Qubes OS 4.2.0-rc1 is available for testing

We’re pleased to announce that the first release candidate for Qubes OS 4.2.0 is now available for testing. This minor release includes several new features and improvements over Qubes OS 4.1.0. Qubes 4.2.0-rc1 is available on the downloads page.

What’s new in Qubes 4.2.0?

• Dom0 upgraded to Fedora 37
• Xen updated to version 4.17
• SELinux support in Fedora templates
• Several GUI applications rewritten, including:
  • Applications Menu
  • Qubes Global Settings
  • Create New Qube
  • Qubes Update
• Unified grub.cfg location for both UEFI and legacy boot
• PipeWire support
• fwupd integration for firmware updates
• Optional automatic clipboard clearing
• Official packages built using Qubes Builder v2
• Split GPG and Split SSH management in Qubes Global Settings

Please see the Qubes OS 4.2.0 release notes for details.

Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in Qubes Canary 032 on 2022-09-14:

We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.

As always, we encourage you to authenticate this canary by verifying its PGP signatures. Specific instructions are also included in the canary announcement.

As with all Qubes signing keys, we also encourage you to authenticate the new Qubes OS Release 4.2 Signing Key, which is available in the Qubes Security Pack (qubes-secpack) as well as on the downloads page under the Qubes OS 4.2.0-rc1 ISO.

Testing Qubes 4.2.0-rc1

If you’re willing to test this release candidate, you can help us improve the eventual stable release by reporting any bugs you encounter. We encourage experienced users to join the testing team.

A full list of known bugs in Qubes 4.2.0 is available here. We strongly recommend updating Qubes OS immediately after installation in order to apply all available bug fixes.

Upgrading to Qubes 4.2.0-rc1

It is not yet possible to perform an in-place upgrade from Qubes 4.1 to Qubes 4.2. For this initial release candidate, a clean installation is required. An in-place upgrade tool is in development.

When is the stable release?

That depends on the number of bugs discovered in this release candidate and their severity. As explained in our release schedule documentation, our usual process after issuing a new release candidate is to collect bug reports, triage the bugs, and fix them. This usually takes around five weeks, depending on the bugs discovered. If warranted, we then issue a new release candidate that includes the fixes and repeat the whole process again. We continue this iterative procedure until we’re left with a release candidate that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many release candidates will be needed before a stable release), but we tend to get a clearer picture of this with each successive release candidate, which we’ll share in this section in future release candidate announcements.

In the case of Qubes 4.2.0 specifically, we already know that there will be a second release candidate (in order to test the in-place upgrade procedure, if nothing else). As mentioned above, we expect to announce that second release candidate in approximately five weeks. The results of that second release candidate will determine whether a third one is required.

What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a stable release, unless significant bugs are discovered in testing. Release candidates are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS supported releases and the version scheme in our documentation.

What is a minor release?

The Qubes OS Project uses the semantic versioning standard. Version numbers are written as ... Hence, releases that increment the second value are known as “minor releases.” Minor releases generally include new features, improvements, and bug fixes that are backward-compatible with earlier versions of the same major release. See our supported releases for a comprehensive list of major and minor releases and our version scheme documentation for more information about how Qubes OS releases are versioned.

The torrent download doesn’t work. I tried using aria2 and qbittorrent, nothing happens and aria2 displays some errors. The ISO for the release works fine as a torrent, so I don’t think my method is wrong.

$ aria2c Qubes-R4.2.0-rc1-x86_64.torrent 

06/03 08:30:13 [NOTICE] Downloading 1 item(s)

06/03 08:30:13 [NOTICE] IPv4 DHT: listening on UDP port 6945

06/03 08:30:13 [NOTICE] IPv4 BitTorrent: listening on TCP port 6990

06/03 08:30:13 [NOTICE] IPv6 BitTorrent: listening on TCP port 6990

06/03 08:30:13 [ERROR] CUID#21 - Download aborted. URI=https://ftp.qubes-os.org/iso/Qubes-R4.2.0-rc1-x86_64/Qubes-R4.2.0-rc1-x86_64.iso
Exception: [AbstractCommand.cc:351] errorCode=3 URI=https://ftp.qubes-os.org/iso/Qubes-R4.2.0-rc1-x86_64/Qubes-R4.2.0-rc1-x86_64.iso
  -> [HttpSkipResponseCommand.cc:218] errorCode=3 Resource not found

06/03 08:30:14 [NOTICE] CUID#20 - Redirecting to https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.2.0-rc1-x86_64/Qubes-R4.2.0-rc1-x86_64.iso
[#4f3ef0 0B/6.0GiB(0%) CN:2 SD:0 DL:0B]                                                                                                                             
06/03 08:30:14 [ERROR] CUID#20 - Download aborted. URI=https://mirrors.kernel.org/qubes/iso/Qubes-R4.2.0-rc1-x86_64/Qubes-R4.2.0-rc1-x86_64.iso
Exception: [AbstractCommand.cc:351] errorCode=3 URI=https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.2.0-rc1-x86_64/Qubes-R4.2.0-rc1-x86_64.iso
  -> [HttpSkipResponseCommand.cc:218] errorCode=3 Resource not found

Is SELinux also supported in Fedora minimal templates?
Would SELinux make Fedora significantly more secure than Debian?

Unable to use WiFi with R4.2.0-rc1 (as with previous R4.2 weekly release).

[sys-net] Connection Failure

Failed to add/activate connection

failure adding connection: error writing to file ‘/etc/NetworkManager/system-connections/{wireless name}.nmconnection’: failed to create file /etc/NetworkManager/system-connections/{wireless name}.nmconnection.46E551: Permission denied

Don’t have access to a LAN connection, so unable to test anything else.

You can open an issue on github so devs will know about this problem and try to fix it:

Is SELinux also supported in Fedora minimal templates?

I think not, I’ve just download fedora-38-minimal and it doesn’t have packages like sestatus or setenforce. But fedora-38-xfce support
SELinux.(Although the disk usage between xfce and og is only about 6MB)

Would SELinux make Fedora significantly more secure than Debian?

I don’t know is Debian template enable Apparmor by default but whether or not SELinux is better than Apparmor in security, but you also may lose some ease of use.
But to be honest I don’t know will it be significantly more secure or not.
For me, I’m more curious on the security between Fedora and Kicksecure. Looking for answer.

Thank you.

Thank you for your reply. I still have a question, one that may not be easy to answer. Is fedora-38 with SELinux more secure than debian minimal or fedora minimal - both of which have smaller attack surface?

On a related topic, does the SecureDrop Workstation use Fedora or Debian templates?

Is it likely that a new installation of the final Qubes 4.2.0 is not necessary, if -rc1 keeps being updated?

A post was split to a new topic: What distro is the SecureDrop workstation based on?

It looks as if we are on the master branch, if I understand correctly, therefore it should be OK to go with -rc1.

Likely, but not definitely.
There could be changes to the installer or organisation that cannot be
resolved by simply updating an installed system.
The same could apply to people updating from an existing 4.1 installation.

i assume it was only for partition layout? any example?
in your free time, please do things for 4.2 so i can test and other gain benefit

good job; works flawless for me

for 4.2: i noticed that whonix 17 template > is waiting for debian bookworm template > is waiting for salt being available in bookworm

“use more bandwith!” - Said the Qubes User uprading to 4.2 and installing debian12 & whonix17 templates afterwards

Bonus Edit:
[FEATURE REQUEST] Add Salt support for Debian 12 · Issue #64223 · saltstack/salt · GitHub Salt themselfs dont offer debian 12 support yet

I use a ProxyVM as a VPN gateway using iptables and CLI scripts.

In Qubes OS 4.2, DomU firewalls have switched to nftables. I have not installed 4.2 yet.

Do the ProxyVM scripts need an update?

2 posts were split to a new topic: Error when opening KDE application menu

Any easy fixes for this error?

KDE installed → Application launcher key →
file:///usr/share/plasma/plasmoids/org.kde.plasma.kickoff/contents/ui/Kickoff.qml:157:34: Type FullRepresentation unavailable file:///usr/share/plasma/plasmoids/org.kde.plasma.kickoff/contents/ui/FullRepresentation.qml:43:5: KickoffButton is not a type

Oops @throwaway11, it looks like I made a mistake! I thought I was reading your post in a different context. I assume you’re testing R4.2 RC1, and your question seems perfectly on-topic. Please disregard my previous post and accept my apologies!

When using KDE Wayland, apps don’t show when launched. KDE X11 works as expected.