Qubes OS 4.2 Signed Weekly Builds

switching sys-net to debian template fixed that for me.

Point is that this mitigation should not be needed anymore from Qubes-4.2.202308270121-x86_64.iso on, including the latest rc3

1 Like


Torrents NOT working AGAIN. Stalled!

Please open a Tribler Channel or post on i2p. If you don’t check your torrents, I will try calling you names AGAIN… remember. You deserve it!

This is a personal repo, no obligation that anything works on it, that’s the whole point of “testing”.
If you want Qubes 4.2, download the torrent file from the official website.


That would be a CoC violation with intent and announcement: instaban.

Ask nicely or do something to improve the situation yourself. Entitled foul mouths are not welcome and won’t be tolerated. This is an official warning.


Would it be possible @deeplow @marmarek for the Weekly Builds Signing Key to be signed by the (Ultimately trusted) Qubes Master Signing Key? Or any other key connected to the Qubes project?

Now that Testing new releases and updates | Qubes OS is recommended on the Qubes website, this would encourage good security practices around distrusting the infrastructure. Esp. since qubes.notset.fr distributes both the .iso files and the signing .key, and doesn’t even use HTTPS :heart:

Thank you!

It has https support.

1 Like

@qc0 I can confirm this. The redirection is not automatic on the first visit, but if you ask for HTTPS, you get it: https://qubes.notset.fr/

And HSTS is enabled, so your browser should upgrade to HTTPS automatically on subsequent visits. (source)

Note that I don’t think any of this makes your point moot! (Even if I suspect that the solution you propose may not be practical, but I’ll let folks who know, rather than suppose answer that.)

1 Like

By the QMSK? No. They are images built outwith the build infrastructure
AFAIK. fepitre has been clear about the build infrastructure and risks.
They are , however, signed by fepitre-bot.

It does use HTTPS

1 Like

okay, thank you for the thoughtful replies! FYI @fepitre the current weekly build key is not signed by fepitre-bot (the previous weekly key is, however).

clarifying the risks in the top post I think would be helpful, as would making the signing key (or its fingerprint) available on github.



1 Like

Mister Sven,
The way I look at it!
If the torrents are working I can have a test machine in 2 hours that includes test VMs and template (maybe hundreds of testers).
If Ferpitre has a Tribler channel or i2p pool, I can have a test machine in 1 hour because I can subscribe and run those networks.(maybe more than 1000 testers)
If I have to download 4-5 hours… I’m out! Same with building from scratch.
As master Yoda said: Enqule do or not do don’t send me on some road to Katin or Arheim like the brave Polak army. With sugar on top: Don’t f with good things.

You are talking about an unofficial repo. The official Qubes website offers a torrent file with seeders. You are being aggressive for no reason at all.



You are threading a fine line.

You’ve made clear that you would find convenient if other people made things convenient for you. Everybody gets that, who wouldn’t.

You are not entitled to anyone’s work, though. By participating in this forum, however, you agree to follow some rules. You’ve been reminded of the rules and given an official warning.

I know you know that everybody can make mistakes, and what’s important is to get past them. With that in mind, the right time to let go and bring the tone down is now, so we can all keep enjoying the conversation.


This post was flagged by the community and is temporarily hidden.