qubes-doc/user/common-tasks/updating-qubes-os.md
Andrew David Wong 78e9d77401
Add section on security updates
Also some minor language and syntax improvements
2021-06-14 21:46:52 -07:00

5.5 KiB

lang layout permalink ref title
en doc /doc/updating-qubes-os/ 200 Updating Qubes OS

Updating Qubes OS

This page is about updating your system while staying on the same supported version of Qubes OS. If you're instead looking to upgrade from your current version of Qubes OS to a newer version, see the Upgrade Guides.

Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)

Security updates

Security updates are an extremely important part of keeping your Qubes installation secure. When there is an important security issue, we will issue a Qubes Security Bulletin (QSB) via the Qubes Security Pack (qubes-secpack). It is very important to read each new QSB and follow any user instructions it contains. Most of the time, simply updating your system normally will be sufficient to obtain security updates. However, in some cases, special action may be required on your part, which will be explained in the QSB.

Routine updates

It is important to keep your Qubes OS system up-to-date to ensure you have the latest security updates, as well as the latest non-security enhancements and bug fixes.

Fully updating your Qubes OS system means updating:

You can accomplish this using the Qubes Update tool.

Qubes Update

By default, the Qubes Update tool will appear as an icon in the Notification Area when updates are available.

Qube Updates Available

However, you can also start the tool manually by selecting it in the Applications Menu under "System Tools." Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting "Enable updates for qubes without known available updates," then selecting all desired items from the list and clicking "Next."

Advanced users and developers: For the command-line equivalents of using the Qubes Update tool, see the Salt formulae update.qubes-dom0 and update.qubes-vm. For enabling testing repos, see Testing new releases and updates.

Upgrading to stay on a supported release

The above covers updating within a given operating system release. Eventually, however, most operating system releases will reach end-of-life (EOL), after which point they will no longer be supported. This applies to Qubes OS itself as well as operating systems used for TemplateVMs and StandaloneVMs, such as Fedora and Debian. It is very important to use only supported releases, since generally only supported releases receive security updates. This means that you must periodically upgrade to a newer release before your current release reaches EOL.

In the case of Qubes OS itself, we will always announce when a given Qubes OS release is approaching and has reached EOL, and we will provide instructions for upgrading to the next stable supported Qubes OS release. Again, you can always see the current support status for all Qubes OS releases here.

Periodic upgrades are also important for TemplateVMs and StandaloneVMs. For example, you might be using a Fedora TemplateVM. The Fedora Project is independent of the Qubes OS Project. They set their own schedule for when each Fedora release reaches EOL. You can always find out when an operating system reaches EOL from the upstream project that maintains it, but we also make EOL announcements and publish guides for official TemplateVM operating systems as a convenience to Qubes users. When this happens, you should make sure to follow the guide to upgrade to a supported version of that operating system (see the Fedora upgrade guides and the Debian upgrade guides).

The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which doesn't have to be upgraded.