From: Raspbian automatic forward porter Date: Wed, 14 Jan 2026 08:39:55 +0000 (+0000) Subject: Merge version 2.68.3-3+rpi1 and 2.71-3 to produce 2.71-3+rpi1 X-Git-Tag: archive/raspbian/2.71-3+rpi1^0 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=621688e45c9e0ec10c241bd4ce917c0174910645;p=snapd.git Merge version 2.68.3-3+rpi1 and 2.71-3 to produce 2.71-3+rpi1 --- 621688e45c9e0ec10c241bd4ce917c0174910645 diff --cc debian/changelog index e0759ee6,31e9b449..de09b9bd --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,323 +1,332 @@@ - snapd (2.68.3-3+rpi1) trixie-staging; urgency=medium ++snapd (2.71-3+rpi1) forky-staging; urgency=medium + + [changes brought forward from 2.27.2-2+rpi1 by Peter Michael Green at Thu, 24 Aug 2017 17:53:18 +0000] + * Treat unknown derivatives the same as Debian. + * Disable testsuite. + * Fix clean target. + - -- Peter Michael Green Thu, 31 Jul 2025 13:03:44 +0000 ++ -- Raspbian forward porter Wed, 14 Jan 2026 08:39:54 +0000 ++ + snapd (2.71-3) unstable; urgency=medium + + * Set nooptee build tag to disable OP-TEE support + + -- Zygmunt Krynicki Thu, 21 Aug 2025 20:46:02 +0000 + + snapd (2.71-2) unstable; urgency=medium + + * Cherry pick a fix for unit test + * Depend on libcap2-bin for setcap + + -- Zygmunt Krynicki Thu, 21 Aug 2025 19:08:54 +0000 + + snapd (2.71-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2118396 + - FDE: auto-repair when recovery key is used + - FDE: revoke keys on shim update + - FDE: revoke old TPM keys when dbx has been updated + - FDE: do not reseal FDE hook keys every time + - FDE: store keys in the kernel keyring when installing from initrd + - FDE: allow disabled DMA on Core + - FDE: snap-bootstrap: do not check for partition in scan-disk on + CVM + - FDE: support secboot preinstall check for 25.10+ hybrid installs + via the /v2/system/{label} endpoint + - FDE: support generating recovery key 
at install time via the + /v2/systems/{label} endpoint + - FDE: update passphrase quality check at install time via the + /v2/systems/{label} endpoint + - FDE: support replacing recovery key at runtime via the new + /v2/system-volumes endpoint + - FDE: support checking recovery keys at runtime via the /v2/system- + volumes endpoint + - FDE: support enumerating keyslots at runtime via the /v2/system- + volumes endpoint + - FDE: support changing passphrase at runtime via the /v2/system- + volumes endpoint + - FDE: support passphrase quality check at runtime via the + /v2/system-volumes endpoint + - FDE: update secboot to revision 3e181c8edf0f + - Confdb: support lists and indexed paths on read and write + - Confdb: alias references must be wrapped in brackets + - Confdb: support indexed paths in confdb-schema assertion + - Confdb: make API errors consistent with options + - Confdb: fetch confdb-schema assertion on access + - Confdb: prevent --previous from being used in read-side hooks + - Components: fix snap command with multiple components + - Components: set revision of seed components to x1 + - Components: unmount extra kernel-modules components mounts + - AppArmor Prompting: add lifespan "session" for prompting rules + - AppArmor Prompting: support restoring prompts after snapd restart + - AppArmor Prompting: limit the extra information included in probed + AppArmor features and system key + - Notices: refactor notice state internals + - SELinux: look for restorecon/matchpathcon at all known locations + rather than current PATH + - SELinux: update policy to allow watching cgroups (for RAA), and + talking to user session agents (service mgmt/refresh) + - Refresh App Awareness: Fix unexpected inotify file descriptor + cleanup + - snap-confine: workaround for glibc fchmodat() fallback and handle + ENOSYS + - snap-confine: add support for host policy for limiting users able + to run snaps + - LP: #2114923 Reject system key mismatch advise when not yet seeded + - 
Use separate lanes for essential and non-essential snaps during + seeding and allow non-essential installs to retry + - Fix bug preventing remodel from core18 to core18 when snapd snap + is unchanged + - LP: #2112551 Make removal of last active revision of a snap equal + to snap remove + - LP: #2114779 Allow non-gpt in fallback mode to support RPi + - Switch from using systemd LogNamespace to manually controlled + journal quotas + - Change snap command trace logging to only log the command names + - Grant desktop-launch access to /v2/snaps + - Update code for creating the snap journal stream + - Switch from using core to snapd snap for snap debug connectivity + - LP: #2112544 Fix offline remodel case where we switched to a + channel without an actual refresh + - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed + tarball + - LP: #1952500 Fix snap command progress reporting + - LP: #1849346 Interfaces: kerberos-tickets | add new interface + - Interfaces: u2f | add support for Thetis Pro + - Interfaces: u2f | add OneSpan device and fix older device + - Interfaces: pipewire, audio-playback | support pipewire as system + daemon + - Interfaces: gpg-keys | allow access to GPG agent sockets + - Interfaces: usb-gadget | add new interface + - Interfaces: snap-fde-control, firmware-updater-support | add new + interfaces to support FDE + - Interfaces: timezone-control | extend to support timedatectl + varlink + - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and + procfs directories + - Interfaces: microstack-support | allow SR-IOV attachments + - Interfaces: modify AppArmor template to allow snaps to read their + own systemd credentials + - Interfaces: posix-mq | allow stat on /dev/mqueue + - LP: #2098780 Interfaces: log-observe | add capability + dac_read_search + - Interfaces: block-devices | allow access to ZFS pools and datasets + - LP: #2033883 Interfaces: block-devices | opt-in access to + individual partitions + - Interfaces: accel | add 
new interface to support accel kernel + subsystem + - Interfaces: shutdown | allow client to bind on its side of dbus + socket + - Interfaces: modify seccomp template to allow pwritev2 + - Interfaces: modify AppArmor template to allow reading + /proc/sys/fs/nr_open + - Packaging: drop snap.failure service for openSUSE + - Packaging: add SELinux support for openSUSE + - Packaging: disable optee when using nooptee build tag + - Packaging: add support for static PIE builds in snapd.mk, drop + pie.patch from openSUSE + - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04 + - Packaging: use snapd.mk for packaging on Fedora + - Packaging: exclude .git directory + - Packaging: fix DPKG_PARSECHANGELOG assignment + - Packaging: fix building on Fedora with dpkg installed + + [ Zygmunt Krynicki ] + * Remove auth_requestor.go (secboot) + * Rebase and re-export patches + * Fix typo and clarify what core means + * Remove transitional ubuntu-core-launcher package + * Remove transitional snap-confine package + * Simplify Conflicts: snap to exclude ubuntu version + * Expand the description of golang-github-snapcore-snapd-dev + * Rewrite summary of golang-github-snapcore-snapd-dev + * Move golang-github-snapcore-snapd-dev to golang section + * Update lintian overrides + * Add Static-Built-Using to snapd + * Use Breaks: snap, instead of Conflicts: snap + * Do not ship snapd.recovery-chooser-trigger.service + * Add manual page for snapd.apparmor.service + * Add manual page for snapd.seeded.service + * Add manual page for snapd.service + * Update standards-version to 4.7.2 + + -- Zygmunt Krynicki Thu, 21 Aug 2025 13:57:25 +0000 + + snapd (2.70-1) unstable; urgency=medium + + * New upstream release, LP: #2112209 + - FDE: Fix reseal with v1 hook key format + - FDE: set role in TPM keys + - AppArmor prompting (experimental): add handling for expired + requests or listener in the kernel + - AppArmor prompting: log the notification protocol version + negotiated with the kernel + 
- AppArmor prompting: implement notification protocol v5 (manually + disabled for now) + - AppArmor prompting: register listener ID with the kernel and + resend notifications after snapd restart (requires protocol v5+) + - AppArmor prompting: select interface from metadata tags and set + request interface accordingly (requires protocol v5+) + - AppArmor prompting: include request PID in prompt + - AppArmor prompting: move the max prompt ID file to a subdirectory + of the snap run directory + - AppArmor prompting: avoid race between closing/reading socket fd + - Confdb (experimental): make save/load hooks mandatory if affecting + ephemeral + - Confdb: clear tx state on failed load + - Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g. + confdb-schema) + - Confdb: add NestedEphemeral to confdb schemas + - Confdb: add early concurrency checks + - Simplify building Arch package + - Enable snapd.apparmor on Fedora + - Build snapd snap with libselinux + - Emit snapd.apparmor warning only when using apparmor backend + - When running snap, on system key mismatch e.g. 
due to network + attached HOME, trigger and wait for a security profiles + regeneration + - Avoid requiring state lock to get user, warnings, or pending + restarts when handling API requests + - Start/stop ssh.socket for core24+ when enabling/disabling the ssh + service + - Allow providing a different base when overriding snap + - Modify snap-bootstrap to mount snapd snap directly to /snap + - Modify snap-bootstrap to mount /lib/{modules,firmware} from snap + as fallback + - Modify core-initrd to use systemctl reboot instead of /sbin/reboot + - Copy the initramfs 'manifest-initramfs.yaml' to initramfs file + creation directory so it can be copied to the kernel snap + - Build the early initrd from installed ucode packages + - Create drivers tree when remodeling from UC20/22 to UC24 + - Load gpio-aggregator module before the helper-service needs it + - Run 'systemctl start' for mount units to ensure they are run also + when unchanged + - Update godbus version to 'v5 v5.1.0' + - Add support for POST to /v2/system-info with system-key-mismatch + indication from the client + - Add 'snap sign --update-timestamp' flag to update timestamp before + signing + - Add vfs support for snap-update-ns to use to simulate and evaluate + mount sequences + - Add refresh app awareness debug logging + - Add snap-bootstrap scan-disk subcommand to be called from udev + - Add feature to inject proxy store assertions in build image + - Add OP-TEE bindings, enable by default in ARM and ARM64 builds + - Fix systemd dependency options target to go under 'unit' section + - Fix snap-bootstrap reading kernel snap instead of base resulting + in bad modeenv + - Fix a regression during seeding when using early-config + - LP: #2107443 reset SHELL to /bin/bash in non-classic snaps + - Make Azure kernels reboot upon panic + - Fix snap-confine to not drop capabilities if the original user is + already root + - Fix data race when stopping services + - Fix task dependency issue by temporarily disable 
re-refresh on + prerequisite updates + - Fix compiling against op-tee on armhf + - Fix dbx update when not using FDE + - Fix potential validation set deadlock due to bases waiting on + snaps + - LP: #2104066 Only cancel notices requests on stop/shutdown + - Interfaces: bool-file | fix gpio glob pattern as required for + '[XXXX]*' format + - Interfaces: system-packages-doc | allow access to + /usr/local/share/doc + - Interfaces: ros-snapd-support interface | added new interface + - Interfaces: udisks2 | allow chown capability + - Interfaces: system-observe | allow reading cpu.max + - Interfaces: serial-port | add ttyMAXX to allowed list + - Interfaces: modified seccomp template to disallow + 'O_NOTIFICATION_PIPE' + - Interfaces: fwupd | add support for modem-manager plugin + - Interfaces: gpio-chardev | make unsupported and remove + experimental flag to hide this feature until gpio-aggregator is + available + - Interfaces: hardware-random | fix udev match rule + - Interfaces: timeserver-control | extend to allow timedatectl + timesync commands + - Interfaces: add symlinks backend + - Interfaces: system key mismatch handling + + -- Ernest Lotter Tue, 03 Jun 2025 11:46:44 +0200 + + snapd (2.69-1) unstable; urgency=medium + + * New upstream release, LP: #2105854 + - FDE: re-factor listing of the disks based on run mode model and + model to correctly resolve paths + - FDE: run snapd from snap-failure with the correct keyring mode + - Snap components: allow remodeling back to an old snap revision + that includes components + - Snap components: fix remodel to a kernel snap that is already + installed on the system, but not the current kernel due to a + previous remodel. 
+ - Snap components: fix for snapctl inputs that can crash snapd + - Confdb (experimental): load ephemeral data when reading data via + snapctl get + - Confdb (experimental): load ephemeral data when reading data via + snap get + - Confdb (experimental): rename {plug}-view-changed hook to observe- + view-{plug} + - Confdb (experimental): rename confdb assertion to confdb-schema + - Confdb (experimental): change operator grouping in confdb-control + assertion + - Confdb (experimental): add confdb-control API + - AppArmor: extend the probed features to include the presence of + files, as well as directories + - AppArmor prompting (experimental): simplify the listener + - AppArmor metadata tagging (disabled): probe parser support for + tags + - AppArmor metadata tagging (disabled): implement notification + protocol v5 + - Confidential VMs: sysroot.mount is now dynamically created by + snap-bootstrap instead of being a static file in the initramfs + - Confidential VMs: Add new implementation of snap integrity API + - Non-suid snap-confine: first phase to replace snap-confine suid + with capabilities to achieve the required permissions + - Initial changes for dynamic security profiles updates + - Provide snap icon fallback for /v2/icons without requiring network + access at runtime + - Add eMMC gadget update support + - Support reexec when using /usr/libexec/snapd on the host (Arch + Linux, openSUSE) + - Auto detect snap mount dir location on unknown distributions + - Modify snap-confine AppArmor template to allow all glibc HWCAPS + subdirectories to prevent launch errors + - LP: #2102456 update secboot to bf2f40ea35c4 and modify snap- + bootstrap to remove usage of go templates to reduce size by 4MB + - Fix snap-bootstrap to mount kernel snap from + /sysroot/writable/system-data + - LP: #2106121 fix snap-bootstrap busy loop + - Fix encoding of time.Time by using omitzero instead of omitempty + (on go 1.24+) + - Fix setting snapd permissions through permctl for openSUSE 
+ - Fix snap struct json tags typo + - Fix snap pack configure hook permissions check incorrect file mode + - Fix gadget snap reinstall to honor existing sizes of partitions + - Fix to update command line when re-executing a snapd tool + - Fix 'snap validate' of specific missing newline and add error on + missed case of 'snap validate --refresh' without another action + - Workaround for snapd-confine time_t size differences between + architectures + - Disallow pack and install of snapd, base and os with specific + configure hooks + - Drop udev build dependency that is no longer required and add + missing systemd-dev dependency + - Build snap-bootstrap with nomanagers tag to decrease size by 1MB + - Interfaces: polkit | support custom polkit rules + - Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is + confined by AppArmor + - Interfaces: log-observe | add missing udev rule + - Interfaces: hostname-control | fix call to hostnamectl in core24 + - Interfaces: network-control | allow removing created network + namespaces + - Interfaces: scsi-generic | re-enable base declaration for scsi- + generic plug + - Interfaces: u2f | add support for Arculus AuthentiKey + + -- Ernest Lotter Tue, 08 Apr 2025 12:53:39 +0200 snapd (2.68.3-3) unstable; urgency=medium diff --cc debian/rules index 46d89fe1,3ea1eca1..3736ec7f --- a/debian/rules +++ b/debian/rules @@@ -199,9 -203,12 +199,12 @@@ endi # Generate the real systemd/dbus/env config files $(MAKE) -C data all + printf '[Unit]\nDocumentation=man:%s.5\n' snapd.apparmor.service >>data/systemd/snapd.apparmor.service + printf '[Unit]\nDocumentation=man:%s.5\n' snapd.seeded.service >>data/systemd/snapd.seeded.service + printf '[Unit]\nDocumentation=man:%s.5\n' snapd.service >>data/systemd/snapd.service override_dh_auto_test: - LANG=C.utf-8 LC_ALL=C.utf-8 SNAPD_SKIP_SLOW_TESTS=true GO111MODULE=off dh_auto_test -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/... 
+ #LANG=C.utf-8 LC_ALL=C.utf-8 SNAPD_SKIP_SLOW_TESTS=true GO111MODULE=off dh_auto_test -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/... # a tested default (production) build should have no test keys ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) # check that only the main trusted account-keys are included
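Review bot: in the debian/changelog hunk, the new 2.71-3+rpi1 entry carries "Disable testsuite." and "Treat unknown derivatives the same as Debian." forward from 2.27.2-2+rpi1 (2017) with no reason or bug reference, and nothing in the entry records whether they were re-evaluated against the 2.69 to 2.71 changes merged below it. Please add a line stating why the testsuite is still disabled on this port and which failure it works around, so the next forward port can tell whether the delta is still needed.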
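Review bot: in the debian/rules hunk, override_dh_auto_test has its dh_auto_test line commented out unconditionally, so no unit tests run for this build, while the comment right after it still reads "a tested default (production) build should have no test keys". The merged changelog lists changes to snap-confine, the seccomp and AppArmor templates and FDE key handling, so I would keep the test run and skip it only under the nocheck filter on DEB_BUILD_OPTIONS that the following ifeq already uses, and put the reason next to the commented line. Separately, the three printf lines write Documentation=man:%s.5, whereas systemd man: URIs take the form man:name(section), and appending with >> adds another [Unit] header to the generated unit file each time the target runs without a clean; worth correcting the URI form and making the append idempotent.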