--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6443834ac3
2025-09-13 02:42:15.995345+00:00
--------------------------------------------------------------------------------

Name        : snapd
Product     : Fedora 41
Version     : 2.71
Release     : 0.fc41
URL         : https://github.com/snapcore/snapd
Summary     : A transactional software package manager
Description :
Snappy is a modern, cross-distribution, transactional package manager
designed for working with self-contained, immutable packages.

--------------------------------------------------------------------------------
Update Information:

- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the /v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the /v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new /v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the /v2/system-volumes endpoint
- FDE: support enumerating keyslots at runtime via the /v2/system-volumes endpoint
- FDE: support changing passphrase at runtime via the /v2/system-volumes endpoint
- FDE: support passphrase quality check at runtime via the /v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle ENOSYS
- snap-confine: add support for host policy for limiting users able to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to individual partitions
- Interfaces: accel | add new interface to support accel kernel subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading /proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed

--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 22 2025 Ernest Lotter <ernest.lotter@xxxxxxxxxxxxx>
- New upstream release 2.71
- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the /v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the /v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new /v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the /v2/system-volumes endpoint
- FDE: support enumerating keyslots at runtime via the /v2/system-volumes endpoint
- FDE: support changing passphrase at runtime via the /v2/system-volumes endpoint
- FDE: support passphrase quality check at runtime via the /v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle ENOSYS
- snap-confine: add support for host policy for limiting users able to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to individual partitions
- Interfaces: accel | add new interface to support accel kernel subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading /proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed

* Fri Aug 15 2025 Maxwell G <maxwell@xxxxxxx> - 2.70-3
- Rebuild for golang-1.25.0

* Fri Jul 25 2025 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.70-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6443834ac3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key.
More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------