qubes-doc/user/how-to-guides/how-to-update.md
Andrew David Wong 435f2f655e
Update "How to Update"
- Create new "Command-line interface" section
- Move warning about direct commands to new section
- Move info about qubesctl commands and testing repos to new section
- Revise "Upgrading" section
2021-06-20 22:27:43 -07:00

5.0 KiB

lang layout permalink redirect_from ref title
en doc /doc/how-to-update/
/doc/updating-qubes-os/
200 How to Update

This page is about updating your system while staying on the same supported version of Qubes OS. If you're instead looking to upgrade from your current version of Qubes OS to a newer version, see the Upgrade Guides.

Security updates

Security updates are an extremely important part of keeping your Qubes installation secure. When there is an important security issue, we will issue a Qubes Security Bulletin (QSB) via the Qubes Security Pack (qubes-secpack). It is very important to read each new QSB and follow any user instructions it contains. Most of the time, simply updating your system normally will be sufficient to obtain security updates. However, in some cases, special action may be required on your part, which will be explained in the QSB.

Routine updates

It is important to keep your Qubes OS system up-to-date to ensure you have the latest security updates, as well as the latest non-security enhancements and bug fixes.

Fully updating your Qubes OS system means updating:

You can accomplish this using the Qubes Update tool.

Qubes Update

By default, the Qubes Update tool will appear as an icon in the Notification Area when updates are available.

Qube Updates Available

However, you can also start the tool manually by selecting it in the Applications Menu under "System Tools." Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting "Enable updates for qubes without known available updates," then selecting all desired items from the list and clicking "Next."

Command-line interface

Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)

Advanced users may wish to perform updates via the command-line interface. The recommended way to do this is by using the command-line equivalents of the Qubes Update tool.

There are two Salt formulae and two corresponding qubesctl commands:

In addition, advanced user may be interested in learning how to enable the testing repos.

Upgrading to avoid EOL

The above covers updating within a given operating system (OS) release. Eventually, however, most OS releases will reach end-of-life (EOL), after which point they will no longer be supported. This applies to Qubes OS itself as well as OSes used in templates (and standalones, if you have any).

It's very important that you use only supported releases so that you continue to receive security updates. This means that you must periodically upgrade Qubes OS and your templates before they reach EOL. You can always see which versions of Qubes OS and select templates are supported on the Supported Versions page.

In the case of Qubes OS itself, we will make an announcement when a supported Qubes OS release is approaching EOL and another when it has actually reached EOL, and we will provide instructions for upgrading to the next stable supported Qubes OS release.

Periodic upgrades are also important for templates. For example, you might be using a Fedora template. The Fedora Project is independent of the Qubes OS Project. They set their own schedule for when each Fedora release reaches EOL. You can always find out when an OS reaches EOL from the upstream project that maintains it. We also pass along any EOL notices we receive for official template OSes as a convenience to Qubes users (see Supported Versions: Templates).

The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which doesn't have to be upgraded.