07/17/qubes-os-summit-2025-tickets-now-available/
You can now purchase on-site tickets to attend Qubes OS Summit 2025 (https://events.dasharo.com/event/2/qubes-os-summit-2025) in person! Please note that a limited number of on-site tickets are available, and tickets are more heavily discounted the earlier they’re purchased.
For those who would prefer to participate remotely instead, the event will be broadcast live on YouTube, where anyone can watch with no ticket required. We’ll also use Jitsi for remote attendees who wish to participate actively without using YouTube (including remote speakers). This latter option requires a free virtual ticket.
In addition, the Call for Participation (CFP) for Qubes OS Summit 2025 (https://cfp.3mdeb.com/qubes-os-summit-2025/cfp) is now open! If you’d like to speak at the summit, we invite you to submit a proposal. The deadline for proposals is 2025-07-31 23:59 (UTC), which is approximately two weeks from now.
https://www.qubes-os.org/news/2025/07/23/qubes-documentation-migrating-to-read-the-docs/
We’re pleased to announce that we’re officially migrating to Read the Docs (https://readthedocs.com/) as our documentation generation and hosting platform. Our documentation source files will continue to reside in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository with PGP-signed tags and commits (https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits), and the live documentation published on the web will continue to be located on the official Qubes website, but Read the Docs will handle generating the documentation from our source files and hosting the generated documentation on the backend so that it can be served to Qubes website visitors. Migrating to Read the Docs will enable us to localize the documentation, maintain release-specific documentation, support offline documentation, and more. Today marks the beginning of a 20-day community testing period for the new documentation, which is already live at https://doc.qubes-os.org/en/latest/.
What is Read the Docs?
Read the Docs (https://readthedocs.com/) is an open-source platform that hosts software documentation. It’s a popular choice among open-source projects, because it simplifies the process of generating documentation from Git repositories and offers many useful features that would be difficult for small projects to implement themselves in a polished way, such as versioning, integrated search, and pull request previews.
Why is the documentation migrating?
There are new and increasing demands on the Qubes documentation, such as localization (i.e., translations), release-specific documentation, and offline documentation. With these new demands, it has become increasingly difficult for the current system to meet our needs. Before we tried to address these kinds of needs, our documentation setup was simpler and served us well. The backend was smaller, easier to understand, and easier to maintain, since it didn’t need to do much. There was only a single, canonical version of every documentation page.
However, the reality is that not all Qubes users read English, not everyone uses the same version of Qubes OS at the same time, and not everyone is comfortable cloning a Git repo and sorting through plain text files written in a lightweight markup language. We have users and contributors of all technical levels from around the world, and we sometimes support multiple Qubes releases simultaneously. Even when there’s only one currently-supported release, there’s usually a new one in development or testing that folks want to start documenting. This means that we have to support a separate version of each relevant documentation page for every translated language and for every supported and in-development Qubes version, not to mention historical documentation for releases that have reached end of life (EOL). We also have users who want to be able to access the documentation offline in a user-friendly format, such as HTML, PDF, or EPUB.
Trying to implement all of these features and manage all of this complexity manually by ourselves isn’t practical. We need a system that’s designed for managing complex software documentation, and that’s precisely what Read the Docs is.
How is the documentation currently set up, and what will change?
At present, the official Qubes documentation consists of a set of plain text Markdown (https://en.wikipedia.org/wiki/Markdown) source files that are stored in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository, which is a subrepository of the Qubes website repository, qubesos.github.io (https://github.com/QubesOS/qubesos.github.io). We then use GitHub Pages (https://pages.github.com/) to generate the Qubes website (https://www.qubes-os.org/), which includes the current documentation (https://www.qubes-os.org/doc/).
We’re pleased to announce that we’re officially migrating to Read the Docs (https://readthedocs.com/) as our documentation generation and hosting platform. Our documentation source files will continue to reside in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository with PGP-signed tags and commits (https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits), and the live documentation published on the web will continue to be located on the official Qubes website, but Read the Docs will handle generating the documentation from our source files and hosting the generated documentation on the backend so that it can be served to Qubes website visitors. Migrating to Read the Docs will enable us to localize the documentation, maintain release-specific documentation, support offline documentation, and more. Today marks the beginning of a 20-day community testing period for the new documentation, which is already live at https://doc.qubes-os.org/en/latest/.
What is Read the Docs?
Read the Docs (https://readthedocs.com/) is an open-source platform that hosts software documentation. It’s a popular choice among open-source projects, because it simplifies the process of generating documentation from Git repositories and offers many useful features that would be difficult for small projects to implement themselves in a polished way, such as versioning, integrated search, and pull request previews.
Why is the documentation migrating?
There are new and increasing demands on the Qubes documentation, such as localization (i.e., translations), release-specific documentation, and offline documentation. With these new demands, it has become increasingly difficult for the current system to meet our needs. Before we tried to address these kinds of needs, our documentation setup was simpler and served us well. The backend was smaller, easier to understand, and easier to maintain, since it didn’t need to do much. There was only a single, canonical version of every documentation page.
However, the reality is that not all Qubes users read English, not everyone uses the same version of Qubes OS at the same time, and not everyone is comfortable cloning a Git repo and sorting through plain text files written in a lightweight markup language. We have users and contributors of all technical levels from around the world, and we sometimes support multiple Qubes releases simultaneously. Even when there’s only one currently-supported release, there’s usually a new one in development or testing that folks want to start documenting. This means that we have to support a separate version of each relevant documentation page for every translated language and for every supported and in-development Qubes version, not to mention historical documentation for releases that have reached end of life (EOL). We also have users who want to be able to access the documentation offline in a user-friendly format, such as HTML, PDF, or EPUB.
Trying to implement all of these features and manage all of this complexity manually by ourselves isn’t practical. We need a system that’s designed for managing complex software documentation, and that’s precisely what Read the Docs is.
How is the documentation currently set up, and what will change?
At present, the official Qubes documentation consists of a set of plain text Markdown (https://en.wikipedia.org/wiki/Markdown) source files that are stored in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository, which is a subrepository of the Qubes website repository, qubesos.github.io (https://github.com/QubesOS/qubesos.github.io). We then use GitHub Pages (https://pages.github.com/) to generate the Qubes website (https://www.qubes-os.org/), which includes the current documentation (https://www.qubes-os.org/doc/).
👍1
Read the Docs also generates documentation from plain text source files in Git repositories. However, it primarily uses reStructuredText (https://en.wikipedia.org/wiki/ReStructuredText) instead of Markdown. Furthermore, Read the Docs hosts HTML content that is usually generated using tools like Sphinx (https://www.sphinx-doc.org/), whereas GitHub Pages uses Jekyll (https://jekyllrb.com/) for static site generation.
Accordingly, the Qubes documentation source files will continue to reside in the qubes-doc (https://github.com/QubesOS/qubes-doc) repository, but the Markdown content is being converted to reStructuredText. Furthermore, the documentation will be generated using Sphinx and hosted by Read the Docs rather than generated using Jekyll and hosted by GitHub. The web version of the new documentation will continue to be located on the Qubes website, but it will be under a new subdomain (https://doc.qubes-os.org (https://doc.qubes-os.org/)). In addition, images and other binary files used in the documentation will be stored in qubes-doc (https://github.com/QubesOS/qubes-doc) rather than the qubes-attachment (https://github.com/QubesOS/qubes-attachment) repository.
How will this affect the security of the documentation?
The source files for all official Qubes documentation will continue to be stored in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository with PGP-signed tags and commits (https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits), just as they are now. In that sense, the security of the documentation won’t change at all. The main change is that Read the Docs will replace GitHub as the platform that generates the documentation from the source files and hosts the generated documentation.
How will the migration proceed?
Over the next 20 days, between now and 2025-08-12, the community will test the new documentation. During this period, the current documentation will be frozen, which means that no pull requests will be merged. After the testing period has concluded, the documentation team will evaluate the results and make any changes that are needed. Once the migration is complete, we’ll make a final announcement, and the new documentation hosted on Read the Docs will officially replace the current documentation.
What can I do to help?
Please review the new documentation located at https://doc.qubes-os.org/en/latest/. It would be especially helpful to compare the new documentation to the current documentation located at https://qubes-os.org/doc and point out any inconsistencies. (When doing this, please focus on accuracy and correctness rather than visual aspects.)
There’s a full list of new documentation pages to be reviewed in issue #8180 (https://github.com/QubesOS/qubes-issues/issues/8180). After you’ve reviewed a page, please leave a comment on that issue to let us know your findings. You can simply copy the entries you reviewed from that list into your comment and add a brief note on what you found problematic, found acceptable, and so on. If you’d like to report a more significant bug or request a feature, you can also open a separate issue (https://www.qubes-os.org/doc/issue-tracking/). If you’re familiar with reStructuredText and would like to submit a change to the new documentation, please open a pull request against this branch: https://github.com/QubesOS/qubes-doc/tree/rst.
While we want to know about any problems you spot, please feel free to share any positive feedback you have, as well!
Acknowledgments
This migration is the culmination of many hours of work over the course of several years, for which the Qubes OS Project owes a debt of gratitude. The Sphinx conversion tooling was done by Maiska (aka m) (https://www.qubes-os.org/team/#m), with support from Marek Marczykowski-Górecki (https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki). Tobias Killer (aka tokidev)
Accordingly, the Qubes documentation source files will continue to reside in the qubes-doc (https://github.com/QubesOS/qubes-doc) repository, but the Markdown content is being converted to reStructuredText. Furthermore, the documentation will be generated using Sphinx and hosted by Read the Docs rather than generated using Jekyll and hosted by GitHub. The web version of the new documentation will continue to be located on the Qubes website, but it will be under a new subdomain (https://doc.qubes-os.org (https://doc.qubes-os.org/)). In addition, images and other binary files used in the documentation will be stored in qubes-doc (https://github.com/QubesOS/qubes-doc) rather than the qubes-attachment (https://github.com/QubesOS/qubes-attachment) repository.
How will this affect the security of the documentation?
The source files for all official Qubes documentation will continue to be stored in the qubes-doc (https://github.com/QubesOS/qubes-doc) Git repository with PGP-signed tags and commits (https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits), just as they are now. In that sense, the security of the documentation won’t change at all. The main change is that Read the Docs will replace GitHub as the platform that generates the documentation from the source files and hosts the generated documentation.
How will the migration proceed?
Over the next 20 days, between now and 2025-08-12, the community will test the new documentation. During this period, the current documentation will be frozen, which means that no pull requests will be merged. After the testing period has concluded, the documentation team will evaluate the results and make any changes that are needed. Once the migration is complete, we’ll make a final announcement, and the new documentation hosted on Read the Docs will officially replace the current documentation.
What can I do to help?
Please review the new documentation located at https://doc.qubes-os.org/en/latest/. It would be especially helpful to compare the new documentation to the current documentation located at https://qubes-os.org/doc and point out any inconsistencies. (When doing this, please focus on accuracy and correctness rather than visual aspects.)
There’s a full list of new documentation pages to be reviewed in issue #8180 (https://github.com/QubesOS/qubes-issues/issues/8180). After you’ve reviewed a page, please leave a comment on that issue to let us know your findings. You can simply copy the entries you reviewed from that list into your comment and add a brief note on what you found problematic, found acceptable, and so on. If you’d like to report a more significant bug or request a feature, you can also open a separate issue (https://www.qubes-os.org/doc/issue-tracking/). If you’re familiar with reStructuredText and would like to submit a change to the new documentation, please open a pull request against this branch: https://github.com/QubesOS/qubes-doc/tree/rst.
While we want to know about any problems you spot, please feel free to share any positive feedback you have, as well!
Acknowledgments
This migration is the culmination of many hours of work over the course of several years, for which the Qubes OS Project owes a debt of gratitude. The Sphinx conversion tooling was done by Maiska (aka m) (https://www.qubes-os.org/team/#m), with support from Marek Marczykowski-Górecki (https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki). Tobias Killer (aka tokidev)
👍1
(https://www.qubes-os.org/team/#tobias-killer) thoroughly and repeatedly tested the converted and deployed reStructuredText documentation. More recently, unman (https://www.qubes-os.org/team/#unman) and Solène Rapenne (https://www.qubes-os.org/team/#sol%C3%A8ne-rapenne) have supported the transition in the capacities as documentation maintainers.
🔥1
Fedora 42 templates available
https://www.qubes-os.org/news/2025/07/26/fedora-42-templates-available/
New Fedora 42 templates are now available for Qubes OS 4.2 in standard, minimal (https://www.qubes-os.org/doc/templates/minimal/), and Xfce (https://www.qubes-os.org/doc/templates/xfce/) varieties. There are two ways to upgrade a template to a new Fedora release:
Recommended: Install a fresh template to replace an existing one. (https://www.qubes-os.org/doc/templates/fedora/#installing) This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template (https://www.qubes-os.org/doc/templates/#switching). If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the template and use the dnf history command.
Advanced: Perform an in-place upgrade of an existing Fedora template. (https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) This option will preserve any modifications you’ve made to the template, but it may be more complicated for less experienced users.
Note: No user action is required regarding the OS version in dom0 (see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).
https://www.qubes-os.org/news/2025/07/26/fedora-42-templates-available/
New Fedora 42 templates are now available for Qubes OS 4.2 in standard, minimal (https://www.qubes-os.org/doc/templates/minimal/), and Xfce (https://www.qubes-os.org/doc/templates/xfce/) varieties. There are two ways to upgrade a template to a new Fedora release:
Recommended: Install a fresh template to replace an existing one. (https://www.qubes-os.org/doc/templates/fedora/#installing) This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template (https://www.qubes-os.org/doc/templates/#switching). If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the template and use the dnf history command.
Advanced: Perform an in-place upgrade of an existing Fedora template. (https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) This option will preserve any modifications you’ve made to the template, but it may be more complicated for less experienced users.
Note: No user action is required regarding the OS version in dom0 (see our note on dom0 and EOL (https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).
👍1
We’re pleased to announce that the first release candidate (RC) for Qubes OS 4.3.0 is now available for testing. This minor release includes many new features and improvements over Qubes OS 4.2.
What’s new in Qubes 4.3?
Dom0 upgraded to Fedora 41 (#9402 (https://github.com/QubesOS/qubes-issues/issues/9402)).
Xen upgraded to version 4.19 (#9420 (https://github.com/QubesOS/qubes-issues/issues/9420)).
Default Fedora template upgraded to Fedora 42 (older releases not supported).
Default Debian template upgraded to Debian 13 (older releases not supported).
Default Whonix templates upgraded to Whonix 17.4.3 (versions older than release 17 not supported).
Preloaded disposables (#1512 (https://github.com/QubesOS/qubes-issues/issues/1512))
Device “self-identity oriented” assignment (a.k.a. New Devices API) (#9325 (https://github.com/QubesOS/qubes-issues/issues/9325))
Qubes Windows Tools reintroduced with improved features (#1861 (https://github.com/QubesOS/qubes-issues/issues/1861)).
These are just a few highlights from the many changes included in this release. For a more comprehensive list of changes, see the Qubes OS 4.3 release notes (https://qubes-doc--1504.org.readthedocs.build/en/1504/developer/releases/4_3/release-notes.html). (This is a temporary link to an early preview of the release notes, which are continually being updated as we progress toward the eventual stable release.)
When is the stable release?
That depends on the number of bugs discovered in this RC and their severity. As explained in our release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule) documentation, our usual process after issuing a new RC is to collect bug reports, triage the bugs, and fix them. If warranted, we then issue a new RC that includes the fixes and repeat the process. We continue this iterative procedure until we’re left with an RC that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many RCs will be needed before a stable release), but we tend to get a clearer picture of this as testing progresses.
How to test Qubes 4.3.0-rc1
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help us improve the eventual stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/). You can upgrade to Qubes 4.3.0-rc1 (https://qubes-doc--1504.org.readthedocs.build/en/1504/user/downloading-installing-upgrading/upgrade/4_3.html) with either a clean installation or an in-place upgrade from Qubes 4.2. (Note for in-place upgrade testers: qubes-dist-upgrade now requires --releasever=4.3 and may require --enable-current-testing for testing releases like this RC.) As always, we strongly recommend making a full backup (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) beforehand and updating Qubes OS (https://www.qubes-os.org/doc/how-to-update/) immediately afterward in order to apply all available bug fixes. We encourage experienced users to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190).
Known issues in Qubes OS 4.3.0-rc1
Templates restored in 4.3.0-rc1 from a pre-4.3 backup continue to target their original Qubes OS release repos. This does not affect fresh templates on a clean 4.3.0-rc1 installation. For more information, see issue #8701 (https://github.com/QubesOS/qubes-issues/issues/8701).
View the full list of known bugs affecting Qubes 4.3 (https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20type%3ABug%20label%3Aaffects-4.3%20-label%3A%22R%3A%20cannot%20reproduce%22%20-label%3A%22R%3A%20declined%22%20-label%3A%22R%3A%20duplicate%22%20-label%3A%22R%3A%20not%20applicable%22%20-label%3A%22R%3A%20self-closed%22%20-label%3A%22R%3A%20upstream%20issue%22) in our issue tracker (https://www.qubes-os.org/doc/issue-tracking/).
What’s a release candidate?
What’s new in Qubes 4.3?
Dom0 upgraded to Fedora 41 (#9402 (https://github.com/QubesOS/qubes-issues/issues/9402)).
Xen upgraded to version 4.19 (#9420 (https://github.com/QubesOS/qubes-issues/issues/9420)).
Default Fedora template upgraded to Fedora 42 (older releases not supported).
Default Debian template upgraded to Debian 13 (older releases not supported).
Default Whonix templates upgraded to Whonix 17.4.3 (versions older than release 17 not supported).
Preloaded disposables (#1512 (https://github.com/QubesOS/qubes-issues/issues/1512))
Device “self-identity oriented” assignment (a.k.a. New Devices API) (#9325 (https://github.com/QubesOS/qubes-issues/issues/9325))
Qubes Windows Tools reintroduced with improved features (#1861 (https://github.com/QubesOS/qubes-issues/issues/1861)).
These are just a few highlights from the many changes included in this release. For a more comprehensive list of changes, see the Qubes OS 4.3 release notes (https://qubes-doc--1504.org.readthedocs.build/en/1504/developer/releases/4_3/release-notes.html). (This is a temporary link to an early preview of the release notes, which are continually being updated as we progress toward the eventual stable release.)
When is the stable release?
That depends on the number of bugs discovered in this RC and their severity. As explained in our release schedule (https://www.qubes-os.org/doc/version-scheme/#release-schedule) documentation, our usual process after issuing a new RC is to collect bug reports, triage the bugs, and fix them. If warranted, we then issue a new RC that includes the fixes and repeat the process. We continue this iterative procedure until we’re left with an RC that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many RCs will be needed before a stable release), but we tend to get a clearer picture of this as testing progresses.
How to test Qubes 4.3.0-rc1
If you’re willing to test (https://www.qubes-os.org/doc/testing/) this release candidate, you can help us improve the eventual stable release by reporting any bugs you encounter (https://www.qubes-os.org/doc/issue-tracking/). You can upgrade to Qubes 4.3.0-rc1 (https://qubes-doc--1504.org.readthedocs.build/en/1504/user/downloading-installing-upgrading/upgrade/4_3.html) with either a clean installation or an in-place upgrade from Qubes 4.2. (Note for in-place upgrade testers: qubes-dist-upgrade now requires --releasever=4.3 and may require --enable-current-testing for testing releases like this RC.) As always, we strongly recommend making a full backup (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) beforehand and updating Qubes OS (https://www.qubes-os.org/doc/how-to-update/) immediately afterward in order to apply all available bug fixes. We encourage experienced users to join the testing team (https://forum.qubes-os.org/t/joining-the-testing-team/5190).
Known issues in Qubes OS 4.3.0-rc1
Templates restored in 4.3.0-rc1 from a pre-4.3 backup continue to target their original Qubes OS release repos. This does not affect fresh templates on a clean 4.3.0-rc1 installation. For more information, see issue #8701 (https://github.com/QubesOS/qubes-issues/issues/8701).
View the full list of known bugs affecting Qubes 4.3 (https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20type%3ABug%20label%3Aaffects-4.3%20-label%3A%22R%3A%20cannot%20reproduce%22%20-label%3A%22R%3A%20declined%22%20-label%3A%22R%3A%20duplicate%22%20-label%3A%22R%3A%20not%20applicable%22%20-label%3A%22R%3A%20self-closed%22%20-label%3A%22R%3A%20upstream%20issue%22) in our issue tracker (https://www.qubes-os.org/doc/issue-tracking/).
What’s a release candidate?
👍3
A release candidate (RC) is a software build that has the potential to become a stable release, unless significant bugs are discovered in testing. RCs are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS supported releases (https://www.qubes-os.org/doc/supported-releases/) and the version scheme (https://www.qubes-os.org/doc/version-scheme/) in our documentation.
What’s a minor release?
The Qubes OS Project uses the semantic versioning (https://semver.org/) standard. Version numbers are written as ... Hence, releases that increment the second value are known as “minor releases.” Minor releases generally include new features, improvements, and bug fixes that are backward-compatible with earlier versions of the same major release. See our supported releases (https://www.qubes-os.org/doc/supported-releases/) for a comprehensive list of major and minor releases and our version scheme (https://www.qubes-os.org/doc/version-scheme/) documentation for more information about how Qubes OS releases are versioned.
What’s a minor release?
The Qubes OS Project uses the semantic versioning (https://semver.org/) standard. Version numbers are written as ... Hence, releases that increment the second value are known as “minor releases.” Minor releases generally include new features, improvements, and bug fixes that are backward-compatible with earlier versions of the same major release. See our supported releases (https://www.qubes-os.org/doc/supported-releases/) for a comprehensive list of major and minor releases and our version scheme (https://www.qubes-os.org/doc/version-scheme/) documentation for more information about how Qubes OS releases are versioned.
👍4