Invisible Things Lab pushed out a point release of Qubes OS this week in the form of version 4.0.1
The update, which is effectively a convenient roll-up of the changes made since March 2018’s release of version 4.0, arrived on 9 January. It also includes template VM updates for Debian 9, Fedora 29 and Whonix 14.
If you’ve been a good Qubes user, and kept your version 4 up to date, then you need not apply. However, if you fancy dipping your toe into the compartmentalised waters of the system, then 4.0.1 is a good place to start.
As well as the VM updates, Invisible Things Lab’s Marek Marczykowski-Górecki also directed us to the truckload of changes made to Qubes itself since version 4, the most noticeable being around the GUI with a more responsive Qubes Manager, a tool to perform multiple template updates at once, the ability to switch multiple Qubes to a new template and, more prosaically, a disk-monitoring widget.
A swift look at GitHub shows that 4.0.1 also includes well over 250 bug fixes.
Qubes is a wonderfully compartmentalised operating system, dealing with the thorny issues of security via the use of virtual machines for pretty much every running application (if the user wants), meaning that everything is kept reassuringly isolated. A common GUI allows applications to be viewed on the same desktop, sharing the same screen and input devices. But everything is kept very much in its own box.
Even copying and pasting between the application domains requires the user to give explicit permission.
It has not, however, all been plain sailing in the Qubes world, and the underlying Xen Hypervisor has caused headaches with a steady trickle of bugs, including 2017’s host escape vulnerabilities, which had the potential to punch a hole through the compartmentalised landscape of the system.
The company hoped that version 4 would lower the attack surface of Xen by shifting to hardware-based virtualization (HVM) but those pesky Xen Security Advisories (XSA) have kept on dribbling in. Earlier versions of Qubes are having a harder time of it than version 4 and, with the clock very much ticking on extended support for 3.2.x, the appearance of 4.0.1 is as good as time as ever to kick off a migration. ®