Qubes OS 4.3.0 has officially landed—and it looks awesome. Big step forward for privacy and security through isolation and compartmentalization.
Time to upgrade.
Qubes OS
Qubes OS 4.3.0 has been released!
We’re pleased to announce the stable release of Qubes OS 4.3.0! This minor release includes a host of new features, improvements, and bug fixes. ...
Release notes:
Qubes OS
Qubes OS 4.3 release notes
Major features and improvements since Qubes 4.2: Dom0 upgraded to Fedora 41 (#9402)., Xen upgraded to version 4.19 (#9420)., Default Fedora templat...
Main improvements (from the 4.3 release notes):
Core upgrades
• dom0 upgraded to Fedora 41
• Xen upgraded to 4.19
• Default templates upgraded: Fedora 42, Debian 13, Whonix 18 (with older minimum-supported versions enforced)
• Preloaded disposables for faster DisposableVM startup
• New Devices API (“self-identity oriented” device assignment)
• Qubes Windows Tools (QWT) reintroduced with improved features
UI/UX polish
• New device workflow built around the new Devices API, plus a dedicated Device Assignments page and a redesigned Devices widget
• New/improved flat icons across GUI tools
• Qube Manager cleanup (far-left icons removed)
• Application icons now show in VM Settings
• Option to add the Qubes video companion to the AppMenu
• Better AppMenu keyboard navigation
• Clearer updater wording/settings
• Centralized tray notifications
• Quick-launch root terminal or console terminal from the Domains widget
• Global Config improvements (deep-link to sections, plus a “Saving changes...” dialog)
GUI daemon/agent improvements
• Configurable GUI daemon background color (nice for dark themes)
• Audio daemon won’t connect to recording streams unless recording is explicitly enabled
• Legacy X11 app icons display properly
• Virtual pointing device labeled as absolute (not relative)
• Better global clipboard notifications, plus configurable clipboard size
• Better support for Windows qubes on systems using sys-gui*
Hardware support improvements
• Better support for Advanced Format (4K sector) drives
• Device assignments use full PCI paths instead of bus/slot/function
• Filter input devices with udev rules
• Fixes for graceful reboot on some buggy (U)EFI firmware
• Better Bluetooth + hot-pluggable audio support with dynamic AudioVM switching
Security features
• Templates can request custom kernel cmdline parameters (currently used for Kicksecure/Whonix user-sysmaint-split)
• VMs can specify boot modes intended only for AppVMs or templates
• GRUB2 from Fedora shipped with security patches + Bootloader Specification support
• SSL client cert + GPG key support for private template repositories
• Prevent unsafe third-party template installs via rpm/dnf
• Ability to prohibit start of specific qubes
• UUID support for qubes, including using UUIDs in policies
• “Custom persist” feature to reduce unwanted persistence
Anonymity improvements
• Whonix-Workstation qubes can’t open files/URLs/apps in non-Whonix disposables
• Prevent changing Whonix Workstation netvm to sys-firewall (or other clearnet netvms) to reduce IP leak risk
• kloak: keystroke-level online anonymization kernel
Performance optimizations
• Option to use volumes directly without snapshots
• Retire qubes-rpc-multiplexer and execute commands directly from C
• Cache “system info” for qrexec policy evaluation
• Minimal state qubes to reduce RAM usage for NetVM/USBVM
Updating & upgrading
• Always hide specific templates/standalones from update tools
• pacman hook to notify dom0 after successful manual Archlinux upgrades
• Improved 4.2→4.3 upgrade tool (including using lvmdevices instead of device filter)
New/improved experimental features
• Ansible support
• Qubes Air support
• qrexec protocol extension to send source info to destination
• Better GUIVM support (GUI/Admin split, auto-remove nomodeset when GPU attached)
• Initial steps toward Wayland session-only support in GUIVM (not full GUI agent/daemon Wayland yet)
Other quality-of-life
• Free-form notes on qubes (descriptions/reminders/etc.)
• Auto-clean QubesIncoming if empty
• vm-config.* features to pass external config into a qube
• Admin API to read/write the denied device-interface list
• New Devices API support for salt
Dropped/replaced
• Default screen locker switched from XScreenSaver to xfce4-screensaver
• “Create Qubes VM” retired in favor of “Create New Qube”
• Windows 7 support dropped from QWT
Overall, this feels like a more mature, refined release—better usability and device handling, real performance wins, and tighter guardrails where it matters.
#IKITAO #OPSEC #QubesOS
#IKITAO #Moxie #Sphynx #Cat