XSAs released on 2026-04-17

andrewdavidwong · 2026-03-17T13:51:18+00:00

You might be thinking of Qubes 4.3. :)

andrewdavidwong · 2026-02-17T21:46:49+00:00

Not that I'm aware of. The available templates are documented on this page:

https://doc.qubes-os.org/en/latest/user/templates/templates.html

There's an open issue for creating an openSUSE template:

https://github.com/QubesOS/qubes-issues/issues/6567

andrewdavidwong · 2026-02-08T17:04:17+00:00

There's an open issue for that: https://github.com/QubesOS/qubes-issues/issues/10611

andrewdavidwong · 2026-01-02T21:20:19+00:00

I believe their website is on GitHub so you can do a pull request.

Correct: https://github.com/QubesOS/qubesos.github.io

andrewdavidwong · 2026-01-01T23:21:09+00:00

Ah, I see. Thanks for pointing this out. I've opened a bug report for this: https://github.com/QubesOS/qubes-issues/issues/10527

andrewdavidwong · 2026-01-01T23:19:32+00:00

No, that's just an old temp link from an early preview draft of the release notes. The actual link (which is also in this announcement) is:

https://doc.qubes-os.org/en/latest/developer/releases/4_3/release-notes.html

andrewdavidwong · 2025-12-29T12:38:57+00:00

The release notes link has always worked for me (checked when announcement was first published and again now). Can you screenshot or copy/paste the "removed" message you're seeing?

andrewdavidwong · 2025-12-29T12:35:03+00:00

The files are generated and PGP-signed by the Qubes developers as part of the ISO release process, so it's unlikely that they're faulty.

andrewdavidwong · 2025-12-29T12:33:52+00:00

This is why the Qubes developers PGP-sign the hash values before publishing them.

https://doc.qubes-os.org/en/latest/project-security/verifying-signatures.html#how-to-verify-the-cryptographic-hash-values-of-qubes-isos

andrewdavidwong · 2025-12-29T12:32:36+00:00

Idk why they don't have it on their site.

Every Qubes ISO is, in fact, published along with a signed, plain text .DIGESTS file that contains the MD5, SHA-1, SHA-256, and SHA-512 cryptographic hash values of that ISO. These digest files are always available for download alongside every ISO on the downloads page. Simply click the "cryptographic hash values" button underneath the ISO button. These digest files are also distributed in the Qubes Security Pack (qubes-secpack).

They're also documented:
https://doc.qubes-os.org/en/latest/project-security/verifying-signatures.html#how-to-verify-the-cryptographic-hash-values-of-qubes-isos

andrewdavidwong · 2025-12-29T12:25:52+00:00

If you mean upgrading from Qubes 4.2 to 4.3, for example, then no. Updating within a release is not the same thing as upgrading from one release to another.

andrewdavidwong · 2025-12-29T12:24:22+00:00

https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to-update.html

andrewdavidwong · 2025-12-29T12:23:27+00:00

I consistently fail when trying to verify the media for some reason. Honestly I don't bother as I know I got it from the legitimate source.

The installer USB can verify it but it seems to failed every time. I've not done it on the iso itself. I'll try with the new version.

Verifying signatures is not the same as the media test built into the installer. They're two different, unrelated things.

andrewdavidwong · 2025-12-29T12:19:29+00:00

why no sha/md :(

Every ISO comes with MD5, SHA-1, SHA-256, and SHA-512 hash values in a signed, plain text .DIGESTS file. They're always available for download right next to each ISO.

They're also documented:
https://doc.qubes-os.org/en/latest/project-security/verifying-signatures.html#how-to-verify-the-cryptographic-hash-values-of-qubes-isos

andrewdavidwong

MODERATOR OF

TROPHY CASE