[ubuntu/questing-proposed] snapd 2.74.1+ubuntu25.10.4 (Accepted)
Ernest Lotter
ernest.lotter at canonical.com
Thu Apr 2 19:45:36 UTC 2026
snapd (2.74.1+ubuntu25.10.4) questing; urgency=medium
* New upstream release, LP: #2138629
- FDE: secboot fixes
- Security: CVE-2026-3888
- Packaging: fix deb package version number
- Packaging: fix autopkgtest failure to install spread
- Packaging: revert dropping transitional packages
snapd (2.74.1+ubuntu25.10) questing; urgency=medium
- FDE: measure DeployedMode and AuditMode variables if they appear
as disabled in the event log to avoid a potential reseal-failure
boot loop
- LP: #2141328 FDE: reuse preinstall check context during install to
account for user-ignored errors
- LP: #2139611 FDE: fix db updates by allowing multiple payloads
- LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising
memory lock limit when required
- LP: #2139099 snap-confine: bump the max element count of the BPF
map used to store IDs of allowed/matched devices to 1000
- LP: #2141607 Desktop: revert change that caused user daemons
declaring the desktop plug to implicitly depend on
graphical-session.target
- Interfaces: Added pidfd_open and memfd_secret to seccomp template
- Interfaces: camera | add locking permission for /dev/video
snapd (2.74+ubuntu25.10) questing; urgency=medium
- FDE: use new activation API from secboot
- FDE: use activation API also with non keydata keys
- FDE: ignore internal recovery key expiration during install
- FDE: support adding/removing PINs post-installation
- FDE: support changing PINs post-installation
- FDE: support adding a recovery key post-installation
- FDE: provide activation status via new endpoint
v2/system-info/storage-encrypted
- FDE: support sealing and resealing using the preinstall check
result
- FDE: disable passphrase support during install
- FDE: add keyboard configuration helpers
- FDE: lazily inject keyboard layout configuration in kernel cmdline
- FDE: enable pin tries and limits PIN entry attempts to 3
- FDE: extend secureboot endpoint to accept DB, KEK, and PK
- FDE: simplify /v2/system-volumes keyslots handling by allowing
name-only entries, implicitly expanding to all system containers
- FDE: support extra non-system key slot names to support agents
such as Landscape to set dedicated recovery keys
- FDE: initialize fde state after device state
- FDE: use device node to find the storage container and keys
- FDE: provide user visible name for disk based on ID_MODEL
- FDE: update secboot in snapd with latest additions and fixes
- core-initrd: add systemd service for setting plymouth keyboard
layout and X11 keyboard layouts
- core-initrd: set plymouth cleartext toggle option
- core-initrd: fix plymouth missing font issue
- core-initrd: update dependency from libteec1 to libteec2
- core-initrd: add new dlopened libs
- LP: #2116949 Preseeding: add support for preseeding of hybrid
systems via the installer API
- Preseeding: check whether a path is a mountpoint before remounting
- Confdb: support tagging paths as secret in storage schemas
- Confdb: support filtering on placeholder sub-keys
- Confdb: support filtering in API and confdbstate
- Confdb: support field filtering on reads
- Confdb: support "parameters" stanza and check filters against them
- Confdb: add support for '--with' constraints
- Confdb: parsing fixes and error handling improvements
- Assertions: restrict serials to new format in confdb-control
- Assertions: add verify signature function
- Remote device management: modify request-message assertion to
expose its time constraints for remote device management
- Remote device management: support polling of store messages
- Remote device management: add signing of response messages with
device key
- Prompting: enable notify protocol v5 and test prompt restoration
after snapd restart
- snap: change malformed '--channel=' warning to error
- snap: add 'snap report-issue' command to get the available contact
details for the specified snap
- snap: add 'snap version --verbose' flag to include information on
snap binaries origin
- snap: create the XDG_RUNTIME_DIR folder
- LP: #2068493 snap: add support for 'snap refresh --tracking'
- snapctl: add '--tracking' flag to 'snapctl refresh'
- Reexec: include the info filepath in the version compare debug log
- Reexec: add support for forcing reexec into an older snapd snap
by setting SNAP_REEXEC=force in the environment
- snap-confine: correct error message related to snap-confine group
policy validation
- snap-confine: ensure we only mount existing directories
- LP: #2134364 snap-confine: handle potential race when creating
/tmp/snap-private-tmp when lacking systemd-tmpfiles support
- snap-confine: filter plus characters from security tags
- Desktop: use desktop file IDs as desktop IDs
- Desktop: store the common ID in the desktop file
- Desktop: allow graphical daemons to show icons in the dock
- Desktop: change user daemons with desktop plug defined to depend
on graphical-session.target
- dm-verity for essential snaps: made change to prerequisite struct
- Cross-distro: modify SELinux profile to allow connecting to squid
proxy
- Cross-distro: add support for migrating snap mount directory
- Packaging: drop ubuntu-14.04 packaging
- Packaging: drop ubuntu-{14.04,16.04} transitional binary packages
- Packaging: remove desktop files and state lock file during snapd
purge
- Packaging: fix inhibition hint file being left behind on failed
unlink-current-snap
- Disallow timeouts < 1us in systemd units
- Add snap-store to the user-daemons support overrides
- Support for SuccessExitStatus= generation for systemd daemon
- Make standby output more verbose
- Add prepare-serial-request hook
- Try to discard snap mount namespaces when no processes are running
during snap updates
- Improve handling of snap downloads cache by introducing periodic
cleanup with more aggressive policy
- Interfaces: mediatek-accel | create new interface
- Interfaces: nvidia-video-driver-libs | create new interface
- Interfaces: *-driver-libs | accept component paths
- Interfaces: desktop-legacy, unity7 | remove workaround for slash
filtering in ibus address
- Interfaces: fwupd | allow writing reboot notification in /run
- Interfaces: add 'install' coreutil to base AppArmor template
- Interfaces: u2f-devices | add apparmor permissions to allow the
use of the libfido2 library in snaps
- Interfaces: u2f-devices | add support for Thetis security key
- Interfaces: add AppArmor workaround for mmap MAP_HUGETLB
- Interfaces: timeserver-control | manage per-link ntp settings via
systemd-networkd
Date: Thu, 02 Apr 2026 08:44:00 +0200
Changed-By: Ernest Lotter <ernest.lotter at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Julian Andres Klode <julian.klode at canonical.com>
https://launchpad.net/ubuntu/+source/snapd/2.74.1+ubuntu25.10.4
-------------- next part --------------
Format: 1.8
Date: Thu, 02 Apr 2026 08:44:00 +0200
Source: snapd
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 2.74.1+ubuntu25.10.4
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ernest Lotter <ernest.lotter at canonical.com>
Launchpad-Bugs-Fixed: 2068493 2116949 2134364 2138629 2139099 2139300 2139611 2141328 2141607