[ubuntu/plucky-proposed] snapd 2.68.3+ubuntu25.04.2 (Accepted)
Ernest Lotter
ernest.lotter at canonical.com
Tue Apr 1 16:05:38 UTC 2025
snapd (2.68.3+ubuntu25.04.2) plucky; urgency=medium
* New upstream release, LP: #2098137
- FDE: use boot mode for FDE hooks
- FDE: add snap-bootstrap compatibility check to prevent image
creation with incompatible snapd and kernel snap
- FDE: add argon2 out-of-process KDF support
- FDE: have separate mutex for the sections writing a fresh modeenv
- FDE: LP: #2099709 update secboot to e07f4ae48e98
- FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to
old keyring path
- Confdb: support pruning ephemeral data and process alternative
types in order
- core-initrd: look at env to mount directly to /sysroot
- core-initrd: prepare for Plucky build and split out 24.10
(Oracular)
- Fix Plucky snapd deb build issue related to /var/lib/snapd/void
permissions
- Fix snapd deb build complaint about ifneq with extra bracket
- Fix missing primed packages in snapd snap manifest
- Interfaces: posix-mq | fix incorrect clobbering of global variable
and make interface more precise
- Interfaces: opengl | add more kernel fusion driver files
- Fix snap-confine type specifier type mismatch on armhf
- FDE: add support for new and more extensible key format that is
unified between TPM and FDE hook
- FDE: add support for adding passphrases during installation
- FDE: update secboot to 30317622bbbc
- Snap components: make kernel components available on firstboot
after either initramfs or ephemeral rootfs style install
- Snap components: mount drivers tree from initramfs so kernel
modules are available in early boot stages
- Snap components: support remodeling to models that contain
components
- Snap components: support offline remodeling to models that contain
components
- Snap components: support creating new recovery systems with
components
- Snap components: support downloading components with 'snap
download' command
- Snap components: support sideloading asserted components
- AppArmor Prompting(experimental): improve version checks and
handling of listener notification protocol for communication with
kernel AppArmor
- AppArmor Prompting(experimental): make prompt replies idempotent,
and have at most one rule for any given path pattern, with
potentially mixed outcomes and lifespans
- AppArmor Prompting(experimental): timeout unresolved prompts after
a period of client inactivity
- AppArmor Prompting(experimental): return an error if a patch
request to the API would result in a rule without any permissions
- AppArmor Prompting(experimental): warn if there is no prompting
client present but prompting is enabled, or if a prompting-related
error occurs during snapd startup
- AppArmor Prompting(experimental): do not log error when converting
empty permissions to AppArmor permissions
- Confdb(experimental): rename registries to confdbs (including API
/v2/registries => /v2/confdb)
- Confdb(experimental): support marking confdb schemas as ephemeral
- Confdb(experimental): add confdb-control assertion and feature
flag
- Refresh App Awareness(experimental): LP: #2089195 prevent
possibility of incorrect notification that snap will quit and
update
- Confidential VMs: snap-bootstrap support for loading partition
information from a manifest file for cloudimg-rootfs mode
- Confidential VMs: snap-bootstrap support for setting up cloudimg-
rootfs as an overlayfs with integrity protection
- dm-verity for essential snaps: add support for snap-integrity
assertion
- Interfaces: modify AppArmor template to allow owner read on
@{PROC}/@{pid}/fdinfo/*
- Interfaces: LP: #2072987 modify AppArmor template to allow using
setpriv to run daemon as non-root user
- Interfaces: add configfiles backend that ensures the state of
configuration files in the filesystem
- Interfaces: add ldconfig backend that exposes libraries coming
from snaps to either the rootfs or to other snaps
- Interfaces: LP: #1712808 disable udev backend when
inside a container
- Interfaces: add auditd-support interface that grants audit_control
capability and required paths for auditd to function
- Interfaces: add checkbox-support interface that allows
unrestricted access to all devices
- Interfaces: fwupd | allow access to dell bios recovery
- Interfaces: fwupd | allow access to shim and fallback shim
- Interfaces: mount-control | add mount option validator to detect
mount option conflicts early
- Interfaces: cpu-control | add read access to /sys/kernel/irq/
- Interfaces: locale-control | changed to be implicit on Ubuntu Core
Desktop
- Interfaces: microstack-support | support for utilizing of AMD SEV
capabilities
- Interfaces: u2f | added missing OneSpan device product IDs
- Interfaces: auditd-support | grant seccomp setpriority
- Interfaces: opengl interface | enable parsing of nvidia driver
information files
- Interfaces: mount-control interface | add CIFS support
- Allow mksquashfs 'xattrs' when packing snap types os, core, base
and snapd as part of work to support non-root snap-confine
- Upstream/downstream packaging changes and build updates
- Improve error logs for malformed desktop files to also show which
desktop file is at fault
- Provide more precise error message when overriding channels with
grade during seed creation
- Expose 'snap prepare-image' validation parameter
- Add snap-seccomp 'dump' command that dumps the filter rules from a
compiled profile
- Add fallback release info location /etc/initrd-release
- Added core-initrd to snapd repo and fixed issues with ubuntu-core-
initramfs deb builds
- Remove stale robust-mount-namespace-updates experimental feature
flag
- Remove snapd-snap experimental feature (rejected) and it's feature
flag
- Changed snap-bootstrap to mount base directly on /sysroot
- Mount ubuntu-seed mounted as no-{suid,exec,dev}
- Mapping volumes to disks: add support for volume-assignments in
gadget
- Fix silently broken binaries produced by distro patchelf 0.14.3 by
using locally build patchelf 0.18
- Fix mismatch between listed refresh candidates and actual refresh
due to outdated validation sets
- Fix 'snap get' to produce compact listing for tty
- Fix missing store-url by keeping it as part of auxiliary store
info
- Fix snap-confine attempting to retrieve device cgroup setup inside
container where it is not available
- Fix 'snap set' and 'snap get' panic on empty strings with early
error checking
- Fix logger debug entries to show correct caller and file
information
- Fix issue preventing hybrid systems from being seeded on first
boot
- LP: #1966203 remove auto-import udev rules not required by deb
package to avoid unwanted syslog errors
- LP: #1886414 fix progress reporting when stdout is on a tty, but
stdin is not
Date: Mon, 10 Mar 2025 20:13:38 +0200
Changed-By: Ernest Lotter <ernest.lotter at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Julian Andres Klode <julian.klode at canonical.com>
https://launchpad.net/ubuntu/+source/snapd/2.68.3+ubuntu25.04.2
-------------- next part --------------
Format: 1.8
Date: Mon, 10 Mar 2025 20:13:38 +0200
Source: snapd
Built-For-Profiles: noudeb
Architecture: source
Version: 2.68.3+ubuntu25.04.2
Distribution: plucky
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ernest Lotter <ernest.lotter at canonical.com>
Launchpad-Bugs-Fixed: 1712808 1886414 1966203 2072987 2089195 2098137 2099709 2101834
Changes:
snapd (2.68.3+ubuntu25.04.2) plucky; urgency=medium
.
* New upstream release, LP: #2098137
- FDE: use boot mode for FDE hooks
- FDE: add snap-bootstrap compatibility check to prevent image
creation with incompatible snapd and kernel snap
- FDE: add argon2 out-of-process KDF support
- FDE: have separate mutex for the sections writing a fresh modeenv
- FDE: LP: #2099709 update secboot to e07f4ae48e98
- FDE: LP: #2101834 snapd 2.68+ and snap-bootstrap <2.68 fallback to
old keyring path
- Confdb: support pruning ephemeral data and process alternative
types in order
- core-initrd: look at env to mount directly to /sysroot
- core-initrd: prepare for Plucky build and split out 24.10
(Oracular)
- Fix Plucky snapd deb build issue related to /var/lib/snapd/void
permissions
- Fix snapd deb build complaint about ifneq with extra bracket
- Fix missing primed packages in snapd snap manifest
- Interfaces: posix-mq | fix incorrect clobbering of global variable
and make interface more precise
- Interfaces: opengl | add more kernel fusion driver files
- Fix snap-confine type specifier type mismatch on armhf
- FDE: add support for new and more extensible key format that is
unified between TPM and FDE hook
- FDE: add support for adding passphrases during installation
- FDE: update secboot to 30317622bbbc
- Snap components: make kernel components available on firstboot
after either initramfs or ephemeral rootfs style install
- Snap components: mount drivers tree from initramfs so kernel
modules are available in early boot stages
- Snap components: support remodeling to models that contain
components
- Snap components: support offline remodeling to models that contain
components
- Snap components: support creating new recovery systems with
components
- Snap components: support downloading components with 'snap
download' command
- Snap components: support sideloading asserted components
- AppArmor Prompting(experimental): improve version checks and
handling of listener notification protocol for communication with
kernel AppArmor
- AppArmor Prompting(experimental): make prompt replies idempotent,
and have at most one rule for any given path pattern, with
potentially mixed outcomes and lifespans
- AppArmor Prompting(experimental): timeout unresolved prompts after
a period of client inactivity
- AppArmor Prompting(experimental): return an error if a patch
request to the API would result in a rule without any permissions
- AppArmor Prompting(experimental): warn if there is no prompting
client present but prompting is enabled, or if a prompting-related
error occurs during snapd startup
- AppArmor Prompting(experimental): do not log error when converting
empty permissions to AppArmor permissions
- Confdb(experimental): rename registries to confdbs (including API
/v2/registries => /v2/confdb)
- Confdb(experimental): support marking confdb schemas as ephemeral
- Confdb(experimental): add confdb-control assertion and feature
flag
- Refresh App Awareness(experimental): LP: #2089195 prevent
possibility of incorrect notification that snap will quit and
update
- Confidential VMs: snap-bootstrap support for loading partition
information from a manifest file for cloudimg-rootfs mode
- Confidential VMs: snap-bootstrap support for setting up cloudimg-
rootfs as an overlayfs with integrity protection
- dm-verity for essential snaps: add support for snap-integrity
assertion
- Interfaces: modify AppArmor template to allow owner read on
@{PROC}/@{pid}/fdinfo/*
- Interfaces: LP: #2072987 modify AppArmor template to allow using
setpriv to run daemon as non-root user
- Interfaces: add configfiles backend that ensures the state of
configuration files in the filesystem
- Interfaces: add ldconfig backend that exposes libraries coming
from snaps to either the rootfs or to other snaps
- Interfaces: LP: #1712808 disable udev backend when
inside a container
- Interfaces: add auditd-support interface that grants audit_control
capability and required paths for auditd to function
- Interfaces: add checkbox-support interface that allows
unrestricted access to all devices
- Interfaces: fwupd | allow access to dell bios recovery
- Interfaces: fwupd | allow access to shim and fallback shim
- Interfaces: mount-control | add mount option validator to detect
mount option conflicts early
- Interfaces: cpu-control | add read access to /sys/kernel/irq/
- Interfaces: locale-control | changed to be implicit on Ubuntu Core
Desktop
- Interfaces: microstack-support | support for utilizing of AMD SEV
capabilities
- Interfaces: u2f | added missing OneSpan device product IDs
- Interfaces: auditd-support | grant seccomp setpriority
- Interfaces: opengl interface | enable parsing of nvidia driver
information files
- Interfaces: mount-control interface | add CIFS support
- Allow mksquashfs 'xattrs' when packing snap types os, core, base
and snapd as part of work to support non-root snap-confine
- Upstream/downstream packaging changes and build updates
- Improve error logs for malformed desktop files to also show which
desktop file is at fault
- Provide more precise error message when overriding channels with
grade during seed creation
- Expose 'snap prepare-image' validation parameter
- Add snap-seccomp 'dump' command that dumps the filter rules from a
compiled profile
- Add fallback release info location /etc/initrd-release
- Added core-initrd to snapd repo and fixed issues with ubuntu-core-
initramfs deb builds
- Remove stale robust-mount-namespace-updates experimental feature
flag
- Remove snapd-snap experimental feature (rejected) and it's feature
flag
- Changed snap-bootstrap to mount base directly on /sysroot
- Mount ubuntu-seed mounted as no-{suid,exec,dev}
- Mapping volumes to disks: add support for volume-assignments in
gadget
- Fix silently broken binaries produced by distro patchelf 0.14.3 by
using locally build patchelf 0.18
- Fix mismatch between listed refresh candidates and actual refresh
due to outdated validation sets
- Fix 'snap get' to produce compact listing for tty
- Fix missing store-url by keeping it as part of auxiliary store
info
- Fix snap-confine attempting to retrieve device cgroup setup inside
container where it is not available
- Fix 'snap set' and 'snap get' panic on empty strings with early
error checking
- Fix logger debug entries to show correct caller and file
information
- Fix issue preventing hybrid systems from being seeded on first
boot
- LP: #1966203 remove auto-import udev rules not required by deb
package to avoid unwanted syslog errors
- LP: #1886414 fix progress reporting when stdout is on a tty, but
stdin is not
Checksums-Sha1:
c926d8d5e6a975d8439bb72208b51e0585d5e0de 3137 snapd_2.68.3+ubuntu25.04.2.dsc
c22b12dba255a21fa3fd4e7902c4639ea42c6968 11077580 snapd_2.68.3+ubuntu25.04.2.tar.xz
1395e8301b3c642ccd3cbd11195dcc097a8c19d3 15095 snapd_2.68.3+ubuntu25.04.2_source.buildinfo
Checksums-Sha256:
e236666c5d3469f81a0154e52ab6179edd36fc8a4bc36ae8c404b2cb0fcce4a3 3137 snapd_2.68.3+ubuntu25.04.2.dsc
7f526db8ac2a3a17b5520fde23331f849fbdfa8b02bda35e85e67d5cb42381a2 11077580 snapd_2.68.3+ubuntu25.04.2.tar.xz
6b93440e5eb5d98df1f1f9015cd3404c507096668d8328e99426c05ce08a12ce 15095 snapd_2.68.3+ubuntu25.04.2_source.buildinfo
Files:
3234fb6706754b86ef49be7add8fc39f 3137 devel optional snapd_2.68.3+ubuntu25.04.2.dsc
a5836cb3bcda40d1979f11443dbbfdbe 11077580 devel optional snapd_2.68.3+ubuntu25.04.2.tar.xz
e457241ff981c2dde6020ab605731527 15095 devel optional snapd_2.68.3+ubuntu25.04.2_source.buildinfo
More information about the plucky-changes
mailing list