Qubes OS 4.2.2 has been released!

News
21

9 posts were split to a new topic: Where can the last version of Qubes R4.1.2 still be found?

29

This is not ideal, but I found a working torrent for R3.2.1 (magnet link).

I preferred to spend some time to save it now rather than when it will not be seeded anymore :confused: too bad it’s not on the mirrors.

It’s seeding from 2 extra machines now :+1:

You can verify the torrent files integrity using the qubes os PGP master key, following Verifying signatures | Qubes OS to import it.

Then you can import R3 release key gpg2 --allow-weak-key-signatures --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc and verify it was signed with the master key (it didn’t change since then).

Verify the files using gpg2 -v --verify Qubes-R3.2.1-x86_64.iso.DIGESTS. They matched the signature for me.

edit: it seems the magnet link is not working here, you can copy/paste the link below

magnet:?xt=urn:btih:be0ddcd974d28b8732b3a4dd86812a9479f84bb2&dn=Qubes-R3.2.1-x86_64&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Ftracker.torrent.eu.org%3A451&tr=http%3A%2F%2Ftracker.linuxtracker.org%3A2710%2F00000000000000000000000000000000%2Fannounce&ws=https://ftp.qubes-os.org/iso/&ws=https://mirrors.kernel.org/qubes/iso/
4 Likes
31

I still have a copy of the R3.2.1 ISO and its digital signature. Here’s the signature:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEExSJhvgqCMiHZTKHRyxHKHQP6UIIFAlvmQWAACgkQyxHKHQP6
UIKUTw//SQvoyYVl4WPlhy5nOiUgYm5nSwOrkH536+LsBe79R9JzfeJpoGTi3KTq
2MnR2PEPxUIrzdHmBogIBN1UW/tdNQCnHbDKeF1nIXUd3Gm5HL+jjnF7zjEeBPMr
j++MjD12/QVGV9tLX1ti+g11xVaV7n3LgPNPhB4fp9sqzFt8XTn2RF310iUGOsDg
FA+LMsdeNfGOwbEmltMe99owHT/OHilmWv6X7ylgOPcDRA/ombjnOSh3LAh/OvK0
U0fyJ5Ak5RYDozI7lEbFhRSoXf6gCr+yordC8VxS7WQyEOaZ0Ym7Z+YnbNEGj++7
UGPVYQg7Tu3gH+BmC2unfmkSY6PU7yA3QYRDjPOJnu+eKx61M2bUxtHlFaKFaQgU
IeteKkwHfehSB1hOZPcCuBDPOyhLiWuVR+YBfXW+wA0Q3bE1epHZUt0oRT6C/28g
cAB4oimD9VJ37oYqSEIYTdpkgicXtUBOgFpqLC459c1h40I88R42c6gOyS+gf24v
N0euyPm1OGpXk+xQ/SnYVWLaG02DB/vCd72QRVTK1VP49dKHOUTKkwwW81OG0q7Q
uhEBBt9Bcnakj6uDsJWeGz7E4+mm1SY1TegPLJZQoGvJkDr+CDIhMxv77+h6cMri
Lsec60ExXlNuKCa6zflFhJSvCl1YMVWJyQIMaZSET6mMR/ewRYY=
=q8ru
-----END PGP SIGNATURE-----

If you’d give me a location, I’d gladly upload trhe ISO file the so you could compare it to the torrent version you are working on.

32

FYI, all the ISO digests (going back all the way to Qubes OS R1) are already included in the qubes-secpack:

2 Likes
33

I verified it using Qubes OS PGP keys so it is fine.

34

Should we warn Fedora devs they still support v1 of their porduct.

1 Like
35

I guess, depending on the available resources, definition of “support” can vary, and everyone chooses their own one.

36

I agree. Until we can find written one. Otherwise, let’s not call it like that, at least (I mean let’s not use the word definition)

37

…but links to up-to-date mirrors should still be provided.

Removing the link to R4.1.2 after just some months seems to me somewhat hectic: You still can download VMS V5.5-2, which was used in 1991 and may be needed in some environments! :grin:

Removing the link to R4.1.2 currently is forcing users needing Windows with QWT support to run Windows natively, which surely is much less secure than accepting the risks posed by R4.1.2 with qsb-091 in mind.

1 Like
38

https://invidious.privacyredirect.com/embed/m7ifhsZkVes?t=207

If Woody made QWT right to the v4.2…

2 Likes
39

They already are: https://www.qubes-os.org/downloads/#mirrors

How so? 4.1.2 has already reached EOL. Why would we want to encourage users to use an unsupported release? That sounds like laying a trap for unsuspecting users to try to get them to shoot themselves in the foot.

Sure, and you can still download 4.1.2 from any of the mirrors.

That’s absolutely absurd. In no way is removing a single link (without touching the file it points to and while still leaving other links to it up) forcing users to run Windows natively (willfully ignoring the existence of all other operating systems and methods of virtualization and emulation in the world). I won’t further engage in an argument that isn’t being conducted in good faith.

40

O.K. Thank you for pointing out that the mirror still contain the previous versions.

Here you are touching on a deeper problem: Setting a software version to EOL just half a year after publication of the next version is, in my opinion, too early. In many environments, even a two-year period for upgrading to a new system version is too short (and in the government environments, which I had the ill luck to attend, even 5 years often was too short). This is made more problematic as there are still open issues with R4.2 that did not exist with R4.1.2, especially concerning Windows integration.

Now, setting something to EOL does not magically make it insecure, but the lack of further security updates gradually increases the risk of using it. So the basic question is not what to do after some version has reached EOL, but why support of older versions is terminated so quickly.

The answer to that is simple but sad: It’s the resources available to development, which are so limited in this project and have to be allocated appropriately. But adding more resources is difficult: Not only getting more money is an obstacle, but where to find motivated developers of such extremely high quality as we have now?

1 Like
41

Unfortunately, the more the time passes by, the more I agree with this, except we mean on different resources.

42

Ok so I’ve added rsyncd on content provided by https://qubes.notset.fr/. If someone wants to rsync the whole it can do:

$ rsync -av --progress rsync://qubes.notset.fr/data/
5 Likes