Qubes OS is a free and open-source, security-oriented operating system for
single-user desktop computing. Qubes OS leverages
-
+
Xen-based virtualization to allow for the creation and management of
isolated compartments called qubes.
diff --git a/introduction/issue-tracking.md b/introduction/issue-tracking.md
index 46c038fd..5326e698 100644
--- a/introduction/issue-tracking.md
+++ b/introduction/issue-tracking.md
@@ -41,7 +41,7 @@ Great! Thank you for taking the time and effort to help improve Qubes! To ensure
1. Carefully read our issue tracking [guidelines](#guidelines). If your issue would violate any of the guidelines, **stop**. Please do not submit it.
2. [Search through the existing issues](#search-tips), both open and closed, to see if your issue already exists. If it does, **stop**. [Do not open a duplicate.](/doc/issue-tracking/#new-issues-should-not-be-duplicates-of-existing-issues) Instead, comment on the existing issue.
3. Go [here](https://github.com/QubesOS/qubes-issues/issues/new/choose).
- 4. Select the [type](#type) of issue you want to open.
+ 4. Select the [type](#types) of issue you want to open.
5. Enter a descriptive title.
6. Do not delete the provided issue template. Fill out every applicable section.
7. Make sure to mention any relevant documentation and other issues you've already seen. We don't know what you've seen unless you tell us. If you don't list it, we'll assume you haven't seen it.
diff --git a/user/advanced-topics/config-files.md b/user/advanced-topics/config-files.md
index 3ffdfd55..37ee7c03 100644
--- a/user/advanced-topics/config-files.md
+++ b/user/advanced-topics/config-files.md
@@ -11,8 +11,7 @@ ref: 180
title: Config files
---
-Qubes-specific VM config files
-------------------------------
+## Qubes-specific VM config files
These files are placed in `/rw`, which survives a VM restart.
That way, they can be used to customize a single VM instead of all VMs based on the same template.
@@ -76,8 +75,7 @@ Note that scripts need to be executable (`chmod +x`) to be used.
Also, take a look at [bind-dirs](/doc/bind-dirs) for instructions on how to easily modify arbitrary system files in an app qube and have those changes persist.
-GUI and audio configuration in dom0
------------------------------------
+## GUI and audio configuration in dom0
The GUI configuration file `/etc/qubes/guid.conf` in one of a few not managed by `qubes-prefs` or the Qubes Manager tool.
Sample config (included in default installation):
diff --git a/user/advanced-topics/resize-disk-image.md b/user/advanced-topics/resize-disk-image.md
index b7805bd2..c06eaa1b 100644
--- a/user/advanced-topics/resize-disk-image.md
+++ b/user/advanced-topics/resize-disk-image.md
@@ -32,7 +32,8 @@ In most cases, the GUI tool Qube Settings (available for every qube from the Sta
-In case of standalone qubes and templates, just change the Disk Storage settings above.
+In case of standalone qubes and templates, just change the Disk Storage settings above. If the standalone fails to start, temporarily increase the `qrexec_timeout`, [as described here](https://github.com/QubesOS/qubes-issues/issues/9251#issuecomment-2121596415).
+
In case of template-based qubes, the private storage (the /home directory and user files) can be changed in the qube's own settings, but the system root image is [inherited from the template](/doc/getting-started/), and so it must be changed in the template settings.
If you are increasing the disk image size for Linux-based qubes installed from Qubes OS repositories in Qubes 4.0 or later, changing the settings above is all you need to do - in other cases, you may need to do more, according to instructions below.
See also the OS-specific follow-up instructions below.
diff --git a/user/advanced-topics/volume-backup-revert.md b/user/advanced-topics/volume-backup-revert.md
index 85bb4062..f06f1ca8 100644
--- a/user/advanced-topics/volume-backup-revert.md
+++ b/user/advanced-topics/volume-backup-revert.md
@@ -31,7 +31,7 @@ qvm-volume info vmname:private
The output of the above command will also display the "Available revisions
(for revert)" at the bottom. For a very large volume in a small pool,
-revisions_to_keep should probably be set to the minimum value of 1 to minimize
+revisions_to_keep should probably be set to the maximum value of 1 to minimize
the possibility of the pool being accidentally filled up by snapshots. For a
smaller volume for which you would like to have the future option of reverting,
revisions_to_keep should probably be set to at least 2. To set
diff --git a/user/downloading-installing-upgrading/installation-guide.md b/user/downloading-installing-upgrading/installation-guide.md
index 6e3a07d9..8623d185 100644
--- a/user/downloading-installing-upgrading/installation-guide.md
+++ b/user/downloading-installing-upgrading/installation-guide.md
@@ -43,7 +43,7 @@ Even on supported hardware, you must ensure that [IOMMU-based virtualization](ht
### Copying the ISO onto the installation medium
-Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. [Download](/downloads/) a Qubes ISO.
+Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. [Download](/downloads/) a Qubes ISO. If your Internet connection is unstable and the download is interrupted, you could resume the partial download with `wget --continue` in case you are currently using wget for downloading or use a download-manager with resume capability. Alternatively you can download installation ISO via BitTorrent that sometimes enables higher download speeds and more reliable downloads of large files.
diff --git a/user/hardware/system-requirements.md b/user/hardware/system-requirements.md
index 63aabd50..552da7a0 100644
--- a/user/hardware/system-requirements.md
+++ b/user/hardware/system-requirements.md
@@ -37,9 +37,9 @@ title: System requirements
- [Intel VT-x](https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29) with [EPT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation#Extended_Page_Tables)
- [Intel VT-d](https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-d)
- For security, we recommend processors that are recent enough to still be
- receiving microcode updates (see [below](#important-updates) for details).
+ receiving microcode updates (see [below](#important-notes) for details).
- AMD processors are not recommended due to inconsistent security support on
- client platforms (see [below](#important-updates) for details).
+ client platforms (see [below](#important-notes) for details).
- **Memory:** 16 GB RAM
diff --git a/user/how-to-guides/how-to-enter-fullscreen-mode.md b/user/how-to-guides/how-to-enter-fullscreen-mode.md
index 201d6d2e..2ff92990 100644
--- a/user/how-to-guides/how-to-enter-fullscreen-mode.md
+++ b/user/how-to-guides/how-to-enter-fullscreen-mode.md
@@ -11,20 +11,17 @@ ref: 205
title: How to enter fullscreen mode
---
-What is fullscreen mode?
--------------------------
+## What is fullscreen mode?
Normally, the Qubes GUI virtualization daemon restricts the VM from "owning" the full screen, ensuring that there are always clearly marked decorations drawn by the trusted Window Manager around each of the VMs window.
This allows the user to easily realize to which domain a specific window belongs.
See the [screenshots](/doc/QubesScreenshots/) page for examples.
-Why is fullscreen mode potentially dangerous?
-----------------------------------------------
+## Why is fullscreen mode potentially dangerous?
If one allowed one of the VMs to "own" the full screen, e.g. to show a movie on a full screen, it might not be possible for the user to know if the applications/VM really "released" the full screen, or if it has started emulating the whole desktop and is pretending to be the trusted Window Manager, drawing shapes on the screen that look e.g. like other windows, belonging to other domains (e.g. to trick the user into entering a secret passphrase into a window that looks like belonging to some trusted domain).
-Secure use of fullscreen mode
-------------------------------
+## Secure use of fullscreen mode
However, it is possible to deal with fullscreen mode in a secure way assuming there are mechanisms that can be used at any time to switch between windows or show the full desktop and that cannot be intercepted by the VM.
The simplest example is the use of Alt+Tab for switching between windows, which is a shortcut handled by dom0.
@@ -33,8 +30,7 @@ Other examples such mechanisms are the KDE "Present Windows" and "Desktop Grid"
Those effects are enabled by default in KDE once Compositing gets enabled in KDE (System Settings -\> Desktop -\> Enable Desktop Effects), which is recommended anyway.
By default, they are triggered by Ctrl-F8 and Ctrl-F9 key combinations, but can also be reassigned to other shortcuts.
-Enabling fullscreen mode for select VMs
-----------------------------------------
+## Enabling fullscreen mode for select VMs
You can always put a window into fullscreen mode in Xfce4 using the trusted window manager by right-clicking on a window's title bar and selecting "Fullscreen" or pressing `alt` + `f11`.
This functionality should still be considered safe, since a VM window still can't voluntarily enter fullscreen mode.
diff --git a/user/how-to-guides/how-to-update.md b/user/how-to-guides/how-to-update.md
index 2462bafb..8e865234 100644
--- a/user/how-to-guides/how-to-update.md
+++ b/user/how-to-guides/how-to-update.md
@@ -26,24 +26,26 @@ Security updates are an extremely important part of keeping your Qubes installat
By default, the **Qubes Update** tool will appear as an icon in the Notification Area when updates are available.
-[](/attachment/doc/r4.0-qube-updates-available.png)
+[](/attachment/doc/r4.2-qube-updates-available.png)
-However, you can also start the tool manually by selecting it in the Applications Menu under "Qubes Tools." Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting "Enable updates for qubes without known available updates," then selecting all desired items from the list and clicking "Next."
+However, you can also start the tool manually by selecting it in the Applications Menu under "Qubes Tools." Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting all desired items from the list and clicking "Update".
-By default, most qubes that are connected to the internet will periodically check for updates for their parent templates. If updates are available, you will receive a notification as described above. However, if you have any templates that do *not* have any online child qubes, you will *not* receive update notifications for them. Therefore, you should regularly update such templates manually instead.
+By default, most qubes that are connected to the internet will periodically check for updates for their parent templates. You can check the date of the last update check in the "last checked" column. If updates are available for any qube, you will receive a notification as described above, and in the "Updates available" column you will see "YES" for that qube(s). If the update check did not find any new updates, "NO" will appear in the column. Respectively, for qubes that are no longer supported, "OBSOLETE" will be displayed. However, if you have any templates that do *not* have any online child qubes, you will *not* receive update notifications for them. By default, after a week, if updates for a given qube have not been checked, the value in the "Updates available" column will be set to "MAYBE".
## Installing updates
The standard way to install updates is with the **Qubes Update** tool. (However, you can also perform the same action via the [command-line interface](#command-line-interface).)
-[](/attachment/doc/r4.0-software-update.png)
+[](/attachment/doc/r4.2-software-update.png)
-Simply follow the on-screen instructions, and the tool will download and install all available updates for you. Note that if you are downloading updates over Tor (`sys-whonix`), this can take a very long time, especially if there are a lot of updates available.
+You can easily decide which qubes to update by clicking on the checkbox in the column header. At startup, only the qubes for which updates are known are selected for updating, but clicking on the mentioned checkbox will also select all qubes with the "MAYBE" status. It is recommended to update all qubes with the statuses "YES" and "MAYBE".
+
+Then simply follow the on-screen instructions, and the tool will download and install all available updates for you. Note that if you are downloading updates over Tor (`sys-whonix`), this can take a very long time, especially if there are a lot of updates available.
## Restarting after updating
@@ -53,7 +55,7 @@ Certain updates require certain components to be restarted in order for the upda
- Dom0 should be restarted after all **Xen** and **kernel** updates.
- On Intel systems, dom0 should be restarted after all `microcode_ctl` updates.
- On AMD systems, dom0 should be restarted after all `linux-firmware` updates.
-- After updating a template, first shut down the template, then restart all running qubes based on that template.
+- After updating a template, first shut down the template, then restart all running qubes based on that template. The updater will try to do this for you automatically in the last step of updating. Remember to save all your data before restarting!
## AEM resealing after updating
@@ -63,15 +65,10 @@ If you use [Anti Evil Maid (AEM)](/doc/anti-evil-maid/), you'll have to "reseal"
-
Warning: Updating with direct commands such as
qubes-dom0-update,
dnf update, and
apt update is
not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the
Qubes Update tool or its command-line equivalents, as described below. (By contrast,
installing packages using direct package manager commands is fine.)
+
Warning: Updating with direct commands such as
dnf update, and
apt update is
not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the
Qubes Update tool or its command-line equivalents, as described below. (By contrast,
installing packages using direct package manager commands is fine.)
-Advanced users may wish to perform updates via the command-line interface. The recommended way to do this is by applying the following two Salt states. **Applying these two Salt states is the same as updating via the Qubes Update tool.**
-
- - [update.qubes-dom0](/doc/salt/#updatequbes-dom0)
- - [update.qubes-vm](/doc/salt/#updatequbes-vm)
-
-In your update qube, a terminal window opens that displays the progress of operations and output as it is logged. At the end of the process, logs are sent back to dom0. You answer any yes/no prompts in your dom0 terminal window.
+Advanced users may wish to perform updates via the command-line interface. To update templates and standalones non-interactively, use the command `qubes-vm-update`, and to update dom0, use `qubes-dom0-update`. If you want to perform an update with more advanced user-configurable options (e.g., custom pre- or post-update scripts, custom workarounds), see: [update.qubes-dom0](/doc/salt/#updatequbes-dom0) and [update.qubes-vm](/doc/salt/#updatequbes-vm).
Advanced users may also be interested in learning [how to enable the testing repos](/doc/testing/).
diff --git a/user/security-in-qubes/ctap-proxy.md b/user/security-in-qubes/ctap-proxy.md
index 92e127dc..4c858532 100644
--- a/user/security-in-qubes/ctap-proxy.md
+++ b/user/security-in-qubes/ctap-proxy.md
@@ -85,7 +85,7 @@ $ sudo qubes-dom0-update qubes-ctap-dom0
$ qvm-service --enable work qubes-ctap-proxy
```
-The above assumes a `work` qube in which you would like to enable ctap. Repeat the `qvm-service` command for all qubes that should have the proxy enabled. Alternatively, you can add `qubes-ctap-proxy` in VM settings -> Services in the Qube Manager of each qube you would like to enable the service.
+The above assumes a `work` qube in which you would like to enable ctap. Repeat the `qvm-service` command for all qubes that should have the client proxy enabled. Alternatively, you can add `qubes-ctap-proxy` in VM settings -> Services in the Qube Manager of each qube you would like to enable the service. Attempting to start the `qubes-ctap-proxy` service in the device-hosting qube (`sys-usb`) will fail.
In Fedora templates: