How to update
This page is about updating your system while staying on the same supported version of Qubes OS. If you’re instead looking to upgrade from your current version of Qubes OS to a newer version, see the Upgrade Guides.
Security updates are an extremely important part of keeping your Qubes
installation secure. When there is an important security issue, we will issue a
Qubes Security Bulletin (QSB) via the Qubes Security
qubes-secpack). It is very important to read each new
QSB and follow any user instructions it contains. Most of the time, simply
updating your system normally will be sufficient to obtain
security updates. However, in some cases, special action may be required on
your part, which will be explained in the QSB.
It is important to keep your Qubes OS system up-to-date to ensure you have the latest security updates, as well as the latest non-security enhancements and bug fixes.
Fully updating your Qubes OS system means updating:
You can accomplish this using the Qubes Update tool.
By default, the Qubes Update tool will appear as an icon in the Notification Area when updates are available.
However, you can also start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
dnf update, and
apt updateis not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)
Advanced users may wish to perform updates via the command-line interface. The recommended way to do this is by applying the following two Salt states. Applying these two Salt states is the same as updating via the Qubes Update tool.
In your update qube, a terminal window opens that displays the progress of operations and output as it is logged. At the end of the process, logs are sent back to dom0. You answer any yes/no prompts in your dom0 terminal window.
Advanced users may also be interested in learning how to enable the testing repos.
Upgrading to avoid EOL
The above covers updating within a given operating system (OS) release. Eventually, however, most OS releases will reach end-of-life (EOL), after which point they will no longer be supported. This applies to Qubes OS itself as well as OSes used in templates (and standalones, if you have any).
It’s very important that you use only supported releases so that you continue to receive security updates. This means that you must periodically upgrade Qubes OS and your templates before they reach EOL. You can always see which versions of Qubes OS and select templates are supported on the Supported Versions page.
In the case of Qubes OS itself, we will make an announcement when a supported Qubes OS release is approaching EOL and another when it has actually reached EOL, and we will provide instructions for upgrading to the next stable supported Qubes OS release.
Periodic upgrades are also important for templates. For example, you might be using a Fedora template. The Fedora Project is independent of the Qubes OS Project. They set their own schedule for when each Fedora release reaches EOL. You can always find out when an OS reaches EOL from the upstream project that maintains it. We also pass along any EOL notices we receive for official template OSes as a convenience to Qubes users (see Supported Versions: Templates).
The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which doesn’t have to be upgraded.