diff --git a/.gitignore b/.gitignore index 981b550..6db0575 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,2 @@ -/snapd_2.71.no-vendor.tar.xz -/snapd_2.71.only-vendor.tar.xz -/snapd_2.72.no-vendor.tar.xz -/snapd_2.72.only-vendor.tar.xz +/snapd_2.70.no-vendor.tar.xz +/snapd_2.70.only-vendor.tar.xz diff --git a/snapd.spec b/snapd.spec index 073ba90..dd8f459 100644 --- a/snapd.spec +++ b/snapd.spec @@ -52,14 +52,9 @@ %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} -%global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target +%global snappy_svcs snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target %global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket -# Note that packaging for Fedora does omit cap_setgid and cap_setuid that are -# only required to use snapd in user namespaces when the host system uses -# cgroup-v1 hierarchy. Since no actively supported Fedora release uses cgroup -# v1, those capabilities are omitted. -%global snap_confine_caps cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p # Until we have a way to add more extldflags to gobuild macro... # Always use external linking when building static binaries. %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -88,7 +83,7 @@ %{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} Name: snapd -Version: 2.72 +Version: 2.70 Release: 1%{?dist} Summary: A transactional software package manager License: GPL-3.0-only @@ -164,7 +159,6 @@ BuildRequires: golang(gopkg.in/tomb.v2) BuildRequires: golang(gopkg.in/yaml.v2) BuildRequires: golang(gopkg.in/yaml.v3) %endif -BuildRequires: go-rpm-macros %description Snappy is a modern, cross-distribution, transactional package manager @@ -232,6 +226,7 @@ BuildArch: noarch %endif %if ! 0%{?with_bundled} +Requires: golang(go.etcd.io/bbolt) Requires: golang(github.com/bmatcuk/doublestar/v4) Requires: golang(github.com/coreos/go-systemd/activation) Requires: golang(github.com/godbus/dbus/v5) @@ -241,12 +236,9 @@ Requires: golang(github.com/jessevdk/go-flags) Requires: golang(github.com/juju/ratelimit) Requires: golang(github.com/kr/pretty) Requires: golang(github.com/kr/text) -Requires: golang(github.com/mattn/go-runewidth) Requires: golang(github.com/mvo5/goconfigparser) -Requires: golang(github.com/rivo/uniseg) Requires: golang(github.com/seccomp/libseccomp-golang) Requires: golang(github.com/snapcore/go-gettext) -Requires: golang(go.etcd.io/bbolt) Requires: golang(golang.org/x/crypto/openpgp/armor) Requires: golang(golang.org/x/crypto/openpgp/packet) Requires: golang(golang.org/x/crypto/sha3) @@ -263,6 +255,8 @@ Requires: golang(gopkg.in/yaml.v3) %else # These Provides are unversioned because the sources in # the bundled tarball are unversioned (they go by git commit) +# *sigh*... I hate golang... +Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(github.com/bmatcuk/doublestar/v4)) Provides: bundled(golang(github.com/coreos/go-systemd/activation)) Provides: bundled(golang(github.com/godbus/dbus/v5)) @@ -272,12 +266,9 @@ Provides: bundled(golang(github.com/jessevdk/go-flags)) Provides: bundled(golang(github.com/juju/ratelimit)) Provides: bundled(golang(github.com/kr/pretty)) Provides: bundled(golang(github.com/kr/text)) -Provides: bundled(golang(github.com/mattn/go-runewidth)) Provides: bundled(golang(github.com/mvo5/goconfigparser)) -Provides: bundled(golang(github.com/rivo/uniseg)) Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) Provides: bundled(golang(github.com/snapcore/go-gettext)) -Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(golang.org/x/crypto/openpgp/armor)) Provides: bundled(golang(golang.org/x/crypto/openpgp/packet)) Provides: bundled(golang(golang.org/x/crypto/sha3)) @@ -485,7 +476,7 @@ providing packages with %{import_path} prefix. %if ! 0%{?with_bundled} %setup -q # Ensure there's no bundled stuff accidentally leaking in... -rm -rf vendor c-vendor +rm -rf vendor/* %else # Extract each tarball properly %setup -q -D -b 1 @@ -509,95 +500,48 @@ export GOPATH=$(pwd):%{gopath} # FIXME: move spec file really to a go.mod world instead of this hack rm -f go.mod export GO111MODULE=off -# Ensure we do not pass -mod=foo argument to go, as we disable modules and go -# does not allow us to do both. -sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk # Generate version files -cat <snapdtool/version_generated.go -package snapdtool +./mkversion.sh "%{version}-%{release}" -func init() { - Version = "%{version}-%{release}" -} -EOF - -cat <cmd/VERSION -%{version}-%{release} -EOF - -cat <data/info -VERSION=%{version}-%{release} -SNAPD_APPARMOR_REEXEC=0 -SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}' -EOF +# see https://github.com/gofed/go-macros/blob/master/rpm/macros.d/macros.go-compilers-golang +BUILDTAGS= +%if 0%{?with_test_keys} +BUILDTAGS="withtestkeys nosecboot structuredlogging" +%else +BUILDTAGS="nosecboot" +%endif %if ! 0%{?with_bundled} # We don't need the snapcore fork for bolt - it is just a fix on ppc sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go %endif +# We have to build snapd first to prevent the build from +# building various things from the tree without additional +# set tags. +%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd +BUILDTAGS="${BUILDTAGS} nomanagers" +%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap +%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure +%gobuild -o bin/snapd-apparmor $GOFLAGS %{import_path}/cmd/snapd-apparmor + +# To ensure things work correctly with base snaps, +# snap-exec, snap-update-ns, and snapctl need to be built statically +( %if 0%{?rhel} >= 7 # since RH Developer tools 2018.4 (and later releases), # the go-toolset module is built with FIPS compliance that # defaults to using libcrypto.so which gets loaded at runtime via dlopen(), # disable that functionality for statically built binaries - EXTRA_TAGS="${EXTRA_TAGS} no_openssl" + BUILDTAGS="${BUILDTAGS} no_openssl" %endif + %gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec + %gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns + %gobuild_static -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl +) -# Generate snapd.defines.mk, this file is included by snapd.mk. It contains a -# number of variable definitions that are set based on their RPM equivalents. -# Since we can apply any conditional overrides here in the spec file we can -# maintain one consistent set of variables across the spec and makefile worlds. -cat >snapd.defines.mk <<__DEFINES__ -# This file is generated by Fedora's snapd.spec -# Directory variables. -prefix = %{_prefix} -bindir = %{_bindir} -sbindir = %{_sbindir} -libexecdir = %{_libexecdir} -mandir = %{_mandir} -datadir = %{_datadir} -localstatedir = %{_localstatedir} -sharedstatedir = %{_sharedstatedir} -unitdir = %{_unitdir} -builddir = %{_builddir} -# Build configuration -with_core_bits = 0 -with_alt_snap_mount_dir = 1 -with_apparmor = 1 -with_testkeys = %{with_test_keys} -with_vendor = %{with_bundled} -# follow what %%gobuild does -EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc -EXTRA_GO_LDFLAGS = -linkmode external -extldflags '%__global_ldflags' -EXTRA_GO_STATIC_LDFLAGS = -linkmode external -extldflags '%__global_ldflags -static' -EXTRA_GO_BUILD_TAGS = rpm_crashtraceback $EXTRA_TAGS -__DEFINES__ - -# Generate version files - -cat <snapdtool/version_generated.go -package snapdtool - -// generated by snapd.spec; do not edit - -func init() { - Version = "%{version}-%{release}" -} -EOF - -cat <cmd/VERSION -%{version}-%{release} -EOF - -# FIXME: We paste a fixed string but we should run some go code to generate the -# real value. We don't want to do that as that code needs to use host's -# libraries without talking to the proxy. -cat <data/info -SNAPD_APPARMOR_REEXEC=0 -SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}' -EOF +%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp ( %if 0%{?rhel} == 7 @@ -633,11 +577,6 @@ autoreconf --force --install --verbose %make_build %{!?with_valgrind:HAVE_VALGRIND=} popd -# Build snap, snapd and other tools -%make_build -f packaging/snapd2.mk \ - SNAPD_DEFINES_DIR=$PWD \ - all - # Build systemd units, dbus services, and env files pushd ./data make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" DATADIR="%{_datadir}" \ @@ -682,10 +621,25 @@ install -d -p %{buildroot}%{_datadir}/polkit-1/actions install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib install -d -p %{buildroot}%{_datadir}/selinux/packages +# Install snap and snapd +install -p -m 0755 bin/snap %{buildroot}%{_bindir} +install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd +install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd +install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd +install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd +install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd +install -p -m 0755 bin/snapd-apparmor %{buildroot}%{_libexecdir}/snapd +# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl +install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl +ln -sf %{_libexecdir}/snapd/snapctl %{buildroot}%{_bindir}/snapctl + # Install SELinux module install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages +# Install snap(8) man page +bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8 + # Install the "info" data file with snapd version install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info @@ -715,12 +669,6 @@ pushd ./data SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd" popd -# Install snap, snapd and tools -# auto-remove unnecessary files and service units -%make_install -f packaging/snapd2.mk \ - SNAPD_DEFINES_DIR=$PWD \ - install - %if 0%{?rhel} == 7 # Install kernel tweaks # See: https://access.redhat.com/articles/3128691 @@ -728,7 +676,14 @@ install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap. %endif # Remove snappy core specific units -rm -fv %{buildroot}%{_unitdir}/snapd.failure.service +rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service +rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.* +rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.* +rm -fv %{buildroot}%{_unitdir}/snapd.recovery-chooser-trigger.service + +# Remove snappy core specific scripts and binaries +rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh +rm %{buildroot}%{_libexecdir}/snapd/system-shutdown # Remove gpio-chardev ordering target rm -f %{buildroot}%{_unitdir}/snapd.gpio-chardev-setup.target @@ -782,14 +737,19 @@ sort -u -o devel.file-list devel.file-list %check for binary in snap-exec snap-update-ns snapctl; do - ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable' + ldd bin/$binary 2>&1 | grep 'not a dynamic executable' done # snapd tests %if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel} -%make_build -f packaging/snapd2.mk \ - SNAPD_DEFINES_DIR=$PWD \ - check +%if ! 0%{?with_bundled} +export GOPATH=%{buildroot}/%{gopath}:%{gopath} +%else +export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} +%endif +# FIXME: we are in the go.mod world now but without this things fall apart +export GO111MODULE=off +%gotest %{import_path}/... %endif # snap-confine tests (these always run!) @@ -812,6 +772,7 @@ make -C data -k check %{_libexecdir}/snapd/snapctl %{_libexecdir}/snapd/snapd %{_libexecdir}/snapd/snap-exec +%{_libexecdir}/snapd/snap-failure %{_libexecdir}/snapd/info %{_libexecdir}/snapd/snap-mgmt %{_libexecdir}/snapd/snapd-apparmor @@ -828,6 +789,8 @@ make -C data -k check %{_systemd_system_env_generator_dir}/snapd-env-generator %{_unitdir}/snapd.socket %{_unitdir}/snapd.service +%{_unitdir}/snapd.autoimport.service +%{_unitdir}/snapd.failure.service %{_unitdir}/snapd.seeded.service %{_unitdir}/snapd.apparmor.service %{_unitdir}/snapd.mounts.target @@ -866,19 +829,13 @@ make -C data -k check %dir %{_sharedstatedir}/snapd/mount %dir %{_sharedstatedir}/snapd/seccomp %dir %{_sharedstatedir}/snapd/seccomp/bpf -%ghost %{_sharedstatedir}/snapd/seccomp/bpf/global.bin %dir %{_sharedstatedir}/snapd/snaps %dir %{_sharedstatedir}/snapd/snap %ghost %dir %{_sharedstatedir}/snapd/snap/bin -%ghost %{_sharedstatedir}/snapd/state.json -%ghost %{_sharedstatedir}/snapd/system-key -%ghost %{_sharedstatedir}/snapd/snap/bin -%ghost %{_sharedstatedir}/snapd/snap/README %dir %{_localstatedir}/cache/snapd -%ghost %{_localstatedir}/cache/snapd/commands -%ghost %{_localstatedir}/cache/snapd/names -%ghost %{_localstatedir}/cache/snapd/sections %dir %{_localstatedir}/snap +%ghost %{_sharedstatedir}/snapd/state.json +%ghost %{_sharedstatedir}/snapd/snap/README # this is typically owned by zsh, but we do not want to explicitly require zsh %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions @@ -889,9 +846,8 @@ make -C data -k check %doc cmd/snap-confine/PORTING %license COPYING %dir %{_libexecdir}/snapd -%caps(%{snap_confine_caps}) %{_libexecdir}/snapd/snap-confine +%caps(cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace=p) %{_libexecdir}/snapd/snap-confine %{_libexecdir}/snapd/snap-confine.caps -%{_libexecdir}/snapd/snap-confine.v2-only.caps %{_libexecdir}/snapd/snap-device-helper %{_libexecdir}/snapd/snap-discard-ns %{_libexecdir}/snapd/snap-gdb-shim @@ -991,233 +947,6 @@ if [ $1 -eq 0 ]; then fi %changelog -* Thu Nov 13 2025 Ernest Lotter -- New upstream release 2.72 - - FDE: support replacing TPM protected keys at runtime via the - /v2/system-volumes endpoint - - FDE: support secboot preinstall check fix actions for 25.10+ - hybrid installs via the /v2/system/{label} endpoint - - FDE: tweak polkit message to remove jargon - - FDE: ensure proper sealing with kernel command line defaults - - FDE: provide generic reseal function - - FDE: support using OPTEE for protecting keys, as an alternative to - existing fde-setup hooks (Ubuntu Core only) - - Confdb: 'snapctl get --view' supports passing default values - - Confdb: content sub-rules in confdb-schemas inherit their parent - rule's "access" - - Confdb: make confdb error kinds used in API more generic - - Confdb: fully support lists and indexed paths (including unset) - - Prompting: add notice backend for prompting types (unused for now) - - Prompting: include request cgroup in prompt - - Prompting: handle unsupported xattrs - - Prompting: add permission mapping for the camera interface - - Notices: read notices from state without state lock - - Notices: add methods to get notice fields and create, reoccur, and - deepcopy notice - - Notices: add notice manager to coordinate separate notice backends - - Notices: support draining notices from state when notice backend - registered as producer of a particular notice type - - Notices: query notice manager from daemon instead of querying - state for notices directly - - Packaging: Ubuntu | ignore .git directory - - Packaging: FIPS | bump deb Go FIPS to 1.23 - - Packaging: snap | bump FIPS toolchain to 1.23 - - Packaging: debian | sync most upstream changes - - Packaging: debian-sid | depends on libcap2-bin for postint - - Packaging: Fedora | drop fakeroot - - Packaging: snap | modify snapd.mk to pass build tags when running - unit tests - - Packaging: snap | modify snapd.mk to pass nooptee build tag - - Packaging: modify Makefile.am to fix snap-confine install profile - with 'make hack' - - Packaging: modify Makefile.am to fix out-of-tree use of 'make - hack' - - LP: #2122054 Snap installation: skip snap icon download when - running in a cloud or using a proxy store - - Snap installation: add timeout to http client when downloading - snap icon - - Snap installation: use http(s) proxy for icon downloads - - LP: #2117558 snap-confine: fix error message with /root/snap not - accessible - - snap-confine: fix non-suid limitation by switching to root:root to - operate v1 freezer - - core-initrd: do not use writable-paths when not available - - core-initrd: remove debian folder - - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev - interface now with the more robust gpio-aggregator configfs kernel - interface - - Interfaces: gpio-chardev | exclusive snap connections, raise a - conflict when both gpio-chardev and gpio are connected - - Interfaces: gpio-chardev | fix gpio-aggregator module load order - - Interfaces: ros-snapd-support | grant access to /v2/changes - - Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs, - opengl-driver-libs, opengles-driver-libs | new interfaces to - support nvidia driver components - - Interfaces: microstack-support | allow DPDK (hugepage related - permissions) - - Interfaces: system-observe | allow reading additional files in - /proc, needed by node-exporter - - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key - and Kensington VeriMark DT Fingerprint Key to device list - - Interfaces: snap-interfaces-requests-control | allow shell API - control - - Interfaces: fwupd | allow access to Intel CVS sysfs - - Interfaces: hardware-observe | allow read access to Kernel - Samepage Merging (KSM) - - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP - - Interfaces: spi | relax sysfs permission rules to allow access to - SPI device node attributes - - Interfaces: content | introduce compatibility label - - LP: #2121238 Interfaces: do not expose Kerberos tickets for - classic snaps - - Interfaces: ssh-public-keys | allow ro access to public host keys - with ssh-key - - Interfaces: Modify AppArmor template to allow listing systemd - credentials and invoking systemd-creds - - Interfaces: modify AppArmor template with workarounds for Go 1.35 - cgroup aware GOMAXPROCS - - Interfaces: modify seccomp template to allow landlock_* - - Prevent snap hooks from running while relevant snaps are unlinked - - Make refreshes wait before unlinking snaps if running hooks can be - affected - - Fix systemd unit generation by moving "WantedBy=" from section - "unit" to "install" - - Add opt-in logging support for snap-update-ns - - Unhide 'snap help' sign and export-key under Development category - - LP: #2117121 Cleanly support socket activation for classic snap - - Add architecture to 'snap version' output - - Add 'snap debug api' option to disable authentication through - auth.json - - Show grade in notes for 'snap info --verbose' - - Fix preseeding failure due to scan-disk issue on RPi - - Support 'snap debug api' queries to user session agents - - LP: #2112626 Improve progress reporting for snap install/refresh - - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files - - Fix /v2/apps error for root user when user services are present - - LP: #2114704 Extend output to indicate when snap data snapshot was - created during remove - - Improve how we handle emmc volumes - - Improve handling of system-user extra assertions - -* Fri Oct 10 2025 Alejandro Sáez - 2.71-1 -- rebuild - -* Fri Aug 22 2025 Ernest Lotter -- New upstream release 2.71 - - FDE: auto-repair when recovery key is used - - FDE: revoke keys on shim update - - FDE: revoke old TPM keys when dbx has been updated - - FDE: do not reseal FDE hook keys every time - - FDE: store keys in the kernel keyring when installing from initrd - - FDE: allow disabled DMA on Core - - FDE: snap-bootstrap: do not check for partition in scan-disk on - CVM - - FDE: support secboot preinstall check for 25.10+ hybrid installs - via the /v2/system/{label} endpoint - - FDE: support generating recovery key at install time via the - /v2/systems/{label} endpoint - - FDE: update passphrase quality check at install time via the - /v2/systems/{label} endpoint - - FDE: support replacing recovery key at runtime via the new - /v2/system-volumes endpoint - - FDE: support checking recovery keys at runtime via the /v2/system- - volumes endpoint - - FDE: support enumerating keyslots at runtime via the /v2/system- - volumes endpoint - - FDE: support changing passphrase at runtime via the /v2/system- - volumes endpoint - - FDE: support passphrase quality check at runtime via the - /v2/system-volumes endpoint - - FDE: update secboot to revision 3e181c8edf0f - - Confdb: support lists and indexed paths on read and write - - Confdb: alias references must be wrapped in brackets - - Confdb: support indexed paths in confdb-schema assertion - - Confdb: make API errors consistent with options - - Confdb: fetch confdb-schema assertion on access - - Confdb: prevent --previous from being used in read-side hooks - - Components: fix snap command with multiple components - - Components: set revision of seed components to x1 - - Components: unmount extra kernel-modules components mounts - - AppArmor Prompting: add lifespan "session" for prompting rules - - AppArmor Prompting: support restoring prompts after snapd restart - - AppArmor Prompting: limit the extra information included in probed - AppArmor features and system key - - Notices: refactor notice state internals - - SELinux: look for restorecon/matchpathcon at all known locations - rather than current PATH - - SELinux: update policy to allow watching cgroups (for RAA), and - talking to user session agents (service mgmt/refresh) - - Refresh App Awareness: Fix unexpected inotify file descriptor - cleanup - - snap-confine: workaround for glibc fchmodat() fallback and handle - ENOSYS - - snap-confine: add support for host policy for limiting users able - to run snaps - - LP: #2114923 Reject system key mismatch advise when not yet seeded - - Use separate lanes for essential and non-essential snaps during - seeding and allow non-essential installs to retry - - Fix bug preventing remodel from core18 to core18 when snapd snap - is unchanged - - LP: #2112551 Make removal of last active revision of a snap equal - to snap remove - - LP: #2114779 Allow non-gpt in fallback mode to support RPi - - Switch from using systemd LogNamespace to manually controlled - journal quotas - - Change snap command trace logging to only log the command names - - Grant desktop-launch access to /v2/snaps - - Update code for creating the snap journal stream - - Switch from using core to snapd snap for snap debug connectivity - - LP: #2112544 Fix offline remodel case where we switched to a - channel without an actual refresh - - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed - tarball - - LP: #1952500 Fix snap command progress reporting - - LP: #1849346 Interfaces: kerberos-tickets | add new interface - - Interfaces: u2f | add support for Thetis Pro - - Interfaces: u2f | add OneSpan device and fix older device - - Interfaces: pipewire, audio-playback | support pipewire as system - daemon - - Interfaces: gpg-keys | allow access to GPG agent sockets - - Interfaces: usb-gadget | add new interface - - Interfaces: snap-fde-control, firmware-updater-support | add new - interfaces to support FDE - - Interfaces: timezone-control | extend to support timedatectl - varlink - - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and - procfs directories - - Interfaces: microstack-support | allow SR-IOV attachments - - Interfaces: modify AppArmor template to allow snaps to read their - own systemd credentials - - Interfaces: posix-mq | allow stat on /dev/mqueue - - LP: #2098780 Interfaces: log-observe | add capability - dac_read_search - - Interfaces: block-devices | allow access to ZFS pools and datasets - - LP: #2033883 Interfaces: block-devices | opt-in access to - individual partitions - - Interfaces: accel | add new interface to support accel kernel - subsystem - - Interfaces: shutdown | allow client to bind on its side of dbus - socket - - Interfaces: modify seccomp template to allow pwritev2 - - Interfaces: modify AppArmor template to allow reading - /proc/sys/fs/nr_open - - Packaging: drop snap.failure service for openSUSE - - Packaging: add SELinux support for openSUSE - - Packaging: disable optee when using nooptee build tag - - Packaging: add support for static PIE builds in snapd.mk, drop - pie.patch from openSUSE - - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04 - - Packaging: use snapd.mk for packaging on Fedora - - Packaging: exclude .git directory - - Packaging: fix DPKG_PARSECHANGELOG assignment - - Packaging: fix building on Fedora with dpkg installed - -* Fri Aug 15 2025 Maxwell G - 2.70-3 -- Rebuild for golang-1.25.0 - -* Fri Jul 25 2025 Fedora Release Engineering - 2.70-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - * Tue Jun 03 2025 Ernest Lotter - New upstream release 2.70 - FDE: Fix reseal with v1 hook key format @@ -1639,6 +1368,9 @@ fi * Tue Dec 03 2024 Orion Poplawski - Drop RestartMode from snapd.service on EL8 (rhbz#2315759) +* Tue Dec 3 2024 Zygmunt Krynicki +- Constrain dependency on xdelta to EPEL-9 + * Fri Nov 29 2024 Zygmunt Krynicki - Re-cherry pick fix for SELinux timedatex problem from upstream as it was not released in 2.66.1, sorry. diff --git a/sources b/sources index 5ba5479..cd873e5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (snapd_2.72.no-vendor.tar.xz) = fb556bdb60877a2536cd8e53a7e137935ba27afb5b04efff06d8f858c47cec82a8f1df01fb621f644f0c2abe056a2b0612fabd70ae2d909b2e960692763b8bff -SHA512 (snapd_2.72.only-vendor.tar.xz) = f80b5def82553c044027fbb208fc5d5f76633afe71a8210abc33b48b189fd9347fd1d04bc868c58dc5d0b7fe8c68f6e316edbb6d2a2e060f375a5cdc851c2278 +SHA512 (snapd_2.70.no-vendor.tar.xz) = f4864658793d2f6e11823b604c85cadc204a231e7efc5d9302d395c6afc7b500f389317cd3066a39a1d9f138aef5c8a0c2eff07dfb1c5b4473dfa5b489356689 +SHA512 (snapd_2.70.only-vendor.tar.xz) = b6e0309bc56a1573a3edea2e35b3feb313f8220633a64f11f6d0a5b155d39b1b3a2b058edc2d01aca0bf04f4515a17f9011cb49b5c7aa96a5a4610d0032cddcb