Qubes 4.3 base compatibility #1373
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
6 times, most recently
from
5dfd030 to
3ecdfbb
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
2 times, most recently
from
cd02e0b to
8eeae1a
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
11 times, most recently
from
9d9303f to
e31a66b
Compare
Contributor
Author
|
This is now passing installation with a few hacks. It's only running into issues in the tests, but I haven't taken a look at those yet. |
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
e45451c to
66bceaa
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
66bceaa to
7fad531
Compare
This was referenced Oct 23, 2025
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
2 times, most recently
from
ffef033 to
31a1e00
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
fb4a50c to
501505c
Compare
Contributor
Author
|
The hanging CI jobs are due to the fact that these made mandatory by policy, but their names have changed. 
This is similar to https://github.com/freedomofpress/infrastructure/issues/6177 (internal). Once the new names / arguments are OK from the reviewer's standpoint, we can file a ticket with infra to fix these. |
3 tasks
Contributor
Author
|
The previous test was failing on the keyring. It should go away once I rebase on top of #1533. |
Contributor
Author
|
I'm rebasing and testing on 4.3 locally. I'll force-push once that's one. |
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
501505c to
de93d9c
Compare
Contributor
Author
|
I was running into issues with |
Launcher tests showed a warning about warnings that should use 'warning' instead of 'warn()'
When running "sdw-admin --apply" "run-prep-upgrade-scripts" in "sd-upgrade-templates.sls" and "sd-remove-unused-templates" as it fails with the message: stdout: Please specify prepare or remove This indicated that the 'args' parameter is not being properly recognized. I looked at the saltstack documentation for the cmd module and nothing indicates an 'args' parameters change. I've checked with changelogs as well comparing the version in Qubes 4.2 with the one in Qubes 4.3. Instead of investigating how to get "cmd.script" this simply uses another way to call the command as a temporary fix. For a more permanent solution we need to fix this in all different places and if we choose to go the 'cmd.run' route, we should place the script in some place other than '/srv/salt/'. Fixes #1499
Preloaded qubes do not need to be configured as they automatically get restarted when its template is changed and saved to disk. These preloaded sd-viewer qubes were getting included for configuration due to the inheritance of the 'sd-workstation' tag. Fruthermore, this attempt at configuration was causing issues as preloaded qubes would time-out when ordered to shut down (See #1475). The implementation choice was to include this fix in configure() rather than pre-filtering out preloaded qubes from the list of targets before passing them on to the 'configure()' function. This was due to the fact that the calling function should not need to be aware that preloaded qubes do not (and should not) have configurations applied to them. Fixes #1475
Presence of preloaded qubes was interfering with the expected test results [1]. For the most part, preloaded qubes are background elements, whose management can be largely ignore.
Build the correct RPM for the dom0 Fedora version in dom0. If building
on Qubes 4.3, it'll internall call 'build-rpm' with 'FEDORA_VERSION=41'.
This is implemented in a way that should work also for future Qubes
versions (assuming dom0 is still Fedora, of course).
Implementation takes advantage of '%{fedora}' RPM macro, made available
by the qubes-release package [1].
[1]: https://github.com/QubesOS/qubes-qubes-release/blob/26f2a3c/qubes-release.spec.in#L97
Upon test failure, from an error message, it's not possible to easily understand what VM failed: > assert not policy_exists(vm, "sd-log", "securedrop.Log") E AssertionError: assert not True E + where True = policy_exists(<qubesadmin.vm.QubesVM object at 0x77effbba0d10>, 'sd-log', 'securedrop.Log') In the future, this will be made more apparent with the use of pytest fixture, but for the time being, this is already an improvement, without modifying much of test code (out of scope for this PR).
Used in strategy matrix to ensure there is one single place where the Qubes version needs to be updated.
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
de93d9c to
575fc06
Compare
deeplow
added
4.2-openqa-pending
Contributor
Author
|
NOTE: while running locally on 4.2 I was sometimes running into test failures on |
This was referenced Jan 30, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Changes
Towards #1245. Base Qubes 4.3 compatibility. Opening so we can iterate on OpenQA.
NOTES:
Testing
Requirements:
Preparation:
debian-12-minimalin Qubes 4.3 has held broken Packages QubesOS/qubes-issues#10598 is in the stable repos, you need to enabledebian-12-minimal's testing repos:debian-12-minimaltemplate manuallydom0:qvm-run -u root debian-12-minimal xtermsudo apt update && sudo apt upgradesd-dev:poetry env use python3.13dom0:make clonemake devTesting:
make devsucceedsDeployment
Any special considerations for deployment? Consider both:
Checklist
If you have made changes to the provisioning logic
make test) pass indom0If you have added or removed files
MANIFEST.inandrpm-build/SPECS/securedrop-workstation-dom0-config.specIf documentation is required