[qubes-users] Qubes OS 4.2.3-rc1 is available for testing

2024-09-10 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first release candidate (RC) for Qubes OS 
4.2.3 is now available for testing. This patch release aims to consolidate all 
the security patches, bug fixes, and other updates that have occurred since the 
previous stable release. Our goal is to provide a secure and convenient way for 
users to install (or reinstall) the latest stable Qubes release with an 
up-to-date ISO. The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.3?

- All security updates to date
- All bug fixes to date

For more information about the changes included in this version, see the [Qubes 
OS 4.2 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) 
and the [full list of issues completed since the previous stable 
release](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2024-03-26..2024-09-09+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. If warranted, we then issue a new RC 
that includes the fixes and repeat the process. We continue this iterative 
procedure until we're left with an RC that's good enough to be declared the 
stable release. No one can predict, at the outset, how many iterations will be 
required (and hence how many RCs will be needed before a stable release), but 
we tend to get a clearer picture of this as testing progresses.

## Testing Qubes 4.2.3-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190). The best way 
to test Qubes 4.2.3-rc1 is by performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) with the new 
ISO. We strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

As an alternative to a clean installation, there is also the option of 
performing an in-place upgrade without reinstalling. However, since Qubes 4.2.3 
is simply Qubes 4.2 inclusive of all updates to date, this amounts to simply 
using a fully-updated 4.2 installation. In a sense, then, all current 4.2 users 
who are keeping up with updates are already testing 4.2.3-rc1, but this testing 
is only partial, since it does not cover things like the installation 
procedure. 

## Reminder: new signing key for Qubes 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
 the Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page.

## What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a 
stable release, unless significant bugs are discovered in testing. RCs are 
intended for more advanced (or adventu

[qubes-users] Qubes Canary 040

2024-09-07 Thread Andrew David Wong
trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-sec

[qubes-users] XSAs released on 2024-08-13

2024-08-14 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS is *not* affected.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-460](https://xenbits.xen.org/xsa/advisory-460.html)
  - Qubes OS does not hot plug/unplug PCI devices.
- [XSA-461](https://xenbits.xen.org/xsa/advisory-461.html)
  - The practical impact with the devices Qubes OS uses for passthrough is 
limited to denial of service only.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/08/14/xsas-released-on-2024-08-13/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d3206b6e-788c-4338-837e-ef65f27c3dc4%40qubes-os.org.


[qubes-users] Qubes OS Summit 2024: Tickets now available!

2024-08-11 Thread Andrew David Wong
Dear Qubes Community,

You can now get [free 
tickets](https://vpub.dasharo.com/e/16/qubes-os-summit-2024/#tickets) to attend 
this year's [Qubes OS 
Summit](https://vpub.dasharo.com/e/16/qubes-os-summit-2024), which will be held 
from September 20 to 22 in Berlin, Germany. Tickets are available for both 
virtual and on-site attendance. Physical seating is limited, so on-site tickets 
will be granted on a first-come, first-served basis. (However, please note that 
failing to attend after obtaining an on-site ticket may prevent you from 
obtaining other on-site tickets for future events, so please refrain from 
obtaining an on-site ticket unless you're serious about joining us in person!)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/08/11/qubes-os-summit-2024-tickets-now-available/



[qubes-users] Qubes OS Summit 2024: Last call for proposals

2024-08-05 Thread Andrew David Wong
Dear Qubes Community,

As [previously 
announced](https://www.qubes-os.org/news/2024/03/13/qubes-os-summit-2024/), 
this year's [Qubes OS 
Summit](https://vpub.dasharo.com/e/16/qubes-os-summit-2024) will be held from 
September 20 to 22 in Berlin, Germany. If you would like to submit a proposal, 
the [call for participation 
(CFP)](https://cfp.3mdeb.com/qubes-os-summit-2024/cfp) closes on 2024-08-07 at 
23:59 CEST (UTC+2).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/08/05/qubes-os-summit-2024-last-call-for-proposals/



[qubes-users] Extended security support for Qubes OS 4.1 has ended

2024-08-01 Thread Andrew David Wong
Dear Qubes Community,

As [previously 
announced](https://www.qubes-os.org/news/2024/06/18/qubes-os-4-1-has-reached-end-of-life-extended-security-support-continues-until-2024-07-31/),
 extended security support for Qubes OS 4.1 has ended as of yesterday, 
2024-07-31. Qubes 4.1 will no longer receive updates of any kind, including 
security updates. We strongly recommend that any remaining Qubes 4.1 users 
[upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/) immediately.

## Recommended actions

If you're already using Qubes 4.2, then you don't have to do anything. This 
announcement doesn't affect you.

If you're still using Qubes 4.1, then you should upgrade to Qubes 4.2 
immediately. There are two ways to do this:

1. Perform a [clean 
reinstallation](https://www.qubes-os.org/doc/installation-guide/) using the 
latest stable [Qubes OS 4.2.2 ISO](https://www.qubes-os.org/downloads/).
2. Perform an [in-place upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/#in-place-upgrade).

Both of these options are covered in further detail in the [Qubes 4.1 to 4.2 
upgrade guide](https://www.qubes-os.org/doc/upgrade/4.2/). In either case, we 
strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand. If you need help, please consult our [help and 
support](https://www.qubes-os.org/support/) page.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/08/01/extended-security-support-for-qubes-os-4-1-has-ended/



[qubes-users] QSB-104: GUI-related security bugs

2024-07-30 Thread Andrew David Wong
SC
trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpa

[qubes-users] XSAs released on 2024-07-16

2024-07-16 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-458](https://xenbits.xen.org/xsa/advisory-458.html)
  - See [QSB-103](https://www.qubes-os.org/news/2024/07/16/qsb-103/)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-459](https://xenbits.xen.org/xsa/advisory-459.html)
  - Qubes OS does not use Xapi.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/07/16/xsas-released-on-2024-07-16/



[qubes-users] QSB-103: Double unlock in x86 guest IRQ handling (XSA-458)

2024-07-16 Thread Andrew David Wong
peat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for c

[qubes-users] Qubes OS 4.2.2 has been released!

2024-07-13 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the stable release of Qubes OS 4.2.2! This patch 
release aims to consolidate all the security patches, bug fixes, and other 
updates that have occurred since the previous stable release. Our goal is to 
provide a secure and convenient way for users to install (or reinstall) the 
latest stable Qubes release with an up-to-date ISO. The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.2?

- All security updates to date
- All bug fixes to date
- Included Fedora template upgraded from Fedora 39 to 40
- Fixed [#8332: File-copy qrexec service is overly 
restrictive](https://github.com/QubesOS/qubes-issues/issues/8332) (see below)

For more information about the changes included in this version, see the [Qubes 
OS 4.2 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) 
and the [full list of issues completed since the previous stable 
release](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2024-03-26..2024-06-23+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22).

### Copying and moving files between qubes is less restrictive

Qubes 4.2.2 includes a fix for [#8332: File-copy qrexec service is overly 
restrictive](https://github.com/QubesOS/qubes-issues/issues/8332). As explained 
in the issue comments, we introduced a change in Qubes 4.2.0 that caused 
inter-qube file-copy/move actions to reject filenames containing, e.g., 
non-Latin characters and certain symbols. The rationale for this change was to 
mitigate the security risks associated with unusual Unicode characters and 
invalid encoding in filenames, which some software might handle in an unsafe 
manner and which might cause confusion for users. Such a change represents a 
trade-off between security and usability.

After the change went live, we received several user reports indicating more 
severe usability problems than we had anticipated. Moreover, these problems 
were prompting users to resort to dangerous workarounds (such as packing files 
into an archive format prior to copying) that carry far more risk than the 
original risk posed by the unrestricted filenames. In addition, we realized 
that this was a backward-incompatible change that should not have been 
introduced in a minor release in the first place.

Therefore, we have decided, for the time being, to restore the original 
(pre-4.2) behavior by introducing a new `allow-all-names` argument for the 
`qubes.Filecopy` service. By default, `qvm-copy` and similar tools will use 
this less restrictive service (`qubes.Filecopy +allow-all-names`) whenever they 
detect any files that would have been blocked by the more restrictive 
service (`qubes.Filecopy +`). If no such files are detected, they will use the 
more restrictive service.

Users who wish to opt for the more restrictive 4.2.0 and 4.2.1 behavior can do 
so by modifying their RPC policy rules. To switch a single rule to the more 
restrictive behavior, change `*` in the argument column to `+` (i.e., change 
"any argument" to "only empty"). To use the more restrictive behavior globally, 
add the following "deny" rule before all other relevant rules:

```
qubes.Filecopy +allow-all-names @anyvm @anyvm deny
```

For more information, see [RPC 
policies](https://www.qubes-os.org/doc/rpc-policy/) and [Qube configuration 
interface](https://www.qubes-os.org/doc/vm-interface/#qubes-rpc).

## How to get Qubes 4.2.2

You have a few different options, depending on your situation:

- If you'd like to install Qubes OS for the first time or perform a clean 
reinstallation on an existing system, there's never been a better time to do 
so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.2.2 ISO 
and follow our [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).

- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/).

- If you're currently on Qubes 4.2 (including 4.2.0, 4.2.1, and 4.2.2-rc1), 
[update normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system essentially equivalent to the 
stable Qubes 4.2.2 release. No reinstallation or other special action is 
required.

In all cases, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes 4.2

As a reminder for those upgrading from Qubes 4.1 and earlier, we published the 
following special announcement in [Qubes

[qubes-users] Qubes OS 4.2.2-rc1 is available for testing

2024-06-27 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first release candidate (RC) for Qubes OS 
4.2.2 is now available for testing. This patch release aims to consolidate all 
the security patches, bug fixes, and other updates that have occurred since the 
previous stable release. Our goal is to provide a secure and convenient way for 
users to install (or reinstall) the latest stable Qubes release with an 
up-to-date ISO. The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.2?

- All security updates to date
- All bug fixes to date
- Included Fedora template upgraded from Fedora 39 to 40
- Fixed [#8332: File-copy qrexec service is overly 
restrictive](https://github.com/QubesOS/qubes-issues/issues/8332) (see below)

For more information about the changes included in this version, see the [Qubes 
OS 4.2 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) 
and the [full list of issues completed since the previous stable 
release](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2024-03-26..2024-06-23+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22).

### Copying and moving files between qubes is less restrictive

Qubes 4.2.2 includes a fix for [#8332: File-copy qrexec service is overly 
restrictive](https://github.com/QubesOS/qubes-issues/issues/8332). As explained 
in the issue comments, we introduced a change in Qubes 4.2.0 that caused 
inter-qube file-copy/move actions to reject filenames containing, e.g., 
non-Latin characters and certain symbols. The rationale for this change was to 
mitigate the security risks associated with unusual unicode characters and 
invalid encoding in filenames, which some software might handle in an unsafe 
manner and which might cause confusion for users. Such a change represents a 
trade-off between security and usability.

After the change went live, we received several user reports indicating more 
severe usability problems than we had anticipated. Moreover, these problems 
were prompting users to resort to dangerous workarounds (such as packing files 
into an archive format prior to copying) that carry far more risk than the 
original risk posed by the unrestricted filenames. In addition, we realized 
that this was a backward-incompatible change that should not have been 
introduced in a minor release in the first place.

Therefore, we have decided, for the time being, to restore the original 
(pre-4.2) behavior by introducing a new `allow-all-names` argument for the 
`qubes.Filecopy` service. By default, `qvm-copy` and similar tools will use 
this less restrictive service (`qubes.Filecopy+allow-all-names`) whenever they 
detect any files that would have been blocked by the more restrictive 
service (`qubes.Filecopy+`). If no such files are detected, they will use the 
more restrictive service.

Users who wish to opt for the more restrictive 4.2.0 and 4.2.1 behavior can do 
so by modifying their RPC policy rules. To switch a single rule to the more 
restrictive behavior, change `*` in the argument column to `+` (i.e., change 
"any argument" to "only empty"). To use the more restrictive behavior globally, 
add a "deny" rule for `qubes.Filecopy+allow-all-names` before all other 
relevant rules. For more information, see [RPC 
policies](https://www.qubes-os.org/doc/rpc-policy/) and [Qube configuration 
interface](https://www.qubes-os.org/doc/vm-interface/#qubes-rpc).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. If warranted, we then issue a new RC 
that includes the fixes and repeat the process. We continue this iterative 
procedure until we're left with an RC that's good enough to be declared the 
stable release. No one can predict, at the outset, how many iterations will be 
required (and hence how many RCs will be needed before a stable release), but 
we tend to get a clearer picture of this as testing progresses.

## Testing Qubes 4.2.2-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190). The best way 
to test Qubes 4.2.2-rc1 is by performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) with the ne
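
The policy change described under "Copying and moving files between qubes is less restrictive" in the 4.2.2 and 4.2.2-rc1 announcements above, worked through as an added example that is not part of the original announcements and is not Qubes code: a simplified first-match model of how the argument column (`*`, `+`, `+allow-all-names`) and rule order decide a `qubes.Filecopy` call. The qube names `work` and `vault`, the sample rules, and the deny-when-nothing-matches fallback are assumptions of this model.

```python
"""Simplified model of qrexec policy matching for qubes.Filecopy (not Qubes code)."""
from typing import List, NamedTuple


class Rule(NamedTuple):
    service: str
    argument: str  # "*" = any argument, "+" = only empty, "+name" = exactly "name"
    source: str
    target: str
    action: str


def parse_policy(text: str) -> List[Rule]:
    """Parse five-column policy lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            # Columns run together (lost whitespace) must not pass silently.
            raise ValueError(f"expected 5 whitespace-separated columns: {raw!r}")
        rules.append(Rule(*fields[:5]))
    return rules


def _argument_matches(rule_arg: str, call_arg: str) -> bool:
    # "+" + "" == "+", so a bare "+" matches only a call with no argument.
    return rule_arg == "*" or rule_arg == "+" + call_arg


def _qube_matches(rule_qube: str, qube: str) -> bool:
    return rule_qube == "@anyvm" or rule_qube == qube


def evaluate(rules, service, call_arg, source, target) -> str:
    """Return the action of the first matching rule (assumed: no match -> deny)."""
    for rule in rules:
        if (rule.service == service
                and _argument_matches(rule.argument, call_arg)
                and _qube_matches(rule.source, source)
                and _qube_matches(rule.target, target)):
            return rule.action
    return "deny"


def filecopy_decisions(policy_text, source="work", target="vault"):
    """Decision for the restrictive call and for the allow-all-names call."""
    rules = parse_policy(policy_text)
    return {
        arg: evaluate(rules, "qubes.Filecopy", arg, source, target)
        for arg in ("", "allow-all-names")
    }


# Constructed sample policies (hypothetical qubes "work" and "vault").
PERMISSIVE = """
qubes.Filecopy  *  work    vault   allow
qubes.Filecopy  *  @anyvm  @anyvm  ask
"""

# One rule switched from "*" to "+": the allow-all-names call no longer
# matches it, but it still falls through to the later "*" rule.
SINGLE_RULE_RESTRICTED = """
qubes.Filecopy  +  work    vault   allow
qubes.Filecopy  *  @anyvm  @anyvm  ask
"""

# Global opt-out: the deny rule comes before all other relevant rules.
GLOBAL_DENY = """
qubes.Filecopy  +allow-all-names  @anyvm  @anyvm  deny
qubes.Filecopy  *                 work    vault   allow
qubes.Filecopy  *                 @anyvm  @anyvm  ask
"""

# Same deny rule placed last: an earlier "*" rule matches first, so it never fires.
DENY_TOO_LATE = """
qubes.Filecopy  *                 work    vault   allow
qubes.Filecopy  +allow-all-names  @anyvm  @anyvm  deny
"""

if __name__ == "__main__":
    for name in ("PERMISSIVE", "SINGLE_RULE_RESTRICTED", "GLOBAL_DENY", "DENY_TOO_LATE"):
        print(name, filecopy_decisions(globals()[name]))
```

In this model, switching one rule to `+` tightens only that rule, so when auditing a policy file check every later rule that could still match the `allow-all-names` call.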

[qubes-users] Qubes OS 4.1 has reached end-of-life; extended security support continues until 2024-07-31

2024-06-18 Thread Andrew David Wong
Dear Qubes Community,

As [previously 
announced](https://www.qubes-os.org/news/2024/03/26/qubes-os-4-1-reaches-eol-on-2024-06-18/),
 the Qubes OS 4.1 release series has officially reached end-of-life (EOL) as of 
today, 2024-06-18. However, Qubes OS 4.1 [will continue to receive extended 
security support until 
2024-07-31](https://www.qubes-os.org/news/2024/05/10/qubes-os-4-1-to-receive-extended-support-until-2024-07-31/).
 We recommend that all remaining Qubes 4.1 users [upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/) at this time.

## Recommended actions

If you're already using Qubes 4.2, then you don't have to do anything. This 
announcement doesn't affect you.

If you're still using Qubes 4.1, then you should upgrade to Qubes 4.2 at your 
earliest convenience but no later than 2024-07-31. There are two ways to do 
this:

1. Perform a [clean 
reinstallation](https://www.qubes-os.org/doc/installation-guide/) using the 
latest stable [Qubes OS 4.2.1 ISO](https://www.qubes-os.org/downloads/).
2. Perform an [in-place upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/#in-place-upgrade).

Both of these options are covered in further detail in the [Qubes 4.1 to 4.2 
upgrade guide](https://www.qubes-os.org/doc/upgrade/4.2/). In either case, we 
strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand. If you need help, please consult our [help and 
support](https://www.qubes-os.org/support/) page.

## What does end-of-life (EOL) mean?

When a Qubes OS release reaches end-of-life (EOL), it is no longer supported. 
In the case of Qubes 4.1, this means that enhancements will no longer be added 
and non-security bugs will no longer be fixed. Security bugs will still be 
fixed until 2024-07-31, since Qubes 4.1 has [extended security 
support](https://www.qubes-os.org/news/2024/05/10/qubes-os-4-1-to-receive-extended-support-until-2024-07-31/)
 until then. After 2024-07-31, Qubes 4.1 will no longer have security support 
either, which means that it will not be supported at all.

## What is extended security support?

Extended security support means that the [Qubes security 
team](https://www.qubes-os.org/security/#qubes-security-team) will continue to 
publish [Qubes security bulletins 
(QSBs)](https://www.qubes-os.org/security/qsb/) and release security updates 
for security vulnerabilities affecting Qubes 4.1, as it deems appropriate, 
until 2024-07-31. Extended security support does *not* cover regular bug fixes, 
improvements, or the implementation of new features.

## What about patch releases?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. When a 
major or minor release reaches EOL, all of its patch releases also reach EOL. 
For example, in this case, when we say that "Qubes 4.1" (without specifying a 
`<patch>` number) has reached EOL, we're specifying a particular minor release 
inclusive of all patch releases within it. This means that Qubes 4.1.0, 4.1.1, 
and 4.1.2 have all reached EOL, since they are all patch releases of the same 
minor release.

## How are EOL dates determined?

According to our [support 
policy](https://www.qubes-os.org/doc/supported-releases/), stable Qubes OS 
releases are supported for *six months* after each subsequent [major or minor 
release](https://www.qubes-os.org/doc/version-scheme/). This means that the EOL 
date for Qubes 4.1 was set at the time Qubes 4.2 was released by adding six 
months to the Qubes 4.2 release date. Qubes 4.2.0 was [released on 
2023-12-18](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/).
 Adding six months to this date gives us 2024-06-18, which is Qubes 4.1's EOL 
date.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/06/18/qubes-os-4-1-has-reached-end-of-life-extended-security-support-continues-until-2024-07-31/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa6a7807-f957-4c12-b6fc-344aecce894b%40qubes-os.org.


[qubes-users] Qubes Canary 039

2024-06-13 Thread Andrew David Wong
   ```shell_session
   $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
   gpg: directory '/home/user/.gnupg' created
   gpg: keybox '/home/user/.gnupg/pubring.kbx' created
   gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
   gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
   gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
   gpg: Total number processed: 1
   gpg:   imported: 1
   ```

   (For more ways to obtain the QMSK, see [How to import and authenticate the 
Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FB
   ```

[qubes-users] Fedora 40 templates available

2024-06-12 Thread Andrew David Wong
Dear Qubes Community,

New Fedora 40 templates are now available for Qubes OS 4.2 in standard, 
[minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
[Xfce](https://www.qubes-os.org/doc/templates/xfce/) varieties. There are two 
ways to upgrade a template to a new Fedora release:

- *Recommended*: [Install a fresh template to replace an existing 
one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. To see a log of package manager actions, 
open a terminal in the old Fedora template and use the `dnf history` command.

- *Advanced*: [Perform an in-place upgrade of an existing Fedora 
template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

Please note:
- This announcement concerns only Qubes 4.2. Fedora 40 templates will not be 
available for Qubes 4.1.
- No user action is required regarding the OS version in dom0 (see our [note on 
dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/06/12/fedora-40-templates-available/



[qubes-users] Debian 11 (Bullseye) approaching EOL

2024-05-22 Thread Andrew David Wong
Dear Qubes Community,

The Debian Project currently 
[estimates](https://wiki.debian.org/DebianReleases) that Debian 11 (Bullseye) 
will reach EOL (end-of-life) sometime around July 2024 (approximately two 
months from now). Please upgrade all of your Debian 11 templates and 
standalones to [Debian 12 
(Bookworm)](https://www.qubes-os.org/news/2023/08/27/debian-12-templates-available/)
 by then. For general information about upgrading, see [Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).

There are two ways to upgrade a template to a new Debian release:

- *Recommended*: [Install a fresh template to replace the existing 
one.](https://www.qubes-os.org/doc/templates/debian/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. In the old Debian template, see 
`/var/log/dpkg.log` and `/var/log/apt/history.log` for logs of package manager 
actions.

- *Advanced*: [Perform an in-place upgrade of an existing Debian 
template.](https://www.qubes-os.org/doc/templates/debian/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

## Note on Qubes 4.2

Please note that Qubes 4.2 does not support Debian 11 templates (see [Supported 
releases](https://www.qubes-os.org/doc/supported-releases/#templates) and 
[Qubes OS 4.2 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/#notes)). If you 
have any Debian 11 templates on Qubes 4.2 (e.g., as a result of upgrading from 
Qubes 4.1), please upgrade them to Debian 12 immediately.

## Note on Debian LTS

Debian releases have two EOL dates: regular and [long-term support 
(LTS)](https://wiki.debian.org/LTS). See [Debian Production 
Releases](https://wiki.debian.org/DebianReleases#Production_Releases) for a 
chart that illustrates this. Qubes OS support for Debian templates ends at the 
regular EOL date, not the LTS EOL date.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/05/22/debian-11-approaching-eol/



[qubes-users] Qubes OS 4.1 to receive extended security support until 2024-07-31

2024-05-10 Thread Andrew David Wong
Dear Qubes Community,

Qubes OS 4.1 will reach official end-of-life (EOL) on 2024-06-18. After this 
date, Qubes OS 4.1 will continue to receive extended security support until 
2024-07-31. This security support extension is sponsored by [Freedom of the 
Press Foundation (FPF)](https://freedom.press/) in support of the 
[SecureDrop](https://securedrop.org/) project.

## What's happening?

According to the Qubes OS Project's [release support 
policy](https://www.qubes-os.org/doc/supported-releases/), Qubes OS releases 
are supported for six months after each subsequent [major or minor 
release](https://www.qubes-os.org/doc/version-scheme/). This means that Qubes 
4.1 will reach EOL six months after Qubes 4.2 was released. Since Qubes 4.2 was 
[released](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/)
 on 2023-12-18, Qubes 4.1 is 
[scheduled](https://www.qubes-os.org/news/2024/03/26/qubes-os-4-1-reaches-eol-on-2024-06-18/)
 to reach EOL six months later on 2024-06-18.

[SecureDrop](https://securedrop.org/) currently relies on Qubes 4.1 for the 
[SecureDrop Workstation](https://workstation.securedrop.org/). To allow for 
additional time to ensure full compatibility of the SecureDrop Workstation with 
Qubes 4.2, and to help existing users migrate, FPF has offered to sponsor an 
extension of post-EOL Qubes 4.1 security support until 2024-07-31, and the 
Qubes OS Project has agreed.

## What does extended security support cover?

The [Qubes security 
team](https://www.qubes-os.org/security/#qubes-security-team) will continue to 
publish [Qubes security bulletins 
(QSBs)](https://www.qubes-os.org/security/qsb/) and release security updates 
for security vulnerabilities affecting Qubes 4.1, as it deems appropriate, 
until 2024-07-31. Extended security support does *not* cover regular bug fixes, 
improvements, or the implementation of new features.

In short, if you currently have a Qubes 4.1 installation that serves your 
needs, you may safely continue to use it until 2024-07-31, but we strongly 
recommend [upgrading to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/) 
by that date.

## What's involved in extending security support for Qubes 4.1?

Extending support for a Qubes release is more challenging than it might seem on 
the surface. Here are some of the main considerations involved:

1. *Xen support*: Official support for Xen 4.14 has already ended, which means 
that backporting Xen-related security fixes will require more work than usual.

2. *Template support*: Qubes 4.1 supports Debian 11, which has quite old 
software. This is known to cause problems and to require workarounds (e.g., 
with `salt` and `app-u2f`). There will be no Fedora 40 template for Qubes 4.1, 
but that's okay since Fedora 39 doesn't reach EOL until November.

3. *Other dom0 software*: Qubes 4.1's dom0 is based on Fedora 32, which is now 
quite old. If we end up having to backport any fixes here (e.g., due to an RPM 
or GPG bug), it may be quite complicated.

4. *Whonix support*: Any extension of the support period for a Qubes release 
must also take into consideration Whonix support. Previously, [Whonix 16 
reached 
EOL](https://www.qubes-os.org/news/2023/12/22/whonix-16-approaching-eol/) even 
though Qubes 4.1 has not yet reached EOL. Whonix 17 did not support Qubes 4.1 
at the time, which meant users on Qubes 4.1 were at risk of being left without 
any supported way to continue using Whonix. The Whonix and Qubes teams 
successfully bridged this gap by [making Whonix 17 available on Qubes 
4.1](https://www.qubes-os.org/news/2024/02/05/whonix-17-templates-available-for-qubes-os-4-1/).
 Now, Qubes 4.1 will receive extended security support, which will require a 
commensurate extension of security support for Whonix 17 on Qubes 4.1. FPF and 
the Whonix Project have arranged for the required Whonix 17 support extension 
to be included with the Qubes 4.1 extension, so Whonix 17 security support on 
Qubes 4.1 will continue until 2024-07-31.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/05/10/qubes-os-4-1-to-receive-extended-support-until-2024-07-31/



[qubes-users] XSAs released on 2024-05-07

2024-05-08 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS is *not* affected.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-457](https://xenbits.xen.org/xsa/advisory-457.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/05/08/xsas-released-on-2024-05-07/



Re: [qubes-users] Some bugs I found?

2024-04-28 Thread Andrew David Wong
On 4/27/24 7:39 AM, ales...@magenta.de wrote:
> one bug: man page for qube-dom0-update refers to yum instead of dnf.
> 
> another bug: system went to sleep / suspend when it was in the middle of 
> downloading updates with the Qubes Update command. Not good. I have to 
> disable suspend in settings myself until it is finished.
> 
> last bug: many of my qubes are staying on 60% CPU use when they are idle. 
> This seems to be happening when they are not running any application, so 
> after they are launched at login and after I close the last application. I 
> can fix it if I restart the qube or run an app from it. But this kills my 
> battery.
> 
> First one must be for all but perhaps last two are just for me?
> 

Please see this page, which explains how to report bugs:

https://www.qubes-os.org/doc/issue-tracking/



[qubes-users] XSAs released on 2024-04-09

2024-04-10 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-455](https://xenbits.xen.org/xsa/advisory-455.html)
  - See [QSB-102](https://www.qubes-os.org/news/2024/04/10/qsb-102/)
- [XSA-456](https://xenbits.xen.org/xsa/advisory-456.html) (At the time of 
publication, this page was missing from the Xen Project website, so we are also 
including a link to the [email announcement for 
XSA-456](https://lists.xenproject.org/archives/html/xen-announce/2024-04/msg4.html).)
  - See [QSB-102](https://www.qubes-os.org/news/2024/04/10/qsb-102/)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-454](https://xenbits.xen.org/xsa/advisory-454.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/04/10/xsas-released-on-2024-04-09/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/23faf24b-9c58-48ca-a496-3635efa667ac%40qubes-os.org.


[qubes-users] QSB-102: Multiple speculative-execution vulnerabilities: Spectre-BHB, BTC/SRSO (XSA-455, XSA-456)

2024-04-10 Thread Andrew David Wong
t and authenticate the 
Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "
   ```

Re: [qubes-users] Qubes OS 4.2.1 has been released!

2024-04-02 Thread Andrew David Wong
On 4/2/24 1:20 AM, qubist wrote:
> On Mon, 1 Apr 2024 16:33:13 -0700 Andrew David Wong wrote:
> 
>> [...] to the average user [...]
> 
> Targeting abstract entities is confusing.
> 

Feel free to replace that part with "to the vast majority of users," then.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fe28f939-9cf8-4b2d-ae90-016738d29725%40qubes-os.org.


Re: [qubes-users] Qubes OS 4.2.1 has been released!

2024-04-01 Thread Andrew David Wong
On 4/1/24 2:38 PM, Demi Marie Obenour wrote:
> On Sun, Mar 31, 2024 at 03:45:29PM -0700, Andrew David Wong wrote:
>> On 3/27/24 2:57 AM, qubist wrote:
>>> On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote:
>>>
>>>> ## What's new in Qubes OS 4.2.1?
>>>>
>>>> [...]
>>>>
>>>> For more information about the changes included [...]
>>>
>>> It would be much better to have a more detailed (yet concise)
>>> changelog. It is highly unlikely that the user will read pages upon
>>> pages of issues on a bug tracker, just to find out what is new.
>>>
>>> My $0.02. :)
>>>
> 
>> The concise changelog is already present, in the part you elided. Unlike 
>> major and minor releases, the primary purpose of patch releases is not to 
>> deliver new features or enhancements worth showcasing. Rather, the primary 
>> purpose is to provide a secure and convenient way for users to install (or 
>> reinstall) the latest stable Qubes release with an up-to-date ISO.
> 
>> Imagine if we had a major or minor release, then we didn't have any further 
>> releases for a year. Users who wanted to (re)install Qubes would have to use 
>> a year-old ISO, then immediately catch up on a year's worth of updates, 
>> which could take quite a long time. Moreover, any bugs that affected the 
>> installation or initial update processes themselves might be complete 
>> blockers for some users. A security vulnerability in the update mechanism 
>> could make that initial update risky.
> 
>> The purpose of these patch releases is mainly just to move up the "starting 
>> point" so that fresh installations don't have as far to "catch up" before 
>> they're on par with existing, regularly-updated installations. That's why 
>> the main summary of changes is just "all the routine updates you would've 
>> gotten if you had installed 4.2.0 and kept it up to date." Some of these 
>> routine updates will be of interest to some users while being of no interest 
>> at all to most other users. There should rarely be any that are of interest 
>> to *all* users. (Those should usually go in major or minor releases instead.)
> 
> With the obvious exception of security patches.

It occurred to me after I sent this that someone would probably point this out. 
Yes, but we already make a separate announcement for each and every QSB, so it 
would be somewhat redundant to repeat that in every patch release announcement. 
I'm not sure why listing the exact QSB patches included in a given patch 
release would be more useful to the average user than just saying "includes all 
security patches to date" (which is entailed by "includes all updates to date").

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/01ec459d-876c-46e3-88de-3ef2640a00c4%40qubes-os.org.


Re: [qubes-users] Qubes OS 4.2.1 has been released!

2024-03-31 Thread Andrew David Wong
On 3/27/24 2:57 AM, qubist wrote:
> On Tue, 26 Mar 2024 14:46:12 -0700 Andrew David Wong wrote:
> 
>> ## What's new in Qubes OS 4.2.1?
>>
>> [...]
>>
>> For more information about the changes included [...]
> 
> It would be much better to have a more detailed (yet concise)
> changelog. It is highly unlikely that the user will read pages upon
> pages of issues on a bug tracker, just to find out what is new.
> 
> My $0.02. :)
> 

The concise changelog is already present, in the part you elided. Unlike major 
and minor releases, the primary purpose of patch releases is not to deliver new 
features or enhancements worth showcasing. Rather, the primary purpose is to 
provide a secure and convenient way for users to install (or reinstall) the 
latest stable Qubes release with an up-to-date ISO.

Imagine if we had a major or minor release, then we didn't have any further 
releases for a year. Users who wanted to (re)install Qubes would have to use a 
year-old ISO, then immediately catch up on a year's worth of updates, which 
could take quite a long time. Moreover, any bugs that affected the installation 
or initial update processes themselves might be complete blockers for some 
users. A security vulnerability in the update mechanism could make that initial 
update risky.

The purpose of these patch releases is mainly just to move up the "starting 
point" so that fresh installations don't have as far to "catch up" before 
they're on par with existing, regularly-updated installations. That's why the 
main summary of changes is just "all the routine updates you would've gotten if 
you had installed 4.2.0 and kept it up to date." Some of these routine updates 
will be of interest to some users while being of no interest at all to most 
other users. There should rarely be any that are of interest to *all* users. 
(Those should usually go in major or minor releases instead.)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1aa33712-c69f-47e6-ba8b-63552559d326%40qubes-os.org.


Re: [qubes-users] Star Labs StarBook certified with intel only?

2024-03-26 Thread Andrew David Wong
On 3/25/24 11:25 AM, 'జిందం వాఐి' via qubes-users wrote:
> * i see an option to purchase
> laptop for amd also on their
> website
> * is this certified with only
> intel?
> 

As far as I know, that's correct, but you should check with Star Labs to be 
sure. The original certification announcement listed the certified 
configuration options at the time:

https://www.qubes-os.org/news/2024/01/10/starlabs-starbook-qubes-certified/

As you can see, only Intel processors are listed. I'm not personally aware of 
any changes since then, but when it comes to Qubes-certified hardware, you 
should always consult the vendor's website for the latest information.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7b434b32-7486-4115-aa4c-48b081960837%40qubes-os.org.


[qubes-users] Qubes OS 4.1 reaches EOL on 2024-06-18

2024-03-26 Thread Andrew David Wong
Dear Qubes Community,

Qubes OS 4.1 is scheduled to reach end-of-life (EOL) on 2024-06-18, 
approximately three months from the date of this announcement.

## Recommended actions

If you're already using Qubes 4.2, then you don't have to do anything. This 
announcement doesn't affect you.

If you're still using Qubes 4.1, then now is the perfect opportunity to 
upgrade, since a brand new [Qubes OS 4.2.1 ISO was just released 
today](https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/)!
 (This is also the best way to get started with Qubes if you don't have it 
installed yet.)

If you'd prefer not to reinstall, you can instead perform an [in-place upgrade 
from Qubes 4.1 to 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/#in-place-upgrade).

Whichever option you choose, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand and ensuring you're on Qubes 4.2 by 2024-06-18.

## What does end-of-life (EOL) mean?

When a Qubes OS release reaches end-of-life (EOL), it is no longer supported. 
This means that bugs discovered in that release will no longer be fixed, and 
enhancements will no longer be added. Most importantly, releases that have 
reached EOL no longer receive security updates, which is why it's critically 
important to upgrade to a supported release.

## What about patch releases?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. When a 
major or minor release reaches EOL, all of its patch releases also reach EOL. 
For example, in this case, when we say that "Qubes 4.1" (without specifying a 
`<patch>` number) is approaching EOL, we're specifying a particular minor 
release, inclusive of all patch releases within it. This means that Qubes 
4.1.0, 4.1.1, and 4.1.2 will all reach EOL at the same time (on 2024-06-18), 
since they are all just patch releases of the same minor release.

## How are EOL dates determined?

According to our [support 
policy](https://www.qubes-os.org/doc/supported-releases/), stable Qubes OS 
releases are supported for six months after each subsequent [major or minor 
release](https://www.qubes-os.org/doc/version-scheme/). This means that Qubes 
4.1 reaches EOL six months after Qubes 4.2 was released. Since Qubes 4.2.0 was 
[released on 
2023-12-18](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/),
 Qubes 4.1's EOL date is six months later, on 2024-06-18.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/26/qubes-os-4-1-reaches-eol-on-2024-06-18/

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e20b8fa-8d37-485c-b747-8cf51010e31f%40qubes-os.org.


[qubes-users] Qubes OS 4.2.1 has been released!

2024-03-26 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the stable release of Qubes OS 4.2.1! This [patch 
release](#what-is-a-patch-release) aims to consolidate all the security 
patches, bug fixes, and other updates that have occurred since the release of 
Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to 
install (or reinstall) the latest stable Qubes release with an up-to-date ISO. 
The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes OS 4.2.1?

Qubes 4.2.1 includes numerous updates over the initial 4.2.0 release, in 
particular:

- All 4.2 dom0 updates to date
- Fedora 39 template
- Linux 6.6.x as the default kernel, significantly reducing the need for 
`kernel-latest` on newer systems

For more information about the changes included in this version, see the [full 
list of issues completed since the release of 
4.2.0](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).

## How to get Qubes OS 4.2.1

You have a few different options, depending on your situation:

- If you'd like to install Qubes OS for the first time or perform a clean 
reinstallation on an existing system, there's never been a better time to do 
so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.2.1 ISO 
and follow our [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).

- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/).

- If you're currently on Qubes 4.2 (including 4.2.0 and 4.2.1-rc1), [update 
normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system essentially equivalent to the 
stable Qubes 4.2.1 release. No reinstallation or other special action is 
required.

In all cases, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
 the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page.

## What is a patch release?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we 
refer to releases that increment the third number as "patch releases." A patch 
release does not designate a separate, new major or minor release of Qubes OS. 
Rather, it designates its respective major or minor release (in this case, 4.2) 
inclusive of all updates up to a certain point. (See [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive 
list of major and minor releases.) Installing the initial Qubes 4.2.0 release 
and fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in 
essentially the same system as installing Qubes 4.2.1. You can learn more about 
how Qubes release versioning works in the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.


This announcement 

[qubes-users] Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)

2024-03-25 Thread Andrew David Wong
he 
Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Doc
   ```

[qubes-users] Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)

2024-03-18 Thread Andrew David Wong
 Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Doc
   ```
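
Added example (not part of the original announcements and not Qubes project code): a scripted form of the fingerprint comparison in steps 2 and 3 of the QSB verification procedure quoted in the messages above. The function names, the constructed `--with-colons` sample, and the rule of requiring at least two out-of-band sources are assumptions made for this illustration.

```shell
#!/bin/sh
# Compare the fingerprint of an imported key with fingerprints that were
# collected out-of-band. All function names here are hypothetical.

# QMSK fingerprint exactly as printed by `fpr` in the session on this page.
PAGE_QMSK_FPR='427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494'

# Constructed sample of `gpg --with-colons --fingerprint` output for the key,
# embedded so the parsing logic can be exercised without a keyring.
SAMPLE_COLONS='pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:'

# Print a fingerprint as 40 uppercase hex digits, or fail.
# Accepts spaced groups, lower case, and an optional 0x prefix.
# Anything shorter (for example a 16-digit key ID) is rejected, because a
# key ID is not a sufficient basis for authenticating a key.
normalize_fpr() {
    nf=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    nf=${nf#0X}
    case $nf in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#nf}" -eq 40 ] || return 1
    printf '%s\n' "$nf"
}

# Read a colon listing on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub"            { seen_pub = 1; next }
        seen_pub && $1 == "fpr" { print $10; found = 1; exit }
        END                    { exit (found ? 0 : 1) }
    '
}

# $1 = fingerprint of the imported key, $2.. = fingerprints from independent
# sources. Returns 0 only if every source matches, 1 on any mismatch, and
# 2 on malformed input or fewer than two sources (assumed minimum).
check_fpr_sources() {
    [ "$#" -ge 3 ] || { echo "need at least two independent sources" >&2; return 2; }
    cfs_imported=$(normalize_fpr "$1") || { echo "imported fingerprint is malformed" >&2; return 2; }
    shift
    for cfs_src in "$@"; do
        cfs_norm=$(normalize_fpr "$cfs_src") || { echo "malformed source fingerprint: $cfs_src" >&2; return 2; }
        if [ "$cfs_norm" != "$cfs_imported" ]; then
            echo "MISMATCH against source: $cfs_src" >&2
            return 1
        fi
    done
    return 0
}

# Live use against the local keyring (requires gpg; not run automatically):
#   verify_imported_key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494 "$fpr_a" "$fpr_b"
verify_imported_key() {
    vik_fpr=$(gpg --with-colons --fingerprint "$1" | primary_fpr_from_colons) || return 2
    shift
    check_fpr_sources "$vik_fpr" "$@"
}
```

The comparison is only as strong as the sources fed into it: fingerprints copied from this page or from the same website count as one source, not several.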

[qubes-users] Qubes OS 4.2.1-rc1 is available for testing

2024-03-16 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.1 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). This [patch 
release](#what-is-a-patch-release) aims to consolidate all the security 
patches, bug fixes, and other updates that have occurred since the release of 
Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to 
install (or reinstall) the latest stable Qubes release with an up-to-date ISO. 
The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page. For more 
information about the changes included in this version, see the [full list of 
issues completed since the release of 
4.2.0](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. If warranted, we then issue a new RC 
that includes the fixes and repeat the process. We continue this iterative 
procedure until we're left with an RC that's good enough to be declared the 
stable release. No one can predict, at the outset, how many iterations will be 
required (and hence how many RCs will be needed before a stable release), but 
we tend to get a clearer picture of this as testing progresses. Here is the 
latest update:

At this point, we expect the stable release sometime around 2024-03-25.

## Testing Qubes 4.2.1-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190). The best way 
to test Qubes 4.2.1-rc1 is by performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) with the new 
ISO. We strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

As an alternative to a clean installation, there is also the option of 
performing an in-place upgrade without reinstalling. However, since Qubes 4.2.1 
is simply Qubes 4.2.0 inclusive of all updates to date, this amounts to simply 
using a fully-updated 4.2.0 installation. In a sense, then, all current 4.2.0 
users who are keeping up with updates are already testing 4.2.1-rc1, but this 
testing is only partial, since it does not cover things like the installation 
procedure. 

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page under the Qubes 
OS 4.2.0-rc5 ISO.

## What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a 
stable release, unless significant bugs are discovere

[qubes-users] Qubes OS Summit 2024: September 20-22 in Berlin

2024-03-13 Thread Andrew David Wong
Dear Qubes Community,

In conjunction with [3mdeb](https://3mdeb.com/), the sixth edition of our Qubes 
OS Summit will be held live this year from September 20 to 22 in Berlin, 
Germany! For more information about this event, please see: 


If you would like to submit a proposal, the Call for Participation (CFP) is 
open until August 5: 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/13/qubes-os-summit-2024/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b9b4b9d7-7283-44c0-b1db-fe4264d71f6e%40qubes-os.org.


[qubes-users] XSAs released on 2024-03-12

2024-03-13 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-452](https://xenbits.xen.org/xsa/advisory-452.html)
  - See [QSB-101](https://www.qubes-os.org/news/2024/03/13/qsb-101/)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-453](https://xenbits.xen.org/xsa/advisory-453.html)
  - The Qubes security team concurs with the Xen security team's assessment in 
    the "VULNERABLE SYSTEMS" section of XSA-453.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/13/xsas-released-on-2024-03-12/



[qubes-users] QSB-101: Register File Data Sampling (XSA-452)

2024-03-13 Thread Andrew David Wong
the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.

   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c

[qubes-users] Qubes Canary 038

2024-03-11 Thread Andrew David Wong
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.

   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qub

Re: [qubes-users] 80x24 geometry used by qvm-console-dispvm

2024-03-06 Thread Andrew David Wong
On 3/6/24 10:37 AM, qubist wrote:
> On Wed, 6 Mar 2024 18:14:53 +0100 Marek Marczykowski-Górecki wrote:
> 
>> The way that console works does not support sending information about
>> window size (changes).
> 
> Do I understand correctly there is no way to change it and it is
> impossible, hence not planned?
> 
> 
>> You must subscribe to qubes-devel mailing list to post there.
> 
> I am subscribed. I was subscribed at the time of posting it, yet it was
> explicitly rejected:
> 
> On Tue, 05 Mar 2024 14:26:01 -0800 Google Groups wrote:
> 
>> Google Groups (https://groups.google.com/d/overview)
>>
>> Unfortunately, your recent post to the qubes-devel  
>> (https://groups.google.com/d/forum/qubes-devel) group
>> was rejected by a group owner or manager.
>>
>> Message from the group owner or manager:
>> Your message to the qubes-devel group has been rejected. For more  
>> information, please see:
>>
>> https://www.qubes-os.org/support/
>>
>> You may wish to send your message to the qubes-users mailing list
>> instead:
>>
>> https://www.qubes-os.org/support/#qubes-users
>>
>> Possible reasons your post was rejected include:
>> * Your post was more relevant to a different group or conversation.
>> * Your post did not conform to the posting guidelines of this
>>   group.
>> * Your post needs more information.
>>
>> Google Groups allows you to create and participate in online forums
>> and email-based groups with a rich community experience. You can also
>> use your Group to share documents, pictures, calendars, invitations,
>> and other resources.
>>
>>
>> Visit Google Groups Help Center at  
>> https://support.google.com/groups/answer/46601?hl=en.
> 

I rejected it, because although it contains a "Why did you implement XYZ this 
way...?" question, the rest of the message implies a "How do I...?" request for 
help or support.



[qubes-users] Qubes-certified NovaCustom NV41 Series laptop now available with Heads firmware

2024-03-03 Thread Andrew David Wong
Dear Qubes Community,

Last year, we 
[announced](https://www.qubes-os.org/news/2023/05/03/novacustom-nv41-series-qubes-certified/)
that the [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) 
became a [Qubes-certified 
computer](https://www.qubes-os.org/doc/certified-hardware) for Qubes OS 4. We 
noted in the announcement that the NV41 Series came with 
[Dasharo](https://www.dasharo.com/) [coreboot](https://www.coreboot.org/) 
open-source firmware.

We are now pleased to announce that the NV41 Series is also available with 
[Heads firmware](https://osresearch.net/). When you [configure your NV41 
Series](https://novacustom.com/product/nv41-series/), you can now choose either 
Dasharo coreboot+EDK-II (default) or Dasharo coreboot+Heads for the firmware. 
Both options are certified for Qubes OS 4. This makes the NV41 Series the first 
modern Qubes-certified computer available with Heads!

Current NV41 Series owners who wish to change from Dasharo coreboot+EDK-II to 
the Heads firmware version can [buy the Dasharo Entry 
Subscription](https://novacustom.com/product/dasharo-entry-subscription/) for 
an easy transition to Heads.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/03/03/novacustom-nv41-series-with-heads-certified/



[qubes-users] XSAs released on 2024-02-27

2024-02-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-451](https://xenbits.xen.org/xsa/advisory-451.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/27/xsas-released-on-2024-02-27/



Re: [qubes-users] Where do I verify the gpg key? Do the docs need updating?

2024-02-16 Thread Andrew David Wong
On 2/16/24 12:38 PM, Allen Schultz wrote:
> Hi,
> 
> I'm trying to verify the key I downloaded from the Qubes Download page. 
> According to the documentation on the Verifying Signatures, it looks like 
> there may be a discrepancy between the two.
> 
> The site says the key is:
> 
> 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
> and I have the following:
> 
>  ~  which gpg  
> /usr/bin/gpg
>  ~  ls -al /usr/bin/gpg 
> -rwxr-xr-x 1 root root 1151616 Nov 28 14:24 /usr/bin/gpg
>  ~  ls -al /usr/bin/gpg2
> lrwxrwxrwx 1 root root 3 Nov 28 14:24 /usr/bin/gpg2 -> gpg
>  ~  gpg --import ~/Downloads/ISOs/qubes-release-4.2-signing-key.asc 
> gpg: key 0xE022E58F8E34D89F: 1 signature not checked due to a missing key
> gpg: key 0xE022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" 
> imported
> gpg: Total number processed: 1
> gpg:   imported: 1
> gpg: marginals needed: 3  completes needed: 1  trust model: pgp
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: next trustdb check due at 2025-01-04
>  ~  gpg --fingerprint Qubes
> pub   rsa4096/0xE022E58F8E34D89F 2022-10-04 [SC]
>   Key fingerprint = 9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F
> uid   [ unknown] Qubes OS Release 4.2 Signing Key
> 
> Any help will be appreciated.
> 
> Thank you.
> 

You downloaded only the Qubes 4.2 release signing key (RSK), not the Qubes 
Master Signing Key (QMSK). Please carefully read and follow this section:

https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key

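The reply above turns on the difference between the Qubes Master Signing Key (QMSK) and a release signing key that the QMSK certifies. The following is an added example, not part of the original thread or the Qubes documentation: a shell script that classifies a key from `gpg --with-colons --check-sigs` output against a pinned QMSK fingerprint. The function names, verdict strings and sample listings are constructed for illustration; the two fingerprints are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell the Qubes Master Signing Key (QMSK)
# apart from a key that is merely certified by it, using the machine-readable
# output of `gpg --with-colons --check-sigs`.

# QMSK fingerprint as quoted in the thread. Pin it only after authenticating it
# out-of-band; every verdict below is only as trustworthy as this value.
QMSK_FPR="427F11FD0FAA4B080123F01CDDFA1A3E36879494"

# Constructed, abbreviated colon-format listings (timestamps are made up).
# Case 1: release key checked while the QMSK is absent from the keyring
# ("1 signature not checked due to a missing key"): sig validity is "?".
RSK_QMSK_MISSING='pub:-:4096:1:E022E58F8E34D89F:1664841600:::-:::scSC:
fpr:::::::::9C884DF3F81064A569A4A9FAE022E58F8E34D89F:
uid:-::::1664841600::::Qubes OS Release 4.2 Signing Key:
sig:!::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:
sig:?::1:DDFA1A3E36879494:1664841700::::[User ID not found]:10x:'

# Case 2: the same key after the QMSK was imported: gpg verified the signature.
RSK_QMSK_PRESENT='pub:f:4096:1:E022E58F8E34D89F:1664841600:::-:::scSC:
fpr:::::::::9C884DF3F81064A569A4A9FAE022E58F8E34D89F:
uid:f::::1664841600::::Qubes OS Release 4.2 Signing Key:
sig:!::1:E022E58F8E34D89F:1664841600::::Qubes OS Release 4.2 Signing Key:13x:
sig:!::1:DDFA1A3E36879494:1664841700::::Qubes Master Signing Key:10x:'

# Case 3: the QMSK itself.
QMSK_ITSELF='pub:u:4096:1:DDFA1A3E36879494:1270080000:::u:::scSC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:u::::1270080000::::Qubes Master Signing Key:
sig:!::1:DDFA1A3E36879494:1270080000::::Qubes Master Signing Key:13x:'

# normalize_fpr STRING: strip whitespace and an optional 0x prefix, uppercase,
# and print the result only if it is exactly 40 hex digits.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in 0x*|0X*) fpr=${fpr#??} ;; esac
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# primary_fpr: read a colon listing on stdin, print the first primary-key
# fingerprint (field 10 of the fpr record that follows the pub record).
primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }'
}

# classify_key LISTING PINNED_FPR prints one of:
#   is-qmsk                   primary fingerprint equals the pinned one
#   certified-by-qmsk         gpg verified ("!") a signature made by the QMSK
#   qmsk-signature-unchecked  a QMSK signature exists but gpg could not check it
#   qmsk-signature-bad        a QMSK signature failed verification
#   no-qmsk-signature         nothing links this key to the QMSK
classify_key() {
    listing=$1
    pinned=$(normalize_fpr "$2") || { echo "bad-pin"; return 0; }
    primary=$(printf '%s\n' "$listing" | primary_fpr)
    if [ "$primary" = "$pinned" ]; then
        echo "is-qmsk"
        return 0
    fi
    printf '%s\n' "$listing" | awk -F: -v pin="$pinned" '
        BEGIN { keyid = substr(pin, 25) }        # long key ID = last 16 digits
        $1 == "pub" { if (++npub > 1) exit }     # judge the first key only
        # Field 5 is the signer key ID; field 13, when gpg fills it in, is the
        # signer fingerprint and must then match the pin exactly.
        $1 == "sig" && $5 == keyid && ($13 == "" || $13 == pin) {
            s = substr($2, 1, 1)
            if (s == "!") good = 1
            else if (s == "?" || s == "") unchecked = 1
            else bad = 1
        }
        END {
            if (good) print "certified-by-qmsk"
            else if (bad) print "qmsk-signature-bad"
            else if (unchecked) print "qmsk-signature-unchecked"
            else print "no-qmsk-signature"
        }'
}

# Demo over the constructed listings.
for name in RSK_QMSK_MISSING RSK_QMSK_PRESENT QMSK_ITSELF; do
    eval "sample=\$$name"
    printf '%-18s %s\n' "$name" "$(classify_key "$sample" "$QMSK_FPR")"
done
```

A `qmsk-signature-unchecked` verdict corresponds to the situation in the thread: the release signing key was imported on its own, so its fingerprint cannot match the QMSK fingerprint and the QMSK's signature on it cannot be checked until the QMSK itself has been imported and authenticated.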


[qubes-users] Re: Fedora 39 templates available; Fedora 38 approaching EOL

2024-02-14 Thread Andrew David Wong
On 2/13/24 4:17 AM, Andrew David Wong wrote:
> Dear Qubes Community,
> 
> New Fedora 39 templates are now available in standard, 
> [minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
> [Xfce](https://www.qubes-os.org/doc/templates/xfce/) varieties. In addition, 
> Fedora 38 is currently 
> [scheduled](https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html)
> to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
> 2024-05-14 (approximately three months from now). Please upgrade all of your 
> Fedora templates and standalones by that date. For more information, see 
> [Upgrading to avoid 
> EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).
> 
> There are two ways to upgrade a template to a new Fedora release:
> 
> - *Recommended*: [Install a fresh template to replace an existing 
> one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
> may be simpler for less experienced users.* After you install the new 
> template, redo all desired template modifications and [switch everything that 
> was set to the old template to the new 
> template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
> write down the modifications you make to your templates so that you remember 
> what to redo on each fresh install. To see a log of package manager actions, 
> open a terminal in the old Fedora template and use the `dnf history` command.
> 
> - *Advanced*: [Perform an in-place upgrade of an existing Fedora 
> template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
> This option will preserve any modifications you've made to the template, *but 
> it may be more complicated for less experienced users.*
> 
> Please note that no user action is required regarding the OS version in dom0 
> (see our [note on dom0 and 
> EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).
> 

## Special note on updating Fedora 39 templates on Qubes 4.1

In order to update Fedora 39 templates on Qubes 4.1, the default management 
disposable template (`default-mgmt-dvm`) must also be based on a Fedora 39 
template. Here is the recommended order of events:

1. [Install](https://www.qubes-os.org/doc/templates/fedora/#installing) a fresh 
Fedora 39 template.
2. [Switch](https://www.qubes-os.org/doc/templates/#switching) 
`default-mgmt-dvm` to the new Fedora 39 template.
3. [Update](https://www.qubes-os.org/doc/how-to-update/) the Fedora 39 template.

By default, this applies only to Qubes 4.1, since the default update mechanism 
in Qubes 4.2 no longer relies on Salt. (However, if you have configured your 
Qubes 4.2 system so that it uses Salt for updates, then this still applies to 
you.)

> 
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2024/02/13/fedora-39-templates-available-fedora-38-approaching-eol/



[qubes-users] Fedora 39 templates available; Fedora 38 approaching EOL

2024-02-13 Thread Andrew David Wong
Dear Qubes Community,

New Fedora 39 templates are now available in standard, 
[minimal](https://www.qubes-os.org/doc/templates/minimal/), and 
[Xfce](https://www.qubes-os.org/doc/templates/xfce/) varieties. In addition, 
Fedora 38 is currently 
[scheduled](https://fedorapeople.org/groups/schedule/f-38/f-38-key-tasks.html) 
to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
2024-05-14 (approximately three months from now). Please upgrade all of your 
Fedora templates and standalones by that date. For more information, see 
[Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).

There are two ways to upgrade a template to a new Fedora release:

- *Recommended*: [Install a fresh template to replace an existing 
one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. To see a log of package manager actions, 
open a terminal in the old Fedora template and use the `dnf history` command.

- *Advanced*: [Perform an in-place upgrade of an existing Fedora 
template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

Please note that no user action is required regarding the OS version in dom0 
(see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/13/fedora-39-templates-available-fedora-38-approaching-eol/



[qubes-users] Whonix 17 templates available for Qubes OS 4.1

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

Until now, Whonix 17 has been available only on Qubes OS 4.2. Since [Whonix 16 
reached EOL (end-of-life) on 
2024-01-18](https://www.qubes-os.org/news/2023/12/22/whonix-16-approaching-eol/),
this left users still on Qubes OS 4.1 without a supported way to use Whonix. 
In an effort to accommodate this group of users, the Whonix and Qubes teams 
have now made Whonix 17 available for Qubes OS 4.1.

There are two ways to upgrade to Whonix 17 on Qubes OS 4.1:

- *Recommended*: [Install fresh Whonix templates to replace the existing 
ones.](https://www.whonix.org/wiki/Qubes/Install) After you install the new 
templates, redo all desired template modifications and [switch everything that 
was set to the old templates to the new 
templates](https://www.qubes-os.org/doc/templates/#switching).

- *Advanced*: Perform an [in-place upgrade from Whonix 16 to Whonix 
17](https://www.whonix.org/wiki/Release_Upgrade_16_to_17). This option will 
preserve any modifications you've made to the templates, *but it may be more 
complicated for less experienced users.*

If you wish, you also still have the option of performing a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) of [Qubes OS 
4.2.0](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/),
 which comes with Whonix 17 templates preinstalled (if selected during 
installation).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/whonix-17-templates-available-for-qubes-os-4-1/



[qubes-users] XSAs released on 2024-01-30

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-449](https://xenbits.xen.org/xsa/advisory-449.html)
  - See [QSB-100](https://www.qubes-os.org/news/2024/01/30/qsb-100/).

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-450](https://xenbits.xen.org/xsa/advisory-450.html)
  - Affects only builds with HVM support disabled

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/xsas-released-on-2024-01-30/



[qubes-users] XSAs released on 2024-01-22

2024-02-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-448](https://xenbits.xen.org/xsa/advisory-448.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2024/02/05/xsas-released-on-2024-01-22/



[qubes-users] QSB-099: Qrexec policy leak via policy.RegisterArgument service

2024-01-18 Thread Andrew David Wong
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`gpg: Good signature from...` followed by an appropriate key. The `[full]` 
indicates full trust, which this key i
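
A scripted form of the check in step 7, as an added example that is not part of the original announcement or the Qubes project's own tooling: it reads GnuPG's machine-readable status lines (which `git verify-tag --raw` prints to standard error) instead of matching the `Good signature` text, and it also requires a pinned fingerprint and full or ultimate trust. The function names and the sample status lines are constructed for illustration; the fingerprint is the one shown in the sample output above.

```shell
#!/bin/sh
# Added example (not Qubes project code): accept a signed tag only when GnuPG
# reports a good signature, from the pinned key, with full or ultimate trust.

# Fingerprint taken from the sample `git tag -v` output above. In practice,
# pin a fingerprint you have authenticated yourself.
SECPACK_FPR="2D1771FE4D767EDC76B089FAD655A4F21830E06A"

# check_sig_status EXPECTED_FPR   (GnuPG status lines on stdin)
# Returns 0 only if every condition holds; prints the reason either way.
check_sig_status() {
    # Normalise "2d17 71fe ..." style input to 40 upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # The last VALIDSIG field is the primary-key fingerprint (GnuPG 2.x).
        # If it is absent, the comparison below fails and the tag is rejected.
        $2 == "VALIDSIG" { valid++; fpr = toupper($NF) }
        # TRUST_FULLY / TRUST_ULTIMATE correspond to [full] / [ultimate].
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            if (bad) { print "REJECT: bad, expired or revoked signature"; exit 1 }
            if (good != 1 || valid != 1) {
                print "REJECT: expected exactly one valid signature"; exit 1
            }
            if (fpr != want) { print "REJECT: signed by unexpected key " fpr; exit 1 }
            if (!trusted) { print "REJECT: signing key lacks full trust"; exit 1 }
            print "OK: good signature from " fpr
        }'
}

# verify_tag REPO_DIR TAG EXPECTED_FPR
# Status lines arrive on stderr; the human-readable stdout is discarded.
verify_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | check_sig_status "$3"
}

# Constructed status lines (not captured output) so the logic can be tried
# offline: sample_status FPR TRUST_KEYWORD
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG $(printf '%s' "$1" | cut -c25-40) constructed user ID" \
        "[GNUPG:] VALIDSIG $1 2023-03-02 1677757924 0 4 0 1 10 00 $1" \
        "[GNUPG:] $2 0 pgp"
}

# Usage: sh this-script.sh REPO_DIR TAG FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_tag "$1" "$2" "$3"
fi
```

A signature that is cryptographically good but made by a key with no trust path to the QMSK still prints `Good signature`; here it is rejected because no `TRUST_FULLY` or `TRUST_ULTIMATE` line is present.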

[qubes-users] The Star Labs StarBook is Qubes-certified!

2024-01-10 Thread Andrew David Wong
Dear Qubes Community,

It is our pleasure to announce that the [Star Labs 
StarBook](https://starlabs.systems/pages/starbook) is [officially 
certified](https://www.qubes-os.org/doc/certified-hardware/) for Qubes OS 
Release 4!

## The Star Labs StarBook

The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch 
laptop featuring open-source coreboot and EDK II firmware. In addition, the 
StarBook is currently the *only* Qubes-certified computer with out-of-the-box 
support for `qubes-fwupdmgr`, a new feature in Qubes OS 4.2 that allows Qubes 
OS to securely update the computer's firmware.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)

The Qubes developers have tested and certified the following StarBook 
configuration options for Qubes OS 4.X:

| Component        | Qubes-certified options                          |
| ---------------- | ------------------------------------------------ |
| Processor        | 13th Generation Intel Core i3-1315U or i7-1360P  |
| Memory           | 8 GB, 16 GB, 32 GB, or 64 GB RAM                 |
| Storage          | 512 GB, 1 TB, or 2 TB SSD                        |
| Graphics         | Intel (integrated graphics)                      |
| Networking       | Intel Wi-Fi 6 AX210 (no built-in wired Ethernet) |
| Firmware         | coreboot 8.97 (2023-10-03)                       |
| Operating system | Qubes OS (pre-installation optional)             |

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_top.png)](https://starlabs.systems/pages/starbook)

The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD 
resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. 
The backlit keyboard is available in US English, UK English, French, German, 
Nordic, and Spanish layouts.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_side.png)](https://starlabs.systems/pages/starbook)

The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, 
and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo 
jack, and a DC jack for charging. For more information, see the official [Star 
Labs StarBook](https://starlabs.systems/pages/starbook) page.

[![Photo of Star Labs 
StarBook](https://www.qubes-os.org/attachment/posts/starlabs-starbook_back.png)](https://starlabs.systems/pages/starbook)

## Special note regarding the need for `kernel-latest` on Qubes OS 4.1

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. If you purchase a StarBook with Qubes OS 4.2 
preinstalled, you don't have to worry about this, as Qubes OS 4.2 is confirmed 
to work with the default kernel option and does not require `kernel-latest`. 
However, if you plan to install Qubes OS 4.1 on the StarBook, please be aware 
that you will have to select this non-default option.

## About Star Labs

In short, we're just a bunch of geeks. Back in 2016, Star Labs was formed in a 
pub. We all depended on using Linux, all with different laptops and all with 
different complaints about them. It always perplexed us that a laptop had never 
been made specifically for Linux. Whilst many had been "converted" to run Linux 
- they seldom offered the experience that macOS and Windows users had. So, 
after a few pints, we decided to make one. [Read the full story on the Star 
Labs website.](https://us.starlabs.systems/pages/about-us)

## What is Qubes-certified hardware?

[Qubes-certified hardware](https://www.qubes-os.org/doc/certified-hardware/) is 
hardware that has been certified by the Qubes developers as compatible with a 
specific [major release](https://www.qubes-os.org/doc/version-scheme/) of Qubes 
OS. All Qubes-certified devices are available for purchase with Qubes OS 
preinstalled. Beginning with Qubes 4.0, in order to achieve certification, the 
hardware must satisfy a rigorous set of [requirements], and the vendor must 
commit to offering customers the very same configuration (same motherboard, 
same screen, same BIOS version, same Wi-Fi module, etc.) for at least one year.

[Qubes-certified 
computers](https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-computers)
 are specific models that are regularly tested by the Qubes developers to 
ensure compatibility with all of Qubes' features. The developers test all new 
major versions and updates to ensure that no regressions are introduced.

It is important to note, however, that Qubes hardware certification certifies 
only that a particular hardware *configuration* is *supported* by Qubes. The 
Qubes OS Project takes no responsibility for any vendor's manufacturing, 
shipping, payment, or other practices, nor can we control whether physical 
hardware is modified (w

Re: [qubes-users] Some issues during / after upgrading to 4.2.0

2024-01-10 Thread Andrew David Wong
On 1/9/24 2:11 PM, Ulrich Windl (Google) wrote:
> Hi!
> 
> Sorry for the delay, but attached is what I see.
> 
> Kind regards,
> Ulrich
> 

Thank you for your report. This is a known bug:

https://github.com/QubesOS/qubes-issues/issues/8725

> 06.01.2024 04:10:29 Andrew David Wong :
> 
>> On 1/4/24 3:20 PM, Ulrich Windl wrote:
>>> * fedora-38 is obsolete already? I thought fedora-37 is???
>>>
>>
>> No, Fedora 38 has not reached EOL:
>>
>> https://docs.fedoraproject.org/en-US/releases/eol/



Re: [qubes-users] Some issues during / after upgrading to 4.2.0

2024-01-05 Thread Andrew David Wong
On 1/4/24 3:20 PM, Ulrich Windl wrote:
> * fedora-38 is obsolete already? I thought fedora-37 is???
> 

No, Fedora 38 has not reached EOL:

https://docs.fedoraproject.org/en-US/releases/eol/



[qubes-users] Whonix 16 approaching EOL

2023-12-22 Thread Andrew David Wong
Dear Qubes Community,

Whonix 16 is currently 
[scheduled](https://www.whonix.org/wiki/About#Qubes_Hosts) to reach EOL 
(end-of-life) on 2024-01-18. We strongly recommend that all Whonix users 
upgrade to Whonix 17 before then. For more information, see [Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol). 
Please note that Whonix 17 is available only on Qubes OS 4.2.

There are three ways to upgrade to Whonix 17:

- *Recommended*: Perform a [clean 
installation](https://www.qubes-os.org/doc/installation-guide/) of [Qubes OS 
4.2.0](https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/),
 which comes with Whonix 17 templates preinstalled (if selected during 
installation).

- *Recommended*: [Install fresh Whonix templates to replace the existing 
ones.](https://www.whonix.org/wiki/Qubes/Install) After you install the new 
templates, redo all desired template modifications and [switch everything that 
was set to the old templates to the new 
templates](https://www.qubes-os.org/doc/templates/#switching).

- *Advanced*: Perform an [in-place upgrade from Whonix 16 to Whonix 
17](https://www.whonix.org/wiki/Release_Upgrade_16_to_17). This option will 
preserve any modifications you've made to the templates, *but it may be more 
complicated for less experienced users.*


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/12/22/whonix-16-approaching-eol/



[qubes-users] Qubes OS 4.2.0 has been released!

2023-12-18 Thread Andrew David Wong
Dear Qubes Community,

Qubes OS 4.2.0 brings a host of new features, major improvements, and numerous 
bug fixes. The ISO and associated [verification 
files](https://www.qubes-os.org/security/verifying-signatures/) are available 
on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes OS 4.2.0?

- Dom0 upgraded to Fedora 37 
([#6982](https://github.com/QubesOS/qubes-issues/issues/6982))
- Xen upgraded to version 4.17
- Default Debian template upgraded to Debian 12
- Default Fedora and Debian templates use Xfce instead of GNOME 
([#7784](https://github.com/QubesOS/qubes-issues/issues/7784))
- SELinux support in Fedora templates 
([#4239](https://github.com/QubesOS/qubes-issues/issues/4239))
- Several GUI applications rewritten, including:
  - Applications Menu (also available as preview in R4.1) 
([#6665](https://github.com/QubesOS/qubes-issues/issues/6665)), 
([#5677](https://github.com/QubesOS/qubes-issues/issues/5677))
  - Qubes Global Settings 
([#6898](https://github.com/QubesOS/qubes-issues/issues/6898))
  - Create New Qube
  - Qubes Update ([#7443](https://github.com/QubesOS/qubes-issues/issues/7443))
- Unified `grub.cfg` location for both UEFI and legacy boot 
([#7985](https://github.com/QubesOS/qubes-issues/issues/7985))
- PipeWire support 
([#6358](https://github.com/QubesOS/qubes-issues/issues/6358))
- fwupd integration for firmware updates 
([#4855](https://github.com/QubesOS/qubes-issues/issues/4855))
- Optional automatic clipboard clearing 
([#3415](https://github.com/QubesOS/qubes-issues/issues/3415))
- Official packages built using Qubes Builder v2 
([#6486](https://github.com/QubesOS/qubes-issues/issues/6486))
- Split GPG management in Qubes Global Settings
- Qrexec services use new qrexec policy format by default (but old format is 
still supported) ([#8000](https://github.com/QubesOS/qubes-issues/issues/8000))

For further details, see the [Qubes 4.2 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) and the [full 
list of issues completed for Qubes 
4.2](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+milestone%3A%22Release+4.2%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+).

## Known issues in Qubes OS 4.2.0

DomU firewalls have completely switched to nftables. Users should add their 
custom rules to the `custom-input` and `custom-forward` chains. (For more 
information, see issues 
[#5031](https://github.com/QubesOS/qubes-issues/issues/5031) and 
[#6062](https://github.com/QubesOS/qubes-issues/issues/6062).)

Also see the [full list of open bug reports affecting Qubes 
4.2](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2+label%3A%22T%3A+bug%22+is%3Aopen).

We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## How to get Qubes OS 4.2.0

- If you don't have Qubes OS installed, or if you're currently on Qubes 4.0 or 
earlier, follow the [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).
- If you're currently on Qubes 4.1, learn [how to upgrade to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/).
- If you're currently on a Qubes 4.2 release candidate (RC), [update 
normally](https://www.qubes-os.org/doc/how-to-update/).

In all cases, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new release signing key for Qubes 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
 this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.

Re: [qubes-users] Re: Introducing Qubes 3.0 LiveUSB (alpha)

2023-12-18 Thread Andrew David Wong
On 12/17/23 3:24 PM, leore...@gmail.com wrote:
> Hello Joanna there is any iso more recent?
> 

The "LiveUSB" version of Qubes is discontinued. However, you can install Qubes 
OS onto a USB drive and run it from there. Please see the installation guide 
for details:

https://www.qubes-os.org/doc/installation-guide/#installation-destination



[qubes-users] QSB-098: CPU microcode updates not loaded with dom0 kernel version 6.6.x

2023-12-15 Thread Andrew David Wong
 QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing ke

[qubes-users] XSAs released on 2023-12-12

2023-12-12 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-447](https://xenbits.xen.org/xsa/advisory-447.html)
  - Qubes OS does not support ARM.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/12/12/xsas-released-on-2023-12-12/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa81e468-6e1c-4343-acaa-df59cc3e8d3a%40qubes-os.org.


[qubes-users] Qubes Canary 037

2023-12-11 Thread Andrew David Wong
DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F4

[qubes-users] Qubes OS 4.2.0-rc5 is available for testing

2023-11-26 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the fifth [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page. For 
more information about the changes included in this version, see the [Qubes OS 
4.2.0 release notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) 
and the [full list of bugs affecting Qubes 4.2 that have been 
fixed](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+label%3Aaffects-4.2+label%3A%22T%3A+bug%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement. Here is 
the latest update:

At this point, we are hopeful that RC5 will be the final RC.

## Testing Qubes 4.2.0-rc5

Thank you to everyone who tested the previous Qubes 4.2.0 RCs! Due to your 
efforts, this new RC includes fixes for several bugs that were present in the 
previous RCs.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc5

If you're currently running any Qubes 4.2.0 RC, you can upgrade to the latest 
RC by [updating normally](https://www.qubes-os.org/doc/how-to-update/). 
However, please note that there have been some recent template changes, which 
are detailed in the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

If you're currently on Qubes 4.1 and wish to test 4.2, please see [how to 
upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/), which details 
both clean installation and in-place upgrade options. As always, we strongly 
recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
the new Qubes OS Release 4.2 Signing Key, which is ava

[qubes-users] QSB-097: "Reptar" Intel redundant prefix vulnerability

2023-11-15 Thread Andrew David Wong
aster Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. For more 
information, see [How to import and authenticate the Qubes Master Signing 
Key](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski

[qubes-users] XSAs released on 2023-11-14

2023-11-14 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected* by at least one of these XSAs.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-446](https://xenbits.xen.org/xsa/advisory-446.html)
  - For more information, see 
[QSB-096](https://www.qubes-os.org/news/2023/11/14/qsb-096/).

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-445](https://xenbits.xen.org/xsa/advisory-445.html)
  - Qubes OS uses only "basic" quarantine mode.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/11/14/xsas-released-on-2023-11-14/



[qubes-users] QSB-096: BTC/SRSO fixes not fully effective (XSA-446)

2023-11-14 Thread Andrew David Wong
s://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key).

   *Tip*: After you have authenticated the QMSK out-of-band to your 
satisfaction, record the QMSK fingerprint in a safe place (or several) so that 
you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  sign

Re: [qubes-users] Fedora 37 approaching EOL

2023-10-22 Thread Andrew David Wong
On 10/22/23 8:31 AM, Ulrich Windl (Google) wrote:
> Hi!
> 
> Wondering about "Dom0 upgraded to Fedora 37 
> (#6982[https://github.com/QubesOS/qubes-issues/issues/6982])":
> Is it planned to upgrade before final release?
> 
> Regards,
> Ulrich
> 

No, please see our note on dom0 and EOL:

https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol



[qubes-users] Qubes OS 4.2.0-rc4 is available for testing

2023-10-13 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the fourth [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page.

## Main changes from RC3 to RC4

- Fixed: ["qvm-move fails, deletes origin file anyway" 
(#8516)](https://github.com/QubesOS/qubes-issues/issues/8516)
- Fixed: ["`90-default.policy` not upgraded after in-place upgrade from 4.1 to 
4.2" (#8458)](https://github.com/QubesOS/qubes-issues/issues/8458)
- Fixed: ["Qube Manager freezes while opening settings" 
(#8387)](https://github.com/QubesOS/qubes-issues/issues/8387)
- Fixed: ["Error when attempting to update dom0 in the Qube Manager" 
(#8117)](https://github.com/QubesOS/qubes-issues/issues/8117)
- Fixed: ["XScreenSaver & XScreenSaver Settings not opening window" 
(#8266)](https://github.com/QubesOS/qubes-issues/issues/8266)
- Fixed: ["Setting no-strict-reset option via salt on already attached devices 
doesn't work" (#8514)](https://github.com/QubesOS/qubes-issues/issues/8514)
- Fixed: ["qvm-copy-to-vm incorrect progress report" 
(#1519)](https://github.com/QubesOS/qubes-issues/issues/1519)
- Fixed: ["qubes-video-companion-receiver missing dependency on acl package" 
(#8426)](https://github.com/QubesOS/qubes-issues/issues/8426)
- Fixed: ["OpenBSD 7.3 ISO doesn't boot anymore" 
(#8502)](https://github.com/QubesOS/qubes-issues/issues/8502)
- Fixed: ["Kernel compile bogs down rest of system" 
(#8176)](https://github.com/QubesOS/qubes-issues/issues/8176)
- Fixed: ["rpm-oxide makes unjustified assumptions about RPM ABI" 
(#8522)](https://github.com/QubesOS/qubes-issues/issues/8522)
- Fixed: ["yk-auth YubiKey PAM script incorrectly expects \0 to be appended to 
hash" (#8517)](https://github.com/QubesOS/qubes-issues/issues/8517)
- Fixed: ["Qubes Application Menu isn't updated when using salt to modify 
menu-items" (#8494)](https://github.com/QubesOS/qubes-issues/issues/8494)
- Fixed: ["Different values for `menu-items` and `default-menu-items` are not 
preserved when cloning templates" 
(#8518)](https://github.com/QubesOS/qubes-issues/issues/8518)
- Fixed: ["Fix handling of menu items in GUI VM" 
(#8528)](https://github.com/QubesOS/qubes-issues/issues/8528)
- Fixed: ["Firefox does not start on 4.2-rc3 after upgrading template" 
(#8571)](https://github.com/QubesOS/qubes-issues/issues/8571)
- Fixed: ["Qubes R4.2.0-rc2 Qubes OS Global Config tool not see qubes-u2f 
installed in sys-usb" 
(#8463)](https://github.com/QubesOS/qubes-issues/issues/8463)
- Fixed: ["global config: policy rules for U2F incorrectly assume wildcard 
argument" (#8525)](https://github.com/QubesOS/qubes-issues/issues/8525)
- Fixed: ["Pipewire on some systems causes a lot of underruns" 
(#8576)](https://github.com/QubesOS/qubes-issues/issues/8576)
- Fixed: ["Listing PCI devices breaks when there is some with non- PCI 
domain" (#6932)](https://github.com/QubesOS/qubes-issues/issues/6932)
- Done: ["Prepare R4.1 -> R4.2 upgrade tool" 
(#7832)](https://github.com/QubesOS/qubes-issues/issues/7832)
- Done: ["Phase out legacy qrexec policy files" 
(#8000)](https://github.com/QubesOS/qubes-issues/issues/8000)
- Done: ["Better qrexec service configuration format" 
(#8153)](https://github.com/QubesOS/qubes-issues/issues/8153)
- Done: ["QRexec services should be able to specify the user they must run as" 
(#6354)](https://github.com/QubesOS/qubes-issues/issues/6354)
- Done: ["Qube Manager: Enable the 'restart qube' button for named disposables" 
(#8382)](https://github.com/QubesOS/qubes-issues/issues/8382)
- Done: ["Utilize memory hotplug to add VM memory by qmemman" 
(#7956)](https://github.com/QubesOS/qubes-issues/issues/7956)

For an overview of major changes from Qubes 4.1 to 4.2, please see the [Qubes 
OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement. Here is 
the latest update:

At this point, we are hopeful tha

[qubes-users] Fedora 37 approaching EOL

2023-10-12 Thread Andrew David Wong
Dear Qubes Community,

Fedora 37 is currently 
[scheduled](https://fedorapeople.org/groups/schedule/f-39/f-39-key-tasks.html) 
to reach EOL ([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 
2023-11-21. We strongly recommend that all users 
[upgrade](https://www.qubes-os.org/doc/templates/fedora/#upgrading) their 
Fedora templates and standalones to [Fedora 
38](https://www.qubes-os.org/news/2023/05/26/fedora-38-templates-available/) 
before then. For more information, see [Upgrading to avoid 
EOL](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol).

There are two ways to upgrade your template to a new Fedora release:

- *Recommended*: [Install a fresh template to replace the existing 
one.](https://www.qubes-os.org/doc/templates/fedora/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. To see a log of package manager actions, 
open a terminal in the old Fedora template and use the `dnf history` command.

- *Advanced*: [Perform an in-place upgrade of an existing Fedora 
template.](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template 
releases](https://www.qubes-os.org/doc/supported-releases/#templates). Please 
note that no user action is required regarding the OS version in dom0 (see our 
[note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/10/12/fedora-37-approaching-eol/



[qubes-users] XSAs released on 2023-10-10

2023-10-10 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-442](https://xenbits.xen.org/xsa/advisory-442.html)
  - Please see [QSB-095](https://www.qubes-os.org/news/2023/10/10/qsb-095/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-440](https://xenbits.xen.org/xsa/advisory-440.html)
  - Denial of service (DoS) only
- [XSA-441](https://xenbits.xen.org/xsa/advisory-441.html)
  - Denial of service (DoS) only
- [XSA-443](https://xenbits.xen.org/xsa/advisory-443.html)
  - Qubes OS does not use pygrub.
- [XSA-444](https://xenbits.xen.org/xsa/advisory-444.html)
  - Denial of service (DoS) only

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/10/10/xsas-released-on-2023-10-10/



[qubes-users] QSB-095: Missing IOMMU TLB flushing on x86 AMD systems

2023-10-10 Thread Andrew David Wong
, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:

[qubes-users] XSAs released on 2023-09-25

2023-09-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-439](https://xenbits.xen.org/xsa/advisory-439.html)
  - Please see [QSB-094](https://www.qubes-os.org/news/2023/09/27/qsb-094/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/27/xsas-released-on-2023-09-25/



[qubes-users] QSB-094: x86/AMD: Divide speculative information leak

2023-09-27 Thread Andrew David Wong
. Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`
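
Added example (not part of the original announcement and not Qubes' own tooling): a shell check for the tag verification in step 7 that reads GnuPG's machine-readable status lines, as printed by `git verify-tag --raw`, instead of the human-readable text. The status samples are constructed for illustration; the fingerprint is the one shown in the sample output above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: accept a secpack tag only on a valid, trusted signature.
# Real use, inside the clone (status lines go to stderr):
#   git verify-tag --raw "$(git describe)" 2>&1 | check_tag_status "$SECPACK_FPR"

# Signing-key fingerprint as printed in the announcement's sample output.
SECPACK_FPR=2D1771FE4D767EDC76B089FAD655A4F21830E06A

# check_tag_status EXPECTED_FPR   (GnuPG status lines on stdin)
# Returns 0 only if there is exactly one VALIDSIG made by EXPECTED_FPR,
# no failure status, and the key's validity is full or ultimate, i.e. it
# chains to a key you marked as trusted (step 4).
check_tag_status() {
    local expected=$1 tag keyword rest fpr='' valid=0 trusted=0
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                valid=$((valid + 1))
                fpr=${rest%% *} ;;        # first field: signing key fingerprint
            TRUST_FULLY|TRUST_ULTIMATE)
                trusted=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$fpr" = "$expected" ] && [ "$trusted" -eq 1 ]
}

# Constructed sample status output (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_FULLY 0 pgp'

# Same signature, but the master key was never given ultimate trust:
# gpg still reports a good signature, with unknown validity.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757924 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Tag contents do not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)'

# verdict STATUS_TEXT -> prints "accept" or "reject"
verdict() {
    if printf '%s\n' "$1" | check_tag_status "$SECPACK_FPR"; then
        echo accept
    else
        echo reject
    fi
}

echo "good, trusted signature:   $(verdict "$SAMPLE_GOOD")"
echo "good, untrusted signature: $(verdict "$SAMPLE_UNTRUSTED")"
echo "bad signature:             $(verdict "$SAMPLE_BAD")"
```

The untrusted case is the one a "Good signature" string match would miss: the signature is cryptographically valid, but nothing ties the signing key back to a key you authenticated.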

Re: [qubes-users] Update problem with a 'debian-12-minimal' based template

2023-09-26 Thread Andrew David Wong
On 9/26/23 10:29 PM, Viktor Ransmayr wrote:
> Hello community,
> 
> I've started to update my Debian-based VMs from 11 to 12.
> 
> As part of this exercise, I also switched from 'debian-11' to 
> 'debian-12-minimal' as the initial template to clone from.
> 
> In general I'm quite happy with the results in one working Test-VM. - 
> However, when the system tries to update the new template, I consistently 
> get the following error:
> 
> 
> 
> Updating debian-12-vrsq
> 
> Error on updating debian-12-vrsq: Command '['sudo', 'qubesctl', 
> '--skip-dom0', '--targets=debian-12-vrsq', '--show-output', 'state.sls', 
> 'update.qubes-vm']' returned non-zero exit status 20.
> debian-12-vrsq:
>   --
>   _error:
>   Failed to return clean data
>   retcode:
>   1
>   stderr:
>   Traceback (most recent call last):
>     File "/var/tmp/.root_dd8a91_salt/salt-call", line 27, in <module>
>       salt_call()
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/scripts.py", line 437, in salt_call
>       import salt.cli.call
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/call.py", line 3, in <module>
>       import salt.cli.caller
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py", line 12, in <module>
>       import salt.channel.client
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/channel/client.py", line 13, in <module>
>       import salt.crypt
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/crypt.py", line 26, in <module>
>       import salt.payload
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/payload.py", line 12, in <module>
>       import salt.loader.context
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/loader/__init__.py", line 15, in <module>
>       import salt.config
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 107, in <module>
>       _DFLT_IPC_WBUFFER = int(_gather_buffer_space() * 0.5)
>       ^^
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 95, in _gather_buffer_space
>       import salt.grains.core
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/grains/core.py", line 30, in <module>
>       import salt.modules.cmdmod
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/modules/cmdmod.py", line 32, in <module>
>       import salt.utils.templates
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/utils/templates.py", line 21, in <module>
>       import salt.utils.http
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/utils/http.py", line 27, in <module>
>       import salt.ext.tornado.simple_httpclient
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/simple_httpclient.py", line 9, in <module>
>       from salt.ext.tornado.http1connection import HTTP1Connection, HTTP1ConnectionParameters
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/http1connection.py", line 31, in <module>
>       from salt.ext.tornado import iostream
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/ext/tornado/iostream.py", line 42, in <module>
>       import urllib3.util.ssl_match_hostname
>   ModuleNotFoundError: No module named 'urllib3'
>   [ERROR   ] An un-handled exception was caught by Salt's global exception handler:
>   ModuleNotFoundError: No module named 'urllib3'
>   Traceback (most recent call last):
>     File "/var/tmp/.root_dd8a91_salt/salt-call", line 27, in <module>
>       salt_call()
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/scripts.py", line 437, in salt_call
>       import salt.cli.call
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/call.py", line 3, in <module>
>       import salt.cli.caller
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/cli/caller.py", line 12, in <module>
>       import salt.channel.client
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/channel/client.py", line 13, in <module>
>       import salt.crypt
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/crypt.py", line 26, in <module>
>       import salt.payload
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/payload.py", line 12, in <module>
>       import salt.loader.context
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/loader/__init__.py", line 15, in <module>
>       import salt.config
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 107, in <module>
>       _DFLT_IPC_WBUFFER = int(_gather_buffer_space() * 0.5)
>       ^^
>     File "/var/tmp/.root_dd8a91_salt/pyall/salt/config/__init__.py", line 95, in _gather_buffer_space
>       import sa

[qubes-users] XSAs released on 2023-09-20

2023-09-20 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-438](https://xenbits.xen.org/xsa/advisory-438.html)
  - Shadow paging is not built-in.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/20/xsas-released-on-2023-09-20/



[qubes-users] Tickets for Qubes OS Summit 2023 are now available!

2023-09-19 Thread Andrew David Wong
Dear Qubes Community,

The following announcement is from 3mdeb:

[![Tickets are available for Qubes OS Summit 
2023](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023-tickets.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023-tickets.png)

We have options for everyone:

- Virtual Qubes Pass for online attendees
- On-site Qubes Pass for those ready to join us in Berlin

The number of On-site Qubes Passes is limited, so book only if you will be 
there. Both tickets are free. Read more at: 


Have insights to share?   
Want to be a sponsor? 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/19/tickets-for-qubes-os-summit-2023-now-available/



[qubes-users] Qubes Canary 036

2023-09-13 Thread Andrew David Wong
 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired:

Re: [qubes-users] Re: The NitroPC Pro is Qubes-certified!

2023-09-07 Thread Andrew David Wong
On 9/7/23 1:38 PM, Leo28C wrote:
> Is it "not certified" as in it doesn't run at all, or is it just to stop
> people from paying an extra 3 grand when the OS is software-rendered?
> 

When Nitrokey asked for the NitroPC Pro to be Qubes-certified, they did not ask 
for any discrete graphics configurations to be included in the evaluation, so 
the Qubes hardware certification team has not tested any such configuration.

On 9/7/23 5:15 PM, Sven Semmler wrote:
> Certification includes giving one machine to the Qubes OS team, so it can be 
> used in ongoing regression testing. It appears Nitrokey has provided the 
> variant without the discrete GPU [...]
> 

This is correct, except that it is actually two units:

https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-process



[qubes-users] Re: The NitroPC Pro is Qubes-certified!

2023-09-07 Thread Andrew David Wong
On 9/6/23 10:57 AM, Andrew David Wong wrote:
> Dear Qubes Community,
> 
> It is our pleasure to announce that the [NitroPC 
> Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is [officially 
> certified](https://www.qubes-os.org/doc/certified-hardware/) for Qubes OS 
> Release 4!
> 
> ## The NitroPC Pro: a secure, powerful workstation
> 
> The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is 
> a workstation for high security and performance requirements. The open-source 
> [Dasharo coreboot](https://github.com/Dasharo/coreboot) firmware ensures high 
> transparency and security while avoiding backdoors and security holes in the 
> firmware. The device is certified for compatibility with Qubes OS 4.X by the 
> Qubes developers. Carefully selected components ensure high performance, 
> stability, and durability. The Dasharo Entry Subscription guarantees 
> continuous firmware development and fast firmware updates. 
> 
> [![Photo of NitroPC 
> Pro](https://www.qubes-os.org/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
> 
> Here's a summary of the main component options available for this mid-tower 
> desktop PC:
> 
> | Component                    | Options                                                  |
> |------------------------------|----------------------------------------------------------|
> | Motherboard                  | MSI PRO Z690-A DDR5 (Wi-Fi optional)                     |
> | Processor                    | 12th Generation Intel Core i5-12600K or i9-12900K        |
> | Memory                       | 16 GB to 128 GB DDR5                                     |
> | NVMe storage (optional)      | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each         |
> | SATA storage (optional)      | Up to two SATA SSDs, up to 7.68 TB each                  |
> | Integrated graphics          | Intel UHD 770                                            |
> | Discrete graphics (optional) | Nvidia Geforce RTX 4070 or 4090                          |
> | Wireless (optional)          | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
> | Operating system (optional)  | Qubes OS 4.1 or Ubuntu 22.04 LTS                         |
> 
> [...]
> 

*Important addendum*: As indicated in the table above, when configuring your 
NitroPC Pro on the Nitrokey website, there is an option for a discrete graphics 
card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics 
(e.g., Intel UHD 770, which is always included because it is physically built 
into the CPU). Please note that NitroPC Pro configurations that include 
discrete graphics cards are *not* Qubes-certified. The only NitroPC Pro 
configurations that are Qubes-certified are those that contain *only* 
integrated graphics.

> 
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2023/09/06/nitropc-pro-qubes-certified/



[qubes-users] XSAs released on 2023-09-05

2023-09-05 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-437](https://xenbits.xen.org/xsa/advisory-437.html)
  - This affects only 32-bit ARM processors, which Qubes OS does not support.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/09/05/xsas-released-on-2023-09-05/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39fa7f7b-7920-c77e-18e5-4ffac09ea7a2%40qubes-os.org.


[qubes-users] Qubes OS 4.2.0-rc3 is available for testing

2023-09-03 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the third [release candidate 
(RC)](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available for 
[testing](https://www.qubes-os.org/doc/testing/). The ISO and associated 
[verification files](https://www.qubes-os.org/security/verifying-signatures/) 
are available on the [downloads](https://www.qubes-os.org/downloads/) page.

## Explanation for the early RC

We [announced 
RC2](https://www.qubes-os.org/news/2023/08/28/qubes-os-4-2-0-rc2-available-for-testing/)
approximately one week ago. Normally, RC2 would have been tested for 
[approximately five 
weeks](https://www.qubes-os.org/doc/version-scheme/#release-schedule) before we 
announced RC3. However, RC2 contained several bugs (listed below), some of 
which prevented certain users from testing it. These bugs have been fixed in 
RC3. We've decided to release RC3 early, as an exception to our usual policy, 
in order to get these fixes out as quickly as possible so that more users can 
test 4.2 for longer before the eventual stable release.

## Main changes from RC2 to RC3

- Fixed: ["Installer in R4.2 does not warn about incompatible hardware" 
(#8345)](https://github.com/QubesOS/qubes-issues/issues/8345)
- Fixed: ["Wi-Fi firmware missing from default templates on 4.2.0-rc2 ISO" 
(#8452)](https://github.com/QubesOS/qubes-issues/issues/8452)
- Fixed: ["Qubes R4.2.0-rc2 cannot be installed on legacy BIOS system" 
(#8462)](https://github.com/QubesOS/qubes-issues/issues/8462)
- Fixed: ["R4.2 (rc1, rc2) unable to boot on Thinkpad T430 when UEFI is 
enabled" (#8464)](https://github.com/QubesOS/qubes-issues/issues/8464)

For an overview of major changes from Qubes 4.1 to 4.2, please see the [Qubes 
OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

## When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As 
explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new RC is to collect bug 
reports, triage the bugs, and fix them. This usually takes around five weeks, 
depending on the bugs discovered. If warranted, we then issue a new RC that 
includes the fixes and repeat the whole process again. We continue this 
iterative procedure until we're left with an RC that's good enough to be 
declared the stable release. No one can predict, at the outset, how many 
iterations will be required (and hence how many RCs will be needed before a 
stable release), but we tend to get a clearer picture of this with each 
successive RC, which we share in this section in each RC announcement.

At this point, we can say that there will be at least one more RC after this 
one.

## Testing Qubes 4.2.0-rc3

Thank you to everyone who tested the previous Qubes 4.2.0 RCs! Due to your 
efforts, this new RC includes fixes for several bugs that were present in the 
previous RCs.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new RC, 
you can help us improve the eventual stable release by [reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc3

If you're currently running any Qubes 4.2.0 RC, you can upgrade to the latest 
RC by [updating normally](https://www.qubes-os.org/doc/how-to-update/). 
However, please note that there have been some recent template changes, which 
are detailed in the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/).

If you're currently on Qubes 4.1 and wish to test 4.2, please see [how to 
upgrade to Qubes 4.2](https://www.qubes-os.org/doc/upgrade/4.2/), which details 
both clean installation and in-place upgrade options. As always, we strongly 
recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the crypt

Re: [qubes-users] Error installing Debian-12 template

2023-08-28 Thread Andrew David Wong
On 8/28/23 1:53 PM, Ulrich Windl wrote:
> Hi!
> 
> Following the instructions at 
> https://www.qubes-os.org/doc/templates/debian/#installing I repeatedly got 
> this error messages:
> 
> $ sudo qubes-dom0-update qubes-template-debian-12
> Redirecting to 'qvm-template install  debian-12'
> Downloading 'qubes-template-debian-12-0:4.0.6-202307240307'...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:01 ?B/s
> 'qubes-template-debian-12-0:4.0.6-202307240307' download failed, retrying...
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/sError canonicalizing file: failed to fill whole buffer
> qubes-template-debian-12-0:4.0.6-202307240307:   0%| | 0.00/1.50G [00:00 ?B/s
> Error: 'qubes-template-debian-12-0:4.0.6-202307240307' download failed.
> 
> I have no idea what might be wrong. Most likely the instructions are 
> incomplete.
> 
> 
> Kind regards,
> 
> Ulrich
> 

Marek posted about this on the forum:

https://forum.qubes-os.org/t/debian-12-templates-available/20604/9

I think it should be working now, since it's past 22:00 UTC. Could you try 
again?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af000bcf-e6ff-2f5e-ffc2-9f45a69fb85b%40qubes-os.org.


[qubes-users] Qubes OS 4.2.0-rc2 is available for testing

2023-08-28 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the second [release 
candidate](#what-is-a-release-candidate) (RC) for Qubes OS 4.2.0 is now 
available for [testing](https://www.qubes-os.org/doc/testing/). Qubes 4.2.0-rc2 
is available on the [downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.0-rc2?

- Dom0 upgraded to Fedora 37
- Xen updated to version 4.17
- Default Debian template upgraded to Debian 12
- Default Fedora and Debian templates use Xfce instead of GNOME
- SELinux support in Fedora templates
- Several GUI applications rewritten, including:
  - Applications Menu
  - Qubes Global Settings
  - Create New Qube
  - Qubes Update
- Unified `grub.cfg` location for both UEFI and legacy boot
- PipeWire support
- fwupd integration for firmware updates
- Optional automatic clipboard clearing
- Official packages built using Qubes Builder v2
- Split GPG and Split SSH management in Qubes Global Settings

Please see the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) for details.

## When is the stable release?

That depends on the number of bugs discovered in this release candidate and 
their severity. As explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new release candidate is to 
collect bug reports, triage the bugs, and fix them. This usually takes around 
five weeks, depending on the bugs discovered. If warranted, we then issue a new 
release candidate that includes the fixes and repeat the whole process again. 
We continue this iterative procedure until we're left with a release candidate 
that's good enough to be declared the stable release. No one can predict, at 
the outset, how many iterations will be required (and hence how many release 
candidates will be needed before a stable release), but we tend to get a 
clearer picture of this with each successive release candidate, which we'll 
share in this section in future release candidate announcements. The feedback 
we receive on this release candidate will determine whether another one is 
required.

## Testing Qubes 4.2.0-rc2

Thank you to everyone who tested 4.2.0-rc1! Due to your efforts, this new 
release candidate includes fixes for several bugs that were present in the 
first release candidate.

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this new 
release candidate, you can help us improve the eventual stable release by 
[reporting any bugs you 
encounter](https://www.qubes-os.org/doc/issue-tracking/). We encourage 
experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of issues affecting Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+label%3Aaffects-4.2).
We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc2

[In-place upgrades from Qubes 4.1 to Qubes 
4.2](https://www.qubes-os.org/doc/upgrade/4.2/) are now implemented and ready 
for testing! As always, we strongly recommend [making a full 
backup](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) 
beforehand.

Current Qubes 4.2.0-rc1 systems should be [updated 
normally](https://www.qubes-os.org/doc/how-to-update/), but please note that 
some templates have changed from the first release candidate. These changes are 
listed [above](#whats-new-in-qubes-420-rc2).

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-impo

[qubes-users] Re: Debian 12 templates available

2023-08-27 Thread Andrew David Wong
> [supported template releases]

Link: https://www.qubes-os.org/doc/supported-releases/#templates

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d7c83cfc-b52c-3edb-4edd-1b174d658fb9%40qubes-os.org.


[qubes-users] Debian 12 templates available

2023-08-27 Thread Andrew David Wong
Dear Qubes Community,

The following new templates are now available:

*Qubes OS 4.1*
- Debian 12
- Debian 12 [minimal](https://www.qubes-os.org/doc/templates/minimal/)

*Qubes OS 4.2-rc1*
- Debian 12
- Debian 12 [minimal](https://www.qubes-os.org/doc/templates/minimal/)
- Debian 12 [Xfce](https://www.qubes-os.org/doc/templates/xfce/)

There are two ways to upgrade your template to a new Debian release:

- *Recommended*: [Install a fresh template to replace the existing 
one.](https://www.qubes-os.org/doc/templates/debian/#installing) *This option 
may be simpler for less experienced users.* After you install the new template, 
redo all desired template modifications and [switch everything that was set to 
the old template to the new 
template](https://www.qubes-os.org/doc/templates/#switching). You may want to 
write down the modifications you make to your templates so that you remember 
what to redo on each fresh install. In the old Debian template, see 
`/var/log/dpkg.log` and `/var/log/apt/history.log` for logs of package manager 
actions.

- *Advanced*: [Perform an in-place upgrade of an existing Debian 
template.](https://www.qubes-os.org/doc/templates/debian/in-place-upgrade/) 
This option will preserve any modifications you've made to the template, *but 
it may be more complicated for less experienced users.*

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template releases]. Please note that no user 
action is required regarding the OS version in dom0 (see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol)).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/27/debian-12-templates-available/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dd4c2c8f-a747-be3c-63b4-5eacf2365dc8%40qubes-os.org.
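
For the fresh-install route in the Debian 12 announcement above, the package-manager log it points to can be reduced to a list of what was deliberately installed in the old template. This is an added example, not Qubes or Debian tooling: the function names are hypothetical and the sample log is constructed in the layout apt writes to `/var/log/apt/history.log`.

```shell
#!/bin/sh
# Added example: list packages that were explicitly installed in a template,
# so they can be reinstalled in a fresh one.

# Read an apt history log on stdin. Print, sorted, every package from an
# "Install:" record that is not marked "automatic" (pulled in only as a
# dependency), minus packages that a later "Remove:" or "Purge:" record dropped.
explicit_installs() {
    awk '
    function names(list, mark,    n, i, e, parts, auto) {
        n = split(list, parts, /\), /)
        for (i = 1; i <= n; i++) {
            e = parts[i]
            auto = (e ~ /, automatic\)?$/)
            sub(/ \(.*$/, "", e)   # drop "(version...)" first: it may hold an epoch colon
            sub(/:[^:]+$/, "", e)  # then drop the ":arch" suffix
            if (mark == "add" && !auto) present[e] = 1
            if (mark == "del") delete present[e]
        }
    }
    /^Install: /        { sub(/^Install: /, "");        names($0, "add") }
    /^(Remove|Purge): / { sub(/^(Remove|Purge): /, ""); names($0, "del") }
    END { for (p in present) print p }
    ' | sort
}

# Constructed sample log (package versions are illustrative only).
sample_history() {
    cat <<'EOF'
Start-Date: 2023-08-01  10:15:02
Commandline: apt install keepassxc
Install: keepassxc:amd64 (2.7.4+dfsg.1-2), libbotan-2-19:amd64 (2.19.3+dfsg-1, automatic), libzxcvbn0:amd64 (2.5+dfsg-1, automatic)
End-Date: 2023-08-01  10:15:20

Start-Date: 2023-08-03  09:00:41
Commandline: apt install vim tmux
Install: vim:amd64 (2:9.0.1378-2), vim-runtime:all (2:9.0.1378-2, automatic), tmux:amd64 (3.3a-3)
End-Date: 2023-08-03  09:00:55

Start-Date: 2023-08-10  08:30:00
Commandline: apt upgrade
Upgrade: curl:amd64 (7.88.1-10, 7.88.1-10+deb12u1)
End-Date: 2023-08-10  08:30:12

Start-Date: 2023-08-12  17:45:09
Commandline: apt purge tmux
Purge: tmux:amd64 (3.3a-3)
End-Date: 2023-08-12  17:45:11
EOF
}

# Demo on the constructed log; in the old template, run instead:
#   explicit_installs < /var/log/apt/history.log
sample_history | explicit_installs
```
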


Re: [qubes-users] "GVFS is not available"

2023-08-27 Thread Andrew David Wong
On 8/27/23 10:43 AM, Demi Marie Obenour wrote:
> On Sat, Aug 26, 2023 at 10:39:22PM -0700, Andrew David Wong wrote:
>> On 8/26/23 8:55 AM, ales...@magenta.de wrote:
>>> Steve Coleman:
>>>>
>>>>
>>>> On Sat, Aug 12, 2023, 12:54 PM >>> <mailto:ales...@magenta.de>> wrote:
>>>>
>>>> ales...@magenta.de <mailto:ales...@magenta.de>:
>>>>  > I am using a fresh installation of Qubes 4.1.1.
>>>>  >
>>>>  > When I use the File Manager Preferences tab there is a message
>>>>  > indicating that GVFS is not available.
>>>>
>>>>
>>>> You need to install the gvfs package in the template you are using for 
>>>> your AppVM.
>>>>
>>>> It's not a standard package installed by default because it relies on many 
>>>> other packages. Do a search in your flavor repository (fedora,debian,etc) 
>>>> for the package and install it in your template, and then restart your 
>>>> AppVM.
>>>>
>>>>
>>>> https://wiki.gnome.org/Projects/gvfs <https://wiki.gnome.org/Projects/gvfs>
>>>
>>> But this is not an AppVM or a template, I think. I am seeing this message 
>>> from Dom0 environment.
>>>
>>> Troubleshooting Steps:
>>> a) Boot Qubes 4 and enter password to start login session
>>> b) Open Qubes menu in top panel
>>> c) Open System Tools, File Manager Settings
>>> d) Open Advanced tab
>>>
>>> The window title is "[Dom0] File Manager Preferences".
>>>
>>> Here is the message under a title "Missing dependencies" and inside a blue 
>>> box:
>>>
>>>> It looks like gvfs is not available.
>>>> Important features ... will not work.
>>>
>>> It seems like this must be a problem I must fix.
>>>
> 
>> No. It is recommended to avoid using the GUI file manager in dom0.
> 
> Should the default install omit the GUI file manager in dom0?  Having it
> and telling people not to use it is rather strange.

Yes: https://github.com/QubesOS/qubes-issues/issues/2458

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c835b83b-6c17-b11b-c069-7fc276d2ae57%40qubes-os.org.


Re: [qubes-users] "GVFS is not available"

2023-08-26 Thread Andrew David Wong
On 8/26/23 8:55 AM, ales...@magenta.de wrote:
> Steve Coleman:
>>
>>
>> On Sat, Aug 12, 2023, 12:54 PM > > wrote:
>>
>>     ales...@magenta.de :
>>  > I am using a fresh installation of Qubes 4.1.1.
>>  >
>>  > When I use the File Manager Preferences tab there is a message
>>  > indicating that GVFS is not available.
>>
>>
>> You need to install the gvfs package in the template you are using for your 
>> AppVM.
>>
>> It's not a standard package installed by default because it relies on many 
>> other packages. Do a search in your flavor repository (fedora,debian,etc) 
>> for the package and install it in your template, and then restart your AppVM.
>>
>>
>> https://wiki.gnome.org/Projects/gvfs 
> 
> But this is not an AppVM or a template, I think. I am seeing this message 
> from Dom0 environment.
> 
> Troubleshooting Steps:
> a) Boot Qubes 4 and enter password to start login session
> b) Open Qubes menu in top panel
> c) Open System Tools, File Manager Settings
> d) Open Advanced tab
> 
> The window title is "[Dom0] File Manager Preferences".
> 
> Here is the message under a title "Missing dependencies" and inside a blue 
> box:
> 
>> It looks like gvfs is not available.
>> Important features ... will not work.
> 
> It seems like this must be a problem I must fix.
> 

No. It is recommended to avoid using the GUI file manager in dom0.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c95a5da8-c67c-04df-abcf-860ebf37e6e8%40qubes-os.org.


[qubes-users] CORRECTION: Qubes OS Summit 2023: OCTOBER 6-8 in Berlin

2023-08-25 Thread Andrew David Wong
Dear Qubes Community,

_My apologies for the incorrect subject line in my previous email. The correct 
month is OCTOBER, not September!_

In conjunction with [3mdeb](https://3mdeb.com/), the fifth edition of our Qubes 
OS Summit will be held live this year from October 6 to 8 in Berlin, Germany! 
For more information about this event, including the CFP (which is open until 
October 2), please see: 

[![Qubes OS Summit 2023 
poster](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/25/qubes-os-summit-2023/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5d1e397d-9d25-d6a7-9be9-9a30a9d2db81%40qubes-os.org.


[qubes-users] Qubes OS Summit 2023: September 6-8 in Berlin

2023-08-25 Thread Andrew David Wong
Dear Qubes Community,

In conjunction with [3mdeb](https://3mdeb.com/), the fifth edition of our Qubes 
OS Summit will be held live this year from October 6 to 8 in Berlin, Germany! 
For more information about this event, including the CFP (which is open until 
October 2), please see: 

[![Qubes OS Summit 2023 
poster](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)](https://www.qubes-os.org/attachment/posts/qubes-os-summit-2023.png)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/25/qubes-os-summit-2023/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8bdb30a5-93cb-fb09-5d60-d62005cf37e0%40qubes-os.org.


[qubes-users] XSAs released on 2023-08-08

2023-08-09 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-432](https://xenbits.xen.org/xsa/advisory-432.html): See 
[QSB-092](https://www.qubes-os.org/news/2023/08/08/qsb-092/) for details.
- [XSA-434](https://xenbits.xen.org/xsa/advisory-434.html): See 
[QSB-093](https://www.qubes-os.org/news/2023/08/09/qsb-093/) for details.
- [XSA-435](https://xenbits.xen.org/xsa/advisory-435.html): See 
[QSB-093](https://www.qubes-os.org/news/2023/08/09/qsb-093/) for details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/09/xsas-released-on-2023-08-08/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1977072f-92f4-40da-811e-953472551c73%40qubes-os.org.


[qubes-users] QSB-093: Transient execution vulnerabilities in AMD and Intel CPUs

2023-08-09 Thread Andrew David Wong
ome/user/.gnupg' created
   gpg: keybox '/home/user/.gnupg/pubring.kbx' created
   gpg: requesting key from 
'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
   gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
   gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
   gpg: Total number processed: 1
   gpg:   imported: 1
   ```

   (See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
for more ways to obtain the QMSK.)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "
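
The fingerprint comparison in step 3 of the procedure above can be scripted so that it fails closed. This is an added example, not part of the QSB or of any Qubes tool: the function names are hypothetical, both key listings are constructed in the `gpg --with-colons` layout, and the only value taken from the announcement is the QMSK fingerprint.

```shell
#!/bin/sh
# Added example: compare an imported key's primary fingerprint with copies
# recorded from independent sources (step 3 of the procedure above).

# Reduce a fingerprint to 40 uppercase hex digits; print nothing and fail
# if the input is not a full-length fingerprint.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F' | sed 's/^0[xX]//' |
        grep -E '^[0-9A-F]{40}$'
}

# Print the primary-key fingerprint(s) from `gpg --with-colons` output on
# stdin. Field 10 of the "fpr" record that follows a "pub" record is the
# primary fingerprint; "fpr" records after "sub" belong to subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Usage: gpg --with-colons --fingerprint KEYID | check_imported_key FPR [FPR...]
# Succeeds only if stdin holds exactly one primary key and every recorded
# fingerprint (one per independent source) equals that key's fingerprint.
check_imported_key() {
    [ "$#" -ge 1 ] || { echo "need at least one recorded fingerprint" >&2; return 2; }
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || {
        echo "expected exactly one primary key in the listing" >&2; return 1; }
    imported=$(normalize_fpr "$found") || {
        echo "malformed fpr record in the listing" >&2; return 1; }
    for recorded in "$@"; do
        expected=$(normalize_fpr "$recorded") || {
            echo "malformed recorded fingerprint: $recorded" >&2; return 1; }
        [ "$expected" = "$imported" ] || {
            echo "MISMATCH: imported $imported, recorded $expected" >&2; return 1; }
    done
    echo "OK: $imported matches $# recorded fingerprint(s)"
}

# Constructed listing for the key shown in the announcement.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scSC::::::23::0:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key::::::::::0:
EOF
}

# Constructed listing for a different key that carries the same user ID.
other_key_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1690000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1690000000::::Qubes Master Signing Key::::::::::0:
sub:-:4096:1:0011223344556677:1690000000::::::e::::::23:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:
EOF
}

# Demo: two recorded copies, written in different styles, both must match.
sample_listing | check_imported_key \
    "427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494" \
    "0x427F11FD0FAA4B080123F01CDDFA1A3E36879494"
```

The user ID string plays no part in the decision; only the full 40-digit fingerprint is compared, and a short or malformed recorded value is rejected rather than matched as a prefix.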

[qubes-users] Changing the way we use milestones in the issue tracker

2023-08-08 Thread Andrew David Wong
## Summary

Issues will no longer be assigned to milestones by default. Most issues won't 
have milestones. The Qubes developers will manually assign issues to 
milestones. We'll use labels like "affects-4.1" and "affects-4.2" to represent 
affected releases instead of milestones. The "Release TBD" and "Non-release" 
milestones are being phased out, as are milestones of the form "Release X.Y 
updates." Read on for a more detailed explanation.

## How milestones work right now

Currently, our milestone guidelines are as follows:

- Every issue should be assigned to *exactly one* milestone.
- For *bug reports*, the milestone designates the *earliest supported release* 
in which that bug is believed to exist.
- For *enhancements* and *tasks*, the milestone indicates that the goal is to 
implement or do that thing *in* or *for* that release.

For example, if you were to report a bug that affects both 4.1 and 4.2 right 
now, it would be assigned to the "Release 4.1 updates" milestone, because 4.1 
is the earliest supported release that the bug is believed to affect. As 
another example, if you were to open an enhancement issue right now, it would 
most likely be assigned to the "Release TBD" milestone, which means something 
like, "This enhancement, if it is ever implemented, will be implemented in some 
Qubes release or other, but it has not yet been determined which specific Qubes 
release that will be." If it were decided that this enhancement would be 
implemented for 4.2, for example, then the issue's milestone would be changed 
to "Release 4.2."

## Problems with the current system

Some people find our current use of milestones to be counterintuitive. For 
example, suppose that a bug is reported that affects both 4.1 and 4.2. The 
Qubes devs decide that it's not too serious, so it's okay just to fix it in 4.2 
and leave it be in 4.1. Some people have the intuition that the issue should be 
reassigned to the 4.2 milestone, since the devs just decided that's where it'll 
be fixed. However, under the current rules, that would be wrong, since the bug 
still affects 4.1, and 4.1 is the earliest affected supported release.

Similarly, suppose that someone reported a bug against 4.0, but it's one of 
those "we'll get around to fixing it someday, maybe" sort of bugs. Some people 
would be tempted to assign this issue to the "Release TBD" milestone on the 
grounds that the plan is to fix it at some yet-to-be-determined point in the 
distant future. However, this would again be wrong under the current rules, 
since the milestone for a bug report is supposed to represent the earliest 
supported release in which the bug is believed to exist, which is 4.0.

The current method also presents problems when it comes time to close old 
issues. As many of you have probably noticed, I recently closed a large number 
of issues that were on the "Release 4.0 updates" milestone, since 4.0 reached 
EOL over one year ago, and those issues had not seen any activity in over a 
year. The problem arises when an issue affects more than one release. For 
example, there were some issues that affected both 4.0 and 4.1. In accordance 
with our milestone rules, those issues were assigned to the 4.0 milestone. When 
it came time to bulk-close the old 4.0 issues, issues were closed even though 
they also affect 4.1, which is still supported. The fact that those issues also 
affect 4.1 wasn't represented in a label or milestone (just in a free-text 
comment), so I had no way to filter them out when performing the bulk close 
action.

Finally, each milestone has a progress indicator that shows the percentage of 
completed issues on that milestone, but this indicator isn't very useful when 
every issue that affects a given release gets assigned to that milestone, 
regardless of whether the devs actually plan to act on it. When every release 
ships with a partially-completed milestone, it becomes an unreliable indicator.

## Analyzing the nature of milestones

Let's step back for a moment and think about what milestones are and what 
purpose they're supposed to serve. An issue tracking system doesn't actually 
*have* to have milestones at all. They're an optional feature. All an issue 
tracking system really needs is a single type of "tag" functionality (what 
GitHub calls "labels"). You can re-create almost any other type of issue 
tracking functionality (including milestones) with just tags. From this 
perspective, GitHub's milestones are basically the same as labels, except for 
two distinctive features:

- Unlike labels, milestones are mutually exclusive. An issue can have an 
unlimited number of labels, but it can be assigned to at most one milestone.
- Unlike labels, milestones have progress indicators.

So, if we're going to use milestones, it makes sense to use them in a way that 
takes advantage of these distinctive features.

## How we plan to use milestones going forward

Issues will no longer immediately be assigned to milestones. Inst

[qubes-users] QSB-092: Buffer overrun in Linux netback driver (XSA-432)

2023-08-08 Thread Andrew David Wong
import-and-authenticate-the-qubes-master-signing-key)
 for more ways to obtain the QMSK.)

2. View the fingerprint of the PGP key you just imported. (Note: `gpg>` 
indicates a prompt inside of the GnuPG program. Type what appears after it when 
prompted.)

   ```shell_session
   $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   gpg> fpr
   pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
    Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg:
   ```
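
The fingerprint comparison that step 3 of the procedure above calls for, as an added shell example that is not part of the original message or of the Qubes documentation: it reads the primary fingerprint from `gpg --with-colons` output and passes only when at least two separately recorded fingerprints all equal it. The function names and the sample colon listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Qubes project code): gate the "trust" step on a
# fingerprint comparison. Function names and SAMPLE_COLONS are constructed.

# Fingerprint exactly as printed by `gpg> fpr` in step 2.
QMSK_FPR='427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494'

# Constructed sample of `gpg --with-colons --fingerprint` output for one key.
# Only the record types and the position of the fingerprint (field 10 of the
# "fpr" record) matter for this example.
SAMPLE_COLONS='pub:-:4096:1:DDFA1A3E36879494:1270080000:::-:::scESC:
fpr:::::::::427F11FD0FAA4B080123F01CDDFA1A3E36879494:
uid:-::::1270080000::::Qubes Master Signing Key:'

# normalize_fpr STRING
# Strip whitespace and an optional 0x prefix, upper-case the hex digits, and
# print the result only if it is a full 40-digit fingerprint. A short key ID
# is rejected: it does not identify a key strongly enough to compare.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    case $f in 0x*|0X*) f=${f#??} ;; esac
    case $f in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# primary_fpr < colon-listing
# Print the fingerprint of the primary key. Fails when the listing holds zero
# keys or more than one, so an ambiguous lookup never yields a fingerprint.
primary_fpr() {
    awk -F: '
        $1 == "pub" { pubs++; want = 1; next }
        want && $1 == "fpr" { if (pubs == 1) fpr = $10; want = 0 }
        END { if (pubs == 1 && fpr != "") print fpr; else exit 1 }
    '
}

# check_sources KEY_FPR MIN_SOURCES RECORDED_FPR...
# Succeeds only if at least MIN_SOURCES recorded fingerprints were supplied
# and every one of them equals KEY_FPR after normalization.
check_sources() {
    key=$(normalize_fpr "$1") || { echo "malformed key fingerprint" >&2; return 2; }
    min=$2
    shift 2
    [ "$#" -ge "$min" ] || { echo "need $min sources, got $#" >&2; return 3; }
    for src in "$@"; do
        got=$(normalize_fpr "$src") || { echo "malformed source: $src" >&2; return 1; }
        [ "$got" = "$key" ] || { echo "MISMATCH: $src" >&2; return 1; }
    done
    return 0
}

# verify_imported KEYSPEC RECORDED_FPR...
# Look KEYSPEC up in the local keyring (needs gpg, so it is not run here) and
# compare it with fingerprints you collected yourself from separate channels.
verify_imported() {
    spec=$1
    shift
    fp=$(gpg --batch --with-colons --fingerprint -- "$spec" | primary_fpr) || {
        echo "no single key matches $spec" >&2
        return 2
    }
    check_sources "$fp" 2 "$@"
}
```

The recorded fingerprints passed to `verify_imported` must come from channels you checked yourself; copying them all from one place defeats the comparison.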

[qubes-users] Update for QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

2023-08-02 Thread Andrew David Wong

[qubes-users] XSAs released on 2023-08-01

2023-08-01 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-436](https://xenbits.xen.org/xsa/advisory-436.html)
  - This affects only ARM processors, which Qubes OS does not support.

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/08/01/xsas-released-on-2023-08-01/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d78c1ed3-28ce-6134-1ad9-074cdc1f477d%40qubes-os.org.


Re: [qubes-users] Disabling Hibernation universally

2023-07-29 Thread Andrew David Wong
On 7/29/23 8:48 AM, ales...@magenta.de wrote:
> I am still in the process of configuring Qubes (4.1.1). I am trying now to 
> disable Hibernation at all level of the system.
> 
> I couldn't find any reference of Hibernation in the official documentation or 
> the Wiki. Could someone describe the way to disable it universally?
> 

Xen does not support hibernation, so it is already "disabled" by default.



[qubes-users] QSB-091: Windows PV drivers potentially compromised

2023-07-27 Thread Andrew David Wong

[qubes-users] XSAs released on 2023-07-24

2023-07-24 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- [XSA-433](https://xenbits.xen.org/xsa/advisory-433.html)
  - See [QSB-090](https://www.qubes-os.org/news/2023/07/24/qsb-090/) for 
details.

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- (none)

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/07/24/xsas-released-on-2023-07-24/



[qubes-users] QSB-090: Zenbleed (CVE-2023-20593, XSA-433)

2023-07-24 Thread Andrew David Wong
and. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
 for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   
   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)
   
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
   
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:               imported: 16
   gpg:              unchanged: 
   ```

Re: [qubes-users] QubesIncoming folder in /tmp ??

2023-06-30 Thread Andrew David Wong
On 6/30/23 3:27 AM, haaber wrote:
> Hi I was wondering if it would not be preferable (at least in some VMs)
> to delocalise the QubesIncoming folder in /tmp to have it "cleaned up"
> regularly. It's a pain to do so manually. Is there a problem doing so? 
> What would be the cleanest way to do it? A symlink ??  thank you, Bernhard
> 

I thought there was already an open issue for this, but I couldn't find one, so 
I just opened this:

https://github.com/QubesOS/qubes-issues/issues/8307



Re: [qubes-users] split firefox & thunderbird credentials?

2023-06-23 Thread Andrew David Wong
On 6/22/23 7:38 AM, haaber wrote:
> I was wondering if the awesome split-ssh and split-gpg  family could be
> extended by a split-mozilla brother, that outsources passwords to vault
> without exposing them? The lack of such a feature obliges me *not* to
> save them within the two apps, which is a terrible pain, of course 
> 
> thanks in advance
> 

Rusty wrote this:

https://github.com/rustybird/qubes-app-split-browser

(Disclaimers: It's unofficial. I haven't tried it myself.)



Re: [qubes-users] Q4.1 xfce - "clicks in the void"

2023-06-06 Thread Andrew David Wong
On 6/5/23 3:39 AM, haaber wrote:
> I often experience clicks that get lost "in the void" meaning that the
> actual xfce window does not seem to receive them.
> 
> Typical example: I use firefox, and a noscript pop-up ("load
> anonymously") with a button to click on: but I can't. What helps then,
> is changing the virtual screen (go away) and coming back: after this, 
> the click arrives again at the destination window. Very annoying!
> 
> Am I alone with this problem???  Best, Bernhard
> 

There's a longstanding bug where certain types of windows sometimes can't be 
clicked until focus is removed from that window, then given back again. I 
usually alt+tab to another window, then back to the original window to fix 
this. I'm not sure if you're experiencing the same thing, but it sounds 
similar. Also, I'm not sure if this is the right issue for what I'm describing, 
but it seems to fit:

https://github.com/QubesOS/qubes-issues/issues/3267



[qubes-users] Qubes OS 4.2.0-rc1 is available for testing

2023-06-02 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce that the first [release 
candidate](#what-is-a-release-candidate) for Qubes OS 4.2.0 is now available 
for [testing](https://www.qubes-os.org/doc/testing/). This [minor 
release](#what-is-a-minor-release) includes several new features and 
improvements over Qubes OS 4.1.0. Qubes 4.2.0-rc1 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.

## What's new in Qubes 4.2.0?

- Dom0 upgraded to Fedora 37
- Xen updated to version 4.17
- SELinux support in Fedora templates
- Several GUI applications rewritten, including:
  - Applications Menu
  - Qubes Global Settings
  - Create New Qube
  - Qubes Update
- Unified `grub.cfg` location for both UEFI and legacy boot
- PipeWire support
- fwupd integration for firmware updates
- Optional automatic clipboard clearing
- Official packages built using Qubes Builder v2

Please see the [Qubes OS 4.2.0 release 
notes](https://www.qubes-os.org/doc/releases/4.2/release-notes/) for details.

## Reminder: new signing key for Qubes OS 4.2

As a reminder, we published the following special announcement in [Qubes Canary 
032](https://www.qubes-os.org/news/2022/09/14/canary-032/) on 2022-09-14:

> We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, 
> we have only one RSK for each major release. However, for the 4.2 release, we 
> will be using Qubes Builder version 2, which is a complete rewrite of the 
> Qubes Builder. Out of an abundance of caution, we would like to isolate the 
> build processes of the current stable 4.1 release and the upcoming 4.2 
> release from each other at the cryptographic level in order to minimize the 
> risk of a vulnerability in one affecting the other. We are including this 
> notice as a canary special announcement since introducing a new RSK for a 
> minor release is an exception to our usual RSK management policy.

As always, we encourage you to 
[authenticate](https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate)
this canary by [verifying its PGP 
signatures](https://www.qubes-os.org/security/verifying-signatures/). Specific 
instructions are also included in the [canary 
announcement](https://www.qubes-os.org/news/2022/09/14/canary-032/).

As with all Qubes signing keys, we also encourage you to 
[authenticate](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys)
the new Qubes OS Release 4.2 Signing Key, which is available in the [Qubes 
Security Pack (qubes-secpack)](https://www.qubes-os.org/security/pack/) as well 
as on the [downloads](https://www.qubes-os.org/downloads/) page under the Qubes 
OS 4.2.0-rc1 ISO.

## Testing Qubes 4.2.0-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this release 
candidate, you can help us improve the eventual stable release by [reporting 
any bugs you encounter](https://www.qubes-os.org/doc/issue-tracking/). We 
encourage experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190).

A full list of known bugs in Qubes 4.2.0 is available 
[here](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.2%22+label%3A%22T%3A+bug%22).
We strongly recommend [updating Qubes 
OS](https://www.qubes-os.org/doc/how-to-update/) immediately after installation 
in order to apply all available bug fixes.

## Upgrading to Qubes 4.2.0-rc1

It is not yet possible to perform an in-place upgrade from Qubes 4.1 to Qubes 
4.2. For this initial release candidate, a clean installation is required. An 
in-place upgrade tool is in development.

## When is the stable release?

That depends on the number of bugs discovered in this release candidate and 
their severity. As explained in our [release 
schedule](https://www.qubes-os.org/doc/version-scheme/#release-schedule) 
documentation, our usual process after issuing a new release candidate is to 
collect bug reports, triage the bugs, and fix them. This usually takes around 
five weeks, depending on the bugs discovered. If warranted, we then issue a new 
release candidate that includes the fixes and repeat the whole process again. 
We continue this iterative procedure until we're left with a release candidate 
that's good enough to be declared the stable release. No one can predict, at 
the outset, how many iterations will be required (and hence how many release 
candidates will be needed before a stable release), but we tend to get a 
clearer picture of this with each successive release candidate, which we'll 
share in this section in future release candidate announcements.

In the case of Qubes 4.2.0 specifically, we already know that there will be a 
second release candidate (in order to test the in-place upgrade procedure, if 
nothing else). As mentioned above, we expect to announce that second release 
candidate in approximately five weeks. The results of that second release 
candidate will determine whe

[qubes-users] Qubes Canary 035

2023-05-22 Thread Andrew David Wong
0-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
   ```

3. *Important*: At this point, you still don't know whether the key you just 
imported is the genuine QMSK or a forgery. In order for this entire procedure 
to provide meaningful security benefits, you *must* authenticate the QMSK 
out-of-band. *Do not skip this step*! The standard method is to obtain the QMSK 
fingerprint from *multiple independent sources in several different ways* and 
check to see whether they match the key you just imported. See 
[here](https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key)
for more details and ideas for how to do that.

   *Tip*: Record the genuine QMSK fingerprint in a safe place (or several) so 
that you don't have to repeat this step in the future.

4. Once you are satisfied that you have the genuine QMSK, set its trust level 
to 5 ("ultimate"), then quit GnuPG with `q`.

   ```shell_session
   gpg> trust
   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: unknown   validity: unknown
   [ unknown] (1). Qubes Master Signing Key

   Please decide how far you trust this user to correctly verify other users' keys
   (by looking at passports, checking fingerprints from different sources, etc.)

     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu

   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y

   pub  rsa4096/DDFA1A3E36879494
        created: 2010-04-01  expires: never   usage: SC
        trust: ultimate  validity: unknown
   [ unknown] (1). Qubes Master Signing Key
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.

   gpg> q
   ```

5. Use Git to clone the qubes-secpack repo.

   ```shell_session
   $ git clone https://github.com/QubesOS/qubes-secpack.git
   Cloning into 'qubes-secpack'...
   remote: Enumerating objects: 4065, done.
   remote: Counting objects: 100% (1474/1474), done.
   remote: Compressing objects: 100% (742/742), done.
   remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
   Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public k

[qubes-users] XSAs released on 2023-05-16

2023-05-16 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.

## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)

## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- [XSA-431](https://xenbits.xen.org/xsa/advisory-431.html)
  - Qubes OS 4.1 uses an unaffected version of Xen (4.14).

## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/05/16/xsas-released-on-2023-05-16/



Re: [qubes-users] Best practice VPN in Qubes

2023-05-13 Thread Andrew David Wong
On 5/13/23 7:33 AM, taran1s wrote:
> 
> 
> Demi Marie Obenour:
>> On Sat, May 13, 2023 at 10:57:00AM +, Qubes OS Users Mailing List wrote:
>>> Andrew David Wong:
>>>> On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
>>>>> If anon-whonix AppVM is set to use mullvad-VPN that is connected to 
>>>>> sys-whonix it doesn't connect to internet. If one uses Debian or Fedora 
>>>>> based AppVM and runs vanilla Firefox, it works like a breeze.
>>>>>
>>>>> Any ideas how to solve this?
>>>>>
>>>>
>>>> I think that's by design. Whonix does that to protect you from 
>>>> accidentally compromising your own privacy.
>>
> 
> The answer below was meant for you, David. I misidentified Patrick as the 
> author of the answer.
> 

You can call me "Andrew." "David" is my middle name. :)

>>
>>> Thank you for the answer Patrick. It is possible. The question is how does
>>> one use VPN over Tor in this case with Torbrowser that doesn't compromise
>>> the privacy (see the use case below please).
>>> The use case is to connect to a service like Twitter that is not Tor
>>> friendly from a static non-tor IP address (VPN), but at the same time hide
>>> my real IP address from the VPN provider by using Tor before I connect to
>>> the VPN.
>>
>>> Some services, like Twitter even if they have onion site keep forcing me to
>>> reset password periodically, reminding me that there is a suspicious
>>> behavior (just by connecting from Tor, not even posting anything) in an
>>> endless loop.
>>
>>> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
>>> for connection to that particular account only and nothing else, no other
>>> apps or even websites ever used in that anon-whonix-twitter AppVM.
>>
>>> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
>>> to work in the VPN over Tor scenario?
>>
>> I would use the onion service and deal with the Twitter-side brokenness.
> 

You should read this, then decide whether you still think this setup would be a 
good idea for you:

https://www.whonix.org/wiki/Tunnels/Introduction



Re: [qubes-users] Best practice VPN in Qubes

2023-05-12 Thread Andrew David Wong
On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
> If anon-whonix AppVM is set to use mullvad-VPN that is connected to 
> sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based 
> AppVM and runs vanilla Firefox, it works like a breeze.
> 
> Any ideas how to solve this?
> 

I think that's by design. Whonix does that to protect you from accidentally 
compromising your own privacy.



Re: [qubes-users] Re: QSB-089: Qrexec: Memory corruption in service request handling

2023-05-12 Thread Andrew David Wong
On 5/11/23 11:00 PM, Vít Šesták wrote:
> If the process is not reused, just an update without restarting anything is 
> enough, isn't it? (This wouldn't be the case if the process was forking 
> from a zygote.)

Marek has previously told me that only Xen and Kernel updates require a reboot. 
FWIW, `needs-restarting -r` also didn't detect anything requiring a restart.

> After the update, I got a shower of notifications “Failed to execute 
> qubes.WindowIconUdater (from  to dom0)”, probably for each 
> running domU qube. 

Same.

> But this looks like a temporary issue, as QRPc seems to 
> continue working, either for newly launched qubes and for qubes launched 
> before update.

I haven't noticed any unusual behavior either.



[qubes-users] Fedora 36 reaches EOL on 2023-05-16

2023-05-11 Thread Andrew David Wong
Dear Qubes Community,

The Fedora Project has 
[announced](https://lists.fedoraproject.org/archives/list/annou...@lists.fedoraproject.org/thread/4GXBZJSGQ2PEKIBM2APCTLXBS6IDKSOP/)
that Fedora 36 will reach EOL 
([end-of-life](https://fedoraproject.org/wiki/End_of_life)) on 2023-05-16. We 
strongly recommend that all users 
[upgrade](https://www.qubes-os.org/doc/templates/fedora/#upgrading) their 
Fedora templates and standalones to [Fedora 
37](https://www.qubes-os.org/news/2023/03/03/fedora-37-templates-available/) no 
later than 2023-05-16.

We provide fresh Fedora 37 template packages through the official Qubes 
repositories, which you can install in dom0 by following the standard 
[installation 
instructions](https://www.qubes-os.org/doc/templates/fedora/#installing). 
Alternatively, we also provide step-by-step instructions for [performing an 
in-place 
upgrade](https://www.qubes-os.org/doc/templates/fedora/in-place-upgrade/) of an 
existing Fedora template. After upgrading your templates, please remember to 
[switch all qubes that were using the old template to use the new 
one](https://www.qubes-os.org/doc/templates/#switching).

For a complete list of template releases that are supported for your specific 
Qubes release, see our [supported template 
releases](https://www.qubes-os.org/doc/supported-releases/#templates).

Please note that no user action is required regarding the OS version in dom0. 
For details, please see our [note on dom0 and 
EOL](https://www.qubes-os.org/doc/supported-releases/#note-on-dom0-and-eol).


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/05/11/fedora-36-reaches-eol-on-2023-05-16/



[qubes-users] QSB-089: Qrexec: Memory corruption in service request handling

2023-05-11 Thread Andrew David Wong
065/4065), 1.64 MiB | 2.53 MiB/s, done.
   Resolving deltas: 100% (1910/1910), done.
   ```

6. Import the included PGP keys. (See our [PGP key 
policies](https://www.qubes-os.org/security/pack/#pgp-key-policies) for 
important information about these keys.)

   ```shell_session
   $ gpg --import qubes-secpack/keys/*/*
   gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
   gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
   gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
   gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
   gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
   gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
   gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
   gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
   gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
   gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
   gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
   gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
   gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
   gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
   gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
   gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
   gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
   gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
   gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
   gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
   gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
   gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
   gpg: no valid OpenPGP data found.
   gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
   gpg: Total number processed: 17
   gpg:   imported: 16
   gpg:  unchanged: 1
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
   ```

7. Verify signed Git tags.

   ```shell_session
   $ cd qubes-secpack/
   $ git tag -v `git describe`
   object 266e14a6fae57c9a91362c9ac784d3a891f4d351
   type commit
   tag marmarek_sec_266e14a6
   tagger Marek Marczykowski-Górecki 1677757924 +0100
   
   Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
   gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   ```

   The exact output will differ, but the final line should always start with 
`gpg: Good signature from...` followed by an appropriate key. The `[full]` 
indicates full trust, which this key inherits in virtue of being validly signed 
by the QMSK.

8. Verify PGP signatures, e.g.:

   ```shell_session
   $ cd QSBs/
   $ gpg --verify qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
   gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   $ gpg --verify qsb-087-2022.txt.sig.simon qsb-087-2022.txt
   gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
   gpg:                using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
   gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
   $ cd ../canaries/
   $ gpg --verify canary-034-2023.txt.sig.marmarek canary-034-2023.txt
   gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
   gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
   gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
   $ gpg --verify canary-034-2023.txt.sig.simon canary-034-2023.txt
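
Steps 7 and 8 above depend on reading `Good signature ... [full]` by eye. The shell function below is an added example, not part of the original announcement or of any Qubes tooling; it makes the same accept/reject decision from GnuPG's machine-readable `--status-fd` lines. The names `check_status`, `SECPACK_SIGNERS` and `sample_*` are hypothetical, the allowlist holds the two fingerprints printed in the sessions above, and the sample status lines are constructed rather than captured.

```shell
#!/bin/sh
# Real use, inside a qubes-secpack checkout whose tag was verified (step 7):
#   gpg --status-fd 1 --verify canary-034-2023.txt.sig.simon canary-034-2023.txt \
#       2>/dev/null | check_status "$SECPACK_SIGNERS"

# Fingerprints of the two secpack signers as shown in the gpg output above.
SECPACK_SIGNERS="2D1771FE4D767EDC76B089FAD655A4F21830E06A EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490"

# check_status "FPR1 FPR2 ..." < status-lines
# Exit 0 only if there is exactly one VALIDSIG, its primary-key fingerprint is
# in the allowlist, key validity is full or ultimate (the "[full]" the text
# describes), and no failure keyword was emitted.
check_status() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            valid++
            # Field 12 is the primary-key fingerprint; fall back to the signing key.
            fpr = (NF >= 12) ? $12 : $3
            if (!(fpr in ok)) stranger = 1
        }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { failed = 1 }
        END { exit !(valid == 1 && !stranger && trusted && !failed) }
    '
}

# --- Constructed status output for the four cases worth distinguishing ---

# Good signature, allowed signer, key certified via the QMSK.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
[GNUPG:] VALIDSIG 2D1771FE4D767EDC76B089FAD655A4F21830E06A 2023-03-02 1677757908 0 4 0 1 10 00 2D1771FE4D767EDC76B089FAD655A4F21830E06A
[GNUPG:] TRUST_FULLY 0 pgp
EOF
}

# Same signature, but the QMSK was never authenticated and trusted (steps 3-4
# skipped): gpg still says "Good signature", only the validity differs.
sample_unvalidated() {
    sample_good | sed 's/TRUST_FULLY/TRUST_UNDEFINED/'
}

# Fully valid signature from a key that is not a secpack signer
# (fingerprint below is a constructed placeholder).
sample_other_signer() {
    sample_good | sed 's/2D1771FE4D767EDC76B089FAD655A4F21830E06A/0123456789ABCDEF0123456789ABCDEF01234567/g'
}

# File content does not match the signature.
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG D655A4F21830E06A Marek Marczykowski-Górecki (Qubes security pack)
EOF
}

for s in sample_good sample_unvalidated sample_other_signer sample_bad; do
    if "$s" | check_status "$SECPACK_SIGNERS"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

Only `sample_good` is accepted; `sample_unvalidated` is the case a check on the words "Good signature" alone would let through.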
 
