[Bug 2151779] [NEW] noble desktop isos contain mostly empty enhanced-secureboot layers
Michael Hudson-Doyle
2151779 at bugs.launchpad.net
Thu May 7 09:58:13 UTC 2026
Public bug reported:
[ Impact ]
livecd-rootfs still contains build configuration for the "enhanced-secureboot"
desktop image variant (the TPM-backed FDE spike). The binary hook that
produced the snapd system for these images was removed in 24.04.96 (LP:
#2147086), so the remaining configuration in live-build/auto/config now only
adds two extra layered passes (minimal.enhanced-secureboot and
minimal.standard.enhanced-secureboot) that build squashfs layers nothing
consumes. This is now just wasteful and confusing.
[ Test Plan ]
Build a desktop ISO from the noble livecd-rootfs with this change applied and
verify:
1. The build completes successfully.
2. No minimal.enhanced-secureboot.* or
minimal.standard.enhanced-secureboot.* squashfs files are produced.
3. There are no enhanced-secureboot layers in the install-source.yaml
4. The resulting ISO boots, the live session works, and a normal
install (both minimal and full variants) completes and boots into
the installed system.
5. Diff the produced image against a build of 24.04.96 and confirm
the only differences are the absence of the enhanced-secureboot
layer artefacts.
[ Where problems could occur ]
The change only removes a self-contained block inside the desktop case
of live-build/auto/config; it does not touch shared helpers, other
projects, or any image-construction logic that runs on the default
desktop layers. The most plausible regression would be that something
downstream (image catalog tooling, ubuntu-image, or an out-of-tree
consumer) was implicitly depending on the enhanced-secureboot squashfs
or catalog-in.yaml files being present on the build output. The
companion 24.04.96 SRU already removed the hook that produced the
snapd system for those images, so any such consumer is already broken
on 24.04.96; this change just stops generating the orphaned layer
artefacts.
[ Other Info ]
This is a follow-up to LP: #2147086 / 24.04.96, which removed the
020-ubuntu-enhanced-sb.binary hook. That commit left the corresponding
add_package / derive_language_layers / catalog-in.yaml block in
live-build/auto/config in place. This SRU finishes that cleanup.
** Affects: livecd-rootfs (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: livecd-rootfs (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: livecd-rootfs (Ubuntu Noble)
Importance: Undecided
Status: New
** Changed in: livecd-rootfs (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2151779
Title:
noble desktop isos contain mostly empty enhanced-secureboot layers
Status in livecd-rootfs package in Ubuntu:
Invalid
Status in livecd-rootfs source package in Noble:
New
Bug description:
[ Impact ]
livecd-rootfs still contains build configuration for the "enhanced-secureboot"
desktop image variant (the TPM-backed FDE spike). The binary hook that
produced the snapd system for these images was removed in 24.04.96 (LP:
#2147086), so the remaining configuration in live-build/auto/config now only
adds two extra layered passes (minimal.enhanced-secureboot and
minimal.standard.enhanced-secureboot) that build squashfs layers nothing
consumes. This is now just wasteful and confusing.
[ Test Plan ]
Build a desktop ISO from the noble livecd-rootfs with this change applied and
verify:
1. The build completes successfully.
2. No minimal.enhanced-secureboot.* or
minimal.standard.enhanced-secureboot.* squashfs files are produced.
3. There are no enhanced-secureboot layers in the install-source.yaml
4. The resulting ISO boots, the live session works, and a normal
install (both minimal and full variants) completes and boots into
the installed system.
5. Diff the produced image against a build of 24.04.96 and confirm
the only differences are the absence of the enhanced-secureboot
layer artefacts.
[ Where problems could occur ]
The change only removes a self-contained block inside the desktop case
of live-build/auto/config; it does not touch shared helpers, other
projects, or any image-construction logic that runs on the default
desktop layers. The most plausible regression would be that something
downstream (image catalog tooling, ubuntu-image, or an out-of-tree
consumer) was implicitly depending on the enhanced-secureboot squashfs
or catalog-in.yaml files being present on the build output. The
companion 24.04.96 SRU already removed the hook that produced the
snapd system for those images, so any such consumer is already broken
on 24.04.96; this change just stops generating the orphaned layer
artefacts.
[ Other Info ]
This is a follow-up to LP: #2147086 / 24.04.96, which removed the
020-ubuntu-enhanced-sb.binary hook. That commit left the corresponding
add_package / derive_language_layers / catalog-in.yaml block in
live-build/auto/config in place. This SRU finishes that cleanup.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2151779/+subscriptions
More information about the foundations-bugs
mailing list