From 36bbcd2dff3c4ab5ccbcb7f8ebe9d35f8058f55f Mon Sep 17 00:00:00 2001 From: Zygmunt Krynicki Date: Mon, 1 Sep 2025 08:40:34 +0200 Subject: [PATCH 1/7] Update to snapd 2.71 One more hack was needed to let the package to build in the current form, without proper support for Go modules. I've filed an internal tracking ticket for the next release so that we re-do the package with new Go helpers, remove a lot of generated content that is instead generated at build time, and actually support Go modules for real. https://warthogs.atlassian.net/browse/SNAPDENG-35431 (not visible to the public, apologies, this helps only a limited audience). Signed-off-by: Zygmunt Krynicki --- .gitignore | 4 +- snapd.spec | 270 +++++++++++++++++++++++++++++++++++++++-------------- sources | 4 +- 3 files changed, 204 insertions(+), 74 deletions(-) diff --git a/.gitignore b/.gitignore index 6db0575..05d4ccc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -/snapd_2.70.no-vendor.tar.xz -/snapd_2.70.only-vendor.tar.xz +/snapd_2.71.no-vendor.tar.xz +/snapd_2.71.only-vendor.tar.xz diff --git a/snapd.spec b/snapd.spec index c34c5fe..ab66e69 100644 --- a/snapd.spec +++ b/snapd.spec @@ -52,7 +52,7 @@ %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} -%global snappy_svcs snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target +%global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target %global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket # Until we have a way to add more extldflags to gobuild macro... 
@@ -83,8 +83,8 @@ %{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} Name: snapd -Version: 2.70 -Release: 3%{?dist} +Version: 2.71 +Release: 0%{?dist} Summary: A transactional software package manager License: GPL-3.0-only URL: https://%{provider_prefix} @@ -159,6 +159,7 @@ BuildRequires: golang(gopkg.in/tomb.v2) BuildRequires: golang(gopkg.in/yaml.v2) BuildRequires: golang(gopkg.in/yaml.v3) %endif +BuildRequires: go-rpm-macros %description Snappy is a modern, cross-distribution, transactional package manager @@ -226,7 +227,6 @@ BuildArch: noarch %endif %if ! 0%{?with_bundled} -Requires: golang(go.etcd.io/bbolt) Requires: golang(github.com/bmatcuk/doublestar/v4) Requires: golang(github.com/coreos/go-systemd/activation) Requires: golang(github.com/godbus/dbus/v5) @@ -236,9 +236,12 @@ Requires: golang(github.com/jessevdk/go-flags) Requires: golang(github.com/juju/ratelimit) Requires: golang(github.com/kr/pretty) Requires: golang(github.com/kr/text) +Requires: golang(github.com/mattn/go-runewidth) Requires: golang(github.com/mvo5/goconfigparser) +Requires: golang(github.com/rivo/uniseg) Requires: golang(github.com/seccomp/libseccomp-golang) Requires: golang(github.com/snapcore/go-gettext) +Requires: golang(go.etcd.io/bbolt) Requires: golang(golang.org/x/crypto/openpgp/armor) Requires: golang(golang.org/x/crypto/openpgp/packet) Requires: golang(golang.org/x/crypto/sha3) @@ -255,8 +258,6 @@ Requires: golang(gopkg.in/yaml.v3) %else # These Provides are unversioned because the sources in # the bundled tarball are unversioned (they go by git commit) -# *sigh*... I hate golang... -Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(github.com/bmatcuk/doublestar/v4)) Provides: bundled(golang(github.com/coreos/go-systemd/activation)) Provides: bundled(golang(github.com/godbus/dbus/v5)) 
@@ -266,9 +267,12 @@ Provides: bundled(golang(github.com/jessevdk/go-flags)) Provides: bundled(golang(github.com/juju/ratelimit)) Provides: bundled(golang(github.com/kr/pretty)) Provides: bundled(golang(github.com/kr/text)) +Provides: bundled(golang(github.com/mattn/go-runewidth)) Provides: bundled(golang(github.com/mvo5/goconfigparser)) +Provides: bundled(golang(github.com/rivo/uniseg)) Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) Provides: bundled(golang(github.com/snapcore/go-gettext)) +Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(golang.org/x/crypto/openpgp/armor)) Provides: bundled(golang(golang.org/x/crypto/openpgp/packet)) Provides: bundled(golang(golang.org/x/crypto/sha3)) @@ -476,7 +480,7 @@ providing packages with %{import_path} prefix. %if ! 0%{?with_bundled} %setup -q # Ensure there's no bundled stuff accidentally leaking in... -rm -rf vendor/* +rm -rf vendor %else # Extract each tarball properly %setup -q -D -b 1 
@@ -500,48 +504,77 @@ export GOPATH=$(pwd):%{gopath} # FIXME: move spec file really to a go.mod world instead of this hack rm -f go.mod export GO111MODULE=off +sed -e 's/-mod=readonly//g' packaging/snapd2.mk # Generate version files ./mkversion.sh "%{version}-%{release}" -# see https://github.com/gofed/go-macros/blob/master/rpm/macros.d/macros.go-compilers-golang -BUILDTAGS= -%if 0%{?with_test_keys} -BUILDTAGS="withtestkeys nosecboot structuredlogging" -%else -BUILDTAGS="nosecboot" -%endif - %if ! 0%{?with_bundled} # We don't need the snapcore fork for bolt - it is just a fix on ppc sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go %endif -# We have to build snapd first to prevent the build from -# building various things from the tree without additional -# set tags. -%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd -BUILDTAGS="${BUILDTAGS} nomanagers" -%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap -%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure -%gobuild -o bin/snapd-apparmor $GOFLAGS %{import_path}/cmd/snapd-apparmor - -# To ensure things work correctly with base snaps, -# snap-exec, snap-update-ns, and snapctl need to be built statically -( %if 0%{?rhel} >= 7 # since RH Developer tools 2018.4 (and later releases), # the go-toolset module is built with FIPS compliance that # defaults to using libcrypto.so which gets loaded at runtime via dlopen(), # disable that functionality for statically built binaries - BUILDTAGS="${BUILDTAGS} no_openssl" + EXTRA_TAGS="${EXTRA_TAGS} no_openssl" %endif - %gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec - %gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns - %gobuild_static -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl -) -%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp +# Generate snapd.defines.mk, this file is included by snapd.mk. 
It contains a +# number of variable definitions that are set based on their RPM equivalents. +# Since we can apply any conditional overrides here in the spec file we can +# maintain one consistent set of variables across the spec and makefile worlds. +cat >snapd.defines.mk <<__DEFINES__ +# This file is generated by Fedora's snapd.spec +# Directory variables. +prefix = %{_prefix} +bindir = %{_bindir} +sbindir = %{_sbindir} +libexecdir = %{_libexecdir} +mandir = %{_mandir} +datadir = %{_datadir} +localstatedir = %{_localstatedir} +sharedstatedir = %{_sharedstatedir} +unitdir = %{_unitdir} +builddir = %{_builddir} +# Build configuration +with_core_bits = 0 +with_alt_snap_mount_dir = 1 +with_apparmor = 1 +with_testkeys = %{with_test_keys} +with_vendor = %{with_bundled} +# follow what %%gobuild does +EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc +EXTRA_GO_LDFLAGS = -linkmode external -extldflags '%__global_ldflags' +EXTRA_GO_STATIC_LDFLAGS = -linkmode external -extldflags '%__global_ldflags -static' +EXTRA_GO_BUILD_TAGS = rpm_crashtraceback $EXTRA_TAGS +__DEFINES__ + +# Generate version files + +cat <snapdtool/version_generated.go +package snapdtool + +// generated by snapd.spec; do not edit + +func init() { + Version = "%{version}-%{release}" +} +EOF + +cat <cmd/VERSION +%{version}-%{release} +EOF + +# FIXME: We paste a fixed string but we should run some go code to generate the +# real value. We don't want to do that as that code needs to use host's +# libraries without talking to the proxy. +cat <data/info +SNAPD_APPARMOR_REEXEC=0 +SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}' +EOF ( %if 0%{?rhel} == 7 
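Review bot: `sed -e 's/-mod=readonly//g' packaging/snapd2.mk`, the line added right after `export GO111MODULE=off`, has no `-i`, so it only prints the edited makefile to stdout and the file on disk is unchanged, unlike the `sed ... -i advisor/*.go` a few lines below; the second patch's copy of this hunk has the same problem. The defines heredoc also expands `%{with_test_keys}` and `%{with_bundled}` unconditionally while the rest of this hunk guards the same macro as `0%{?with_bundled}`, so an undefined bcond would leave the literal macro text in snapd.defines.mk — `with_testkeys = 0%{?with_test_keys}` and `with_vendor = 0%{?with_bundled}` would match the surrounding style. The comment "follow what %%gobuild does" oversells `EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc`: Fedora's `%gobuild` also passes `-buildmode pie`, so unless snapd2.mk adds that itself the dynamically linked snapd and snap binaries would lose PIE; worth confirming against the makefile. Finally, "# Generate version files" now appears twice — `./mkversion.sh` is still run and then `snapdtool/version_generated.go` and `cmd/VERSION` are written by hand — so one of the two steps is presumably redundant. The enclosing %build section continues outside the hunk.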
@@ -577,6 +610,11 @@ autoreconf --force --install --verbose %make_build %{!?with_valgrind:HAVE_VALGRIND=} popd +# Build snap, snapd and other tools +%make_build -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + all + # Build systemd units, dbus services, and env files pushd ./data make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" DATADIR="%{_datadir}" \ @@ -621,25 +659,10 @@ install -d -p %{buildroot}%{_datadir}/polkit-1/actions install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib install -d -p %{buildroot}%{_datadir}/selinux/packages -# Install snap and snapd -install -p -m 0755 bin/snap %{buildroot}%{_bindir} -install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snapd-apparmor %{buildroot}%{_libexecdir}/snapd -# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl -install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl -ln -sf %{_libexecdir}/snapd/snapctl %{buildroot}%{_bindir}/snapctl - # Install SELinux module install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages -# Install snap(8) man page -bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8 - # Install the "info" data file with snapd version install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info 
@@ -669,6 +692,12 @@ pushd ./data SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd" popd +# Install snap, snapd and tools +# auto-remove unnecessary files and service units +%make_install -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + install + %if 0%{?rhel} == 7 # Install kernel tweaks # See: https://access.redhat.com/articles/3128691 @@ -676,14 +705,7 @@ install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap. %endif # Remove snappy core specific units -rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service -rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.* -rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.* -rm -fv %{buildroot}%{_unitdir}/snapd.recovery-chooser-trigger.service - -# Remove snappy core specific scripts and binaries -rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh -rm %{buildroot}%{_libexecdir}/snapd/system-shutdown +rm -fv %{buildroot}%{_unitdir}/snapd.failure.service # Remove gpio-chardev ordering target rm -f %{buildroot}%{_unitdir}/snapd.gpio-chardev-setup.target @@ -737,19 +759,14 @@ sort -u -o devel.file-list devel.file-list %check for binary in snap-exec snap-update-ns snapctl; do - ldd bin/$binary 2>&1 | grep 'not a dynamic executable' + ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable' done # snapd tests %if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel} -%if ! 0%{?with_bundled} -export GOPATH=%{buildroot}/%{gopath}:%{gopath} -%else -export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} -%endif -# FIXME: we are in the go.mod world now but without this things fall apart -export GO111MODULE=off -%gotest %{import_path}/... +%make_build -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + check %endif # snap-confine tests (these always run!) 
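Review bot: The comment `# Remove snappy core specific units` no longer describes the line under it: all that remains is `rm -fv %{buildroot}%{_unitdir}/snapd.failure.service`, and that unit does not appear to be core-specific (the %files hunk in this commit drops it for Fedora outright). The `%make_install` step added just above is documented as "auto-remove unnecessary files and service units", so either this rm is redundant with the makefile's cleanup or the comment should say why it is still needed, e.g. `# snapd2.mk installs snapd.failure.service unconditionally; Fedora does not ship it` — which of the two holds is not visible without packaging/snapd2.mk. The %install section continues outside the hunk.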
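Review bot: `ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable'` now hard-codes where snapd2.mk drops its outputs, which is only right while `builddir = %{_builddir}` in the generated defines matches the makefile's output directory; a comment tying the two together would help, e.g. `# snapd2.mk builds into $(builddir), set to %%{_builddir} in snapd.defines.mk`. The 2.71 changelog in this same commit mentions static PIE support in snapd.mk; glibc's ldd reports a static-pie binary as "statically linked" rather than "not a dynamic executable", so if snapd2.mk builds snap-exec, snap-update-ns or snapctl that way this check would start failing for the wrong reason. Accepting both strings, `grep -E 'not a dynamic executable|statically linked'`, keeps the intent of the check (no dynamic loader involved at runtime) either way; the same applies to the second patch's copy of this hunk. The %check section continues outside the hunk.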
@@ -772,7 +789,6 @@ make -C data -k check %{_libexecdir}/snapd/snapctl %{_libexecdir}/snapd/snapd %{_libexecdir}/snapd/snap-exec -%{_libexecdir}/snapd/snap-failure %{_libexecdir}/snapd/info %{_libexecdir}/snapd/snap-mgmt %{_libexecdir}/snapd/snapd-apparmor @@ -789,8 +805,6 @@ make -C data -k check %{_systemd_system_env_generator_dir}/snapd-env-generator %{_unitdir}/snapd.socket %{_unitdir}/snapd.service -%{_unitdir}/snapd.autoimport.service -%{_unitdir}/snapd.failure.service %{_unitdir}/snapd.seeded.service %{_unitdir}/snapd.apparmor.service %{_unitdir}/snapd.mounts.target @@ -829,13 +843,19 @@ make -C data -k check %dir %{_sharedstatedir}/snapd/mount %dir %{_sharedstatedir}/snapd/seccomp %dir %{_sharedstatedir}/snapd/seccomp/bpf +%ghost %{_sharedstatedir}/snapd/seccomp/bpf/global.bin %dir %{_sharedstatedir}/snapd/snaps %dir %{_sharedstatedir}/snapd/snap %ghost %dir %{_sharedstatedir}/snapd/snap/bin -%dir %{_localstatedir}/cache/snapd -%dir %{_localstatedir}/snap %ghost %{_sharedstatedir}/snapd/state.json +%ghost %{_sharedstatedir}/snapd/system-key +%ghost %{_sharedstatedir}/snapd/snap/bin %ghost %{_sharedstatedir}/snapd/snap/README +%dir %{_localstatedir}/cache/snapd +%ghost %{_localstatedir}/cache/snapd/commands +%ghost %{_localstatedir}/cache/snapd/names +%ghost %{_localstatedir}/cache/snapd/sections +%dir %{_localstatedir}/snap # this is typically owned by zsh, but we do not want to explicitly require zsh %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions 
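Review bot: `%ghost %{_sharedstatedir}/snapd/snap/bin` duplicates the existing `%ghost %dir %{_sharedstatedir}/snapd/snap/bin` two lines above it, and the two entries disagree about whether the path is a directory; rpmbuild will report the path as listed twice. The new line should be dropped, and the same duplicate is in the second patch's copy of this hunk. The other additions (`system-key`, `seccomp/bpf/global.bin`, the three cache files) look consistent with runtime-created state that snapd owns, but that they are created by snapd rather than by the makefile's install step is inferred, not visible here. The %files section continues outside the hunk.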
@@ -947,6 +967,116 @@ if [ $1 -eq 0 ]; then fi %changelog +* Fri Aug 22 2025 Ernest Lotter +- New upstream release 2.71 + - FDE: auto-repair when recovery key is used + - FDE: revoke keys on shim update + - FDE: revoke old TPM keys when dbx has been updated + - FDE: do not reseal FDE hook keys every time + - FDE: store keys in the kernel keyring when installing from initrd + - FDE: allow disabled DMA on Core + - FDE: snap-bootstrap: do not check for partition in scan-disk on + CVM + - FDE: support secboot preinstall check for 25.10+ hybrid installs + via the /v2/system/{label} endpoint + - FDE: support generating recovery key at install time via the + /v2/systems/{label} endpoint + - FDE: update passphrase quality check at install time via the + /v2/systems/{label} endpoint + - FDE: support replacing recovery key at runtime via the new + /v2/system-volumes endpoint + - FDE: support checking recovery keys at runtime via the /v2/system- + volumes endpoint + - FDE: support enumerating keyslots at runtime via the /v2/system- + volumes endpoint + - FDE: support changing passphrase at runtime via the /v2/system- + volumes endpoint + - FDE: support passphrase quality check at runtime via the + /v2/system-volumes endpoint + - FDE: update secboot to revision 3e181c8edf0f + - Confdb: support lists and indexed paths on read and write + - Confdb: alias references must be wrapped in brackets + - Confdb: support indexed paths in confdb-schema assertion + - Confdb: make API errors consistent with options + - Confdb: fetch confdb-schema assertion on access + - Confdb: prevent --previous from being used in read-side hooks + - Components: fix snap command with multiple components + - Components: set revision of seed components to x1 + - Components: unmount extra kernel-modules components mounts + - AppArmor Prompting: add lifespan "session" for prompting rules + - AppArmor Prompting: support restoring prompts after snapd restart + - AppArmor Prompting: limit the extra information 
included in probed + AppArmor features and system key + - Notices: refactor notice state internals + - SELinux: look for restorecon/matchpathcon at all known locations + rather than current PATH + - SELinux: update policy to allow watching cgroups (for RAA), and + talking to user session agents (service mgmt/refresh) + - Refresh App Awareness: Fix unexpected inotify file descriptor + cleanup + - snap-confine: workaround for glibc fchmodat() fallback and handle + ENOSYS + - snap-confine: add support for host policy for limiting users able + to run snaps + - LP: #2114923 Reject system key mismatch advise when not yet seeded + - Use separate lanes for essential and non-essential snaps during + seeding and allow non-essential installs to retry + - Fix bug preventing remodel from core18 to core18 when snapd snap + is unchanged + - LP: #2112551 Make removal of last active revision of a snap equal + to snap remove + - LP: #2114779 Allow non-gpt in fallback mode to support RPi + - Switch from using systemd LogNamespace to manually controlled + journal quotas + - Change snap command trace logging to only log the command names + - Grant desktop-launch access to /v2/snaps + - Update code for creating the snap journal stream + - Switch from using core to snapd snap for snap debug connectivity + - LP: #2112544 Fix offline remodel case where we switched to a + channel without an actual refresh + - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed + tarball + - LP: #1952500 Fix snap command progress reporting + - LP: #1849346 Interfaces: kerberos-tickets | add new interface + - Interfaces: u2f | add support for Thetis Pro + - Interfaces: u2f | add OneSpan device and fix older device + - Interfaces: pipewire, audio-playback | support pipewire as system + daemon + - Interfaces: gpg-keys | allow access to GPG agent sockets + - Interfaces: usb-gadget | add new interface + - Interfaces: snap-fde-control, firmware-updater-support | add new + interfaces to support FDE + 
- Interfaces: timezone-control | extend to support timedatectl + varlink + - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and + procfs directories + - Interfaces: microstack-support | allow SR-IOV attachments + - Interfaces: modify AppArmor template to allow snaps to read their + own systemd credentials + - Interfaces: posix-mq | allow stat on /dev/mqueue + - LP: #2098780 Interfaces: log-observe | add capability + dac_read_search + - Interfaces: block-devices | allow access to ZFS pools and datasets + - LP: #2033883 Interfaces: block-devices | opt-in access to + individual partitions + - Interfaces: accel | add new interface to support accel kernel + subsystem + - Interfaces: shutdown | allow client to bind on its side of dbus + socket + - Interfaces: modify seccomp template to allow pwritev2 + - Interfaces: modify AppArmor template to allow reading + /proc/sys/fs/nr_open + - Packaging: drop snap.failure service for openSUSE + - Packaging: add SELinux support for openSUSE + - Packaging: disable optee when using nooptee build tag + - Packaging: add support for static PIE builds in snapd.mk, drop + pie.patch from openSUSE + - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04 + - Packaging: use snapd.mk for packaging on Fedora + - Packaging: exclude .git directory + - Packaging: fix DPKG_PARSECHANGELOG assignment + - Packaging: fix building on Fedora with dpkg installed + * Fri Aug 15 2025 Maxwell G - 2.70-3 - Rebuild for golang-1.25.0 diff --git a/sources b/sources index cd873e5..b2f48cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.70.no-vendor.tar.xz) = f4864658793d2f6e11823b604c85cadc204a231e7efc5d9302d395c6afc7b500f389317cd3066a39a1d9f138aef5c8a0c2eff07dfb1c5b4473dfa5b489356689
-SHA512 (snapd_2.70.only-vendor.tar.xz) = b6e0309bc56a1573a3edea2e35b3feb313f8220633a64f11f6d0a5b155d39b1b3a2b058edc2d01aca0bf04f4515a17f9011cb49b5c7aa96a5a4610d0032cddcb
+SHA512 (snapd_2.71.no-vendor.tar.xz) = 3cb250aff6ecf75236736e844da2cbb2a0275993a5da8f4dda3b25141719aea5d9db429191dada1c627b46687513d288f0a52c73d46004f8675bb2a38f1369a2
+SHA512 (snapd_2.71.only-vendor.tar.xz) = 413f73d163e6b15550c012f97e77cd754a1c631f290ddcc64526fd34ccf5e5e8f12242ccd3af56bf18633b7f635aa093f9f9645d3959d208708048c1f43d0b9b

From 90e21ec4fe69da06a848c2c758179cdf6a586081 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Mon, 1 Sep 2025 08:40:34 +0200
Subject: [PATCH 2/7] Update to snapd 2.71

One more hack was needed to let the package to build in the current form, without proper support for Go modules. I've filed an internal tracking ticket for the next release so that we re-do the package with new Go helpers, remove a lot of generated content that is instead generated at build time, and actually support Go modules for real. https://warthogs.atlassian.net/browse/SNAPDENG-35431 (not visible to the public, apologies, this helps only a limited audience).

Signed-off-by: Zygmunt Krynicki
---
 .gitignore | 4 +-
 snapd.spec | 270 +++++++++++++++++++++++++++++++++++++++--------------
 sources | 4 +-
 3 files changed, 204 insertions(+), 74 deletions(-)

diff --git a/.gitignore b/.gitignore
index 6db0575..05d4ccc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/snapd_2.70.no-vendor.tar.xz
-/snapd_2.70.only-vendor.tar.xz
+/snapd_2.71.no-vendor.tar.xz
+/snapd_2.71.only-vendor.tar.xz
diff --git a/snapd.spec b/snapd.spec
index c34c5fe..d6d327b 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -52,7 +52,7 @@ %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} -%global snappy_svcs snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target +%global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target %global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket # Until we have a way to add more extldflags to gobuild macro... @@ -83,8 +83,8 @@ %{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} Name: snapd -Version: 2.70 -Release: 3%{?dist} +Version: 2.71 +Release: 0%{?dist} Summary: A transactional software package manager License: GPL-3.0-only URL: https://%{provider_prefix} @@ -159,6 +159,7 @@ BuildRequires: golang(gopkg.in/tomb.v2) BuildRequires: golang(gopkg.in/yaml.v2) BuildRequires: golang(gopkg.in/yaml.v3) %endif +BuildRequires: go-rpm-macros %description Snappy is a modern, cross-distribution, transactional package manager @@ -226,7 +227,6 @@ BuildArch: noarch %endif %if ! 0%{?with_bundled} -Requires: golang(go.etcd.io/bbolt) Requires: golang(github.com/bmatcuk/doublestar/v4) Requires: golang(github.com/coreos/go-systemd/activation) Requires: golang(github.com/godbus/dbus/v5) @@ -236,9 +236,12 @@ Requires: golang(github.com/jessevdk/go-flags) Requires: golang(github.com/juju/ratelimit) Requires: golang(github.com/kr/pretty) Requires: golang(github.com/kr/text) +Requires: golang(github.com/mattn/go-runewidth) Requires: golang(github.com/mvo5/goconfigparser) +Requires: golang(github.com/rivo/uniseg) Requires: golang(github.com/seccomp/libseccomp-golang) Requires: golang(github.com/snapcore/go-gettext) +Requires: golang(go.etcd.io/bbolt) Requires: golang(golang.org/x/crypto/openpgp/armor) Requires: golang(golang.org/x/crypto/openpgp/packet) Requires: golang(golang.org/x/crypto/sha3) 
@@ -255,8 +258,6 @@ Requires: golang(gopkg.in/yaml.v3) %else # These Provides are unversioned because the sources in # the bundled tarball are unversioned (they go by git commit) -# *sigh*... I hate golang... -Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(github.com/bmatcuk/doublestar/v4)) Provides: bundled(golang(github.com/coreos/go-systemd/activation)) Provides: bundled(golang(github.com/godbus/dbus/v5)) @@ -266,9 +267,12 @@ Provides: bundled(golang(github.com/jessevdk/go-flags)) Provides: bundled(golang(github.com/juju/ratelimit)) Provides: bundled(golang(github.com/kr/pretty)) Provides: bundled(golang(github.com/kr/text)) +Provides: bundled(golang(github.com/mattn/go-runewidth)) Provides: bundled(golang(github.com/mvo5/goconfigparser)) +Provides: bundled(golang(github.com/rivo/uniseg)) Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) Provides: bundled(golang(github.com/snapcore/go-gettext)) +Provides: bundled(golang(go.etcd.io/bbolt)) Provides: bundled(golang(golang.org/x/crypto/openpgp/armor)) Provides: bundled(golang(golang.org/x/crypto/openpgp/packet)) Provides: bundled(golang(golang.org/x/crypto/sha3)) @@ -476,7 +480,7 @@ providing packages with %{import_path} prefix. %if ! 0%{?with_bundled} %setup -q # Ensure there's no bundled stuff accidentally leaking in... -rm -rf vendor/* +rm -rf vendor %else # Extract each tarball properly %setup -q -D -b 1 
@@ -500,48 +504,77 @@ export GOPATH=$(pwd):%{gopath} # FIXME: move spec file really to a go.mod world instead of this hack rm -f go.mod export GO111MODULE=off +sed -e 's/-mod=readonly//g' -e 's/-mod=vedor//g' packaging/snapd2.mk # Generate version files ./mkversion.sh "%{version}-%{release}" -# see https://github.com/gofed/go-macros/blob/master/rpm/macros.d/macros.go-compilers-golang -BUILDTAGS= -%if 0%{?with_test_keys} -BUILDTAGS="withtestkeys nosecboot structuredlogging" -%else -BUILDTAGS="nosecboot" -%endif - %if ! 0%{?with_bundled} # We don't need the snapcore fork for bolt - it is just a fix on ppc sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go %endif -# We have to build snapd first to prevent the build from -# building various things from the tree without additional -# set tags. -%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd -BUILDTAGS="${BUILDTAGS} nomanagers" -%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap -%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure -%gobuild -o bin/snapd-apparmor $GOFLAGS %{import_path}/cmd/snapd-apparmor - -# To ensure things work correctly with base snaps, -# snap-exec, snap-update-ns, and snapctl need to be built statically -( %if 0%{?rhel} >= 7 # since RH Developer tools 2018.4 (and later releases), # the go-toolset module is built with FIPS compliance that # defaults to using libcrypto.so which gets loaded at runtime via dlopen(), # disable that functionality for statically built binaries - BUILDTAGS="${BUILDTAGS} no_openssl" + EXTRA_TAGS="${EXTRA_TAGS} no_openssl" %endif - %gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec - %gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns - %gobuild_static -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl -) -%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp +# Generate snapd.defines.mk, this file is included by snapd.mk. 
It contains a +# number of variable definitions that are set based on their RPM equivalents. +# Since we can apply any conditional overrides here in the spec file we can +# maintain one consistent set of variables across the spec and makefile worlds. +cat >snapd.defines.mk <<__DEFINES__ +# This file is generated by Fedora's snapd.spec +# Directory variables. +prefix = %{_prefix} +bindir = %{_bindir} +sbindir = %{_sbindir} +libexecdir = %{_libexecdir} +mandir = %{_mandir} +datadir = %{_datadir} +localstatedir = %{_localstatedir} +sharedstatedir = %{_sharedstatedir} +unitdir = %{_unitdir} +builddir = %{_builddir} +# Build configuration +with_core_bits = 0 +with_alt_snap_mount_dir = 1 +with_apparmor = 1 +with_testkeys = %{with_test_keys} +with_vendor = %{with_bundled} +# follow what %%gobuild does +EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc +EXTRA_GO_LDFLAGS = -linkmode external -extldflags '%__global_ldflags' +EXTRA_GO_STATIC_LDFLAGS = -linkmode external -extldflags '%__global_ldflags -static' +EXTRA_GO_BUILD_TAGS = rpm_crashtraceback $EXTRA_TAGS +__DEFINES__ + +# Generate version files + +cat <snapdtool/version_generated.go +package snapdtool + +// generated by snapd.spec; do not edit + +func init() { + Version = "%{version}-%{release}" +} +EOF + +cat <cmd/VERSION +%{version}-%{release} +EOF + +# FIXME: We paste a fixed string but we should run some go code to generate the +# real value. We don't want to do that as that code needs to use host's +# libraries without talking to the proxy. +cat <data/info +SNAPD_APPARMOR_REEXEC=0 +SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}' +EOF ( %if 0%{?rhel} == 7 
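Review bot: The new `-e 's/-mod=vedor//g'` expression misspells `vendor`, so it never matches and any `-mod=vendor` in packaging/snapd2.mk survives into the GO111MODULE=off build this hack is meant to enable; the line also still lacks `-i`, so neither substitution is written back to the file. The line should read `sed -i -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk`. Whether snapd2.mk actually passes `-mod=vendor` when `with_vendor` is set is inferred from this edit, not visible here. The enclosing %build section continues outside the hunk.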
@@ -577,6 +610,11 @@ autoreconf --force --install --verbose %make_build %{!?with_valgrind:HAVE_VALGRIND=} popd +# Build snap, snapd and other tools +%make_build -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + all + # Build systemd units, dbus services, and env files pushd ./data make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" DATADIR="%{_datadir}" \ @@ -621,25 +659,10 @@ install -d -p %{buildroot}%{_datadir}/polkit-1/actions install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib install -d -p %{buildroot}%{_datadir}/selinux/packages -# Install snap and snapd -install -p -m 0755 bin/snap %{buildroot}%{_bindir} -install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd -install -p -m 0755 bin/snapd-apparmor %{buildroot}%{_libexecdir}/snapd -# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl -install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl -ln -sf %{_libexecdir}/snapd/snapctl %{buildroot}%{_bindir}/snapctl - # Install SELinux module install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages -# Install snap(8) man page -bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8 - # Install the "info" data file with snapd version install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info 
@@ -669,6 +692,12 @@ pushd ./data SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd" popd +# Install snap, snapd and tools +# auto-remove unnecessary files and service units +%make_install -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + install + %if 0%{?rhel} == 7 # Install kernel tweaks # See: https://access.redhat.com/articles/3128691 @@ -676,14 +705,7 @@ install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap. %endif # Remove snappy core specific units -rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service -rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.* -rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.* -rm -fv %{buildroot}%{_unitdir}/snapd.recovery-chooser-trigger.service - -# Remove snappy core specific scripts and binaries -rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh -rm %{buildroot}%{_libexecdir}/snapd/system-shutdown +rm -fv %{buildroot}%{_unitdir}/snapd.failure.service # Remove gpio-chardev ordering target rm -f %{buildroot}%{_unitdir}/snapd.gpio-chardev-setup.target @@ -737,19 +759,14 @@ sort -u -o devel.file-list devel.file-list %check for binary in snap-exec snap-update-ns snapctl; do - ldd bin/$binary 2>&1 | grep 'not a dynamic executable' + ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable' done # snapd tests %if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel} -%if ! 0%{?with_bundled} -export GOPATH=%{buildroot}/%{gopath}:%{gopath} -%else -export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath} -%endif -# FIXME: we are in the go.mod world now but without this things fall apart -export GO111MODULE=off -%gotest %{import_path}/... +%make_build -f packaging/snapd2.mk \ + SNAPD_DEFINES_DIR=$PWD \ + check %endif # snap-confine tests (these always run!) 
@@ -772,7 +789,6 @@ make -C data -k check %{_libexecdir}/snapd/snapctl %{_libexecdir}/snapd/snapd %{_libexecdir}/snapd/snap-exec -%{_libexecdir}/snapd/snap-failure %{_libexecdir}/snapd/info %{_libexecdir}/snapd/snap-mgmt %{_libexecdir}/snapd/snapd-apparmor @@ -789,8 +805,6 @@ make -C data -k check %{_systemd_system_env_generator_dir}/snapd-env-generator %{_unitdir}/snapd.socket %{_unitdir}/snapd.service -%{_unitdir}/snapd.autoimport.service -%{_unitdir}/snapd.failure.service %{_unitdir}/snapd.seeded.service %{_unitdir}/snapd.apparmor.service %{_unitdir}/snapd.mounts.target @@ -829,13 +843,19 @@ make -C data -k check %dir %{_sharedstatedir}/snapd/mount %dir %{_sharedstatedir}/snapd/seccomp %dir %{_sharedstatedir}/snapd/seccomp/bpf +%ghost %{_sharedstatedir}/snapd/seccomp/bpf/global.bin %dir %{_sharedstatedir}/snapd/snaps %dir %{_sharedstatedir}/snapd/snap %ghost %dir %{_sharedstatedir}/snapd/snap/bin -%dir %{_localstatedir}/cache/snapd -%dir %{_localstatedir}/snap %ghost %{_sharedstatedir}/snapd/state.json +%ghost %{_sharedstatedir}/snapd/system-key +%ghost %{_sharedstatedir}/snapd/snap/bin %ghost %{_sharedstatedir}/snapd/snap/README +%dir %{_localstatedir}/cache/snapd +%ghost %{_localstatedir}/cache/snapd/commands +%ghost %{_localstatedir}/cache/snapd/names +%ghost %{_localstatedir}/cache/snapd/sections +%dir %{_localstatedir}/snap # this is typically owned by zsh, but we do not want to explicitly require zsh %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions 
@@ -947,6 +967,116 @@ if [ $1 -eq 0 ]; then fi %changelog +* Fri Aug 22 2025 Ernest Lotter +- New upstream release 2.71 + - FDE: auto-repair when recovery key is used + - FDE: revoke keys on shim update + - FDE: revoke old TPM keys when dbx has been updated + - FDE: do not reseal FDE hook keys every time + - FDE: store keys in the kernel keyring when installing from initrd + - FDE: allow disabled DMA on Core + - FDE: snap-bootstrap: do not check for partition in scan-disk on + CVM + - FDE: support secboot preinstall check for 25.10+ hybrid installs + via the /v2/system/{label} endpoint + - FDE: support generating recovery key at install time via the + /v2/systems/{label} endpoint + - FDE: update passphrase quality check at install time via the + /v2/systems/{label} endpoint + - FDE: support replacing recovery key at runtime via the new + /v2/system-volumes endpoint + - FDE: support checking recovery keys at runtime via the /v2/system- + volumes endpoint + - FDE: support enumerating keyslots at runtime via the /v2/system- + volumes endpoint + - FDE: support changing passphrase at runtime via the /v2/system- + volumes endpoint + - FDE: support passphrase quality check at runtime via the + /v2/system-volumes endpoint + - FDE: update secboot to revision 3e181c8edf0f + - Confdb: support lists and indexed paths on read and write + - Confdb: alias references must be wrapped in brackets + - Confdb: support indexed paths in confdb-schema assertion + - Confdb: make API errors consistent with options + - Confdb: fetch confdb-schema assertion on access + - Confdb: prevent --previous from being used in read-side hooks + - Components: fix snap command with multiple components + - Components: set revision of seed components to x1 + - Components: unmount extra kernel-modules components mounts + - AppArmor Prompting: add lifespan "session" for prompting rules + - AppArmor Prompting: support restoring prompts after snapd restart + - AppArmor Prompting: limit the extra information 
included in probed + AppArmor features and system key + - Notices: refactor notice state internals + - SELinux: look for restorecon/matchpathcon at all known locations + rather than current PATH + - SELinux: update policy to allow watching cgroups (for RAA), and + talking to user session agents (service mgmt/refresh) + - Refresh App Awareness: Fix unexpected inotify file descriptor + cleanup + - snap-confine: workaround for glibc fchmodat() fallback and handle + ENOSYS + - snap-confine: add support for host policy for limiting users able + to run snaps + - LP: #2114923 Reject system key mismatch advise when not yet seeded + - Use separate lanes for essential and non-essential snaps during + seeding and allow non-essential installs to retry + - Fix bug preventing remodel from core18 to core18 when snapd snap + is unchanged + - LP: #2112551 Make removal of last active revision of a snap equal + to snap remove + - LP: #2114779 Allow non-gpt in fallback mode to support RPi + - Switch from using systemd LogNamespace to manually controlled + journal quotas + - Change snap command trace logging to only log the command names + - Grant desktop-launch access to /v2/snaps + - Update code for creating the snap journal stream + - Switch from using core to snapd snap for snap debug connectivity + - LP: #2112544 Fix offline remodel case where we switched to a + channel without an actual refresh + - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed + tarball + - LP: #1952500 Fix snap command progress reporting + - LP: #1849346 Interfaces: kerberos-tickets | add new interface + - Interfaces: u2f | add support for Thetis Pro + - Interfaces: u2f | add OneSpan device and fix older device + - Interfaces: pipewire, audio-playback | support pipewire as system + daemon + - Interfaces: gpg-keys | allow access to GPG agent sockets + - Interfaces: usb-gadget | add new interface + - Interfaces: snap-fde-control, firmware-updater-support | add new + interfaces to support FDE + 
- Interfaces: timezone-control | extend to support timedatectl + varlink + - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and + procfs directories + - Interfaces: microstack-support | allow SR-IOV attachments + - Interfaces: modify AppArmor template to allow snaps to read their + own systemd credentials + - Interfaces: posix-mq | allow stat on /dev/mqueue + - LP: #2098780 Interfaces: log-observe | add capability + dac_read_search + - Interfaces: block-devices | allow access to ZFS pools and datasets + - LP: #2033883 Interfaces: block-devices | opt-in access to + individual partitions + - Interfaces: accel | add new interface to support accel kernel + subsystem + - Interfaces: shutdown | allow client to bind on its side of dbus + socket + - Interfaces: modify seccomp template to allow pwritev2 + - Interfaces: modify AppArmor template to allow reading + /proc/sys/fs/nr_open + - Packaging: drop snap.failure service for openSUSE + - Packaging: add SELinux support for openSUSE + - Packaging: disable optee when using nooptee build tag + - Packaging: add support for static PIE builds in snapd.mk, drop + pie.patch from openSUSE + - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04 + - Packaging: use snapd.mk for packaging on Fedora + - Packaging: exclude .git directory + - Packaging: fix DPKG_PARSECHANGELOG assignment + - Packaging: fix building on Fedora with dpkg installed + * Fri Aug 15 2025 Maxwell G - 2.70-3 - Rebuild for golang-1.25.0 diff --git a/sources b/sources index cd873e5..b2f48cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.70.no-vendor.tar.xz) = f4864658793d2f6e11823b604c85cadc204a231e7efc5d9302d395c6afc7b500f389317cd3066a39a1d9f138aef5c8a0c2eff07dfb1c5b4473dfa5b489356689
-SHA512 (snapd_2.70.only-vendor.tar.xz) = b6e0309bc56a1573a3edea2e35b3feb313f8220633a64f11f6d0a5b155d39b1b3a2b058edc2d01aca0bf04f4515a17f9011cb49b5c7aa96a5a4610d0032cddcb
+SHA512 (snapd_2.71.no-vendor.tar.xz) = 3cb250aff6ecf75236736e844da2cbb2a0275993a5da8f4dda3b25141719aea5d9db429191dada1c627b46687513d288f0a52c73d46004f8675bb2a38f1369a2
+SHA512 (snapd_2.71.only-vendor.tar.xz) = 413f73d163e6b15550c012f97e77cd754a1c631f290ddcc64526fd34ccf5e5e8f12242ccd3af56bf18633b7f635aa093f9f9645d3959d208708048c1f43d0b9b
From 9f2b3ebfd0e212b1b4228acd6f0bf9238b4f0b79 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Mon, 1 Sep 2025 14:51:00 +0200
Subject: [PATCH 3/7] Remove c-vendor directory
When we remove the vendor directory, remove the C quivalent as well.
Signed-off-by: Zygmunt Krynicki
---
 snapd.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snapd.spec b/snapd.spec
index d6d327b..f021579 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -480,7 +480,7 @@ providing packages with %{import_path} prefix.
 %if ! 0%{?with_bundled}
 %setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
-rm -rf vendor
+rm -rf vendor c-vendor
 %else
 # Extract each tarball properly
 %setup -q -D -b 1
From 219b5fd9465aa409b4cd3824c7e432d98ed7d205 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Mon, 1 Sep 2025 14:52:53 +0200
Subject: [PATCH 4/7] Fix typo: vendor
Signed-off-by: Zygmunt Krynicki
---
 snapd.spec | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/snapd.spec b/snapd.spec
index f021579..6a96704 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -504,7 +504,9 @@ export GOPATH=$(pwd):%{gopath}
 # FIXME: move spec file really to a go.mod world instead of this hack
 rm -f go.mod
 export GO111MODULE=off
-sed -e 's/-mod=readonly//g' -e 's/-mod=vedor//g' packaging/snapd2.mk
+# Ensure we do not pass -mod=foo argument to go, as we disable modules and go
+# does not allow us to do both.
+sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
From f5a846262ad9bbabcabad46c08ee1f18d0e63343 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Mon, 1 Sep 2025 14:53:43 +0200
Subject: [PATCH 5/7] Do not call mkversion.sh
Instead, generate the required data by hand. This avoids the need to "go run" during the build process.
Signed-off-by: Zygmunt Krynicki
---
 snapd.spec | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/snapd.spec b/snapd.spec
index 6a96704..10d58d6 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -509,7 +509,23 @@ export GO111MODULE=off
 sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk
 # Generate version files
-./mkversion.sh "%{version}-%{release}"
+cat <snapdtool/version_generated.go
+package snapdtool
+
+func init() {
+ Version = "%{version}-%{release}"
+}
+EOF
+
+cat <cmd/VERSION
+%{version}-%{release}
+EOF
+
+cat <data/info
+VERSION=%{version}-%{release}
+SNAPD_APPARMOR_REEXEC=0
+SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'
+EOF
 %if ! 0%{?with_bundled}
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
From b039f9bddeb72587da66a00685781586e7041ee4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20S=C3=A1ez?=
Date: Fri, 10 Oct 2025 15:11:25 +0200
Subject: [PATCH 6/7] rebuild
---
 snapd.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/snapd.spec b/snapd.spec
index 10d58d6..a548072 100644
--- a/snapd.spec
+++ b/snapd.spec
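Review bot: The `sed` line, both before and after the typo fix, has no `-i`, so it prints the edited makefile to stdout (i.e. into the build log) and leaves `packaging/snapd2.mk` unchanged; the `-mod=readonly`/`-mod=vendor` flags that the new comment says must not reach `go` would still be passed. If in-place editing is the intent, the line should read `sed -i -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' packaging/snapd2.mk`. Since `export GO111MODULE=off` sits directly above and `go` rejects `-mod=` flags when modules are off, a build that succeeds past this point suggests snapd2.mk either no longer carries those flags or only uses them conditionally; that is worth confirming rather than leaving a no-op that looks like a safeguard. The enclosing section starts and ends outside this hunk.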
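Review bot: The `SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'` line in the `data/info` here-doc is now a hand-copied literal, so it will silently fall out of date with whatever `mkversion.sh` derives from the snapd sources on the next version bump, and the same applies to `SNAPD_APPARMOR_REEXEC=0`; a stale value here changes what the packaged snapd reports about itself at runtime. Add a comment above the here-doc naming the source of truth and the update step, e.g. `# Hand-maintained copy of what ./mkversion.sh writes to data/info; re-check both values on every upstream bump`, and consider a one-off comparison against mkversion.sh's output when preparing the update so the drift is caught before the package ships. The `cat <snapdtool/version_generated.go` lines appear to have lost their here-doc operator in this rendering rather than in the spec itself, since each block is terminated by `EOF`.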
@@ -84,7 +84,7 @@
 Name: snapd
 Version: 2.71
-Release: 0%{?dist}
+Release: 1%{?dist}
 Summary: A transactional software package manager
 License: GPL-3.0-only
 URL: https://%{provider_prefix}
@@ -985,6 +985,9 @@ if [ $1 -eq 0 ]; then
 fi
 %changelog
+* Fri Oct 10 2025 Alejandro Sáez - 2.71-1
+- rebuild
+
 * Fri Aug 22 2025 Ernest Lotter
 - New upstream release 2.71
 - FDE: auto-repair when recovery key is used
From c0b6ac858c8dacec9f460ac3726b30768d2be7e0 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Thu, 13 Nov 2025 14:50:24 +0100
Subject: [PATCH 7/7] Update to snapd 2.72
Signed-off-by: Zygmunt Krynicki
---
 .gitignore | 2 +
 snapd.spec | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 sources | 4 +-
 3 files changed, 120 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 05d4ccc..981b550 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /snapd_2.71.no-vendor.tar.xz
 /snapd_2.71.only-vendor.tar.xz
+/snapd_2.72.no-vendor.tar.xz
+/snapd_2.72.only-vendor.tar.xz
diff --git a/snapd.spec b/snapd.spec
index a548072..073ba90 100644
--- a/snapd.spec
+++ b/snapd.spec
@@ -55,6 +55,11 @@
 %global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target
 %global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket
+# Note that packaging for Fedora does omit cap_setgid and cap_setuid that are
+# only required to use snapd in user namespaces when the host system uses
+# cgroup-v1 hierarchy. Since no actively supported Fedora release uses cgroup
+# v1, those capabilities are omitted.
+%global snap_confine_caps cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
 # Until we have a way to add more extldflags to gobuild macro...
 # Always use external linking when building static binaries.
 %if 0%{?fedora} || 0%{?rhel} >= 8
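Review bot: `%global snap_confine_caps` re-states the snap-confine file-capability set in the spec while the same patch also packages upstream's own list as `%{_libexecdir}/snapd/snap-confine.v2-only.caps` (the %files hunk later in this patch, where `%caps(%{snap_confine_caps})` is applied); two copies of a privilege set will drift, and any drift here changes what snap-confine is allowed to do on every Fedora host. Record the relationship next to the macro, e.g. `# Keep identical to the installed snap-confine.v2-only.caps; the Fedora build deliberately omits cap_setuid/cap_setgid`, and consider a %check step that compares the macro against that file so a divergence fails the build instead of shipping. The comment's rationale (cap_setuid/cap_setgid only matter for cgroup v1) is plausible and presumably what the "v2-only" file name refers to, but citing the upstream file or changelog entry it comes from would let a later maintainer verify it.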
@@ -83,7 +88,7 @@
 %{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 Name: snapd
-Version: 2.71
+Version: 2.72
 Release: 1%{?dist}
 Summary: A transactional software package manager
 License: GPL-3.0-only
@@ -884,8 +889,9 @@ make -C data -k check
 %doc cmd/snap-confine/PORTING
 %license COPYING
 %dir %{_libexecdir}/snapd
-%caps(cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace=p) %{_libexecdir}/snapd/snap-confine
+%caps(%{snap_confine_caps}) %{_libexecdir}/snapd/snap-confine
 %{_libexecdir}/snapd/snap-confine.caps
+%{_libexecdir}/snapd/snap-confine.v2-only.caps
 %{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
 %{_libexecdir}/snapd/snap-gdb-shim
@@ -985,6 +991,114 @@ if [ $1 -eq 0 ]; then fi %changelog +* Thu Nov 13 2025 Ernest Lotter +- New upstream release 2.72 + - FDE: support replacing TPM protected keys at runtime via the + /v2/system-volumes endpoint + - FDE: support secboot preinstall check fix actions for 25.10+ + hybrid installs via the /v2/system/{label} endpoint + - FDE: tweak polkit message to remove jargon + - FDE: ensure proper sealing with kernel command line defaults + - FDE: provide generic reseal function + - FDE: support using OPTEE for protecting keys, as an alternative to + existing fde-setup hooks (Ubuntu Core only) + - Confdb: 'snapctl get --view' supports passing default values + - Confdb: content sub-rules in confdb-schemas inherit their parent + rule's "access" + - Confdb: make confdb error kinds used in API more generic + - Confdb: fully support lists and indexed paths (including unset) + - Prompting: add notice backend for prompting types (unused for now) + - Prompting: include request cgroup in prompt + - Prompting: handle unsupported xattrs + - Prompting: add permission mapping for the camera interface + - Notices: read notices from state without state lock + - Notices: add methods to get notice fields and create, reoccur, and + deepcopy notice + - Notices: add notice manager to coordinate separate notice backends + - Notices: support draining notices from state when notice backend + registered as producer of a particular notice type + - Notices: query notice manager from daemon instead of querying + state for notices directly + - Packaging: Ubuntu | ignore .git directory + - Packaging: FIPS | bump deb Go FIPS to 1.23 + - Packaging: snap | bump FIPS toolchain to 1.23 + - Packaging: debian | sync most upstream changes + - Packaging: debian-sid | depends on libcap2-bin for postint + - Packaging: Fedora | drop fakeroot + - Packaging: snap | modify snapd.mk to pass build tags when running + unit tests + - Packaging: snap | modify snapd.mk to pass nooptee build tag + - Packaging: 
modify Makefile.am to fix snap-confine install profile + with 'make hack' + - Packaging: modify Makefile.am to fix out-of-tree use of 'make + hack' + - LP: #2122054 Snap installation: skip snap icon download when + running in a cloud or using a proxy store + - Snap installation: add timeout to http client when downloading + snap icon + - Snap installation: use http(s) proxy for icon downloads + - LP: #2117558 snap-confine: fix error message with /root/snap not + accessible + - snap-confine: fix non-suid limitation by switching to root:root to + operate v1 freezer + - core-initrd: do not use writable-paths when not available + - core-initrd: remove debian folder + - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev + interface now with the more robust gpio-aggregator configfs kernel + interface + - Interfaces: gpio-chardev | exclusive snap connections, raise a + conflict when both gpio-chardev and gpio are connected + - Interfaces: gpio-chardev | fix gpio-aggregator module load order + - Interfaces: ros-snapd-support | grant access to /v2/changes + - Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs, + opengl-driver-libs, opengles-driver-libs | new interfaces to + support nvidia driver components + - Interfaces: microstack-support | allow DPDK (hugepage related + permissions) + - Interfaces: system-observe | allow reading additional files in + /proc, needed by node-exporter + - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key + and Kensington VeriMark DT Fingerprint Key to device list + - Interfaces: snap-interfaces-requests-control | allow shell API + control + - Interfaces: fwupd | allow access to Intel CVS sysfs + - Interfaces: hardware-observe | allow read access to Kernel + Samepage Merging (KSM) + - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP + - Interfaces: spi | relax sysfs permission rules to allow access to + SPI device node attributes + - Interfaces: content | introduce compatibility label + - 
LP: #2121238 Interfaces: do not expose Kerberos tickets for + classic snaps + - Interfaces: ssh-public-keys | allow ro access to public host keys + with ssh-key + - Interfaces: Modify AppArmor template to allow listing systemd + credentials and invoking systemd-creds + - Interfaces: modify AppArmor template with workarounds for Go 1.35 + cgroup aware GOMAXPROCS + - Interfaces: modify seccomp template to allow landlock_* + - Prevent snap hooks from running while relevant snaps are unlinked + - Make refreshes wait before unlinking snaps if running hooks can be + affected + - Fix systemd unit generation by moving "WantedBy=" from section + "unit" to "install" + - Add opt-in logging support for snap-update-ns + - Unhide 'snap help' sign and export-key under Development category + - LP: #2117121 Cleanly support socket activation for classic snap + - Add architecture to 'snap version' output + - Add 'snap debug api' option to disable authentication through + auth.json + - Show grade in notes for 'snap info --verbose' + - Fix preseeding failure due to scan-disk issue on RPi + - Support 'snap debug api' queries to user session agents + - LP: #2112626 Improve progress reporting for snap install/refresh + - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files + - Fix /v2/apps error for root user when user services are present + - LP: #2114704 Extend output to indicate when snap data snapshot was + created during remove + - Improve how we handle emmc volumes + - Improve handling of system-user extra assertions + * Fri Oct 10 2025 Alejandro Sáez - 2.71-1 - rebuild diff --git a/sources b/sources index b2f48cb..5ba5479 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.71.no-vendor.tar.xz) = 3cb250aff6ecf75236736e844da2cbb2a0275993a5da8f4dda3b25141719aea5d9db429191dada1c627b46687513d288f0a52c73d46004f8675bb2a38f1369a2
-SHA512 (snapd_2.71.only-vendor.tar.xz) = 413f73d163e6b15550c012f97e77cd754a1c631f290ddcc64526fd34ccf5e5e8f12242ccd3af56bf18633b7f635aa093f9f9645d3959d208708048c1f43d0b9b
+SHA512 (snapd_2.72.no-vendor.tar.xz) = fb556bdb60877a2536cd8e53a7e137935ba27afb5b04efff06d8f858c47cec82a8f1df01fb621f644f0c2abe056a2b0612fabd70ae2d909b2e960692763b8bff
+SHA512 (snapd_2.72.only-vendor.tar.xz) = f80b5def82553c044027fbb208fc5d5f76633afe71a8210abc33b48b189fd9347fd1d04bc868c58dc5d0b7fe8c68f6e316edbb6d2a2e060f375a5cdc851c2278