From a8803202ca8ba3677a61c13f922efbd67649fc90 Mon Sep 17 00:00:00 2001 
From: Zygmunt Krynicki Date: Thu, 21 Aug 2025 20:46:02 +0000 Subject: [PATCH] Import snapd_2.71-3.debian.tar.xz [dgit import tarball snapd 2.71-3 snapd_2.71-3.debian.tar.xz] --- README.Source | 35 + changelog | 11655 ++++++++++++++++ control | 121 + copyright | 22 + gbp.conf | 4 + golang-github-snapcore-snapd-dev.install | 1 + ...ithub-snapcore-snapd-dev.lintian-overrides | 5 + not-installed | 1 + ...kip-tests-depending-on-text-wrapping.patch | 128 + ...Debian-Trixie-to-autopkgtest-entries.patch | 43 + ...xattrs-to-unsquashfs-unpacking-files.patch | 34 + ...e-tag-nosecboot-on-reseal_sb_test.go.patch | 19 + ...-localizations-to-avoid-dependencies.patch | 287 + ...developer1-to-older-github.com-jesse.patch | 29 + ...dd-autopkgtest-section-for-Debian-14.patch | 39 + ...-prompting-handle-unsupported-xattrs.patch | 78 + patches/0010-man-page-sections.patch | 35 + patches/multilib.patch | 143 + patches/series | 10 + rules | 305 + salsa-ci.yml | 3 + snapd.apparmor.service.5 | 18 + snapd.autoimport.udev | 3 + snapd.dirs | 15 + snapd.install | 31 + snapd.links | 5 + snapd.lintian-overrides | 19 + snapd.maintscript | 6 + snapd.manpages | 4 + snapd.postinst | 45 + snapd.postrm | 167 + snapd.prerm | 44 + snapd.seeded.service.5 | 25 + snapd.service.5 | 12 + source/format | 1 + source/lintian-overrides | 14 + source/options | 1 + tests/README.md | 10 + tests/control | 19 + tests/integrationtests | 64 + tests/testconfig.json | 3 + watch | 5 + 42 files changed, 13508 insertions(+) create mode 100644 README.Source create mode 100644 changelog create mode 100644 control create mode 100644 copyright create mode 100644 gbp.conf create mode 100644 golang-github-snapcore-snapd-dev.install create mode 100644 golang-github-snapcore-snapd-dev.lintian-overrides create mode 100644 not-installed create mode 100644 patches/0004-cmd-snap-skip-tests-depending-on-text-wrapping.patch create mode 100644 patches/0005-Add-Debian-Trixie-to-autopkgtest-entries.patch create mode 100644 
patches/0005-snap-pass-no-xattrs-to-unsquashfs-unpacking-files.patch create mode 100644 patches/0006-o-fdestate-tag-nosecboot-on-reseal_sb_test.go.patch create mode 100644 patches/0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch create mode 100644 patches/0007-tests-adjust-gendeveloper1-to-older-github.com-jesse.patch create mode 100644 patches/0009-spread-add-autopkgtest-section-for-Debian-14.patch create mode 100644 patches/0010-interfaces-prompting-handle-unsupported-xattrs.patch create mode 100644 patches/0010-man-page-sections.patch create mode 100644 patches/multilib.patch create mode 100644 patches/series create mode 100755 rules create mode 100644 salsa-ci.yml create mode 100644 snapd.apparmor.service.5 create mode 100644 snapd.autoimport.udev create mode 100644 snapd.dirs create mode 100644 snapd.install create mode 100644 snapd.links create mode 100644 snapd.lintian-overrides create mode 100644 snapd.maintscript create mode 100644 snapd.manpages create mode 100644 snapd.postinst create mode 100644 snapd.postrm create mode 100755 snapd.prerm create mode 100644 snapd.seeded.service.5 create mode 100644 snapd.service.5 create mode 100644 source/format create mode 100644 source/lintian-overrides create mode 100644 source/options create mode 100644 tests/README.md create mode 100644 tests/control create mode 100755 tests/integrationtests create mode 100644 tests/testconfig.json create mode 100644 watch diff --git a/README.Source b/README.Source new file mode 100644 index 00000000..2a4c1231 --- /dev/null +++ b/README.Source 
@@ -0,0 +1,35 @@ +# Overview + +The packaging is maintained in the upstream git repo at + +github.com/snapcore/snapd in the packaging/debian-sid dir + +Please push any debian changes back there to make packaging +easier. + +## Release a new version + +To release a new upstream version the following steps are +recommended: + + # one time setup + $ git clone git@salsa.debian.org:debian/snapd + $ cd snapd + $ git remote add upstream https://github.com/snapcore/snapd + + # releasing a new version + $ git fetch upstream + $ git merge upstream/ # e.g. upstream/2.44 + $ cp -ar packaging/debian-sid/* debian/ + # ensure to git add any new files + # set debian/changelog to UNRELEASED + $ git commit -a -m 'debian: sync packaging changes from upstream' + # update changelog + $ debcommit -ar + $ gbp buildpackage -S -d + # testbuild + $ pbuilder-dist sid update + $ pbuilder-dist sid build ../build-area/snapd_.dsc + $ dput ftp-master ../build-area/snapd__source.changes + + -- Michael Vogt , Wed, 18 Mar 2020 13:11:03 +0100 diff --git a/changelog b/changelog new file mode 100644 index 00000000..31e9b449 --- /dev/null +++ b/changelog 
@@ -0,0 +1,11655 @@ +snapd (2.71-3) unstable; urgency=medium + + * Set nooptee build tag to disable OP-TEE support + + -- Zygmunt Krynicki Thu, 21 Aug 2025 20:46:02 +0000 + +snapd (2.71-2) unstable; urgency=medium + + * Cherry pick a fix for unit test + * Depend on libcap2-bin for setcap + + -- Zygmunt Krynicki Thu, 21 Aug 2025 19:08:54 +0000 + +snapd (2.71-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2118396 + - FDE: auto-repair when recovery key is used + - FDE: revoke keys on shim update + - FDE: revoke old TPM keys when dbx has been updated + - FDE: do not reseal FDE hook keys every time + - FDE: store keys in the kernel keyring when installing from initrd + - FDE: allow disabled DMA on Core + - FDE: snap-bootstrap: do not check for partition in scan-disk on + CVM + - FDE: support secboot preinstall check for 25.10+ hybrid installs + via the /v2/system/{label} endpoint + - FDE: support generating recovery key at install time via the + /v2/systems/{label} endpoint + - FDE: update passphrase quality check at install time via the + /v2/systems/{label} endpoint + - FDE: support replacing recovery key at runtime via the new + /v2/system-volumes endpoint + - FDE: support checking recovery keys at runtime via the /v2/system- + volumes endpoint + - FDE: support enumerating keyslots at runtime via the /v2/system- + volumes endpoint + - FDE: support changing passphrase at runtime via the /v2/system- + volumes endpoint + - FDE: support passphrase quality check at runtime via the + /v2/system-volumes endpoint + - FDE: update secboot to revision 3e181c8edf0f + - Confdb: support lists and indexed paths on read and write + - Confdb: alias references must be wrapped in brackets + - Confdb: support indexed paths in confdb-schema assertion + - Confdb: make API errors consistent with options + - Confdb: fetch confdb-schema assertion on access + - Confdb: prevent --previous from being used in read-side hooks + - Components: fix snap command with 
multiple components + - Components: set revision of seed components to x1 + - Components: unmount extra kernel-modules components mounts + - AppArmor Prompting: add lifespan "session" for prompting rules + - AppArmor Prompting: support restoring prompts after snapd restart + - AppArmor Prompting: limit the extra information included in probed + AppArmor features and system key + - Notices: refactor notice state internals + - SELinux: look for restorecon/matchpathcon at all known locations + rather than current PATH + - SELinux: update policy to allow watching cgroups (for RAA), and + talking to user session agents (service mgmt/refresh) + - Refresh App Awareness: Fix unexpected inotify file descriptor + cleanup + - snap-confine: workaround for glibc fchmodat() fallback and handle + ENOSYS + - snap-confine: add support for host policy for limiting users able + to run snaps + - LP: #2114923 Reject system key mismatch advise when not yet seeded + - Use separate lanes for essential and non-essential snaps during + seeding and allow non-essential installs to retry + - Fix bug preventing remodel from core18 to core18 when snapd snap + is unchanged + - LP: #2112551 Make removal of last active revision of a snap equal + to snap remove + - LP: #2114779 Allow non-gpt in fallback mode to support RPi + - Switch from using systemd LogNamespace to manually controlled + journal quotas + - Change snap command trace logging to only log the command names + - Grant desktop-launch access to /v2/snaps + - Update code for creating the snap journal stream + - Switch from using core to snapd snap for snap debug connectivity + - LP: #2112544 Fix offline remodel case where we switched to a + channel without an actual refresh + - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed + tarball + - LP: #1952500 Fix snap command progress reporting + - LP: #1849346 Interfaces: kerberos-tickets | add new interface + - Interfaces: u2f | add support for Thetis Pro + - Interfaces: u2f | 
add OneSpan device and fix older device + - Interfaces: pipewire, audio-playback | support pipewire as system + daemon + - Interfaces: gpg-keys | allow access to GPG agent sockets + - Interfaces: usb-gadget | add new interface + - Interfaces: snap-fde-control, firmware-updater-support | add new + interfaces to support FDE + - Interfaces: timezone-control | extend to support timedatectl + varlink + - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and + procfs directories + - Interfaces: microstack-support | allow SR-IOV attachments + - Interfaces: modify AppArmor template to allow snaps to read their + own systemd credentials + - Interfaces: posix-mq | allow stat on /dev/mqueue + - LP: #2098780 Interfaces: log-observe | add capability + dac_read_search + - Interfaces: block-devices | allow access to ZFS pools and datasets + - LP: #2033883 Interfaces: block-devices | opt-in access to + individual partitions + - Interfaces: accel | add new interface to support accel kernel + subsystem + - Interfaces: shutdown | allow client to bind on its side of dbus + socket + - Interfaces: modify seccomp template to allow pwritev2 + - Interfaces: modify AppArmor template to allow reading + /proc/sys/fs/nr_open + - Packaging: drop snap.failure service for openSUSE + - Packaging: add SELinux support for openSUSE + - Packaging: disable optee when using nooptee build tag + - Packaging: add support for static PIE builds in snapd.mk, drop + pie.patch from openSUSE + - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04 + - Packaging: use snapd.mk for packaging on Fedora + - Packaging: exclude .git directory + - Packaging: fix DPKG_PARSECHANGELOG assignment + - Packaging: fix building on Fedora with dpkg installed + + [ Zygmunt Krynicki ] + * Remove auth_requestor.go (secboot) + * Rebase and re-export patches + * Fix typo and clarify what core means + * Remove transitional ubuntu-core-launcher package + * Remove transitional snap-confine package + * Simplify 
Conflicts: snap to exclude ubuntu version + * Expand the description of golang-github-snapcore-snapd-dev + * Rewrite summary of golang-github-snapcore-snapd-dev + * Move golang-github-snapcore-snapd-dev to golang section + * Update lintian overrides + * Add Static-Built-Using to snapd + * Use Breaks: snap, instead of Conflicts: snap + * Do not ship snapd.recovery-chooser-trigger.service + * Add manual page for snapd.apparmor.service + * Add manual page for snapd.seeded.service + * Add manual page for snapd.service + * Update standards-version to 4.7.2 + + -- Zygmunt Krynicki Thu, 21 Aug 2025 13:57:25 +0000 + +snapd (2.70-1) unstable; urgency=medium + + * New upstream release, LP: #2112209 + - FDE: Fix reseal with v1 hook key format + - FDE: set role in TPM keys + - AppArmor prompting (experimental): add handling for expired + requests or listener in the kernel + - AppArmor prompting: log the notification protocol version + negotiated with the kernel + - AppArmor prompting: implement notification protocol v5 (manually + disabled for now) + - AppArmor prompting: register listener ID with the kernel and + resend notifications after snapd restart (requires protocol v5+) + - AppArmor prompting: select interface from metadata tags and set + request interface accordingly (requires protocol v5+) + - AppArmor prompting: include request PID in prompt + - AppArmor prompting: move the max prompt ID file to a subdirectory + of the snap run directory + - AppArmor prompting: avoid race between closing/reading socket fd + - Confdb (experimental): make save/load hooks mandatory if affecting + ephemeral + - Confdb: clear tx state on failed load + - Confdb: modify 'snap sign' formats JSON in assertion bodies (e.g. 
+ confdb-schema) + - Confdb: add NestedEphemeral to confdb schemas + - Confdb: add early concurrency checks + - Simplify building Arch package + - Enable snapd.apparmor on Fedora + - Build snapd snap with libselinux + - Emit snapd.apparmor warning only when using apparmor backend + - When running snap, on system key mismatch e.g. due to network + attached HOME, trigger and wait for a security profiles + regeneration + - Avoid requiring state lock to get user, warnings, or pending + restarts when handling API requests + - Start/stop ssh.socket for core24+ when enabling/disabling the ssh + service + - Allow providing a different base when overriding snap + - Modify snap-bootstrap to mount snapd snap directly to /snap + - Modify snap-bootstrap to mount /lib/{modules,firmware} from snap + as fallback + - Modify core-initrd to use systemctl reboot instead of /sbin/reboot + - Copy the initramfs 'manifest-initramfs.yaml' to initramfs file + creation directory so it can be copied to the kernel snap + - Build the early initrd from installed ucode packages + - Create drivers tree when remodeling from UC20/22 to UC24 + - Load gpio-aggregator module before the helper-service needs it + - Run 'systemctl start' for mount units to ensure they are run also + when unchanged + - Update godbus version to 'v5 v5.1.0' + - Add support for POST to /v2/system-info with system-key-mismatch + indication from the client + - Add 'snap sign --update-timestamp' flag to update timestamp before + signing + - Add vfs support for snap-update-ns to use to simulate and evaluate + mount sequences + - Add refresh app awareness debug logging + - Add snap-bootstrap scan-disk subcommand to be called from udev + - Add feature to inject proxy store assertions in build image + - Add OP-TEE bindings, enable by default in ARM and ARM64 builds + - Fix systemd dependency options target to go under 'unit' section + - Fix snap-bootstrap reading kernel snap instead of base resulting + in bad modeenv + - Fix a 
regression during seeding when using early-config + - LP: #2107443 reset SHELL to /bin/bash in non-classic snaps + - Make Azure kernels reboot upon panic + - Fix snap-confine to not drop capabilities if the original user is + already root + - Fix data race when stopping services + - Fix task dependency issue by temporarily disable re-refresh on + prerequisite updates + - Fix compiling against op-tee on armhf + - Fix dbx update when not using FDE + - Fix potential validation set deadlock due to bases waiting on + snaps + - LP: #2104066 Only cancel notices requests on stop/shutdown + - Interfaces: bool-file | fix gpio glob pattern as required for + '[XXXX]*' format + - Interfaces: system-packages-doc | allow access to + /usr/local/share/doc + - Interfaces: ros-snapd-support interface | added new interface + - Interfaces: udisks2 | allow chown capability + - Interfaces: system-observe | allow reading cpu.max + - Interfaces: serial-port | add ttyMAXX to allowed list + - Interfaces: modified seccomp template to disallow + 'O_NOTIFICATION_PIPE' + - Interfaces: fwupd | add support for modem-manager plugin + - Interfaces: gpio-chardev | make unsupported and remove + experimental flag to hide this feature until gpio-aggregator is + available + - Interfaces: hardware-random | fix udev match rule + - Interfaces: timeserver-control | extend to allow timedatectl + timesync commands + - Interfaces: add symlinks backend + - Interfaces: system key mismatch handling + + -- Ernest Lotter Tue, 03 Jun 2025 11:46:44 +0200 + +snapd (2.69-1) unstable; urgency=medium + + * New upstream release, LP: #2105854 + - FDE: re-factor listing of the disks based on run mode model and + model to correctly resolve paths + - FDE: run snapd from snap-failure with the correct keyring mode + - Snap components: allow remodeling back to an old snap revision + that includes components + - Snap components: fix remodel to a kernel snap that is already + installed on the system, but not the current kernel due 
to a + previous remodel. + - Snap components: fix for snapctl inputs that can crash snapd + - Confdb (experimental): load ephemeral data when reading data via + snapctl get + - Confdb (experimental): load ephemeral data when reading data via + snap get + - Confdb (experimental): rename {plug}-view-changed hook to observe- + view-{plug} + - Confdb (experimental): rename confdb assertion to confdb-schema + - Confdb (experimental): change operator grouping in confdb-control + assertion + - Confdb (experimental): add confdb-control API + - AppArmor: extend the probed features to include the presence of + files, as well as directories + - AppArmor prompting (experimental): simplify the listener + - AppArmor metadata tagging (disabled): probe parser support for + tags + - AppArmor metadata tagging (disabled): implement notification + protocol v5 + - Confidential VMs: sysroot.mount is now dynamically created by + snap-bootstrap instead of being a static file in the initramfs + - Confidential VMs: Add new implementation of snap integrity API + - Non-suid snap-confine: first phase to replace snap-confine suid + with capabilities to achieve the required permissions + - Initial changes for dynamic security profiles updates + - Provide snap icon fallback for /v2/icons without requiring network + access at runtime + - Add eMMC gadget update support + - Support reexec when using /usr/libexec/snapd on the host (Arch + Linux, openSUSE) + - Auto detect snap mount dir location on unknown distributions + - Modify snap-confine AppArmor template to allow all glibc HWCAPS + subdirectories to prevent launch errors + - LP: #2102456 update secboot to bf2f40ea35c4 and modify snap- + bootstrap to remove usage of go templates to reduce size by 4MB + - Fix snap-bootstrap to mount kernel snap from + /sysroot/writable/system-data + - LP: #2106121 fix snap-bootstrap busy loop + - Fix encoding of time.Time by using omitzero instead of omitempty + (on go 1.24+) + - Fix setting snapd permissions 
through permctl for openSUSE + - Fix snap struct json tags typo + - Fix snap pack configure hook permissions check incorrect file mode + - Fix gadget snap reinstall to honor existing sizes of partitions + - Fix to update command line when re-executing a snapd tool + - Fix 'snap validate' of specific missing newline and add error on + missed case of 'snap validate --refresh' without another action + - Workaround for snapd-confine time_t size differences between + architectures + - Disallow pack and install of snapd, base and os with specific + configure hooks + - Drop udev build dependency that is no longer required and add + missing systemd-dev dependency + - Build snap-bootstrap with nomanagers tag to decrease size by 1MB + - Interfaces: polkit | support custom polkit rules + - Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is + confined by AppArmor + - Interfaces: log-observe | add missing udev rule + - Interfaces: hostname-control | fix call to hostnamectl in core24 + - Interfaces: network-control | allow removing created network + namespaces + - Interfaces: scsi-generic | re-enable base declaration for scsi- + generic plug + - Interfaces: u2f | add support for Arculus AuthentiKey + + -- Ernest Lotter Tue, 08 Apr 2025 12:53:39 +0200 + +snapd (2.68.3-3) unstable; urgency=medium + + [ Zygmunt Krynicki ] + * Include libc-dev-bin in Built-Using + * Remove Luke Faraone from uploaders + * Regenerate multilib patch + * Patch spread.yaml to allow testing on trixie + + [ Helmut Grohne ] + * Stop using gcc-multilib and fix snap-seccomp test. 
+ + -- Zygmunt Krynicki Tue, 15 Jul 2025 06:01:41 +0000 + +snapd (2.68.3-2) unstable; urgency=medium + + * switch to pkgconf + * remove checks related to snap-repair + + -- Zygmunt Krynicki Tue, 25 Mar 2025 12:33:00 +0000 + +snapd (2.68.3-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2098137 + - FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to + old keyring path + - Fix Plucky snapd deb build issue related to /var/lib/snapd/void + permissions + - Fix snapd deb build complaint about ifneq with extra bracket + + [ Zygmunt Krynicki ] + * migrate to debhelper-compat + * build only specific binaries + * expand dh-golang hack to secboot/keys + + -- Zygmunt Krynicki Tue, 25 Mar 2025 11:44:06 +0000 + +snapd (2.68.2-1) unstable; urgency=medium + + * New upstream release, LP: #2098137 + - FDE: use boot mode for FDE hooks + - FDE: add snap-bootstrap compatibility check to prevent image + creation with incompatible snapd and kernel snap + - FDE: add argon2 out-of-process KDF support + - FDE: have separate mutex for the sections writing a fresh modeenv + - FDE: LP: #2099709 update secboot to e07f4ae48e98 + - Confdb: support pruning ephemeral data and process alternative + types in order + - core-initrd: look at env to mount directly to /sysroot + - core-initrd: prepare for Plucky build and split out 24.10 + (Oracular) + - Fix missing primed packages in snapd snap manifest + - Interfaces: posix-mq | fix incorrect clobbering of global variable + and make interface more precise + - Interfaces: opengl | add more kernel fusion driver files + + -- Ernest Lotter Thu, 27 Feb 2025 09:56:20 +0200 + +snapd (2.68.1-1) unstable; urgency=medium + + * New upstream release, LP: #2098137 + - Fix snap-confine type specifier type mismatch on armhf + + -- Ernest Lotter Mon, 24 Feb 2025 10:31:49 +0200 + +snapd (2.68-1) unstable; urgency=medium + + * New upstream release, LP: #2098137 + - FDE: add support for new and more extensible key format 
that is + unified between TPM and FDE hook + - FDE: add support for adding passphrases during installation + - FDE: update secboot to 30317622bbbc + - Snap components: make kernel components available on firstboot + after either initramfs or ephemeral rootfs style install + - Snap components: mount drivers tree from initramfs so kernel + modules are available in early boot stages + - Snap components: support remodeling to models that contain + components + - Snap components: support offline remodeling to models that contain + components + - Snap components: support creating new recovery systems with + components + - Snap components: support downloading components with 'snap + download' command + - Snap components: support sideloading asserted components + - AppArmor Prompting(experimental): improve version checks and + handling of listener notification protocol for communication with + kernel AppArmor + - AppArmor Prompting(experimental): make prompt replies idempotent, + and have at most one rule for any given path pattern, with + potentially mixed outcomes and lifespans + - AppArmor Prompting(experimental): timeout unresolved prompts after + a period of client inactivity + - AppArmor Prompting(experimental): return an error if a patch + request to the API would result in a rule without any permissions + - AppArmor Prompting(experimental): warn if there is no prompting + client present but prompting is enabled, or if a prompting-related + error occurs during snapd startup + - AppArmor Prompting(experimental): do not log error when converting + empty permissions to AppArmor permissions + - Confdb(experimental): rename registries to confdbs (including API + /v2/registries => /v2/confdb) + - Confdb(experimental): support marking confdb schemas as ephemeral + - Confdb(experimental): add confdb-control assertion and feature + flag + - Refresh App Awareness(experimental): LP: #2089195 prevent + possibility of incorrect notification that snap will quit and + update + - 
Confidential VMs: snap-bootstrap support for loading partition + information from a manifest file for cloudimg-rootfs mode + - Confidential VMs: snap-bootstrap support for setting up cloudimg- + rootfs as an overlayfs with integrity protection + - dm-verity for essential snaps: add support for snap-integrity + assertion + - Interfaces: modify AppArmor template to allow owner read on + @{PROC}/@{pid}/fdinfo/* + - Interfaces: LP: #2072987 modify AppArmor template to allow using + setpriv to run daemon as non-root user + - Interfaces: add configfiles backend that ensures the state of + configuration files in the filesystem + - Interfaces: add ldconfig backend that exposes libraries coming + from snaps to either the rootfs or to other snaps + - Interfaces: LP: #1712808 LP: 1865503 disable udev backend when + inside a container + - Interfaces: add auditd-support interface that grants audit_control + capability and required paths for auditd to function + - Interfaces: add checkbox-support interface that allows + unrestricted access to all devices + - Interfaces: fwupd | allow access to dell bios recovery + - Interfaces: fwupd | allow access to shim and fallback shim + - Interfaces: mount-control | add mount option validator to detect + mount option conflicts early + - Interfaces: cpu-control | add read access to /sys/kernel/irq/ + - Interfaces: locale-control | changed to be implicit on Ubuntu Core + Desktop + - Interfaces: microstack-support | support for utilizing of AMD SEV + capabilities + - Interfaces: u2f | added missing OneSpan device product IDs + - Interfaces: auditd-support | grant seccomp setpriority + - Interfaces: opengl interface | enable parsing of nvidia driver + information files + - Allow mksquashfs 'xattrs' when packing snap types os, core, base + and snapd as part of work to support non-root snap-confine + - Upstream/downstream packaging changes and build updates + - Improve error logs for malformed desktop files to also show which + desktop file is 
at fault + - Provide more precise error message when overriding channels with + grade during seed creation + - Expose 'snap prepare-image' validation parameter + - Add snap-seccomp 'dump' command that dumps the filter rules from a + compiled profile + - Add fallback release info location /etc/initrd-release + - Added core-initrd to snapd repo and fixed issues with ubuntu-core- + initramfs deb builds + - Remove stale robust-mount-namespace-updates experimental feature + flag + - Remove snapd-snap experimental feature (rejected) and it's feature + flag + - Changed snap-bootstrap to mount base directly on /sysroot + - Mount ubuntu-seed mounted as no-{suid,exec,dev} + - Mapping volumes to disks: add support for volume-assignments in + gadget + - Fix silently broken binaries produced by distro patchelf 0.14.3 by + using locally build patchelf 0.18 + - Fix mismatch between listed refresh candidates and actual refresh + due to outdated validation sets + - Fix 'snap get' to produce compact listing for tty + - Fix missing store-url by keeping it as part of auxiliary store + info + - Fix snap-confine attempting to retrieve device cgroup setup inside + container where it is not available + - Fix 'snap set' and 'snap get' panic on empty strings with early + error checking + - Fix logger debug entries to show correct caller and file + information + - Fix issue preventing hybrid systems from being seeded on first + boot + - LP: #1966203 remove auto-import udev rules not required by deb + package to avoid unwanted syslog errors + - LP: #1886414 fix progress reporting when stdout is on a tty, but + stdin is not + + -- Ernest Lotter Thu, 13 Feb 2025 12:42:09 +0200 + +snapd (2.67.1-1) unstable; urgency=medium + + * New upstream release, LP: #2089691 + - Fix apparmor permissions to allow snaps access to kernel modules + and firmware on UC24, which also fixes the kernel-modules-control + interface on UC24 + - AppArmor prompting (experimental): disallow /./ and /../ in path + patterns 
+ - Fix 'snap run' getent based user lookup in case of bad PATH + - Fix snapd using the incorrect AppArmor version during undo of an + refresh for regenerating snap profiles + - Add new syscalls to base templates + - hardware-observe interface: allow riscv_hwprobe syscall + - mount-observe interface: allow listmount and statmount syscalls + + -- Ernest Lotter Wed, 15 Jan 2025 22:02:37 +0200 + +snapd (2.67-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2089691 + - AppArmor prompting (experimental): allow overlapping rules + - Registry view (experimental): Changes to registry data (from both + users and snaps) can be validated and saved by custodian snaps + - Registry view (experimental): Support 'snapctl get --pristine' to + read the registry data excluding staged transaction changes + - Registry view (experimental): Put registry commands behind + experimental feature flag + - Components: Make modules shipped/created by kernel-modules + components available right after reboot + - Components: Add tab completion for local component files + - Components: Allow installing snaps and components from local files + jointly on the CLI + - Components: Allow 'snapctl model' command for gadget and kernel + snaps + - Components: Add 'snap components' command + - Components: Bug fixes + - eMMC gadget updates (WIP): add syntax support in gadget.yaml for + eMMC schema + - Support for ephemeral recovery mode on hybrid systems + - Support for dm-verity options in snap-bootstrap + - Support for overlayfs options and allow empty what argument for + tmpfs + - Enable ubuntu-image to determine the size of the disk image to + create + - Expose 'snap debug' commands 'validate-seed' and 'seeding' + - Add debug API option to use dedicated snap socket /run/snapd- + snap.socket + - Hide experimental features that are no longer required + (accepted/rejected) + - Mount ubuntu-save partition with no{exec,dev,suid} at install, run + and factory-reset + - Improve 
memory controller support with cgroup v2 + - Support ssh socket activation configurations (used by ubuntu + 22.10+) + - Fix generation of AppArmor profile with incorrect revision during + multi snap refresh + - Fix refresh app awareness related deadlock edge case + - Fix not caching delta updated snap download + - Fix passing non root uid, guid to initial tmpfs mount + - Fix ignoring snaps in try mode when amending + - Fix reloading of service activation units to avoid systemd errors + - Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS + updates PPA + - Make killing of snap apps best effort to avoid possibility of + malicious failure loop + - Alleviate impact of auto-refresh failure loop with progressive + delay + - Dropped timedatex in selinux-policy to avoid runtime issue + - Fix missing syscalls in seccomp profile + - Modify AppArmor template to allow using SNAP_REEXEC on arch + systems + - Modify AppArmor template to allow using vim.tiny (available in + base snaps) + - Modify AppArmor template to add read-access to debian_version + - Modify AppArmor template to allow owner to read + @{PROC}/@{pid}/sessionid + - {common,personal,system}-files interface: prohibit trailing @ in + filepaths + - {desktop,shutdown,system-observe,upower-observe} interface: + improve for Ubuntu Core Desktop + - custom-device interface: allow @ in custom-device filepaths + - desktop interface: improve launch entry and systray integration + with session + - desktop-legacy interface: allow DBus access to + com.canonical.dbusmenu + - fwupd interface: allow access to nvmem for thunderbolt plugin + - mpris interface: add plasmashell as label + - mount-control interface: add support for nfs mounts + - network-{control,manager} interface: add missing dbus link rules + - network-manager-observe interface: add getDevices methods + - opengl interface: add Kernel Fusion Driver access to opengl + - screen-inhibit-control interface: improve screen inhibit control + for use on core + 
- udisks2 interface: allow ping of the UDisks2 service + - u2f-devices interface: add Nitrokey Passkey + + -- Zygmunt Krynicki Tue, 28 Jan 2025 06:59:45 +0000 + +snapd (2.66.1-2) unstable; urgency=medium + + [ Zygmunt Krynicki ] + * Add salsa CI/CD pipeline + * Set LC_ALL=C.utf-8 for tests + * Erase special mode of /var/lib/snapd/void + * Adjust integration test to new upstream test suite behavior + * Wrap and sort control files + + [ Bastian Germann ] + * Remove Steve Langasek from Uploaders + + -- Zygmunt Krynicki Sat, 18 Jan 2025 08:42:06 +0000 + +snapd (2.66.1-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2083490 + - AppArmor prompting (experimental): Fix kernel prompting support + check + - Allow kernel snaps to have content slots + - Fix ignoring snaps in try mode when amending + + [ Zygmunt Krynicki ] + * Reabase all patches and drop patches applied upstream. + + -- Zygmunt Krynicki Thu, 28 Nov 2024 10:52:28 +0100 + +snapd (2.66-1) unstable; urgency=medium + + * New upstream release, LP: #2083490 + - AppArmor prompting (experimental): expand kernel support checks + - AppArmor prompting (experimental): consolidate error messages and + add error kinds + - AppArmor prompting (experimental): grant /v2/snaps/{name} via + snap-interfaces-requests-control + - AppArmor prompting (experimental): add checks for duplicate + pattern variants + - Registry views (experimental): add handlers that commit (and + cleanup) registry transactions + - Registry views (experimental): add a snapctl fail command for + rejecting registry transactions + - Registry views (experimental): allow custodian snaps to implement + registry hooks that modify and save registry data + - Registry views (experimental): run view-changed hooks only for + snaps plugging views affected by modified paths + - Registry views (experimental): make registry transactions + serialisable + - Snap components: handle refreshing components to revisions that + have been on the 
system before + - Snap components: enable creating Ubuntu Core images that contain + components + - Snap components: handle refreshing components independently of + snaps + - Snap components: handle removing components when refreshing a snap + that no longer defines them + - Snap components: extend snapd Ubuntu Core installation API to + allow for picking optional snaps and components to install + - Snap components: extend kernel.yaml with "dynamic-modules", + allowing kernel to define a location for kmods from component + hooks + - Snap components: renamed component type "test" to "standard" + - Desktop IDs: support installing desktop files with custom names + based on desktop-file-ids desktop interface plug attr + - Auto-install snapd on classic systems as prerequisite for any non- + essential snap install + - Support loading AppArmor profiles on WSL2 with non-default kernel + and securityfs mounted + - Debian/Fedora packaging updates + - Add snap debug command for investigating execution aspects of the + snap toolchain + - Improve snap pack error for easier parsing + - Add support for user services when refreshing snaps + - Add snap remove --terminate flag for terminating running snap + processes + - Support building FIPS complaint snapd deb and snap + - Fix to not use nss when looking up for users/groups from snapd + snap + - Fix ordering in which layout changes are saved + - Patch snapd snap dynamic linker to ignore LD_LIBRARY_PATH and + related variables + - Fix libexec dir for openSUSE Slowroll + - Fix handling of the shared snap directory for parallel installs + - Allow writing to /run/systemd/journal/dev-log by default + - Avoid state lock during snap removal to avoid delaying other snapd + operations + - Add nomad-support interface to enable running Hashicorp Nomad + - Add intel-qat interface + - u2f-devices interface: add u2f trustkey t120 product id and fx + series fido u2f devices + - desktop interface: improve integration with xdg-desktop-portal + - 
desktop interface: add desktop-file-ids plug attr to desktop + interface + - unity7 interface: support desktop-file-ids in desktop files rule + generation + - desktop-legacy interface: support desktop-file-ids in desktop + files rule generation + - desktop-legacy interface: grant access to gcin socket location + - login-session-observe interface: allow introspection + - custom-device interface: allow to explicitly identify matching + device in udev tagging block + - system-packages-doc interface: allow reading /usr/share/javascript + - modem-manager interface: add new format of WWAN ports + - pcscd interface: allow pcscd to read opensc.conf + - cpu-control interface: add IRQ affinity control to cpu_control + - opengl interface: add support for cuda workloads on Tegra iGPU in + opengl interface + + -- Ernest Lotter Fri, 04 Oct 2024 14:22:03 +0200 + +snapd (2.65.3-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2077473 + - Fix missing aux info from store on snap setup + + -- Zygmunt Krynicki Thu, 19 Sep 2024 14:43:40 +0200 + +snapd (2.65.2-1) unstable; urgency=medium + + * New upstream release, LP: #2077473 + - Bump squashfuse from version 0.5.0 to 0.5.2 (used in snapd deb + only) + + -- Ernest Lotter Fri, 06 Sep 2024 17:08:45 +0200 + +snapd (2.65.1-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2077473 + - Support building snapd using base Core22 (Snapcraft 8.x) + - FIPS: support building FIPS complaint snapd variant that switches + to FIPS mode when the system boots with FIPS enabled + - AppArmor: update to latest 4.0.2 release + - AppArmor: enable using ABI 4.0 from host parser + - AppArmor: fix parser lookup + - AppArmor: support AppArmor snippet priorities + - AppArmor: allow reading cgroup memory.max file + - AppArmor: allow using snap-exec coming from the snapd snap when + starting a confined process with jailmode + - AppArmor prompting (experimental): add checks for prompting + support, 
include prompting status in system key, and restart snapd + if prompting flag changes + - AppArmor prompting (experimental): include prompt prefix in + AppArmor rules if prompting is supported and enabled + - AppArmor prompting (experimental): add common types, constraints, + and mappings from AppArmor permissions to abstract permissions + - AppArmor prompting (experimental): add path pattern parsing and + matching + - AppArmor prompting (experimental): add path pattern precedence + based on specificity + - AppArmor prompting (experimental): add packages to manage + outstanding request prompts and rules + - AppArmor prompting (experimental): add prompting API and notice + types, which require snap-interfaces-requests-control interface + - AppArmor prompting (experimental): feature flag can only be + enabled if prompting is supported, handler service connected, and + the service can be started + - Registry views (experimental): rename from aspects to registries + - Registry views (experimental): support reading registry views and + setting/unsetting registry data using snapctl + - Registry views (experimental): fetch and refresh registry + assertions as needed + - Registry views (experimental): restrict view paths from using a + number as first character and view names to storage path style + patterns + - Snap components: support installing snaps and components from + files at the same time (no REST API/CLI) + - Snap components: support downloading components related assertions + from the store + - Snap components: support installing components from the store + - Snap components: support removing components individually and + during snap removal + - Snap components: support kernel modules as components + - Snap components: support for component install, pre-refresh and + post-refresh hooks + - Snap components: initial support for building systems that contain + components + - Refresh app awareness (experimental): add data field for + /v2/changes REST API to allow 
associating each task with affected + snaps + - Refresh app awareness (experimental): use the app name from + .desktop file in notifications + - Refresh app awareness (experimental): give snap-refresh-observe + interface access to /v2/snaps/{name} endpoint + - Improve snap-confine compatibility with nvidia drivers + - Allow re-exec when SNAP_REEXEC is set for unlisted distros to + simplify testing + - Allow mixing revision and channel on snap install + - Generate GNU build ID for Go binaries + - Add missing etelpmoc.sh for shell completion + - Do not attempt to run snapd on classic when re-exec is disabled + - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse + - Add snap debug API command to enable running raw queries + - Enable snap-confine snap mount directory detection + - Replace global seccomp filter with deny rules in standard seccomp + template + - Remove support for Ubuntu Core Launcher (superseded by snap- + confine) + - Support creating pending serial bound users after serial assertion + becomes available + - Support disabling cloud-init using kernel command-line + - In hybrid systems, apps can refresh without waiting for restarts + required by essential snaps + - Ship snap-debug-info.sh script used for system diagnostics + - Improve error messages when attempting to run non-existent snap + - Switch to -u UID:GID for strace-static + - Support enabling snapd logging with snap set system + debug.snapd.{log,log-level} + - Add options system.coredump.enable and system.coredump.maxuse to + support using systemd-coredump on Ubuntu Core + - Provide documentation URL for 'snap interface ' + - Fix snapd riscv64 build + - Fix restarting activated services instead of their activator units + (i.e. 
sockets, timers) + - Fix potential unexpected auto-refresh of snap on managed schedule + - Fix potential segfault by guarding against kernel command-line + changes on classic system + - Fix proxy entries in /etc/environment with missing newline that + caused later manual entries to not be usable + - Fix offline remodelling by ignoring prerequisites that will + otherwise be downloaded from store + - Fix devmode seccomp deny regression that caused spamming the log + instead of actual denies + - Fix snap lock leak during refresh + - Fix not re-pinning validation sets that were already pinned when + enforcing new validation sets + - Fix handling of unexpected snapd runtime failure + - Fix /v2/notices REST API skipping notices with duplicate + timestamps + - Fix comparing systemd versions that may contain pre-release + suffixes + - Fix udev potentially starting before snap-device-helper is made + available + - Fix race in snap seed metadata loading + - Fix treating cloud-init exit status 2 as error + - Fix to prevent sending refresh complete notification if snap snap- + refresh-observe interface is connected + - Fix to queue snapctl service commands if run from the default- + configure hook to ensure they get up-to-date config values + - Fix stop service failure when the service is not actually running + anymore + - Fix parsing /proc/PID/mounts with spaces + - Add registry interface that provides snaps access to a particular + registry view + - Add snap-interfaces-requests-control interface to enable prompting + client snaps + - steam-support interface: remove all AppArmor and seccomp + restrictions to improve user experience + - opengl interface: improve compatibility with nvidia drivers + - home interface: autoconnect home on Ubuntu Core Desktop + - serial-port interface: support RPMsg tty + - display-control interface: allow changing LVDS backlight power and + brightness + - power-control interface: support for battery charging thesholds, + type/status and AC 
type/status + - cpu-control interface: allow CPU C-state control + - raw-usb interface: support RPi5 and Thinkpad x13s + - custom-device interface: allow device file locking + - lxd-support interface: allow LXD to self-manage its own cgroup + - network-manager interface: support MPTCP sockets + - network-control interface: allow plug/slot access to gnutls config + and systemd resolved cache flushing via D-Bus + - network-control interface: allow wpa_supplicant dbus api + - gpio-control interface: support gpiochip* devices + - polkit interface: fix "rw" mount option check + - u2f-devices interface: enable additional security keys + - desktop interface: enable kde theming support + + -- Zygmunt Krynicki Fri, 06 Sep 2024 13:27:51 +0200 + +snapd (2.65-1) unstable; urgency=medium + + * New upstream release, LP: #2077473 + - Support building snapd using base Core22 (Snapcraft 8.x) + - FIPS: support building FIPS complaint snapd variant that switches + to FIPS mode when the system boots with FIPS enabled + - AppArmor: update to latest 4.0.2 release + - AppArmor: enable using ABI 4.0 from host parser + - AppArmor: fix parser lookup + - AppArmor: support AppArmor snippet priorities + - AppArmor: allow reading cgroup memory.max file + - AppArmor: allow using snap-exec coming from the snapd snap when + starting a confined process with jailmode + - AppArmor prompting (experimental): add checks for prompting + support, include prompting status in system key, and restart snapd + if prompting flag changes + - AppArmor prompting (experimental): include prompt prefix in + AppArmor rules if prompting is supported and enabled + - AppArmor prompting (experimental): add common types, constraints, + and mappings from AppArmor permissions to abstract permissions + - AppArmor prompting (experimental): add path pattern parsing and + matching + - AppArmor prompting (experimental): add path pattern precedence + based on specificity + - AppArmor prompting (experimental): add packages to 
manage + outstanding request prompts and rules + - AppArmor prompting (experimental): add prompting API and notice + types, which require snap-interfaces-requests-control interface + - AppArmor prompting (experimental): feature flag can only be + enabled if prompting is supported, handler service connected, and + the service can be started + - Registry views (experimental): rename from aspects to registries + - Registry views (experimental): support reading registry views and + setting/unsetting registry data using snapctl + - Registry views (experimental): fetch and refresh registry + assertions as needed + - Registry views (experimental): restrict view paths from using a + number as first character and view names to storage path style + patterns + - Snap components: support installing snaps and components from + files at the same time (no REST API/CLI) + - Snap components: support downloading components related assertions + from the store + - Snap components: support installing components from the store + - Snap components: support removing components individually and + during snap removal + - Snap components: support kernel modules as components + - Snap components: support for component install, pre-refresh and + post-refresh hooks + - Snap components: initial support for building systems that contain + components + - Refresh app awareness (experimental): add data field for + /v2/changes REST API to allow associating each task with affected + snaps + - Refresh app awareness (experimental): use the app name from + .desktop file in notifications + - Refresh app awareness (experimental): give snap-refresh-observe + interface access to /v2/snaps/{name} endpoint + - Improve snap-confine compatibility with nvidia drivers + - Allow re-exec when SNAP_REEXEC is set for unlisted distros to + simplify testing + - Allow mixing revision and channel on snap install + - Generate GNU build ID for Go binaries + - Add missing etelpmoc.sh for shell completion + - Do not attempt 
to run snapd on classic when re-exec is disabled + - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse + - Add snap debug API command to enable running raw queries + - Enable snap-confine snap mount directory detection + - Replace global seccomp filter with deny rules in standard seccomp + template + - Remove support for Ubuntu Core Launcher (superseded by snap- + confine) + - Support creating pending serial bound users after serial assertion + becomes available + - Support disabling cloud-init using kernel command-line + - In hybrid systems, apps can refresh without waiting for restarts + required by essential snaps + - Ship snap-debug-info.sh script used for system diagnostics + - Improve error messages when attempting to run non-existent snap + - Switch to -u UID:GID for strace-static + - Support enabling snapd logging with snap set system + debug.snapd.{log,log-level} + - Add options system.coredump.enable and system.coredump.maxuse to + support using systemd-coredump on Ubuntu Core + - Provide documentation URL for 'snap interface ' + - Fix restarting activated services instead of their activator units + (i.e. 
sockets, timers) + - Fix potential unexpected auto-refresh of snap on managed schedule + - Fix potential segfault by guarding against kernel command-line + changes on classic system + - Fix proxy entries in /etc/environment with missing newline that + caused later manual entries to not be usable + - Fix offline remodelling by ignoring prerequisites that will + otherwise be downloaded from store + - Fix devmode seccomp deny regression that caused spamming the log + instead of actual denies + - Fix snap lock leak during refresh + - Fix not re-pinning validation sets that were already pinned when + enforcing new validation sets + - Fix handling of unexpected snapd runtime failure + - Fix /v2/notices REST API skipping notices with duplicate + timestamps + - Fix comparing systemd versions that may contain pre-release + suffixes + - Fix udev potentially starting before snap-device-helper is made + available + - Fix race in snap seed metadata loading + - Fix treating cloud-init exit status 2 as error + - Fix to prevent sending refresh complete notification if snap snap- + refresh-observe interface is connected + - Fix to queue snapctl service commands if run from the default- + configure hook to ensure they get up-to-date config values + - Fix stop service failure when the service is not actually running + anymore + - Fix parsing /proc/PID/mounts with spaces + - Add registry interface that provides snaps access to a particular + registry view + - Add snap-interfaces-requests-control interface to enable prompting + client snaps + - steam-support interface: remove all AppArmor and seccomp + restrictions to improve user experience + - opengl interface: improve compatibility with nvidia drivers + - home interface: autoconnect home on Ubuntu Core Desktop + - serial-port interface: support RPMsg tty + - display-control interface: allow changing LVDS backlight power and + brightness + - power-control interface: support for battery charging thesholds, + type/status and AC 
type/status + - cpu-control interface: allow CPU C-state control + - raw-usb interface: support RPi5 and Thinkpad x13s + - custom-device interface: allow device file locking + - lxd-support interface: allow LXD to self-manage its own cgroup + - network-manager interface: support MPTCP sockets + - network-control interface: allow plug/slot access to gnutls config + and systemd resolved cache flushing via D-Bus + - network-control interface: allow wpa_supplicant dbus api + - gpio-control interface: support gpiochip* devices + - polkit interface: fix "rw" mount option check + - u2f-devices interface: enable additional security keys + - desktop interface: enable kde theming support + + -- Ernest Lotter Fri, 23 Aug 2024 08:49:28 +0200 + +snapd (2.64-1) unstable; urgency=medium + + * New upstream release, LP: #2072986 + - Support building snapd using base Core22 (Snapcraft 8.x) + - FIPS: support building FIPS complaint snapd variant that switches + to FIPS mode when the system boots with FIPS enabled + - AppArmor: update to AppArmor 4.0.1 + - AppArmor: support AppArmor snippet priorities + - AppArmor prompting: add checks for prompting support, include + prompting status in system key, and restart snapd if prompting + flag changes + - AppArmor prompting: include prompt prefix in AppArmor rules if + prompting is supported and enabled + - AppArmor prompting: add common types, constraints, and mappings + from AppArmor permissions to abstract permissions + - AppArmor prompting: add path pattern parsing and matching + - Registry views (experimental): rename from aspects to registries + - Registry views (experimental): support reading registry views + using snapctl + - Registry views (experimental): restrict view paths from using a + number as first character and view names to storage path style + patterns + - Snap components: support installing snaps and components from + files at the same time (no REST API/CLI) + - Snap components: support downloading components related 
assertions + from the store + - Snap components: support installing components from the store (no + REST API/CLI) + - Snap components: support removing components (REST API, no CLI) + - Snap components: started support for component hooks + - Snap components: support kernel modules as components + - Refresh app awareness (experimental): add data field for + /v2/changes REST API to allow associating each task with affected + snaps + - Refresh app awareness (experimental): use the app name from + .desktop file in notifications + - Refresh app awareness (experimental): give snap-refresh-observe + interface access to /v2/snaps/{name} endpoint + - Allow re-exec when SNAP_REEXEC is set for unlisted distros to + simplify testing + - Generate GNU build ID for Go binaries + - Add missing etelpmoc.sh for shell completion + - Do not attempt to run snapd on classic when re-exec is disabled + - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse + - Add snap debug api command to enable running raw queries + - Enable snap-confine snap mount directory detection + - Replace global seccomp filter with deny rules in standard seccomp + template + - Remove support for Ubuntu Core Launcher (superseded by snap- + confine) + - Support creating pending serial bound users after serial assertion + becomes available + - Support disabling cloud-init using kernel command-line + - In hybrid systems, apps can refresh without waiting for restarts + required by essential snaps + - Ship snap-debug-info.sh script used for system diagnostics + - Improve error messages when attempting to run non-existent snap + - Switch to -u UID:GID for strace-static + - Support enabling snapd logging with snap set system + debug.snapd.{log,log-level} + - Fix restarting activated services instead of their activator units + (i.e. 
sockets, timers) + - Fix potential unexpected auto-refresh of snap on managed schedule + - Fix potential segfault by guarding against kernel command-line + changes on classic system + - Fix proxy entries in /etc/environment with missing newline that + caused later manual entries to not be usable + - Fix offline remodelling by ignoring prerequisites that will + otherwise be downloaded from store + - Fix devmode seccomp deny regression that caused spamming the log + instead of actual denies + - Fix snap lock leak during refresh + - Fix not re-pinning validation sets that were already pinned when + enforcing new validation sets + - Fix handling of unexpected snapd runtime failure + - Fix /v2/notices REST API skipping notices with duplicate + timestamps + - Fix comparing systemd versions that may contain pre-release + suffixes + - Fix udev potentially starting before snap-device-helper is made + available + - Fix race in snap seed metadata loading + - Fix treating cloud-init exit status 2 as error + - Fix to prevent sending refresh complete notification if snap snap- + refresh-observe interface is connected + - Fix to queue snapctl service commands if run from the default- + configure hook to ensure they get up-to-date config values + - Fix stop service failure when the service is not actually running + anymore + - Add registry interface that provides snaps access to a particular + registry view + - steam-support interface: relaxed AppArmor and seccomp restrictions + to improve user experience + - home interface: autoconnect home on Ubuntu Core Desktop + - serial-port interface: support RPMsg tty + - display-control interface: allow changing LVDS backlight power and + brightness + - power-control interface: support for battery charging thesholds, + type/status and AC type/status + - cpu-control interface: allow CPU C-state control + - raw-usb interface: support RPi5 and Thinkpad x13s + - custom-device interface: allow device file locking + - lxd-support interface: 
allow LXD to self-manage its own cgroup + - network-manager interface: support MPTCP sockets + - network-control interface: allow plug/slot access to gnutls config + and systemd resolved cache flushing via D-Bus + + -- Ernest Lotter Wed, 24 Jul 2024 21:11:59 +0200 + +snapd (2.63-4.1) unstable; urgency=medium + + [ Helmut Grohne ] + * Non-maintainer upload. + * Move files to /usr for DEP17. (Closes: #1071119) + + [ Michael Biebl ] + * cmd/snap-seccomp: define GNU_SOURCE for fallocate. + Patch cherry-picked from upstream Git. + Fixes FTBFS with GCC-14. (Closes: #1075522) + + -- Michael Biebl Tue, 03 Sep 2024 16:43:09 +0200 + +snapd (2.63-4) unstable; urgency=medium + + * debian: fix lxc/fuse woes + * debian: remove smoke test intended for containers, closes: #1076490 + + -- Zygmunt Krynicki Fri, 19 Jul 2024 07:15:23 +0200 + +snapd (2.63-3) unstable; urgency=medium + + * debian: fix looking for new upstream versions + * debian: depend on squashfuse in autopkgtests + + -- Zygmunt Krynicki Mon, 17 Jun 2024 16:21:30 +0200 + +snapd (2.63-2) unstable; urgency=medium + + * debian: make test files executable + * debian: add missing sudo call in smoke test + + -- Zygmunt Krynicki Thu, 13 Jun 2024 15:06:19 +0200 + +snapd (2.63-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2061179 + - Support for snap services to show the current status of user + services (experimental) + - Refresh app awareness: record snap-run-inhibit notice when + starting app from snap that is busy with refresh (experimental) + - Refresh app awareness: use warnings as fallback for desktop + notifications (experimental) + - Aspect based configuration: make request fields in the aspect- + bundle's rules optional (experimental) + - Aspect based configuration: make map keys conform to the same + format as path sub-keys (experimental) + - Aspect based configuration: make unset and set behaviour similar + to configuration options (experimental) + - Aspect based configuration: 
limit nesting level for setting value + (experimental) + - Components: use symlinks to point active snap component revisions + - Components: add model assertion support for components + - Components: fix to ensure local component installation always gets + a new revision number + - Add basic support for a CIFS remote filesystem-based home + directory + - Add support for AppArmor profile kill mode to avoid snap-confine + error + - Allow more than one interface to grant access to the same API + endpoint or notice type + - Allow all snapd service's control group processes to send systemd + notifications to prevent warnings flooding the log + - Enable not preseeded single boot install + - Update secboot to handle new sbatlevel + - Fix to not use cgroup for non-strict confined snaps (devmode, + classic) + - Fix two race conditions relating to freedesktop notifications + - Fix missing tunables in snap-update-ns AppArmor template + - Fix rejection of snapd snap udev command line by older host snap- + device-helper + - Rework seccomp allow/deny list + - Clean up files removed by gadgets + - Remove non-viable boot chains to avoid secboot failure + - posix_mq interface: add support for missing time64 mqueue syscalls + mq_timedreceive_time64 and mq_timedsend_time64 + - password-manager-service interface: allow kwalletd version 6 + - kubernetes-support interface: allow SOCK_SEQPACKET sockets + - system-observe interface: allow listing systemd units and their + properties + - opengl interface: enable use of nvidia container toolkit CDI + config generation + + [ Zygmunt Krynicki ] + * debian: add smoke autopkgtest + + -- Zygmunt Krynicki Thu, 13 Jun 2024 08:13:42 +0200 + +snapd (2.62-5) unstable; urgency=medium + + * debian: enable snapd.socket in autopkgtests + + -- Zygmunt Krynicki Wed, 05 Jun 2024 10:16:06 +0200 + +snapd (2.62-4) unstable; urgency=medium + + * debian: show snapd version, use go from the archive + * debian: pass SPREAD_DEBUG_EACH=0 and SPREAD_REUSE_SNAPD=1 + * 
debian: create test user for autopkgtest + + -- Zygmunt Krynicki Tue, 04 Jun 2024 11:15:01 +0200 + +snapd (2.62-3) unstable; urgency=medium + + * Cherry pick fix for CVE-2024-5138 (closes: #1072365) + * Update lintian overrides + * Update compatibility level from 9 to 13 + - remove --fail-missing from dh + - remove --with=systemd from dh + - move snapd-generator from usr/lib/... to lib/systemd/system-generators + - drop autoreconf dependencies (obsolete since level 10) + * Synchronize changes from packaging/debian-sid to debian/ + + -- Zygmunt Krynicki Mon, 03 Jun 2024 19:01:31 +0200 + +snapd (2.62-2) unstable; urgency=medium + + * Build-depend on systemd-dev (closes: #1060611) + + -- Zygmunt Krynicki Tue, 28 May 2024 12:27:10 +0200 + +snapd (2.62-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2058277 + - Aspects based configuration schema support (experimental) + - Refresh app awareness support for UI (experimental) + - Support for user daemons by introducing new control switches + --user/--system/--users for service start/stop/restart + (experimental) + - Add AppArmor prompting experimental flag (feature currently + unsupported) + - Installation of local snap components of type test + - Packaging of components with snap pack + - Expose experimental features supported/enabled in snapd REST API + endpoint /v2/system-info + - Support creating and removing recovery systems for use by factory + reset + - Enable API route for creating and removing recovery systems using + /v2/systems with action create and /v2/systems/{label} with action + remove + - Lift requirements for fde-setup hook for single boot install + - Enable single reboot gadget update for UC20+ + - Allow core to be removed on classic systems + - Support for remodeling on hybrid systems + - Install desktop files on Ubuntu Core and update after snapd + upgrade + - Upgrade sandbox features to account for cgroup v2 device filtering + - Support snaps to manage their own 
cgroups + - Add support for AppArmor 4.0 unconfined profile mode + - Add AppArmor based read access to /etc/default/keyboard + - Upgrade to squashfuse 0.5.0 + - Support useradd utility to enable removing Perl dependency for + UC24+ + - Support for recovery-chooser to use console-conf snap + - Add support for --uid/--gid using strace-static + - Add support for notices (from pebble) and expose via the snapd + REST API endpoints /v2/notices and /v2/notice + - Add polkit authentication for snapd REST API endpoints + /v2/snaps/{snap}/conf and /v2/apps + - Add refresh-inhibit field to snapd REST API endpoint /v2/snaps + - Add refresh-inhibited select query to REST API endpoint /v2/snaps + - Take into account validation sets during remodeling + - Improve offline remodeling to use installed revisions of snaps to + fulfill the remodel revision requirement + - Add rpi configuration option sdtv_mode + - When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if + present on host + - Fix gadget zero-sized disk mapping caused by not ignoring zero + sized storage traits + - Fix gadget install case where size of existing partition was not + correctly taken into account + - Fix trying to unmount early kernel mount if it does not exist + - Fix restarting mount units on snapd start + - Fix call to udev in preseed mode + - Fix to ensure always setting up the device cgroup for base bare + and core24+ + - Fix not copying data from newly set homedirs on revision change + - Fix leaving behind empty snap home directories after snap is + removed (resulting in broken symlink) + - Fix to avoid using libzstd from host by adding to snapd snap + - Fix autorefresh to correctly handle forever refresh hold + - Fix username regex allowed for system-user assertion to not allow + '+' + - Fix incorrect application icon for notification after autorefresh + completion + - Fix to restart mount units when changed + - Fix to support AppArmor running under incus + - Fix case of snap-update-ns 
dropping synthetic mounts due to + failure to match desired mount dependencies + - Fix parsing of base snap version to enable pre-seeding of Ubuntu + Core Desktop + - Fix packaging and tests for various distributions + - Add remoteproc interface to allow developers to interact with + Remote Processor Framework which enables snaps to load firmware to + ARM Cortex microcontrollers + - Add kernel-control interface to enable controlling the kernel + firmware search path + - Add nfs-mount interface to allow mounting of NFS shares + - Add ros-opt-data interface to allow snaps to access the host + /opt/ros/ paths + - Add snap-refresh-observe interface that provides refresh-app- + awareness clients access to relevant snapd API endpoints + - steam-support interface: generalize Pressure Vessel root paths and + allow access to driver information, features and container + versions + - steam-support interface: make implicit on Ubuntu Core Desktop + - desktop interface: improved support for Ubuntu Core Desktop and + limit autoconnection to implicit slots + - cups-control interface: make autoconnect depend on presence of + cupsd on host to ensure it works on classic systems + - opengl interface: allow read access to /usr/share/nvidia + - personal-files interface: extend to support automatic creation of + missing parent directories in write paths + - network-control interface: allow creating /run/resolveconf + - network-setup-control and network-setup-observe interfaces: allow + busctl bind as required for systemd 254+ + - libvirt interface: allow r/w access to /run/libvirt/libvirt-sock- + ro and read access to /var/lib/libvirt/dnsmasq/** + - fwupd interface: allow access to IMPI devices (including locking + of device nodes), sysfs attributes needed by amdgpu and the COD + capsule update directory + - uio interface: allow configuring UIO drivers from userspace + libraries + - serial-port interface: add support for NXP Layerscape SoC + - lxd-support interface: add attribute 
enable-unconfined-mode to + require LXD to opt-in to run unconfined + - block-devices interface: add support for ZFS volumes + - system-packages-doc interface: add support for reading jquery and + sphinx documentation + - system-packages-doc interface: workaround to prevent autoconnect + failure for snaps using base bare + - microceph-support interface: allow more types of block devices to + be added as an OSD + - mount-observe interface: allow read access to + /proc/{pid}/task/{tid}/mounts and proc/{pid}/task/{tid}/mountinfo + - polkit interface: changed to not be implicit on core because + installing policy files is not possible + - upower-observe interface: allow stats refresh + - gpg-public-keys interface: allow creating lock file for certain + gpg operations + - shutdown interface: allow access to SetRebootParameter method + - media-control interface: allow device file locking + - u2f-devices interface: support for Trustkey G310H, JaCarta U2F, + Kensington VeriMark Guard, RSA DS100, Google Titan v2 + + -- Zygmunt Krynicki Wed, 17 Apr 2024 09:02:58 +0200 + +snapd (2.61.3-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2039017 + - Install systemd files in correct location for 24.04 + + -- Zygmunt Krynicki Mon, 11 Mar 2024 16:13:16 +0100 + +snapd (2.61.2-2) unstable; urgency=medium + + * Build without bolt support to avoid bolt not supporting riscv64 + + -- Zygmunt Krynicki Fri, 08 Mar 2024 15:28:00 +0100 + +snapd (2.61.2-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2039017 + - Fix to enable plug/slot sanitization for prepare-image + - Fix panic when device-service.access=offline + - Support offline remodeling + - Allow offline update only remodels without serial + - Fail early when remodeling to old model revision + - Fix to enable plug/slot sanitization for validate-seed + - Allow removal of core snap on classic systems + - Fix network-control interface denial for file lock on /run/netns + - 
Add well-known core24 snap-id + - Fix remodel snap installation order + - Prevent remodeling from UC18+ to UC16 + - Fix cups auto-connect on classic with cups snap installed + - u2f-devices interface support for GoTrust Idem Key with USB-C + - Fix to restore services after unlink failure + - Add libcudnn.so to Nvidia libraries + - Fix skipping base snap download due to false snapd downgrade + conflict + + [ Zygmunt Krynicki ] + * Wrap-and-sort debian/ + + -- Zygmunt Krynicki Thu, 29 Feb 2024 14:27:52 +0100 + +snapd (2.61.1-1) unstable; urgency=medium + + [ Ernest Lotter ] + * New upstream release, LP: #2024007 + - Stop requiring default provider snaps on image building and first + boot if alternative providers are included and available + - Fix auth.json access for login as non-root group ID + - Fix incorrect remodelling conflict when changing track to older + snapd version + - Improved check-rerefresh message + - Fix UC16/18 kernel/gadget update failure due volume mismatch with + installed disk + - Stop auto-import of assertions during install modes + - Desktop interface exposes GetIdletime + - Polkit interface support for new polkit versions + - Fix not applying snapd snap changes in tracked channel when remodelling + + [ Zygmunt Krynicki ] + * Set SNAPD_SKIP_SLOW_TESTS=true avoid hitting firstboot test that are + time-sensitive and mostly check Ubuntu Core functionality that does not + affect classic distributions. Similar "workaround" is done on openSUSE. 
+ + -- Zygmunt Krynicki Mon, 29 Jan 2024 10:56:42 +0100 + +snapd (2.61-1) unstable; urgency=medium + + * New upstream release, LP: #2039017 + - Fix control of activated services in 'snap start' and 'snap stop' + - Correctly reflect activated services in 'snap services' + - Disabled services are no longer enabled again when snap is + refreshed + - interfaces/builtin: added support for Token2 U2F keys + - interfaces/u2f-devices: add Swissbit iShield Key + - interfaces/builtin: update gpio apparmor to match pattern that + contains multiple subdirectories under /sys/devices/platform + - interfaces: add a polkit-agent interface + - interfaces: add pcscd interface + - Kernel command-line can now be edited in the gadget.yaml + - Only track validation-sets in run-mode, fixes validation-set + issues on first boot. + - Added support for using store.access to disable access to snap + store + - Support for fat16 partition in gadget + - Pre-seed authority delegation is now possible + - Support new system-user name daemon + - Several bug fixes and improvements around remodelling + - Offline remodelling support + + -- Philip Meulengracht Fri, 13 Oct 2023 13:06:02 +0200 + +snapd (2.60.4-1) unstable; urgency=medium + + * New upstream release, LP: #2024007 + - i/b/qualcomm_ipc_router.go: switch to plug/slot and add socket + permission + - interfaces/builtin: fix custom-device udev KERNEL values + - overlord: allow the firmware-updater snap to install user daemons + - interfaces: allow loopback as a block-device + + -- Michael Vogt Fri, 15 Sep 2023 20:46:59 +0200 + +snapd (2.60.3-1) unstable; urgency=medium + + * New upstream release, LP: #2024007 + - i/b/shared-memory: handle "private" plug attribute in shared- + memory interface correctly + - i/apparmor: support for home.d tunables from /etc/ + + -- Michael Vogt Fri, 25 Aug 2023 18:36:50 +0200 + +snapd (2.60.2-1) unstable; urgency=medium + + * New upstream release, LP: #2024007 + - i/builtin: allow directories in private /dev/shm + 
- i/builtin: add read access to /proc/task/schedstat in system- + observe + - snap-bootstrap: print version information at startup + - go.mod: update gopkg.in/yaml.v3 to v3.0.1 to fix CVE-2022-28948 + - snap, store: filter out invalid snap edited links from store info + and persisted state + - o/configcore: write netplan defaults to 00-snapd-config on seeding + - snapcraft.yaml: pull in apparmor_parser optimization patches from + https://gitlab.com/apparmor/apparmor/-/merge_requests/711 + - snap-confine: fix missing \0 after readlink + - cmd/snap: hide append-integrity-data + - interfaces/opengl: add support for ARM Mali + + -- Michael Vogt Fri, 04 Aug 2023 12:14:04 +0200 + +snapd (2.60.1-1) unstable; urgency=medium + + * New upstream release, LP: #2024007 + - install: fallback to lazy unmount() in writeFilesystemContent + - data: include "modprobe.d" and "modules-load.d" in preseeded blob + - gadget: fix install test on armhf + - interfaces: fix typo in network_manager_observe + - sandbox/apparmor: don't let vendored apparmor conflict with system + - gadget/update: set parts in laid out data from the ones matched + - many: move SnapConfineAppArmorDir from dirs to sandbox/apparmor + - many: stop using `-O no-expr-simplify` in apparmor_parser + - go.mod: update secboot to latest uc22 branch + + -- Michael Vogt Tue, 04 Jul 2023 21:21:48 +0200 + +snapd (2.60-1) unstable; urgency=medium + + * New upstream release, LP: #2024007 + - Support for dynamic snapshot data exclusions + - Apparmor userspace is vendored inside the snapd snap + - Added a default-configure hook that exposes gadget default + configuration options to snaps during first install before + services are started + - Allow install from initrd to speed up the initial installation + for systems that do not have a install-device hook + - New `snap sign --chain` flag that appends the account and + account-key assertions + - Support validation-sets in the model assertion + - Support new "min-size" field in 
gadget.yaml + - New interface: "userns" + + -- Michael Vogt Thu, 15 Jun 2023 17:14:31 +0200 + +snapd (2.59.5-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Explicitly disallow the use of ioctl + TIOCLINUX + This fixes CVE-2023-1523. + + -- Michael Vogt Sat, 27 May 2023 09:44:43 +0200 + +snapd (2.59.4-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Retry when looking for disk label on non-UEFI systems + (LP: #2018977) + - Fix remodel from UC20 to UC22 + + -- Michael Vogt Fri, 12 May 2023 10:15:57 +0200 + +snapd (2.59.3-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Fix quiet boot + - i/b/physical_memory_observe: allow reading virt-phys page mappings + - gadget: warn instead of returning error if overlapping with GPT + header + - overlord,wrappers: restart always enabled units + - go.mod: update github.com/snapcore/secboot to latest uc22 + - boot: make sure we update assets for the system-seed-null role + - many: ignore case for vfat partitions when validating + + -- Michael Vogt Wed, 03 May 2023 12:31:00 +0200 + +snapd (2.59.2-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Notify users when a user triggered auto refresh finished + + -- Michael Vogt Tue, 18 Apr 2023 19:46:10 +0200 + +snapd (2.59.1-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Add udev rules from steam-devices to steam-support interface + - Bugfixes for layout path checking, dm_crypt permissions, + mount-control interface parameter checking, kernel commandline + parsing, docker-support, refresh-app-awareness + + -- Michael Vogt Tue, 28 Mar 2023 20:58:44 +0200 + +snapd (2.59-1) unstable; urgency=medium + + * New upstream release, LP: #2009946 + - Support setting extra kernel command line parameters via snap + configuration and under a gadget allow-list + - Support for Full-Disk-Encryption using ICE + - Support for arbitrary home dir locations via snap configuration + - New 
nvidia-drivers-support interface + - Support for udisks2 snap + - Pre-download of snaps ready for refresh and automatic refresh of + the snap when all apps are closed + - New microovn interface + - Support uboot with `CONFIG_SYS_REDUNDAND_ENV=n` + - Make "snap-preseed --reset" re-exec when needed + - Update the fwupd interface to support fully confined fwupd + - The memory,cpu,thread quota options are no longer experimental + - Support debugging snap client requests via the + `SNAPD_CLIENT_DEBUG_HTTP` environment variable + - Support ssh listen-address via snap configuration + - Support for quotas on single services + - prepare-image now takes into account snapd versions going into + the image, including in the kernel initrd, to fetch supported + assertion formats + + -- Michael Vogt Fri, 10 Mar 2023 12:51:26 +0100 + +snapd (2.58.3-1) unstable; urgency=medium + + * New upstream release, LP: #1998462 + - interfaces/screen-inhibit-control: Add support for xfce-power- + manager + - interfaces/network-manager: do not show ptrace read + denials + - interfaces: relax rules for mount-control `what` for functionfs + - cmd/snap-bootstrap: add support for snapd_system_disk + - interfaces/modem-manager: add net_admin capability + - interfaces/network-manager: add permission for OpenVPN + - httputil: fix checking x509 certification error on go 1.20 + - i/b/fwupd: allow reading host os-release + - boot: on classic+modes `MarkBootSuccessfull` does not need a base + - boot: do not include `base=` in modeenv for classic+modes installs + - tests: add spread test that validates revert on boot for core does + not happen on classic+modes + - snapstate: only take boot participants into account in + UpdateBootRevisions + - snapstate: refactor UpdateBootRevisions() to make it easier to + check for boot.SnapTypeParticipatesInBoot() + + -- Michael Vogt Tue, 21 Feb 2023 17:14:50 +0100 + +snapd (2.58.2-1) unstable; urgency=medium + + * New upstream release, LP: #1998462 + - bootloader: fix 
dirty build by hardcoding copyright year + + -- Michael Vogt Wed, 25 Jan 2023 20:02:08 +0100 + +snapd (2.58.1-1) unstable; urgency=medium + + * New upstream release, LP: #1998462 + - secboot: detect lockout mode in CheckTPMKeySealingSupported + - cmd/snap-update-ns: prevent keeping unneeded mountpoints + - o/snapstate: do not infinitely retry when an update fails during + seeding + - interfaces/modem-manager: add permissions for NETLINK_ROUTE + - systemd/emulation.go: use `systemctl --root` to enable/disable + - snap: provide more error context in `NotSnapError` + - interfaces: add read access to /run for cryptsetup + - boot: avoid reboot loop if there is a bad try kernel + - devicestate: retry serial acquire on time based certificate + errors + - o/devicestate: run systemctl daemon-reload after install-device + hook + - cmd/snap,daemon: add 'held' to notes in 'snap list' + - o/snapshotstate: check snapshots are self-contained on import + - cmd/snap: show user+gating hold info in 'snap info' + - daemon: expose user and gating holds at /v2/snaps/{name} + + -- Michael Vogt Mon, 23 Jan 2023 18:03:40 +0100 + +snapd (2.58-1) unstable; urgency=medium + + * New upstream release, LP: #1998462 + - snap-confine: Fix race condition in snap-confine when preparing a + private tmp mount namespace for a snap (CVE-2022-3328) + - many: Use /tmp/snap-private-tmp for per-snap private tmps + - data: Add systemd-tmpfiles configuration to create private tmp dir + - cmd/snap: test allowed and forbidden refresh hold values + - cmd/snap: be more consistent in --hold help and err messages + - cmd/snap: error on refresh holds that are negative or too short + - o/homedirs: make sure we do not write to /var on build time + - image: make sure file customizations happen also when we have + defaultscause + - tests/fde-on-classic: set ubuntu-seed label in seed partitions + - gadget: system-seed-null should also have fs label ubuntu-seed + - many: gadget.HasRole, ubuntu-seed can come also from 
system-seed- + null + - o/devicestate: fix paths for retrieving recovery key on classic + - cmd/snap-confine: do not discard const qualifier + - interfaces: allow python3.10+ in the default template + - o/restart: fix PendingForSystemRestart + - interfaces: allow wayland slot snaps to access shm files created + by Firefox + - o/assertstate: add Sequence() to val set tracking + - o/assertstate: set val set 'Current' to pinned sequence + - tests: tweak the libvirt interface test to work on 22.10 + - tests: use system-seed-null role on classic with modes tests + - boot: add directory for data on install + - o/devicestate: change some names from esp to seed/seed-null + - gadget: add system-seed-null role + - o/devicestate: really add error to new error message + - restart,snapstate: implement reboot-required notifications on + classic + - many: avoid automatic system restarts on classic through new + overlord/restart logic + - release: Fix WSL detection in LXD + - o/state: introduce WaitStatus + - interfaces: Fix desktop interface rules for document portal + - client: remove classic check for `snap recovery --show- + keys` + - many: create snapd.mounts targets to schedule mount units + - image: enable sysfs overlay for UC preseeding + - i/b/network-control: add permissions for using AF_XDP + - i/apparmor: move mocking of home and overlay conditions to osutil + - tests/main/degraded: ignore man-db update failures in CentOS + - cmd/snap: fix panic when running snap w/ flag but w/o subcommand + - tests: save snaps generated during image preaparation + - tests: skip building snapd based on new env var + - client: remove misleading comments in ValidateApplyOptions + - boot/seal: add debug traces for bootchains + - bootloader/assets: fix grub.cfg when there are no labels + - cmd/snap: improve refresh hold's output + - packaging: enable BPF in RHEL9 + - packaging: do not traverse filesystems in postrm script + - tests: get microk8s from another branch + - bootloader: do not 
specify Core version in grub entry + - many: refresh --hold follow-up + - many: support refresh hold/unhold to API and CLI + - many: expand fully handling links mapping in all components, in + the API and in snap info + - snap/system_usernames,tests: Azure IoT Edge system usernames + - interface: Allow access to + org.freedesktop.DBus.ListActivatableNames via system-observe + interface + - o/devicestate,daemon: use the expiration date from the assertion + in user-state and REST api (user-removal 4/n) + - gadget: add unit tests for new install functions for FDE on + classic + - cmd/snap-seccomp: fix typo in AF_XDP value + - tests/connected-after-reboot-revert: run also on UC16 + - kvm: allow read of AMD-SEV parameters + - data: tweak apt integration config var + - o/c/configcore: add faillock configuration + - tests: use dbus-daemon instead of dbus-launch + - packaging: remove unclean debian-sid patch + - asserts: add keyword 'user-presence' keyword in system-user + assertion (auto-removal 3/n) + - interfaces: steam-support allow pivot /run/media and /etc/nvidia + mount + - aspects: initial code + - overlord: process auto-import assertion at first boot + - release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2 + - tests: fix lxd-mount-units in ubuntu kinetic + - tests: new variable used to configure the kernel command line in + nested tests + - go.mod: update to newer secboot/uc22 branch + - autopkgtests: fix running autopkgtest on kinetic + - tests: remove squashfs leftovers in fakeinstaller + - tests: create partition table in fakeinstaller + - o/ifacestate: introduce DebugAutoConnectCheck hook + - tests: use test-snapd-swtpm instead of swtpm-mvo snap in nested + helper + - interfaces/polkit: do not require polkit directory if no file is + needed + - o/snapstate: be consistent not creating per-snap save dirs for + classic models + - inhibit: use hintFile() + - tests: use `snap prepare-image` in fde-on-classic mk-image.sh + - interfaces: add microceph 
interface + - seccomp: allow opening XDP sockets + - interfaces: allow access to icon subdirectories + - tests: add minimal-smoke test for UC22 and increase minimal RAM + - overlord: introduce hold levels in the snapstate.Hold* API + - o/devicestate: support mounting ubuntu-save also on classic with + modes + - interfaces: steam-support allow additional mounts + - fakeinstaller: format SystemDetails result with %+v + - cmd/libsnap-confine-private: do not panic on chmod failure + - tests: ensure that fakeinstaller put the seed into the right place + - many: add stub services for prompting + - tests: add libfwupd and libfwupdplugin5 to openSUSE dependencies + - o/snapstate: fix snaps-hold pruning/reset in the presence of + system holding + - many: add support for setting up encryption from installer + - many: support classic snaps in the context of classic and extended + models + - cmd/snap,daemon: allow zero values from client to daemon for + journal rate limit + - boot,o/devicestate: extend HasFDESetupHook to consider unrelated + kernels + - cmd/snap: validation set refresh-enforce CLI support + spread test + - many: fix filenames written in modeenv for base/gadget plus drive- + by TODO + - seed: fix seed test to use a pseudo-random byte sequence + - cmd/snap-confine: remove setuid calls from cgroup init code + - boot,o/devicestate: introduce and use MakeRunnableStandaloneSystem + - devicestate,boot,tests: make `fakeinstaller` test work + - store: send Snap-Device-Location header with cloud information + - overlord: fix unit tests after merging master in + - o/auth: move HasUserExpired into UserState and name it HasExpired, + and add unit tests for this + - o/auth: rename NewUserData to NewUserParams + - many: implementation of finish install step handlers + - overlord: auto-resolve validation set enforcement constraints + - i/backends,o/ifacestate: cleanup backends.All + - cmd/snap-confine: move bind-mount setup into separate function + - tests/main/mount-ns: 
update namespace for 18.04 + - o/state: Hold pseudo-error for explicit holding, concept of + pending changes in prune logic + - many: support extended classic models that omit kernel/gadget + - data/selinux: allow snapd to detect WSL + - overlord: add code to remove users that has an expiration date set + - wrappers,snap/quota: clear LogsDirectory= in the service unit for + journal namespaces + - daemon: move user add, remove operations to overlord device state + - gadget: implement write content from gadget information + - {device,snap}state: fix ineffectual assignments + - daemon: support validation set refresh+enforce in API + - many: rename AddAffected* to RegisterAffected*, add + Change|State.Has, fix a comment + - many: reset store session when setting proxy.store + - overlord/ifacestate: fix conflict detection of auto-connection + - interfaces: added read/write access to /proc/self/coredump_filter + for process-control + - interfaces: add read access to /proc/cgroups and + /proc/sys/vm/swappiness to system-observe + - fde: run fde-reveal-key with `DefaultDependencies=no` + - many: don't concatenate non-constant format strings + - o/devicestate: fix non-compiling test + - release, snapd-apparmor: fixed outdated WSL detection + - many: add todos discussed in the review in + tests/nested/manual/fde-on-classic, snapstate cleanups + - overlord: run install-device hook during factory reset + - i/b/mount-control: add optional `/` to umount rules + - gadget/install: split Run in several functions + - o/devicestate: refactor some methods as preparation for install + steps implementation + - tests: fix how snaps are cached in uc22 + - tests/main/cgroup-tracking-failure: fix rare failure in Xenial and + Bionic + - many: make {Install,Initramfs}{{,Host},Writable}Dir a function + - tests/nested/manual/core20: fix manual test after changes to + 'tests.nested exec' + - tests: move the unit tests system to 22.04 in github actions + workflow + - tests: fix nested errors uc20 
+ - boot: rewrite switch in SnapTypeParticipatesInBoot() + - gadget: refactor to allow usage from the installer + - overlord/devicestate: support for mounting ubuntu-save before the + install-device hook + - many: allow to install/update kernels/gadgets on classic with + modes + - tests: fix issues related to dbus session and localtime in uc18 + - many: support home dirs located deeper under /home + - many: refactor tests to use explicit strings instead of + boot.Install{Initramfs,Host}{Writable,FDEData}Dir + - boot: add factory-reset cases for boot-flags + - tests: disable quota tests on arm devices using ubuntu core + - tests: fix unbound SPREAD_PATH variable on nested debug session + - overlord: start turning restart into a full state manager + - boot: apply boot logic also for classic with modes boot snaps + - tests: fix snap-env test on debug section when no var files were + created + - overlord,daemon: allow returning errors when requesting a restart + - interfaces: login-session-control: add further D-Bus interfaces + - snapdenv: added wsl to userAgent + - o/snapstate: support running multiple ops transactionally + - store: use typed valset keys in store package + - daemon: add `ensureStateSoon()` when calling systems POST api + - gadget: add rules for validating classic with modes gadget.yaml + files + - wrappers: journal namespaces did not honor journal.persistent + - many: stub devicestate.Install{Finish,SetupStorageEncryption}() + - sandbox/cgroup: don't check V1 cgroup if V2 is active + - seed: add support to load auto import assertion + - tests: fix preseed tests for arm systems + - include/lk: update LK recovery environment definition to include + device lock state used by bootloader + - daemon: return `storage-encryption` in /systems/
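Review bot: In the snapd (2.62-3) changelog entry, "Cherry pick fix for CVE-2024-5138 (closes: #1072365)" names neither the patch file nor the upstream commit that carries the fix, so the changelog alone does not let a reader audit which change closed the CVE. For entries that cherry-pick a security fix, put the patch file name or upstream commit next to the CVE id. Separately, the 2.61.1-1 entry sets SNAPD_SKIP_SLOW_TESTS=true to avoid the time-sensitive firstboot tests, but does not say whether those tests still run anywhere else, for example under autopkgtest. Stating that in the entry would make the reduced build-time coverage a recorded decision.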