Compare commits

10 commits

Author SHA1 Message Date
Zygmunt Krynicki
c0b6ac858c Update to snapd 2.72
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-11-13 14:54:24 +01:00
Alejandro Sáez
b039f9bdde rebuild 2025-10-10 15:11:25 +02:00
Zygmunt Krynicki
f5a846262a Do not call mkversion.sh
Instead, generate the required data by hand. This avoids the need to
"go run" during the build process.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-09-01 14:53:43 +02:00
Zygmunt Krynicki
219b5fd946 Fix typo: vendor
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-09-01 14:52:53 +02:00
Zygmunt Krynicki
9f2b3ebfd0 Remove c-vendor directory
When we remove the vendor directory, remove the C equivalent as well.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-09-01 14:51:00 +02:00
Zygmunt Krynicki
90e21ec4fe Update to snapd 2.71
One more hack was needed to let the package build in the current
form, without proper support for Go modules. I've filed an internal
tracking ticket for the next release so that we re-do the package with
new Go helpers, remove a lot of generated content that is instead
generated at build time, and actually support Go modules for real.

https://warthogs.atlassian.net/browse/SNAPDENG-35431 (not visible to the
public, apologies, this helps only a limited audience).

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-09-01 10:14:46 +02:00
Maxwell G
b45e346b44 Rebuild for golang-1.25.0 2025-08-15 18:38:59 -05:00
Fedora Release Engineering
10ef87264c Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild 2025-07-25 18:28:19 +00:00
Zygmunt Krynicki
1b8eb3321a New upstream release 2.70
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-07-14 13:47:32 +02:00
Zygmunt Krynicki
6665271b35 New upstream release 2.68.3
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2025-03-25 13:55:04 +01:00
3 changed files with 708 additions and 93 deletions

6
.gitignore vendored

@ -1,2 +1,4 @@
/snapd_2.67.no-vendor.tar.xz
/snapd_2.67.only-vendor.tar.xz
/snapd_2.71.no-vendor.tar.xz
/snapd_2.71.only-vendor.tar.xz
/snapd_2.72.no-vendor.tar.xz
/snapd_2.72.only-vendor.tar.xz


@ -52,27 +52,32 @@
%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
%global import_path %{provider_prefix}
%global snappy_svcs snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service snapd.mounts.target snapd.mounts-pre.target
%global snappy_svcs snapd.service snapd.socket snapd.seeded.service snapd.apparmor.service snapd.mounts.target snapd.mounts-pre.target
%global snappy_user_svcs snapd.session-agent.service snapd.session-agent.socket
# Note that packaging for Fedora does omit cap_setgid and cap_setuid that are
# only required to use snapd in user namespaces when the host system uses
# cgroup-v1 hierarchy. Since no actively supported Fedora release uses cgroup
# v1, those capabilities are omitted.
%global snap_confine_caps cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
# Until we have a way to add more extldflags to gobuild macro...
# Always use external linking when building static binaries.
%if 0%{?fedora} || 0%{?rhel} >= 8
%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags -static'" -a -v %{?**};
%endif
%if 0%{?rhel} == 7
# no pass PIE flags due to https://bugzilla.redhat.com/show_bug.cgi?id=1634486
%define gobuild_static(o:) go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
%define gobuild_static(o:) go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags -static'" -a -v %{?**};
%endif
# These macros are missing BUILDTAGS in RHEL 8/9, see RHBZ#1825138
%if 0%{?rhel} >= 8
%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags'" -a -v -x %{?**};
%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags'" -a -v %{?**};
%endif
# These macros are not defined in RHEL 7
%if 0%{?rhel} == 7
%define gobuild(o:) go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags'" -a -v -x %{?**};
%define gobuild(o:) go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags'" -a -v %{?**};
%define gotest() go test -compiler gc %{?**};
%endif
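Review bot: The comment above `%global snap_confine_caps` justifies omitting cap_setgid and cap_setuid by saying no actively supported Fedora release uses cgroup v1, but this same hunk keeps the `%if 0%{?rhel} == 7` and `%if 0%{?rhel} >= 8` branches, so the spec is still written to build for EL targets. Either make `snap_confine_caps` conditional on the distribution or extend the comment to say that EL builds are expected to work without those two capabilities. Separately, `-x` is dropped from the `gobuild` and `gobuild_static` macros here while the generated snapd.defines.mk sets `EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc`; pick one so the build logs are consistent.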
@ -83,8 +88,8 @@
%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
Name: snapd
Version: 2.67
Release: 0%{?dist}
Version: 2.72
Release: 1%{?dist}
Summary: A transactional software package manager
License: GPL-3.0-only
URL: https://%{provider_prefix}
@ -135,8 +140,8 @@ Provides: %{name}-login-service%{?_isa} = 1.33
BuildRequires: golang(go.etcd.io/bbolt)
BuildRequires: golang(github.com/bmatcuk/doublestar/v4)
BuildRequires: golang(github.com/coreos/go-systemd/activation)
BuildRequires: golang(github.com/godbus/dbus)
BuildRequires: golang(github.com/godbus/dbus/introspect)
BuildRequires: golang(github.com/godbus/dbus/v5)
BuildRequires: golang(github.com/godbus/dbus/v5/introspect)
BuildRequires: golang(github.com/gorilla/mux)
BuildRequires: golang(github.com/jessevdk/go-flags)
BuildRequires: golang(github.com/juju/ratelimit)
@ -159,6 +164,7 @@ BuildRequires: golang(gopkg.in/tomb.v2)
BuildRequires: golang(gopkg.in/yaml.v2)
BuildRequires: golang(gopkg.in/yaml.v3)
%endif
BuildRequires: go-rpm-macros
%description
Snappy is a modern, cross-distribution, transactional package manager
@ -226,19 +232,21 @@ BuildArch: noarch
%endif
%if ! 0%{?with_bundled}
Requires: golang(go.etcd.io/bbolt)
Requires: golang(github.com/bmatcuk/doublestar/v4)
Requires: golang(github.com/coreos/go-systemd/activation)
Requires: golang(github.com/godbus/dbus)
Requires: golang(github.com/godbus/dbus/introspect)
Requires: golang(github.com/godbus/dbus/v5)
Requires: golang(github.com/godbus/dbus/v5/introspect)
Requires: golang(github.com/gorilla/mux)
Requires: golang(github.com/jessevdk/go-flags)
Requires: golang(github.com/juju/ratelimit)
Requires: golang(github.com/kr/pretty)
Requires: golang(github.com/kr/text)
Requires: golang(github.com/mattn/go-runewidth)
Requires: golang(github.com/mvo5/goconfigparser)
Requires: golang(github.com/rivo/uniseg)
Requires: golang(github.com/seccomp/libseccomp-golang)
Requires: golang(github.com/snapcore/go-gettext)
Requires: golang(go.etcd.io/bbolt)
Requires: golang(golang.org/x/crypto/openpgp/armor)
Requires: golang(golang.org/x/crypto/openpgp/packet)
Requires: golang(golang.org/x/crypto/sha3)
@ -255,20 +263,21 @@ Requires: golang(gopkg.in/yaml.v3)
%else
# These Provides are unversioned because the sources in
# the bundled tarball are unversioned (they go by git commit)
# *sigh*... I hate golang...
Provides: bundled(golang(go.etcd.io/bbolt))
Provides: bundled(golang(github.com/bmatcuk/doublestar/v4))
Provides: bundled(golang(github.com/coreos/go-systemd/activation))
Provides: bundled(golang(github.com/godbus/dbus))
Provides: bundled(golang(github.com/godbus/dbus/introspect))
Provides: bundled(golang(github.com/godbus/dbus/v5))
Provides: bundled(golang(github.com/godbus/dbus/v5/introspect))
Provides: bundled(golang(github.com/gorilla/mux))
Provides: bundled(golang(github.com/jessevdk/go-flags))
Provides: bundled(golang(github.com/juju/ratelimit))
Provides: bundled(golang(github.com/kr/pretty))
Provides: bundled(golang(github.com/kr/text))
Provides: bundled(golang(github.com/mattn/go-runewidth))
Provides: bundled(golang(github.com/mvo5/goconfigparser))
Provides: bundled(golang(github.com/rivo/uniseg))
Provides: bundled(golang(github.com/seccomp/libseccomp-golang))
Provides: bundled(golang(github.com/snapcore/go-gettext))
Provides: bundled(golang(go.etcd.io/bbolt))
Provides: bundled(golang(golang.org/x/crypto/openpgp/armor))
Provides: bundled(golang(golang.org/x/crypto/openpgp/packet))
Provides: bundled(golang(golang.org/x/crypto/sha3))
@ -476,7 +485,7 @@ providing packages with %{import_path} prefix.
%if ! 0%{?with_bundled}
%setup -q
# Ensure there's no bundled stuff accidentally leaking in...
rm -rf vendor/*
rm -rf vendor c-vendor
%else
# Extract each tarball properly
%setup -q -D -b 1
@ -500,47 +509,95 @@ export GOPATH=$(pwd):%{gopath}
# FIXME: move spec file really to a go.mod world instead of this hack
rm -f go.mod
export GO111MODULE=off
# Ensure we do not pass -mod=foo argument to go, as we disable modules and go
# does not allow us to do both.
sed -e 's/-mod=readonly//g' -e 's/-mod=vendor//g' <packaging/snapd.mk >packaging/snapd2.mk
# Generate version files
./mkversion.sh "%{version}-%{release}"
cat <<EOF >snapdtool/version_generated.go
package snapdtool
# see https://github.com/gofed/go-macros/blob/master/rpm/macros.d/macros.go-compilers-golang
BUILDTAGS=
%if 0%{?with_test_keys}
BUILDTAGS="withtestkeys nosecboot"
%else
BUILDTAGS="nosecboot"
%endif
func init() {
Version = "%{version}-%{release}"
}
EOF
cat <<EOF >cmd/VERSION
%{version}-%{release}
EOF
cat <<EOF >data/info
VERSION=%{version}-%{release}
SNAPD_APPARMOR_REEXEC=0
SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'
EOF
%if ! 0%{?with_bundled}
# We don't need the snapcore fork for bolt - it is just a fix on ppc
sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
%endif
# We have to build snapd first to prevent the build from
# building various things from the tree without additional
# set tags.
%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
BUILDTAGS="${BUILDTAGS} nomanagers"
%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
# To ensure things work correctly with base snaps,
# snap-exec, snap-update-ns, and snapctl need to be built statically
(
%if 0%{?rhel} >= 7
# since RH Developer tools 2018.4 (and later releases),
# the go-toolset module is built with FIPS compliance that
# defaults to using libcrypto.so which gets loaded at runtime via dlopen(),
# disable that functionality for statically built binaries
BUILDTAGS="${BUILDTAGS} no_openssl"
EXTRA_TAGS="${EXTRA_TAGS} no_openssl"
%endif
%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
%gobuild_static -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
)
%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
# Generate snapd.defines.mk, this file is included by snapd.mk. It contains a
# number of variable definitions that are set based on their RPM equivalents.
# Since we can apply any conditional overrides here in the spec file we can
# maintain one consistent set of variables across the spec and makefile worlds.
cat >snapd.defines.mk <<__DEFINES__
# This file is generated by Fedora's snapd.spec
# Directory variables.
prefix = %{_prefix}
bindir = %{_bindir}
sbindir = %{_sbindir}
libexecdir = %{_libexecdir}
mandir = %{_mandir}
datadir = %{_datadir}
localstatedir = %{_localstatedir}
sharedstatedir = %{_sharedstatedir}
unitdir = %{_unitdir}
builddir = %{_builddir}
# Build configuration
with_core_bits = 0
with_alt_snap_mount_dir = 1
with_apparmor = 1
with_testkeys = %{with_test_keys}
with_vendor = %{with_bundled}
# follow what %%gobuild does
EXTRA_GO_BUILD_FLAGS = -v -x -compiler gc
EXTRA_GO_LDFLAGS = -linkmode external -extldflags '%__global_ldflags'
EXTRA_GO_STATIC_LDFLAGS = -linkmode external -extldflags '%__global_ldflags -static'
EXTRA_GO_BUILD_TAGS = rpm_crashtraceback $EXTRA_TAGS
__DEFINES__
# Generate version files
cat <<EOF >snapdtool/version_generated.go
package snapdtool
// generated by snapd.spec; do not edit
func init() {
Version = "%{version}-%{release}"
}
EOF
cat <<EOF >cmd/VERSION
%{version}-%{release}
EOF
# FIXME: We paste a fixed string but we should run some go code to generate the
# real value. We don't want to do that as that code needs to use host's
# libraries without talking to the proxy.
cat <<EOF >data/info
SNAPD_APPARMOR_REEXEC=0
SNAPD_ASSERTS_FORMATS='{"account-key":1,"snap-declaration":6,"system-user":2}'
EOF
(
%if 0%{?rhel} == 7
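Review bot: `data/info` is written by two heredocs in this hunk as rendered: the first includes `VERSION=%{version}-%{release}`, while the last one, after snapd.defines.mk, contains only `SNAPD_APPARMOR_REEXEC=0` and `SNAPD_ASSERTS_FORMATS`. If both are on the new side, the second overwrites the first and the info file loses its VERSION line; `snapdtool/version_generated.go` and `cmd/VERSION` are likewise generated twice. Keep a single "Generate version files" block. The pasted `SNAPD_ASSERTS_FORMATS` value also needs checking on every version bump, since the FIXME says it is a fixed string rather than generated.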
@ -561,7 +618,6 @@ BUILDTAGS="${BUILDTAGS} nomanagers"
# Build snap-confine
pushd ./cmd
autoreconf --force --install --verbose
# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
%configure \
--disable-apparmor \
--enable-selinux \
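Review bot: The FIXME about `--enable-caps-over-setuid` is removed, but the visible `%configure` lines still show only `--disable-apparmor` and `--enable-selinux`, so this hunk does not show what makes snap-confine work with file capabilities now that %files installs it with `%caps` instead of mode 4755. State in a spec comment whether 2.72 needs no configure switch for this. `--disable-apparmor` here also sits beside `with_apparmor = 1` in snapd.defines.mk; a one-line comment on why the C and Go sides differ would help the next reader.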
@ -577,6 +633,11 @@ autoreconf --force --install --verbose
%make_build %{!?with_valgrind:HAVE_VALGRIND=}
popd
# Build snap, snapd and other tools
%make_build -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
all
# Build systemd units, dbus services, and env files
pushd ./data
make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" DATADIR="%{_datadir}" \
@ -621,24 +682,10 @@ install -d -p %{buildroot}%{_datadir}/polkit-1/actions
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -d -p %{buildroot}%{_datadir}/selinux/packages
# Install snap and snapd
install -p -m 0755 bin/snap %{buildroot}%{_bindir}
install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
ln -sf %{_libexecdir}/snapd/snapctl %{buildroot}%{_bindir}/snapctl
# Install SELinux module
install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
# Install snap(8) man page
bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
# Install the "info" data file with snapd version
install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@ -668,6 +715,12 @@ pushd ./data
SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
popd
# Install snap, snapd and tools
# auto-remove unnecessary files and service units
%make_install -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
install
%if 0%{?rhel} == 7
# Install kernel tweaks
# See: https://access.redhat.com/articles/3128691
@ -675,21 +728,19 @@ install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.
%endif
# Remove snappy core specific units
rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
rm -fv %{buildroot}%{_unitdir}/snapd.recovery-chooser-trigger.service
rm -fv %{buildroot}%{_unitdir}/snapd.failure.service
# Remove snappy core specific scripts and binaries
rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
rm %{buildroot}%{_libexecdir}/snapd/system-shutdown
# Remove snapd apparmor service
rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
# Remove gpio-chardev ordering target
rm -f %{buildroot}%{_unitdir}/snapd.gpio-chardev-setup.target
# Disable re-exec by default
echo 'SNAP_REEXEC=0' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
cat <<'EOF' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
# Snapd daemon can reexec into the binary from the snapd snap, if
# it is newer than the version installed through distro packaging.
# Set to 1 to enable reexec. The default is 0.
#SNAP_REEXEC=0
EOF
# Create state.json and the README file to be ghosted
touch %{buildroot}%{_sharedstatedir}/snapd/state.json
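Review bot: The sysconfig file used to carry an active `SNAP_REEXEC=0`; the replacement heredoc ships it commented out as `#SNAP_REEXEC=0`, so re-exec into the snapd snap stays disabled only as long as snapd's built-in default remains 0. If the packaging policy is that the distro-built binary always runs, keep the assignment uncommented and leave the explanation as comments. The `# Disable re-exec by default` line above the heredoc otherwise no longer describes what the file does.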
@ -731,25 +782,20 @@ sort -u -o devel.file-list devel.file-list
%check
for binary in snap-exec snap-update-ns snapctl; do
ldd bin/$binary 2>&1 | grep 'not a dynamic executable'
ldd %{_builddir}/$binary 2>&1 | grep 'not a dynamic executable'
done
# snapd tests
%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
%if ! 0%{?with_bundled}
export GOPATH=%{buildroot}/%{gopath}:%{gopath}
%else
export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
%endif
# FIXME: we are in the go.mod world now but without this things fall apart
export GO111MODULE=off
%gotest %{import_path}/...
%make_build -f packaging/snapd2.mk \
SNAPD_DEFINES_DIR=$PWD \
check
%endif
# snap-confine tests (these always run!)
pushd ./cmd
make check
popd
make -C cmd -k check
# and data files
make -C data -k check
%files
#define license tag if not already defined
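Review bot: The static-link check in `%check` still passes or fails on ldd's human-readable message (`grep 'not a dynamic executable'`), now run against `%{_builddir}/$binary`. That text depends on the locale and on how ldd chooses to report the binary, so set `LC_ALL=C` for the loop or test the ELF file directly, for example by requiring that `readelf -l` lists no INTERP program header.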
@ -766,9 +812,9 @@ popd
%{_libexecdir}/snapd/snapctl
%{_libexecdir}/snapd/snapd
%{_libexecdir}/snapd/snap-exec
%{_libexecdir}/snapd/snap-failure
%{_libexecdir}/snapd/info
%{_libexecdir}/snapd/snap-mgmt
%{_libexecdir}/snapd/snapd-apparmor
%{_libexecdir}/snapd/snap-mgmt-selinux
%{_mandir}/man8/snap.8*
%{_datadir}/applications/snap-handle-link.desktop
@ -782,9 +828,8 @@ popd
%{_systemd_system_env_generator_dir}/snapd-env-generator
%{_unitdir}/snapd.socket
%{_unitdir}/snapd.service
%{_unitdir}/snapd.autoimport.service
%{_unitdir}/snapd.failure.service
%{_unitdir}/snapd.seeded.service
%{_unitdir}/snapd.apparmor.service
%{_unitdir}/snapd.mounts.target
%{_unitdir}/snapd.mounts-pre.target
%{_userunitdir}/snapd.session-agent.service
@ -821,13 +866,19 @@ popd
%dir %{_sharedstatedir}/snapd/mount
%dir %{_sharedstatedir}/snapd/seccomp
%dir %{_sharedstatedir}/snapd/seccomp/bpf
%ghost %{_sharedstatedir}/snapd/seccomp/bpf/global.bin
%dir %{_sharedstatedir}/snapd/snaps
%dir %{_sharedstatedir}/snapd/snap
%ghost %dir %{_sharedstatedir}/snapd/snap/bin
%dir %{_localstatedir}/cache/snapd
%dir %{_localstatedir}/snap
%ghost %{_sharedstatedir}/snapd/state.json
%ghost %{_sharedstatedir}/snapd/system-key
%ghost %{_sharedstatedir}/snapd/snap/bin
%ghost %{_sharedstatedir}/snapd/snap/README
%dir %{_localstatedir}/cache/snapd
%ghost %{_localstatedir}/cache/snapd/commands
%ghost %{_localstatedir}/cache/snapd/names
%ghost %{_localstatedir}/cache/snapd/sections
%dir %{_localstatedir}/snap
# this is typically owned by zsh, but we do not want to explicitly require zsh
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
@ -838,9 +889,9 @@ popd
%doc cmd/snap-confine/PORTING
%license COPYING
%dir %{_libexecdir}/snapd
# For now, we can't use caps
# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
%attr(4755,root,root) %{_libexecdir}/snapd/snap-confine
%caps(%{snap_confine_caps}) %{_libexecdir}/snapd/snap-confine
%{_libexecdir}/snapd/snap-confine.caps
%{_libexecdir}/snapd/snap-confine.v2-only.caps
%{_libexecdir}/snapd/snap-device-helper
%{_libexecdir}/snapd/snap-discard-ns
%{_libexecdir}/snapd/snap-gdb-shim
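Review bot: snap-confine moves from `%attr(4755,root,root)` to `%caps(%{snap_confine_caps})`, and the same file list ships `snap-confine.caps` and `snap-confine.v2-only.caps`, so the capability set now appears in two places: the `%global` in the spec and the files installed alongside the binary. Add a `%check` step that compares the macro with whichever shipped .caps file applies, so a change in the required capabilities fails the build rather than surfacing at runtime. The set is also broad (`cap_sys_admin`, `cap_dac_override`, `cap_sys_ptrace` among the permitted ones); a short comment on which operation needs each would make later trimming reviewable.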
@ -940,6 +991,554 @@ if [ $1 -eq 0 ]; then
fi
%changelog
* Thu Nov 13 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.72
- FDE: support replacing TPM protected keys at runtime via the
/v2/system-volumes endpoint
- FDE: support secboot preinstall check fix actions for 25.10+
hybrid installs via the /v2/system/{label} endpoint
- FDE: tweak polkit message to remove jargon
- FDE: ensure proper sealing with kernel command line defaults
- FDE: provide generic reseal function
- FDE: support using OPTEE for protecting keys, as an alternative to
existing fde-setup hooks (Ubuntu Core only)
- Confdb: 'snapctl get --view' supports passing default values
- Confdb: content sub-rules in confdb-schemas inherit their parent
rule's "access"
- Confdb: make confdb error kinds used in API more generic
- Confdb: fully support lists and indexed paths (including unset)
- Prompting: add notice backend for prompting types (unused for now)
- Prompting: include request cgroup in prompt
- Prompting: handle unsupported xattrs
- Prompting: add permission mapping for the camera interface
- Notices: read notices from state without state lock
- Notices: add methods to get notice fields and create, reoccur, and
deepcopy notice
- Notices: add notice manager to coordinate separate notice backends
- Notices: support draining notices from state when notice backend
registered as producer of a particular notice type
- Notices: query notice manager from daemon instead of querying
state for notices directly
- Packaging: Ubuntu | ignore .git directory
- Packaging: FIPS | bump deb Go FIPS to 1.23
- Packaging: snap | bump FIPS toolchain to 1.23
- Packaging: debian | sync most upstream changes
- Packaging: debian-sid | depends on libcap2-bin for postint
- Packaging: Fedora | drop fakeroot
- Packaging: snap | modify snapd.mk to pass build tags when running
unit tests
- Packaging: snap | modify snapd.mk to pass nooptee build tag
- Packaging: modify Makefile.am to fix snap-confine install profile
with 'make hack'
- Packaging: modify Makefile.am to fix out-of-tree use of 'make
hack'
- LP: #2122054 Snap installation: skip snap icon download when
running in a cloud or using a proxy store
- Snap installation: add timeout to http client when downloading
snap icon
- Snap installation: use http(s) proxy for icon downloads
- LP: #2117558 snap-confine: fix error message with /root/snap not
accessible
- snap-confine: fix non-suid limitation by switching to root:root to
operate v1 freezer
- core-initrd: do not use writable-paths when not available
- core-initrd: remove debian folder
- LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev
interface now with the more robust gpio-aggregator configfs kernel
interface
- Interfaces: gpio-chardev | exclusive snap connections, raise a
conflict when both gpio-chardev and gpio are connected
- Interfaces: gpio-chardev | fix gpio-aggregator module load order
- Interfaces: ros-snapd-support | grant access to /v2/changes
- Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs,
opengl-driver-libs, opengles-driver-libs | new interfaces to
support nvidia driver components
- Interfaces: microstack-support | allow DPDK (hugepage related
permissions)
- Interfaces: system-observe | allow reading additional files in
/proc, needed by node-exporter
- Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key
and Kensington VeriMark DT Fingerprint Key to device list
- Interfaces: snap-interfaces-requests-control | allow shell API
control
- Interfaces: fwupd | allow access to Intel CVS sysfs
- Interfaces: hardware-observe | allow read access to Kernel
Samepage Merging (KSM)
- Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP
- Interfaces: spi | relax sysfs permission rules to allow access to
SPI device node attributes
- Interfaces: content | introduce compatibility label
- LP: #2121238 Interfaces: do not expose Kerberos tickets for
classic snaps
- Interfaces: ssh-public-keys | allow ro access to public host keys
with ssh-key
- Interfaces: Modify AppArmor template to allow listing systemd
credentials and invoking systemd-creds
- Interfaces: modify AppArmor template with workarounds for Go 1.35
cgroup aware GOMAXPROCS
- Interfaces: modify seccomp template to allow landlock_*
- Prevent snap hooks from running while relevant snaps are unlinked
- Make refreshes wait before unlinking snaps if running hooks can be
affected
- Fix systemd unit generation by moving "WantedBy=" from section
"unit" to "install"
- Add opt-in logging support for snap-update-ns
- Unhide 'snap help' sign and export-key under Development category
- LP: #2117121 Cleanly support socket activation for classic snap
- Add architecture to 'snap version' output
- Add 'snap debug api' option to disable authentication through
auth.json
- Show grade in notes for 'snap info --verbose'
- Fix preseeding failure due to scan-disk issue on RPi
- Support 'snap debug api' queries to user session agents
- LP: #2112626 Improve progress reporting for snap install/refresh
- Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files
- Fix /v2/apps error for root user when user services are present
- LP: #2114704 Extend output to indicate when snap data snapshot was
created during remove
- Improve how we handle emmc volumes
- Improve handling of system-user extra assertions
* Fri Oct 10 2025 Alejandro Sáez <asm@redhat.com> - 2.71-1
- rebuild
* Fri Aug 22 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.71
- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on
CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs
via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the
/v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the
/v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new
/v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the /v2/system-
volumes endpoint
- FDE: support enumerating keyslots at runtime via the /v2/system-
volumes endpoint
- FDE: support changing passphrase at runtime via the /v2/system-
volumes endpoint
- FDE: support passphrase quality check at runtime via the
/v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed
AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations
rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and
talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor
cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle
ENOSYS
- snap-confine: add support for host policy for limiting users able
to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during
seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap
is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal
to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled
journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a
channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed
tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system
daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new
interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl
varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and
procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their
own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability
dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to
individual partitions
- Interfaces: accel | add new interface to support accel kernel
subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus
socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading
/proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop
pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed
* Fri Aug 15 2025 Maxwell G <maxwell@gtmx.me> - 2.70-3
- Rebuild for golang-1.25.0
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.70-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun 03 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.70
- FDE: Fix reseal with v1 hook key format
- FDE: set role in TPM keys
- AppArmor prompting (experimental): add handling for expired
requests or listener in the kernel
- AppArmor prompting: log the notification protocol version
negotiated with the kernel
- AppArmor prompting: implement notification protocol v5 (manually
disabled for now)
- AppArmor prompting: register listener ID with the kernel and
resend notifications after snapd restart (requires protocol v5+)
- AppArmor prompting: select interface from metadata tags and set
request interface accordingly (requires protocol v5+)
- AppArmor prompting: include request PID in prompt
- AppArmor prompting: move the max prompt ID file to a subdirectory
of the snap run directory
- AppArmor prompting: avoid race between closing/reading socket fd
- Confdb (experimental): make save/load hooks mandatory if affecting
ephemeral
- Confdb: clear tx state on failed load
- Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g.
confdb-schema)
- Confdb: add NestedEphemeral to confdb schemas
- Confdb: add early concurrency checks
- Simplify building Arch package
- Enable snapd.apparmor on Fedora
- Build snapd snap with libselinux
- Emit snapd.apparmor warning only when using apparmor backend
- When running snap, on system key mismatch e.g. due to network
attached HOME, trigger and wait for a security profiles
regeneration
- Avoid requiring state lock to get user, warnings, or pending
restarts when handling API requests
- Start/stop ssh.socket for core24+ when enabling/disabling the ssh
service
- Allow providing a different base when overriding snap
- Modify snap-bootstrap to mount snapd snap directly to /snap
- Modify snap-bootstrap to mount /lib/{modules,firmware} from snap
as fallback
- Modify core-initrd to use systemctl reboot instead of /sbin/reboot
- Copy the initramfs 'manifest-initramfs.yaml' to initramfs file
creation directory so it can be copied to the kernel snap
- Build the early initrd from installed ucode packages
- Create drivers tree when remodeling from UC20/22 to UC24
- Load gpio-aggregator module before the helper-service needs it
- Run 'systemctl start' for mount units to ensure they are run also
when unchanged
- Update godbus version to 'v5 v5.1.0'
- Add support for POST to /v2/system-info with system-key-mismatch
indication from the client
- Add 'snap sign --update-timestamp' flag to update timestamp before
signing
- Add vfs support for snap-update-ns to use to simulate and evaluate
mount sequences
- Add refresh app awareness debug logging
- Add snap-bootstrap scan-disk subcommand to be called from udev
- Add feature to inject proxy store assertions in build image
- Add OP-TEE bindings, enable by default in ARM and ARM64 builds
- Fix systemd dependency options target to go under 'unit' section
- Fix snap-bootstrap reading kernel snap instead of base resulting
in bad modeenv
- Fix a regression during seeding when using early-config
- LP: #2107443 reset SHELL to /bin/bash in non-classic snaps
- Make Azure kernels reboot upon panic
- Fix snap-confine to not drop capabilities if the original user is
already root
- Fix data race when stopping services
- Fix task dependency issue by temporarily disable re-refresh on
prerequisite updates
- Fix compiling against op-tee on armhf
- Fix dbx update when not using FDE
- Fix potential validation set deadlock due to bases waiting on
snaps
- LP: #2104066 Only cancel notices requests on stop/shutdown
- Interfaces: bool-file | fix gpio glob pattern as required for
'[XXXX]*' format
- Interfaces: system-packages-doc | allow access to
/usr/local/share/doc
- Interfaces: ros-snapd-support interface | added new interface
- Interfaces: udisks2 | allow chown capability
- Interfaces: system-observe | allow reading cpu.max
- Interfaces: serial-port | add ttyMAXX to allowed list
- Interfaces: modified seccomp template to disallow
'O_NOTIFICATION_PIPE'
- Interfaces: fwupd | add support for modem-manager plugin
- Interfaces: gpio-chardev | make unsupported and remove
experimental flag to hide this feature until gpio-aggregator is
available
- Interfaces: hardware-random | fix udev match rule
- Interfaces: timeserver-control | extend to allow timedatectl
timesync commands
- Interfaces: add symlinks backend
- Interfaces: system key mismatch handling
* Tue Apr 08 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.69
- FDE: re-factor listing of the disks based on run mode model and
model to correctly resolve paths
- FDE: run snapd from snap-failure with the correct keyring mode
- Snap components: allow remodeling back to an old snap revision
that includes components
- Snap components: fix remodel to a kernel snap that is already
installed on the system, but not the current kernel due to a
previous remodel.
- Snap components: fix for snapctl inputs that can crash snapd
- Confdb (experimental): load ephemeral data when reading data via
snapctl get
- Confdb (experimental): load ephemeral data when reading data via
snap get
- Confdb (experimental): rename {plug}-view-changed hook to observe-
view-{plug}
- Confdb (experimental): rename confdb assertion to confdb-schema
- Confdb (experimental): change operator grouping in confdb-control
assertion
- Confdb (experimental): add confdb-control API
- AppArmor: extend the probed features to include the presence of
files, as well as directories
- AppArmor prompting (experimental): simplify the listener
- AppArmor metadata tagging (disabled): probe parser support for
tags
- AppArmor metadata tagging (disabled): implement notification
protocol v5
- Confidential VMs: sysroot.mount is now dynamically created by
snap-bootstrap instead of being a static file in the initramfs
- Confidential VMs: Add new implementation of snap integrity API
- Non-suid snap-confine: first phase to replace snap-confine suid
with capabilities to achieve the required permissions
- Initial changes for dynamic security profiles updates
- Provide snap icon fallback for /v2/icons without requiring network
access at runtime
- Add eMMC gadget update support
- Support reexec when using /usr/libexec/snapd on the host (Arch
Linux, openSUSE)
- Auto detect snap mount dir location on unknown distributions
- Modify snap-confine AppArmor template to allow all glibc HWCAPS
subdirectories to prevent launch errors
- LP: #2102456 update secboot to bf2f40ea35c4 and modify snap-
bootstrap to remove usage of go templates to reduce size by 4MB
- Fix snap-bootstrap to mount kernel snap from
/sysroot/writable/system-data
- LP: #2106121 fix snap-bootstrap busy loop
- Fix encoding of time.Time by using omitzero instead of omitempty
(on go 1.24+)
- Fix setting snapd permissions through permctl for openSUSE
- Fix snap struct json tags typo
- Fix snap pack configure hook permissions check incorrect file mode
- Fix gadget snap reinstall to honor existing sizes of partitions
- Fix to update command line when re-executing a snapd tool
- Fix 'snap validate' of specific missing newline and add error on
missed case of 'snap validate --refresh' without another action
- Workaround for snapd-confine time_t size differences between
architectures
- Disallow pack and install of snapd, base and os with specific
configure hooks
- Drop udev build dependency that is no longer required and add
missing systemd-dev dependency
- Build snap-bootstrap with nomanagers tag to decrease size by 1MB
- Interfaces: polkit | support custom polkit rules
- Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is
confined by AppArmor
- Interfaces: log-observe | add missing udev rule
- Interfaces: hostname-control | fix call to hostnamectl in core24
- Interfaces: network-control | allow removing created network
namespaces
- Interfaces: scsi-generic | re-enable base declaration for scsi-
generic plug
- Interfaces: u2f | add support for Arculus AuthentiKey
* Wed Apr 02 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68.4
- Snap components: LP: #2104933 workaround for classic 24.04/24.10
models that incorrectly specify core22 instead of core24
- Update build dependencies
* Mon Mar 10 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68.3
- FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to
old keyring path
- Fix Plucky snapd deb build issue related to /var/lib/snapd/void
permissions
- Fix snapd deb build complaint about ifneq with extra bracket
* Thu Feb 27 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68.2
- FDE: use boot mode for FDE hooks
- FDE: add snap-bootstrap compatibility check to prevent image
creation with incompatible snapd and kernel snap
- FDE: add argon2 out-of-process KDF support
- FDE: have separate mutex for the sections writing a fresh modeenv
- FDE: LP: #2099709 update secboot to e07f4ae48e98
- Confdb: support pruning ephemeral data and process alternative
types in order
- core-initrd: look at env to mount directly to /sysroot
- core-initrd: prepare for Plucky build and split out 24.10
(Oracular)
- Fix missing primed packages in snapd snap manifest
- Interfaces: posix-mq | fix incorrect clobbering of global variable
and make interface more precise
- Interfaces: opengl | add more kernel fusion driver files
* Mon Feb 24 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68.1
- Fix snap-confine type specifier type mismatch on armhf
* Thu Feb 13 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68
- FDE: add support for new and more extensible key format that is
unified between TPM and FDE hook
- FDE: add support for adding passphrases during installation
- FDE: update secboot to 30317622bbbc
- Snap components: make kernel components available on firstboot
after either initramfs or ephemeral rootfs style install
- Snap components: mount drivers tree from initramfs so kernel
modules are available in early boot stages
- Snap components: support remodeling to models that contain
components
- Snap components: support offline remodeling to models that contain
components
- Snap components: support creating new recovery systems with
components
- Snap components: support downloading components with 'snap
download' command
- Snap components: support sideloading asserted components
- AppArmor Prompting(experimental): improve version checks and
handling of listener notification protocol for communication with
kernel AppArmor
- AppArmor Prompting(experimental): make prompt replies idempotent,
and have at most one rule for any given path pattern, with
potentially mixed outcomes and lifespans
- AppArmor Prompting(experimental): timeout unresolved prompts after
a period of client inactivity
- AppArmor Prompting(experimental): return an error if a patch
request to the API would result in a rule without any permissions
- AppArmor Prompting(experimental): warn if there is no prompting
client present but prompting is enabled, or if a prompting-related
error occurs during snapd startup
- AppArmor Prompting(experimental): do not log error when converting
empty permissions to AppArmor permissions
- Confdb(experimental): rename registries to confdbs (including API
/v2/registries => /v2/confdb)
- Confdb(experimental): support marking confdb schemas as ephemeral
- Confdb(experimental): add confdb-control assertion and feature
flag
- Refresh App Awareness(experimental): LP: #2089195 prevent
possibility of incorrect notification that snap will quit and
update
- Confidential VMs: snap-bootstrap support for loading partition
information from a manifest file for cloudimg-rootfs mode
- Confidential VMs: snap-bootstrap support for setting up cloudimg-
rootfs as an overlayfs with integrity protection
- dm-verity for essential snaps: add support for snap-integrity
assertion
- Interfaces: modify AppArmor template to allow owner read on
@{PROC}/@{pid}/fdinfo/*
- Interfaces: LP: #2072987 modify AppArmor template to allow using
setpriv to run daemon as non-root user
- Interfaces: add configfiles backend that ensures the state of
configuration files in the filesystem
- Interfaces: add ldconfig backend that exposes libraries coming
from snaps to either the rootfs or to other snaps
- Interfaces: LP: #1712808 LP: 1865503 disable udev backend when
inside a container
- Interfaces: add auditd-support interface that grants audit_control
capability and required paths for auditd to function
- Interfaces: add checkbox-support interface that allows
unrestricted access to all devices
- Interfaces: fwupd | allow access to dell bios recovery
- Interfaces: fwupd | allow access to shim and fallback shim
- Interfaces: mount-control | add mount option validator to detect
mount option conflicts early
- Interfaces: cpu-control | add read access to /sys/kernel/irq/
- Interfaces: locale-control | changed to be implicit on Ubuntu Core
Desktop
- Interfaces: microstack-support | support for utilizing of AMD SEV
capabilities
- Interfaces: u2f | added missing OneSpan device product IDs
- Interfaces: auditd-support | grant seccomp setpriority
- Interfaces: opengl interface | enable parsing of nvidia driver
information files
- Allow mksquashfs 'xattrs' when packing snap types os, core, base
and snapd as part of work to support non-root snap-confine
- Upstream/downstream packaging changes and build updates
- Improve error logs for malformed desktop files to also show which
desktop file is at fault
- Provide more precise error message when overriding channels with
grade during seed creation
- Expose 'snap prepare-image' validation parameter
- Add snap-seccomp 'dump' command that dumps the filter rules from a
compiled profile
- Add fallback release info location /etc/initrd-release
- Added core-initrd to snapd repo and fixed issues with ubuntu-core-
initramfs deb builds
- Remove stale robust-mount-namespace-updates experimental feature
flag
- Remove snapd-snap experimental feature (rejected) and it's feature
flag
- Changed snap-bootstrap to mount base directly on /sysroot
- Mount ubuntu-seed mounted as no-{suid,exec,dev}
- Mapping volumes to disks: add support for volume-assignments in
gadget
- Fix silently broken binaries produced by distro patchelf 0.14.3 by
using locally build patchelf 0.18
- Fix mismatch between listed refresh candidates and actual refresh
due to outdated validation sets
- Fix 'snap get' to produce compact listing for tty
- Fix missing store-url by keeping it as part of auxiliary store
info
- Fix snap-confine attempting to retrieve device cgroup setup inside
container where it is not available
- Fix 'snap set' and 'snap get' panic on empty strings with early
error checking
- Fix logger debug entries to show correct caller and file
information
- Fix issue preventing hybrid systems from being seeded on first
boot
- LP: #1966203 remove auto-import udev rules not required by deb
package to avoid unwanted syslog errors
- LP: #1886414 fix progress reporting when stdout is on a tty, but
stdin is not
* Wed Jan 22 2025 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
- The changelog date and author have been modified to maintain linearity.
- Drop 0001-data-selinux-remove-timedatex.patch - applied upstream.
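Review bot: The imported upstream entries in this hunk ("* Tue Jun 03 2025 Ernest Lotter ...", "* Tue Apr 08 2025 ...", and the others down to "* Thu Feb 13 2025 ...") have no version-release on the header line, while the Fedora entries next to them do ("- 2.70-3", "- 2.70-2"). Without it, a reader cannot tie security-relevant items such as "Fix snap-confine to not drop capabilities if the original user is already root" or "modified seccomp template to disallow 'O_NOTIFICATION_PIPE'" to a specific package build. Consider appending the version-release to each header, or stating once that these entries are copied from the upstream changelog. The "Wed Jan 22 2025" note that dates and authors were "modified to maintain linearity" should also say which entries were altered. Minor: "LP: 1865503" is missing the "#" used by every other bug reference.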
@ -1023,6 +1622,20 @@ fi
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.66.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Wed Jan 15 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.67.1
- Fix apparmor permissions to allow snaps access to kernel modules
and firmware on UC24, which also fixes the kernel-modules-control
interface on UC24
- AppArmor prompting (experimental): disallow /./ and /../ in path
patterns
- Fix 'snap run' getent based user lookup in case of bad PATH
- Fix snapd using the incorrect AppArmor version during undo of an
refresh for regenerating snap profiles
- Add new syscalls to base templates
- hardware-observe interface: allow riscv_hwprobe syscall
- mount-observe interface: allow listmount and statmount syscalls
* Tue Dec 03 2024 Orion Poplawski <orion@nwra.com>
- Drop RestartMode from snapd.service on EL8 (rhbz#2315759)
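Review bot: The added "* Wed Jan 15 2025 Ernest Lotter" entry for 2.67.1 sits below the "2.66.1-3" mass-rebuild entry of Jan 19, so the dates descend but the versions do not, and the new header carries no version-release to resolve that. As written, it is unclear whether any build between 2.66.1-3 and the later releases contained "AppArmor prompting (experimental): disallow /./ and /../ in path patterns" and the AppArmor profile fixes listed here. Please add the version-release to the header, or a line saying the entry is carried over from upstream for history only.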

@ -1,2 +1,2 @@
SHA512 (snapd_2.67.no-vendor.tar.xz) = 517b8559edf2a1792f551ca4ccb3c1b026ea2f56b58c95c3cdaa4bdce690629dc9e917b388718b3c76d2fdf314ba6eaea16ba1c9fd8f910f3cb22880810aabb8
SHA512 (snapd_2.67.only-vendor.tar.xz) = 56642733f89fe62a81081856eb878186d0bd6269af31aa453d65478934b4032dce1e04c8682d1164ad9a371f48da014cb5a5a6a27062cda27a93d6fe0541f4d5
SHA512 (snapd_2.72.no-vendor.tar.xz) = fb556bdb60877a2536cd8e53a7e137935ba27afb5b04efff06d8f858c47cec82a8f1df01fb621f644f0c2abe056a2b0612fabd70ae2d909b2e960692763b8bff
SHA512 (snapd_2.72.only-vendor.tar.xz) = f80b5def82553c044027fbb208fc5d5f76633afe71a8210abc33b48b189fd9347fd1d04bc868c58dc5d0b7fe8c68f6e316edbb6d2a2e060f375a5cdc851c2278
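Review bot: The two replacement SHA512 lines for snapd_2.72.no-vendor.tar.xz and snapd_2.72.only-vendor.tar.xz cannot be checked from the diff alone, and nothing visible here records where the tarballs were obtained. Since these digests are the only integrity anchor for the source and the vendored dependencies, please note in the commit message the download location and that the digests were compared against the upstream release artifacts before upload.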