Qubes OS 4.2.1 has been released!

We’re pleased to announce the stable release of Qubes OS 4.2.1! This patch release aims to consolidate all the security patches, bug fixes, and other updates that have occurred since the release of Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. The ISO and associated verification files are available on the downloads page.

What’s new in Qubes OS 4.2.1?

Qubes 4.2.1 includes numerous updates over the initial 4.2.0 release, in particular:

• All 4.2 dom0 updates to date
• Fedora 39 template
• Linux 6.6.x as the default kernel, significantly reducing the need for kernel-latest on newer systems

For more information about the changes included in this version, see the full list of issues completed since the release of 4.2.0.

How to get Qubes OS 4.2.1

You have a few different options, depending on your situation:

• If you’d like to install Qubes OS for the first time or perform a clean reinstallation on an existing system, there’s never been a better time to do so! Simply download the Qubes 4.2.1 ISO and follow our installation guide.

• If you’re currently on Qubes 4.1, learn how to upgrade to Qubes 4.2.

• If you’re currently on Qubes 4.2 (including 4.2.0 and 4.2.1-rc1), update normally (which includes upgrading any EOL templates you might have) in order to make your system essentially equivalent to the stable Qubes 4.2.1 release. No reinstallation or other special action is required.

In all cases, we strongly recommend making a full backup beforehand.

Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in Qubes Canary 032 on 2022-09-14:

We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.

As always, we encourage you to authenticate this canary by verifying its PGP signatures. Specific instructions are also included in the canary announcement.

As with all Qubes signing keys, we also encourage you to authenticate the new Qubes OS Release 4.2 Signing Key, which is available in the Qubes Security Pack (qubes-secpack) as well as on the downloads page.

What is a patch release?

The Qubes OS Project uses the semantic versioning standard. Version numbers are written as ... Hence, we refer to releases that increment the third number as “patch releases.” A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See supported releases for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully updating it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the version scheme documentation.

Thank you.

Where to check the roadmap and plans for 4.3?

I would say that it’s the closest thing we can get for future planed features/fixes:

Thanks for the link.
I see roadmap as something completely different, though

This update literally saved me a bunch of $$$$ that was going to be spent on new hardware which would’ve allowed me to have a multi monitor setup. Simply because it fixed everything that was wrong with an Nvidia-HDMI driver in my machine which previously only showed a black/frozen screen when connected to the external display.
I’ve never been more grateful for a software update this much in my life before!

Great to hear

My kernel has the version 6.1.x
How can I see the available kernels? How can I update it to 6.6.x?

True, I also don’t see any 6.6 here…

It is currently in the testing repository. Once it is uploaded to stable, it will change from 6.1.x to 6.6.x.

@marmarek, is it supposed to still be in testing?

Doesn’t this statement of yours contradict the release notes?
It’s stated unequivocally “Linux 6.6.x as the default kernel, […]”

Probably. It’s included in the ISO itself, but it’s not yet available for already installed systems.

Yes, it is on the ISO for fresh installs, but still in testing for existing users. I expect there might be some regressions regarding hardware support (although nobody using current-testing reported yet) and I don’t want Linux 6.7+ warning: "Interrupt for port 107, but apparently not enabled" · Issue #8914 · QubesOS/qubes-issues · GitHub to obscure the logs (it’s harmless but very verbose warning). That issue was fixed upstream in 6.6.23 (released two days ago), so this one should reach stable repo in about a week.

Thanks for the clarification. So fresh installs will get kernel 6.6

I assume existing users just upgrade the template themselves, right?

Yes.

https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol:

It’s very important that you use only supported releases so that you continue to receive security updates. This means that you must periodically upgrade Qubes OS and your templates before they reach EOL. You can always see which versions of Qubes OS and select templates are supported on Supported releases.

In the case of Qubes OS itself, we will make an announcement when a supported Qubes OS release is approaching EOL and another when it has actually reached EOL, and we will provide instructions for upgrading to the next stable supported Qubes OS release.

Periodic upgrades are also important for templates. For example, you might be using a Fedora template. The Fedora Project is independent of the Qubes OS Project. They set their own schedule for when each Fedora release reaches EOL. You can always find out when an OS reaches EOL from the upstream project that maintains it. We also pass along any EOL notices we receive for official template OSes as a convenience to Qubes users (see the supported template releases).

The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which doesn’t have to be upgraded.

https://www.qubes-os.org/doc/templates/fedora/#upgrading:

There are two ways to upgrade your template to a new Fedora release:

• Recommended: Install a fresh template to replace the existing one. This option may be simpler for less experienced users. After you install the new template, redo all desired template modifications and switch everything that was set to the old template to the new template. You may want to write down the modifications you make to your templates so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the old Fedora template and use the dnf history command.
• Advanced: Perform an in-place upgrade of an existing Fedora template. This option will preserve any modifications you’ve made to the template, but it may be more complicated for less experienced users.

so the ISO is based on Testing or is there another reason the ISO has 6.6 but not out of testing yet?

Timing issue I would guess. It’s now available in the stable repository.

Qubes is awesome. I hope there will be a way to prevent powerhammer attacks.