diff --git a/.gitignore b/.gitignore index 981b550..05d4ccc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,2 @@ /snapd_2.71.no-vendor.tar.xz /snapd_2.71.only-vendor.tar.xz -/snapd_2.72.no-vendor.tar.xz -/snapd_2.72.only-vendor.tar.xz diff --git a/snapd.spec b/snapd.spec index 073ba90..ab66e69 100644 --- a/snapd.spec +++ b/snapd.spec @@ -55,11 +55,6 @@ %global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target %global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket -# Note that packaging for Fedora does omit cap_setgid and cap_setuid that are -# only required to use snapd in user namespaces when the host system uses -# cgroup-v1 hierarchy. Since no actively supported Fedora release uses cgroup -# v1, those capabilities are omitted. -%global snap_confine_caps cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p # Until we have a way to add more extldflags to gobuild macro... # Always use external linking when building static binaries. %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -88,8 +83,8 @@ %{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} Name: snapd -Version: 2.72 -Release: 1%{?dist} +Version: 2.71 +Release: 0%{?dist} Summary: A transactional software package manager License: GPL-3.0-only URL: https://%{provider_prefix} @@ -485,7 +480,7 @@ providing packages with %{import_path} prefix. %if ! 0%{?with_bundled} %setup -q # Ensure there's no bundled stuff accidentally leaking in... -rm -rf vendor c-vendor +rm -rf vendor %else # Extract each tarball properly %setup -q -D -b 1 
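Review bot: In the unbundled `%prep` branch (hunk `@@ -485,7 +480,7 @@`), the cleanup now removes only `vendor`, while the comment above it still promises that no bundled code leaks in. If the 2.71 no-vendor tarball carries a `c-vendor` directory, that C code stays in the build tree and could be compiled in without being declared as bundled. Keeping `rm -rf vendor c-vendor` is harmless when the directory is absent and preserves the guarantee. The `%prep` section continues outside the hunk.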
@@ -509,28 +504,10 @@ export GOPATH=$(pwd):%{gopath} # FIXME: move spec file really to a go.mod world instead of this hack rm -f go.mod export GO111MODULE=off -# Ensure we do not pass -mod=foo argument to go, as we disable modules and go -# does not allow us to do both. -sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk +sed -e 's/-mod=readonly//g' packaging/snapd2.mk # Generate version files -cat <snapdtool/version_generated.go -package snapdtool - -func init() { - Version = "%{version}-%{release}" -} -EOF - -cat <cmd/VERSION -%{version}-%{release} -EOF - -cat <data/info -VERSION=%{version}-%{release} -SNAPD_APPARMOR_REEXEC=0 -SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}' -EOF +./mkversion.sh "%{version}-%{release}" %if ! 0%{?with_bundled} # We don't need the snapcore fork for bolt - it is just a fix on ppc @@ -889,9 +866,8 @@ make -C data -k check %doc cmd/snap-confine/PORTING %license COPYING %dir %{_libexecdir}/snapd -%caps(%{snap_confine_caps}) %{_libexecdir}/snapd/snap-confine +%caps(cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace=p) %{_libexecdir}/snapd/snap-confine %{_libexecdir}/snapd/snap-confine.caps -%{_libexecdir}/snapd/snap-confine.v2-only.caps %{_libexecdir}/snapd/snap-device-helper %{_libexecdir}/snapd/snap-discard-ns %{_libexecdir}/snapd/snap-gdb-shim 
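Review bot: As printed in hunk `@@ -509,28 +504,10 @@`, the `sed` call has neither `-i` nor an output redirect, so it would write the edited makefile to the build log and leave `packaging/snapd2.mk` unchanged. The removed line has the same shape, so this may be an artefact of how the page was rendered and is worth confirming against the spec. The new side also drops the `-mod=vendor` expression and the comment explaining why the flags are stripped, although `GO111MODULE=off` is still exported just above. I would keep a one-line comment such as `# GO111MODULE=off: go does not accept -mod=..., strip it from the makefile` and check that the 2.71 makefile passes no `-mod=vendor`.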
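Review bot: The `%caps(...)` entry for `snap-confine` in hunk `@@ -889,9 +866,8 @@` now carries the permitted capability set as an unexplained inline literal, because the `snap_confine_caps` macro and its comment are removed in hunk `@@ -55,11 +55,6 @@`. The seven capabilities are the same ones the macro listed, so the granted privilege is unchanged. What is lost is the reason `cap_setuid` and `cap_setgid` are left out, on a binary that holds `cap_sys_admin`. I would add a comment above the line, for example `# cap_setuid/cap_setgid omitted: only needed for user namespaces on cgroup v1 hosts`. The list presumably has to stay in step with the `snap-confine.caps` file shipped next to it, which is worth checking against the 2.71 tree.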
@@ -991,117 +967,6 @@ if [ $1 -eq 0 ]; then fi %changelog -* Thu Nov 13 2025 Ernest Lotter -- New upstream release 2.72 - - FDE: support replacing TPM protected keys at runtime via the - /v2/system-volumes endpoint - - FDE: support secboot preinstall check fix actions for 25.10+ - hybrid installs via the /v2/system/{label} endpoint - - FDE: tweak polkit message to remove jargon - - FDE: ensure proper sealing with kernel command line defaults - - FDE: provide generic reseal function - - FDE: support using OPTEE for protecting keys, as an alternative to - existing fde-setup hooks (Ubuntu Core only) - - Confdb: 'snapctl get --view' supports passing default values - - Confdb: content sub-rules in confdb-schemas inherit their parent - rule's "access" - - Confdb: make confdb error kinds used in API more generic - - Confdb: fully support lists and indexed paths (including unset) - - Prompting: add notice backend for prompting types (unused for now) - - Prompting: include request cgroup in prompt - - Prompting: handle unsupported xattrs - - Prompting: add permission mapping for the camera interface - - Notices: read notices from state without state lock - - Notices: add methods to get notice fields and create, reoccur, and - deepcopy notice - - Notices: add notice manager to coordinate separate notice backends - - Notices: support draining notices from state when notice backend - registered as producer of a particular notice type - - Notices: query notice manager from daemon instead of querying - state for notices directly - - Packaging: Ubuntu | ignore .git directory - - Packaging: FIPS | bump deb Go FIPS to 1.23 - - Packaging: snap | bump FIPS toolchain to 1.23 - - Packaging: debian | sync most upstream changes - - Packaging: debian-sid | depends on libcap2-bin for postint - - Packaging: Fedora | drop fakeroot - - Packaging: snap | modify snapd.mk to pass build tags when running - unit tests - - Packaging: snap | modify snapd.mk to pass nooptee build tag - - Packaging: 
modify Makefile.am to fix snap-confine install profile - with 'make hack' - - Packaging: modify Makefile.am to fix out-of-tree use of 'make - hack' - - LP: #2122054 Snap installation: skip snap icon download when - running in a cloud or using a proxy store - - Snap installation: add timeout to http client when downloading - snap icon - - Snap installation: use http(s) proxy for icon downloads - - LP: #2117558 snap-confine: fix error message with /root/snap not - accessible - - snap-confine: fix non-suid limitation by switching to root:root to - operate v1 freezer - - core-initrd: do not use writable-paths when not available - - core-initrd: remove debian folder - - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev - interface now with the more robust gpio-aggregator configfs kernel - interface - - Interfaces: gpio-chardev | exclusive snap connections, raise a - conflict when both gpio-chardev and gpio are connected - - Interfaces: gpio-chardev | fix gpio-aggregator module load order - - Interfaces: ros-snapd-support | grant access to /v2/changes - - Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs, - opengl-driver-libs, opengles-driver-libs | new interfaces to - support nvidia driver components - - Interfaces: microstack-support | allow DPDK (hugepage related - permissions) - - Interfaces: system-observe | allow reading additional files in - /proc, needed by node-exporter - - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key - and Kensington VeriMark DT Fingerprint Key to device list - - Interfaces: snap-interfaces-requests-control | allow shell API - control - - Interfaces: fwupd | allow access to Intel CVS sysfs - - Interfaces: hardware-observe | allow read access to Kernel - Samepage Merging (KSM) - - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP - - Interfaces: spi | relax sysfs permission rules to allow access to - SPI device node attributes - - Interfaces: content | introduce compatibility label - - 
LP: #2121238 Interfaces: do not expose Kerberos tickets for - classic snaps - - Interfaces: ssh-public-keys | allow ro access to public host keys - with ssh-key - - Interfaces: Modify AppArmor template to allow listing systemd - credentials and invoking systemd-creds - - Interfaces: modify AppArmor template with workarounds for Go 1.35 - cgroup aware GOMAXPROCS - - Interfaces: modify seccomp template to allow landlock_* - - Prevent snap hooks from running while relevant snaps are unlinked - - Make refreshes wait before unlinking snaps if running hooks can be - affected - - Fix systemd unit generation by moving "WantedBy=" from section - "unit" to "install" - - Add opt-in logging support for snap-update-ns - - Unhide 'snap help' sign and export-key under Development category - - LP: #2117121 Cleanly support socket activation for classic snap - - Add architecture to 'snap version' output - - Add 'snap debug api' option to disable authentication through - auth.json - - Show grade in notes for 'snap info --verbose' - - Fix preseeding failure due to scan-disk issue on RPi - - Support 'snap debug api' queries to user session agents - - LP: #2112626 Improve progress reporting for snap install/refresh - - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files - - Fix /v2/apps error for root user when user services are present - - LP: #2114704 Extend output to indicate when snap data snapshot was - created during remove - - Improve how we handle emmc volumes - - Improve handling of system-user extra assertions - -* Fri Oct 10 2025 Alejandro Sáez - 2.71-1 -- rebuild - * Fri Aug 22 2025 Ernest Lotter - New upstream release 2.71 - FDE: auto-repair when recovery key is used diff --git a/sources b/sources index 5ba5479..b2f48cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.72.no-vendor.tar.xz) = fb556bdb60877a2536cd8e53a7e137935ba27afb5b04efff06d8f858c47cec82a8f1df01fb621f644f0c2abe056a2b0612fabd70ae2d909b2e960692763b8bff
-SHA512 (snapd_2.72.only-vendor.tar.xz) = f80b5def82553c044027fbb208fc5d5f76633afe71a8210abc33b48b189fd9347fd1d04bc868c58dc5d0b7fe8c68f6e316edbb6d2a2e060f375a5cdc851c2278
+SHA512 (snapd_2.71.no-vendor.tar.xz) = 3cb250aff6ecf75236736e844da2cbb2a0275993a5da8f4dda3b25141719aea5d9db429191dada1c627b46687513d288f0a52c73d46004f8675bb2a38f1369a2
+SHA512 (snapd_2.71.only-vendor.tar.xz) = 413f73d163e6b15550c012f97e77cd754a1c631f290ddcc64526fd34ccf5e5e8f12242ccd3af56bf18633b7f635aa093f9f9645d3959d208708048c1f43d0b9b