--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-5d2ce9a864
2025-07-23 00:57:56.630628+00:00
--------------------------------------------------------------------------------

Name        : snapd
Product     : Fedora 42
Version     : 2.70
Release     : 1.fc42
URL         : https://github.com/snapcore/snapd
Summary     : A transactional software package manager
Description :
Snappy is a modern, cross-distribution, transactional package manager
designed for working with self-contained, immutable packages.
--------------------------------------------------------------------------------
Update Information:

New upstream release 2.70

- FDE: Fix reseal with v1 hook key format
- FDE: set role in TPM keys
- AppArmor prompting (experimental): add handling for expired requests or listener in the kernel
- AppArmor prompting: log the notification protocol version negotiated with the kernel
- AppArmor prompting: implement notification protocol v5 (manually disabled for now)
- AppArmor prompting: register listener ID with the kernel and resend notifications after snapd restart (requires protocol v5+)
- AppArmor prompting: select interface from metadata tags and set request interface accordingly (requires protocol v5+)
- AppArmor prompting: include request PID in prompt
- AppArmor prompting: move the max prompt ID file to a subdirectory of the snap run directory
- AppArmor prompting: avoid race between closing/reading socket fd
- Confdb (experimental): make save/load hooks mandatory if affecting ephemeral
- Confdb: clear tx state on failed load
- Confdb: modify 'snap sign' to format JSON in assertion bodies (e.g. confdb-schema)
- Confdb: add NestedEphemeral to confdb schemas
- Confdb: add early concurrency checks
- Simplify building Arch package
- Enable snapd.apparmor on Fedora
- Build snapd snap with libselinux
- Emit snapd.apparmor warning only when using apparmor backend
- When running snap, on system key mismatch e.g. due to network attached HOME, trigger and wait for a security profiles regeneration
- Avoid requiring state lock to get user, warnings, or pending restarts when handling API requests
- Start/stop ssh.socket for core24+ when enabling/disabling the ssh service
- Allow providing a different base when overriding snap
- Modify snap-bootstrap to mount snapd snap directly to /snap
- Modify snap-bootstrap to mount /lib/{modules,firmware} from snap as fallback
- Modify core-initrd to use systemctl reboot instead of /sbin/reboot
- Copy the initramfs 'manifest-initramfs.yaml' to initramfs file creation directory so it can be copied to the kernel snap
- Build the early initrd from installed ucode packages
- Create drivers tree when remodeling from UC20/22 to UC24
- Load gpio-aggregator module before the helper-service needs it
- Run 'systemctl start' for mount units to ensure they are run also when unchanged
- Update godbus version to 'v5 v5.1.0'
- Add support for POST to /v2/system-info with system-key-mismatch indication from the client
- Add 'snap sign --update-timestamp' flag to update timestamp before signing
- Add vfs support for snap-update-ns to use to simulate and evaluate mount sequences
- Add refresh app awareness debug logging
- Add snap-bootstrap scan-disk subcommand to be called from udev
- Add feature to inject proxy store assertions in build image
- Add OP-TEE bindings, enable by default in ARM and ARM64 builds
- Fix systemd dependency options target to go under 'unit' section
- Fix snap-bootstrap reading kernel snap instead of base resulting in bad modeenv
- Fix a regression during seeding when using early-config
- LP: #2107443 reset SHELL to /bin/bash in non-classic snaps
- Make Azure kernels reboot upon panic
- Fix snap-confine to not drop capabilities if the original user is already root
- Fix data race when stopping services
- Fix task dependency issue by temporarily disabling re-refresh on prerequisite updates
- Fix compiling against op-tee on armhf
- Fix dbx update when not using FDE
- Fix potential validation set deadlock due to bases waiting on snaps
- LP: #2104066 Only cancel notices requests on stop/shutdown
- Interfaces: bool-file | fix gpio glob pattern as required for '[XXXX]*' format
- Interfaces: system-packages-doc | allow access to /usr/local/share/doc
- Interfaces: ros-snapd-support interface | added new interface
- Interfaces: udisks2 | allow chown capability
- Interfaces: system-observe | allow reading cpu.max
- Interfaces: serial-port | add ttyMAXX to allowed list
- Interfaces: modified seccomp template to disallow 'O_NOTIFICATION_PIPE'
- Interfaces: fwupd | add support for modem-manager plugin
- Interfaces: gpio-chardev | make unsupported and remove experimental flag to hide this feature until gpio-aggregator is available
- Interfaces: hardware-random | fix udev match rule
- Interfaces: timeserver-control | extend to allow timedatectl timesync commands
- Interfaces: add symlinks backend
- Interfaces: system key mismatch handling
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 3 2025 Ernest Lotter <ernest.lotter@xxxxxxxxxxxxx>
- New upstream release 2.70
- FDE: Fix reseal with v1 hook key format
- FDE: set role in TPM keys
- AppArmor prompting (experimental): add handling for expired requests or listener in the kernel
- AppArmor prompting: log the notification protocol version negotiated with the kernel
- AppArmor prompting: implement notification protocol v5 (manually disabled for now)
- AppArmor prompting: register listener ID with the kernel and resend notifications after snapd restart (requires protocol v5+)
- AppArmor prompting: select interface from metadata tags and set request interface accordingly (requires protocol v5+)
- AppArmor prompting: include request PID in prompt
- AppArmor prompting: move the max prompt ID file to a subdirectory of the snap run directory
- AppArmor prompting: avoid race between closing/reading socket fd
- Confdb (experimental): make save/load hooks mandatory if affecting ephemeral
- Confdb: clear tx state on failed load
- Confdb: modify 'snap sign' to format JSON in assertion bodies (e.g. confdb-schema)
- Confdb: add NestedEphemeral to confdb schemas
- Confdb: add early concurrency checks
- Simplify building Arch package
- Enable snapd.apparmor on Fedora
- Build snapd snap with libselinux
- Emit snapd.apparmor warning only when using apparmor backend
- When running snap, on system key mismatch e.g. due to network attached HOME, trigger and wait for a security profiles regeneration
- Avoid requiring state lock to get user, warnings, or pending restarts when handling API requests
- Start/stop ssh.socket for core24+ when enabling/disabling the ssh service
- Allow providing a different base when overriding snap
- Modify snap-bootstrap to mount snapd snap directly to /snap
- Modify snap-bootstrap to mount /lib/{modules,firmware} from snap as fallback
- Modify core-initrd to use systemctl reboot instead of /sbin/reboot
- Copy the initramfs 'manifest-initramfs.yaml' to initramfs file creation directory so it can be copied to the kernel snap
- Build the early initrd from installed ucode packages
- Create drivers tree when remodeling from UC20/22 to UC24
- Load gpio-aggregator module before the helper-service needs it
- Run 'systemctl start' for mount units to ensure they are run also when unchanged
- Update godbus version to 'v5 v5.1.0'
- Add support for POST to /v2/system-info with system-key-mismatch indication from the client
- Add 'snap sign --update-timestamp' flag to update timestamp before signing
- Add vfs support for snap-update-ns to use to simulate and evaluate mount sequences
- Add refresh app awareness debug logging
- Add snap-bootstrap scan-disk subcommand to be called from udev
- Add feature to inject proxy store assertions in build image
- Add OP-TEE bindings, enable by default in ARM and ARM64 builds
- Fix systemd dependency options target to go under 'unit' section
- Fix snap-bootstrap reading kernel snap instead of base resulting in bad modeenv
- Fix a regression during seeding when using early-config
- LP: #2107443 reset SHELL to /bin/bash in non-classic snaps
- Make Azure kernels reboot upon panic
- Fix snap-confine to not drop capabilities if the original user is already root
- Fix data race when stopping services
- Fix task dependency issue by temporarily disabling re-refresh on prerequisite updates
- Fix compiling against op-tee on armhf
- Fix dbx update when not using FDE
- Fix potential validation set deadlock due to bases waiting on snaps
- LP: #2104066 Only cancel notices requests on stop/shutdown
- Interfaces: bool-file | fix gpio glob pattern as required for '[XXXX]*' format
- Interfaces: system-packages-doc | allow access to /usr/local/share/doc
- Interfaces: ros-snapd-support interface | added new interface
- Interfaces: udisks2 | allow chown capability
- Interfaces: system-observe | allow reading cpu.max
- Interfaces: serial-port | add ttyMAXX to allowed list
- Interfaces: modified seccomp template to disallow 'O_NOTIFICATION_PIPE'
- Interfaces: fwupd | add support for modem-manager plugin
- Interfaces: gpio-chardev | make unsupported and remove experimental flag to hide this feature until gpio-aggregator is available
- Interfaces: hardware-random | fix udev match rule
- Interfaces: timeserver-control | extend to allow timedatectl timesync commands
- Interfaces: add symlinks backend
- Interfaces: system key mismatch handling

* Tue Apr 8 2025 Ernest Lotter <ernest.lotter@xxxxxxxxxxxxx>
- New upstream release 2.69
- FDE: re-factor listing of the disks based on run mode model and model to correctly resolve paths
- FDE: run snapd from snap-failure with the correct keyring mode
- Snap components: allow remodeling back to an old snap revision that includes components
- Snap components: fix remodel to a kernel snap that is already installed on the system, but not the current kernel due to a previous remodel.
- Snap components: fix for snapctl inputs that can crash snapd
- Confdb (experimental): load ephemeral data when reading data via snapctl get
- Confdb (experimental): load ephemeral data when reading data via snap get
- Confdb (experimental): rename {plug}-view-changed hook to observe-view-{plug}
- Confdb (experimental): rename confdb assertion to confdb-schema
- Confdb (experimental): change operator grouping in confdb-control assertion
- Confdb (experimental): add confdb-control API
- AppArmor: extend the probed features to include the presence of files, as well as directories
- AppArmor prompting (experimental): simplify the listener
- AppArmor metadata tagging (disabled): probe parser support for tags
- AppArmor metadata tagging (disabled): implement notification protocol v5
- Confidential VMs: sysroot.mount is now dynamically created by snap-bootstrap instead of being a static file in the initramfs
- Confidential VMs: Add new implementation of snap integrity API
- Non-suid snap-confine: first phase to replace snap-confine suid with capabilities to achieve the required permissions
- Initial changes for dynamic security profiles updates
- Provide snap icon fallback for /v2/icons without requiring network access at runtime
- Add eMMC gadget update support
- Support reexec when using /usr/libexec/snapd on the host (Arch Linux, openSUSE)
- Auto detect snap mount dir location on unknown distributions
- Modify snap-confine AppArmor template to allow all glibc HWCAPS subdirectories to prevent launch errors
- LP: #2102456 update secboot to bf2f40ea35c4 and modify snap-bootstrap to remove usage of go templates to reduce size by 4MB
- Fix snap-bootstrap to mount kernel snap from /sysroot/writable/system-data
- LP: #2106121 fix snap-bootstrap busy loop
- Fix encoding of time.Time by using omitzero instead of omitempty (on go 1.24+)
- Fix setting snapd permissions through permctl for openSUSE
- Fix snap struct json tags typo
- Fix snap pack configure hook permissions check incorrect file mode
- Fix gadget snap reinstall to honor existing sizes of partitions
- Fix to update command line when re-executing a snapd tool
- Fix 'snap validate' of specific missing newline and add error on missed case of 'snap validate --refresh' without another action
- Workaround for snapd-confine time_t size differences between architectures
- Disallow pack and install of snapd, base and os with specific configure hooks
- Drop udev build dependency that is no longer required and add missing systemd-dev dependency
- Build snap-bootstrap with nomanagers tag to decrease size by 1MB
- Interfaces: polkit | support custom polkit rules
- Interfaces: opengl | LP: #2088456 fix GLX on nvidia when xorg is confined by AppArmor
- Interfaces: log-observe | add missing udev rule
- Interfaces: hostname-control | fix call to hostnamectl in core24
- Interfaces: network-control | allow removing created network namespaces
- Interfaces: scsi-generic | re-enable base declaration for scsi-generic plug
- Interfaces: u2f | add support for Arculus AuthentiKey

* Wed Apr 2 2025 Ernest Lotter <ernest.lotter@xxxxxxxxxxxxx>
- New upstream release 2.68.4
- Snap components: LP: #2104933 workaround for classic 24.04/24.10 models that incorrectly specify core22 instead of core24
- Update build dependencies
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-5d2ce9a864' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key.
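As an added example that is not part of this announcement, the following POSIX shell script turns the one-line instruction above into a repeatable check: it compares the installed snapd Version-Release against the 2.70-1.fc42 build named in the header, runs the dnf advisory upgrade only when the host is still behind, and then asks rpm which key signed the installed package. The variable and function names are this example's own; the `rpm --qf` tags and the `dnf updateinfo` subcommand are standard dnf/rpm features but are not mentioned in the announcement, and rpm ordering is approximated with `sort -V`, which is adequate for the `X.Y-N.fcNN` shape used here.

```shell
#!/bin/sh
# Added example, not part of the Fedora announcement: decide whether the
# advisory still applies to this host, apply it, and confirm the installed
# snapd is signed. Nothing touches the package database or the network
# until main is invoked (see RUN_ADVISORY at the bottom).

ADVISORY="FEDORA-2025-5d2ce9a864"
FIXED_EVR="2.70-1.fc42"          # Version-Release from the advisory header

# evr_older CURRENT FIXED prints "yes" when CURRENT is older than FIXED.
# "none" (package absent) counts as older; equal strings are "no".
evr_older() {
    cur=$1
    fixed=$2
    if [ "$cur" = none ]; then
        echo yes
        return 0
    fi
    if [ "$cur" = "$fixed" ]; then
        echo no
        return 0
    fi
    # sort -V orders 2.69-1.fc42 < 2.70-1.fc42 < 2.70-2.fc42
    first=$(printf '%s\n%s\n' "$cur" "$fixed" | sort -V | head -n 1)
    if [ "$first" = "$cur" ]; then
        echo yes
    else
        echo no
    fi
}

# installed_evr prints the Version-Release of the installed snapd, or "none"
# (rpm reports "not installed" on stdout, so capture and discard it).
installed_evr() {
    if out=$(rpm -q --qf '%{VERSION}-%{RELEASE}' snapd 2>/dev/null); then
        echo "$out"
    else
        echo none
    fi
}

# apply_advisory shows the advisory text, then installs exactly the
# packages it covers (needs root, as the su -c in the announcement implies).
apply_advisory() {
    dnf updateinfo info "$ADVISORY"
    dnf upgrade --advisory "$ADVISORY"
}

# signature_of prints the PGP signature summary stored with an installed
# package, which includes the signing key ID, or "(none)" if unsigned.
signature_of() {
    rpm -q --qf '%{SIGPGP:pgpsig}\n' "$1"
}

main() {
    cur=$(installed_evr)
    if [ "$(evr_older "$cur" "$FIXED_EVR")" = yes ]; then
        echo "snapd $cur is older than $FIXED_EVR, applying $ADVISORY"
        apply_advisory
    else
        echo "snapd $cur is already at or newer than $FIXED_EVR"
    fi
    echo "snapd signature: $(signature_of snapd)"
}

# Run only when explicitly requested, so the functions can be sourced and
# exercised without modifying the system: RUN_ADVISORY=1 sh snapd-advisory.sh
if [ "${RUN_ADVISORY:-0}" = 1 ]; then
    main
fi
```

The signature line is worth reading rather than just logging: a package installed from this advisory should report a key ID that matches one of the Fedora 42 keys listed on the keys page below, and "(none)" on an updated host means the package did not come through a signed repository.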
More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx