Qubes OS 4.2.1 has been released!
62 views
Skip to first unread message
Andrew David Wong
Mar 26, 2024, 5:46:19 PM3/26/24
to qubes-announce, qubes-devel, qubes-users
Dear Qubes Community,
We're pleased to announce the stable release of Qubes OS 4.2.1! This [patch release](#what-is-a-patch-release) aims to consolidate all the security patches, bug fixes, and other updates that have occurred since the release of Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. The ISO and associated [verification files](https://www.qubes-os.org/security/verifying-signatures/) are available on the [downloads](https://www.qubes-os.org/downloads/) page.
## What's new in Qubes OS 4.2.1?
Qubes 4.2.1 includes numerous updates over the initial 4.2.0 release, in particular:
- All 4.2 dom0 updates to date
- Fedora 39 template
- Linux 6.6.x as the default kernel, significantly reducing the need for `kernel-latest` on newer systems
For more information about the changes included in this version, see the [full list of issues completed since the release of 4.2.0](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).
## How to get Qubes OS 4.2.1
You have a few different options, depending on your situation:
- If you'd like to install Qubes OS for the first time or perform a clean reinstallation on an existing system, there's never been a better time to do so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.2.1 ISO and follow our [installation guide](https://www.qubes-os.org/doc/installation-guide/).
- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/).
- If you're currently on Qubes 4.2 (including 4.2.0 and 4.2.1-rc1), [update normally](https://www.qubes-os.org/doc/how-to-update/) (which includes [upgrading any EOL templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) you might have) in order to make your system essentially equivalent to the stable Qubes 4.2.1 release. No reinstallation or other special action is required.
In all cases, we strongly recommend [making a full backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) beforehand.
## Reminder: new signing key for Qubes OS 4.2
As a reminder, we published the following special announcement in [Qubes Canary 032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:
> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.
As always, we encourage you to [authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate) this canary by [verifying its PGP signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific instructions are also included in the [canary announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).
As with all Qubes signing keys, we also encourage you to [authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys) the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well as on the [downloads](https://www.qubes-os.org/downloads/) page.
## What is a patch release?
The Qubes OS Project uses the [semantic versioning](https://semver.org/) standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we refer to releases that increment the third number as "patch releases." A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See [supported releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the [version scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/
We're pleased to announce the stable release of Qubes OS 4.2.1! This [patch release](#what-is-a-patch-release) aims to consolidate all the security patches, bug fixes, and other updates that have occurred since the release of Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. The ISO and associated [verification files](https://www.qubes-os.org/security/verifying-signatures/) are available on the [downloads](https://www.qubes-os.org/downloads/) page.
## What's new in Qubes OS 4.2.1?
Qubes 4.2.1 includes numerous updates over the initial 4.2.0 release, in particular:
- All 4.2 dom0 updates to date
- Fedora 39 template
- Linux 6.6.x as the default kernel, significantly reducing the need for `kernel-latest` on newer systems
For more information about the changes included in this version, see the [full list of issues completed since the release of 4.2.0](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).
## How to get Qubes OS 4.2.1
You have a few different options, depending on your situation:
- If you'd like to install Qubes OS for the first time or perform a clean reinstallation on an existing system, there's never been a better time to do so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.2.1 ISO and follow our [installation guide](https://www.qubes-os.org/doc/installation-guide/).
- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/).
- If you're currently on Qubes 4.2 (including 4.2.0 and 4.2.1-rc1), [update normally](https://www.qubes-os.org/doc/how-to-update/) (which includes [upgrading any EOL templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) you might have) in order to make your system essentially equivalent to the stable Qubes 4.2.1 release. No reinstallation or other special action is required.
In all cases, we strongly recommend [making a full backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) beforehand.
## Reminder: new signing key for Qubes OS 4.2
As a reminder, we published the following special announcement in [Qubes Canary 032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:
> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.
As always, we encourage you to [authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate) this canary by [verifying its PGP signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific instructions are also included in the [canary announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).
As with all Qubes signing keys, we also encourage you to [authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys) the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well as on the [downloads](https://www.qubes-os.org/downloads/) page.
## What is a patch release?
The Qubes OS Project uses the [semantic versioning](https://semver.org/) standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we refer to releases that increment the third number as "patch releases." A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See [supported releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the [version scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/
qubist
Mar 27, 2024, 5:58:12 AM3/27/24
to qubes...@googlegroups.com
On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote:
> ## What's new in Qubes OS 4.2.1?
>
> [...]
> ## What's new in Qubes OS 4.2.1?
>
>
> For more information about the changes included [...]
It would be much better to have a more detailed (yet concise)
changelog. It is highly unlikely that the user will read pages upon
pages of issues on a bug tracker, just to find out what is new.
My $0.02. :)
Andrew David Wong
Mar 31, 2024, 6:45:36 PM3/31/24
to qubes...@googlegroups.com
Imagine if we had a major or minor release, then we didn't have any further releases for a year. Users who wanted to (re)install Qubes would have to use a year-old ISO, then immediately catch up on a year's worth of updates, which could take quite a long time. Moreover, any bugs that affected the installation or initial update processes themselves might be complete blockers for some users. A security vulnerability in the update mechanism could make that initial update risky.
The purpose of these patch releases is mainly just to move up the "starting point" so that fresh installations don't have as far to "catch up" before they're on par with existing, regularly-updated installations. That's why the main summary of changes is just "all the routine updates you would've gotten if you had installed 4.2.0 and kept it up to date." Some of these routine updates will be of interest to some users while being of no interest at all to most other users. There should rarely be any that are of interest to *all* users. (Those should usually go in major or minor releases instead.)
qubist
Apr 1, 2024, 1:21:53 PM4/1/24
to qubes...@googlegroups.com
Thanks for explaining.
Demi Marie Obenour
Apr 1, 2024, 5:38:46 PM4/1/24
to Andrew David Wong, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
With the obvious exception of security patches.
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmYLKVsACgkQsoi1X/+c
IsF/+A//UsDrsR/wwgeSJgGgIVkElvB+W4TWMCOsx7NSTjZ4yWXw7e63hOTvVGTo
6tegSUDcfYMUty27KJKSsjc9difhQUuDco/CEvK2DOLDpEKO8IJtHU18+3zrk+0N
xweBTXuPD1T/FNbJAH3dKSdSsvXXmcqHW3FW6+q7AsnY3icg6zmdAsnqKVh7dylq
b3NwWLva/JOn1sxa214kxJmRkfG53o01jv9QTDviYqmGb0FBJ7P6tXFIp9sEMNlX
AqEGHF6Tj0fxQdvml3HlBZT0XZ265e6Th4xVhuA6titwML7HlIZDYu3AZP72u02E
NPOOZ29rgrUwTQsNPgDzJe3eAgxEiynOnAiabLSwF4HW8A0yJVgR02Lm46Vr+Npg
/LLxrmh4jRurhlpElvwA44nIenKpjprG5wFz48JHhrK+vyktxteyWTdvhE343nZh
tQYUEj9hsNscPuiwuNmbxqAhsuNMndhRHAcL/H/r6Sw88NmYj0YiWH7+NtrilVAs
Lp9S3oBeSjX+5QaD2abH8KnbjH7VdbynRFK1o3wXwUG/05KkT35RYw7eIojtDbCy
QWJpykgJfy50xn97s5Mtm5TvkN5TnE9TQx1UIOia/36IZBwatdPtO/lPZGCpSaDZ
9IF64BucZGcZts2xJnwV0s9VPfPpG9XN4IiB1EZzg6ko0XLrsVA=
=HFwF
-----END PGP SIGNATURE-----
Hash: SHA512
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmYLKVsACgkQsoi1X/+c
IsF/+A//UsDrsR/wwgeSJgGgIVkElvB+W4TWMCOsx7NSTjZ4yWXw7e63hOTvVGTo
6tegSUDcfYMUty27KJKSsjc9difhQUuDco/CEvK2DOLDpEKO8IJtHU18+3zrk+0N
xweBTXuPD1T/FNbJAH3dKSdSsvXXmcqHW3FW6+q7AsnY3icg6zmdAsnqKVh7dylq
b3NwWLva/JOn1sxa214kxJmRkfG53o01jv9QTDviYqmGb0FBJ7P6tXFIp9sEMNlX
AqEGHF6Tj0fxQdvml3HlBZT0XZ265e6Th4xVhuA6titwML7HlIZDYu3AZP72u02E
NPOOZ29rgrUwTQsNPgDzJe3eAgxEiynOnAiabLSwF4HW8A0yJVgR02Lm46Vr+Npg
/LLxrmh4jRurhlpElvwA44nIenKpjprG5wFz48JHhrK+vyktxteyWTdvhE343nZh
tQYUEj9hsNscPuiwuNmbxqAhsuNMndhRHAcL/H/r6Sw88NmYj0YiWH7+NtrilVAs
Lp9S3oBeSjX+5QaD2abH8KnbjH7VdbynRFK1o3wXwUG/05KkT35RYw7eIojtDbCy
QWJpykgJfy50xn97s5Mtm5TvkN5TnE9TQx1UIOia/36IZBwatdPtO/lPZGCpSaDZ
9IF64BucZGcZts2xJnwV0s9VPfPpG9XN4IiB1EZzg6ko0XLrsVA=
=HFwF
-----END PGP SIGNATURE-----
Andrew David Wong
Apr 1, 2024, 7:33:20 PM4/1/24
to Demi Marie Obenour, qubes...@googlegroups.com
On 4/1/24 2:38 PM, Demi Marie Obenour wrote:
> On Sun, Mar 31, 2024 at 03:45:29PM -0700, Andrew David Wong wrote:
>> On 3/27/24 2:57 AM, qubist wrote:
>>> On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote:
>>>
>>>> ## What's new in Qubes OS 4.2.1?
>>>>
>>>> [...]
>>>>
>>>> For more information about the changes included [...]
>>>
>>> It would be much better to have a more detailed (yet concise)
>>> changelog. It is highly unlikely that the user will read pages upon
>>> pages of issues on a bug tracker, just to find out what is new.
>>>
>>> My $0.02. :)
>>>
>
>> The concise changelog is already present, in the part you elided. Unlike major and minor releases, the primary purpose of patch releases is not to deliver new features or enhancements worth showcasing. Rather, the primary purpose is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO.
>
>> Imagine if we had a major or minor release, then we didn't have any further releases for a year. Users who wanted to (re)install Qubes would have to use a year-old ISO, then immediately catch up on a year's worth of updates, which could take quite a long time. Moreover, any bugs that affected the installation or initial update processes themselves might be complete blockers for some users. A security vulnerability in the update mechanism could make that initial update risky.
>
>> The purpose of these patch releases is mainly just to move up the "starting point" so that fresh installations don't have as far to "catch up" before they're on par with existing, regularly-updated installations. That's why the main summary of changes is just "all the routine updates you would've gotten if you had installed 4.2.0 and kept it up to date." Some of these routine updates will be of interest to some users while being of no interest at all to most other users. There should rarely be any that are of interest to *all* users. (Those should usually go in major or minor releases instead.)
>
> With the obvious exception of security patches.
It occurred to me after I sent this that someone would probably point this out. Yes, but we already make a separate announcement for each and every QSB, so it would be somewhat redundant to repeat that in every patch release announcement. I'm not sure why listing the exact QSB patches included in a given patch release would be more useful to the average user than just saying "includes all security patches to date" (which is entailed by "includes all updates to date").
> On Sun, Mar 31, 2024 at 03:45:29PM -0700, Andrew David Wong wrote:
>> On 3/27/24 2:57 AM, qubist wrote:
>>> On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote:
>>>
>>>> ## What's new in Qubes OS 4.2.1?
>>>>
>>>> [...]
>>>>
>>>> For more information about the changes included [...]
>>>
>>> It would be much better to have a more detailed (yet concise)
>>> changelog. It is highly unlikely that the user will read pages upon
>>> pages of issues on a bug tracker, just to find out what is new.
>>>
>>> My $0.02. :)
>>>
>
>> The concise changelog is already present, in the part you elided. Unlike major and minor releases, the primary purpose of patch releases is not to deliver new features or enhancements worth showcasing. Rather, the primary purpose is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO.
>
>> Imagine if we had a major or minor release, then we didn't have any further releases for a year. Users who wanted to (re)install Qubes would have to use a year-old ISO, then immediately catch up on a year's worth of updates, which could take quite a long time. Moreover, any bugs that affected the installation or initial update processes themselves might be complete blockers for some users. A security vulnerability in the update mechanism could make that initial update risky.
>
>> The purpose of these patch releases is mainly just to move up the "starting point" so that fresh installations don't have as far to "catch up" before they're on par with existing, regularly-updated installations. That's why the main summary of changes is just "all the routine updates you would've gotten if you had installed 4.2.0 and kept it up to date." Some of these routine updates will be of interest to some users while being of no interest at all to most other users. There should rarely be any that are of interest to *all* users. (Those should usually go in major or minor releases instead.)
>
> With the obvious exception of security patches.
qubist
Apr 2, 2024, 4:20:42 AM4/2/24
to qubes...@googlegroups.com
On Mon, 1 Apr 2024 16:33:13 -0700 Andrew David Wong wrote:
> [...] to the average user [...]
Targeting abstract entities is confusing.
> [...] to the average user [...]
Targeting abstract entities is confusing.
Andrew David Wong
Apr 2, 2024, 6:53:11 PM4/2/24
to qubes...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages