Nostr Web Client

Qubes OS 4.3.0 has officially landed—and it looks awesome. Big step forward for privacy and security through isolation and compartmentalization.

Time to upgrade.

https://www.qubes-os.org/news/2025/12/21/qubes-os-4-3-0-has-been-released/

Release notes:

https://doc.qubes-os.org/en/latest/developer/releases/4_3/release-notes.html

Main improvements (from the 4.3 release notes):

Core upgrades

• dom0 upgraded to Fedora 41

• Xen upgraded to 4.19

• Default templates upgraded: Fedora 42, Debian 13, Whonix 18 (with older minimum-supported versions enforced)

• Preloaded disposables for faster DisposableVM startup

• New Devices API (“self-identity oriented” device assignment)

• Qubes Windows Tools (QWT) reintroduced with improved features

UI/UX polish

• New device workflow built around the new Devices API, plus a dedicated Device Assignments page and a redesigned Devices widget

• New/improved flat icons across GUI tools

• Qube Manager cleanup (far-left icons removed)

• Application icons now show in VM Settings

• Option to add the Qubes video companion to the AppMenu

• Better AppMenu keyboard navigation

• Clearer updater wording/settings

• Centralized tray notifications

• Quick-launch root terminal or console terminal from the Domains widget

• Global Config improvements (deep-link to sections, plus a “Saving changes...” dialog)

GUI daemon/agent improvements

• Configurable GUI daemon background color (nice for dark themes)

• Audio daemon won’t connect to recording streams unless recording is explicitly enabled

• Legacy X11 app icons display properly

• Virtual pointing device labeled as absolute (not relative)

• Better global clipboard notifications, plus configurable clipboard size

• Better support for Windows qubes on systems using sys-gui*

Hardware support improvements

• Better support for Advanced Format (4K sector) drives

• Device assignments use full PCI paths instead of bus/slot/function

• Filter input devices with udev rules

• Fixes for graceful reboot on some buggy (U)EFI firmware

• Better Bluetooth + hot-pluggable audio support with dynamic AudioVM switching

Security features

• Templates can request custom kernel cmdline parameters (currently used for Kicksecure/Whonix user-sysmaint-split)

• VMs can specify boot modes intended only for AppVMs or templates

• GRUB2 from Fedora shipped with security patches + Bootloader Specification support

• SSL client cert + GPG key support for private template repositories

• Prevent unsafe third-party template installs via rpm/dnf

• Ability to prohibit start of specific qubes

• UUID support for qubes, including using UUIDs in policies

• “Custom persist” feature to reduce unwanted persistence

Anonymity improvements

• Whonix-Workstation qubes can’t open files/URLs/apps in non-Whonix disposables

• Prevent changing Whonix Workstation netvm to sys-firewall (or other clearnet netvms) to reduce IP leak risk

• kloak: keystroke-level online anonymization kernel

Performance optimizations

• Option to use volumes directly without snapshots

• Retire qubes-rpc-multiplexer and execute commands directly from C

• Cache “system info” for qrexec policy evaluation

• Minimal state qubes to reduce RAM usage for NetVM/USBVM

Updating & upgrading

• Always hide specific templates/standalones from update tools

• pacman hook to notify dom0 after successful manual Archlinux upgrades

• Improved 4.2→4.3 upgrade tool (including using lvmdevices instead of device filter)

New/improved experimental features

• Ansible support

• Qubes Air support

• qrexec protocol extension to send source info to destination

• Better GUIVM support (GUI/Admin split, auto-remove nomodeset when GPU attached)

• Initial steps toward Wayland session-only support in GUIVM (not full GUI agent/daemon Wayland yet)

Other quality-of-life

• Free-form notes on qubes (descriptions/reminders/etc.)

• Auto-clean QubesIncoming if empty

• vm-config.* features to pass external config into a qube

• Admin API to read/write the denied device-interface list

• New Devices API support for salt

Dropped/replaced

• Default screen locker switched from XScreenSaver to xfce4-screensaver

• “Create Qubes VM” retired in favor of “Create New Qube”

• Windows 7 support dropped from QWT

Overall, this feels like a more mature, refined release—better usability and device handling, real performance wins, and tighter guardrails where it matters.

#IKITAO #OPSEC #QubesOS

Reply to this note

Please Login to reply.

Discussion

MoneRogue 1w ago

GOATed OS

crany 👽🧡🗿 1w ago

since it has a Fedora 41 dom0, any idea if a Virtualbox install can run MacOS as a VM?

https://www.virtualbox.org/wiki/Linux_Downloads

Vyram Kraven 1w ago

Does Qube work on ARMS tablets?

Ava 1w ago

No, but this post should help.

nostr:nevent1qqsgm5hq2573ftuqsr9ld5e5y6sfsh922ja2emjs7s4lhh5k88s00rcprdmhxue69uhhyetvv9ujumn0wd68yurvv438xtnrdakj7q3qf6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4ksxpqqqqqqzlvsdjc

Vyram Kraven 1w ago

Dang guess i'll have to put fedora or mint on this tablet.