-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 21 Aug 2025 13:57:25 +0000
Source: snapd
Architecture: source
Version: 2.71-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Hudson-Doyle <mwhudson@debian.org>
Changed-By: Zygmunt Krynicki <me@zygoon.pl>
Changes:
snapd (2.71-1) unstable; urgency=medium
.
[ Ernest Lotter ]
* New upstream release, LP: #2118396
- FDE: auto-repair when recovery key is used
- FDE: revoke keys on shim update
- FDE: revoke old TPM keys when dbx has been updated
- FDE: do not reseal FDE hook keys every time
- FDE: store keys in the kernel keyring when installing from initrd
- FDE: allow disabled DMA on Core
- FDE: snap-bootstrap: do not check for partition in scan-disk on
CVM
- FDE: support secboot preinstall check for 25.10+ hybrid installs
via the /v2/system/{label} endpoint
- FDE: support generating recovery key at install time via the
/v2/systems/{label} endpoint
- FDE: update passphrase quality check at install time via the
/v2/systems/{label} endpoint
- FDE: support replacing recovery key at runtime via the new
/v2/system-volumes endpoint
- FDE: support checking recovery keys at runtime via the /v2/system-
volumes endpoint
- FDE: support enumerating keyslots at runtime via the /v2/system-
volumes endpoint
- FDE: support changing passphrase at runtime via the /v2/system-
volumes endpoint
- FDE: support passphrase quality check at runtime via the
/v2/system-volumes endpoint
- FDE: update secboot to revision 3e181c8edf0f
- Confdb: support lists and indexed paths on read and write
- Confdb: alias references must be wrapped in brackets
- Confdb: support indexed paths in confdb-schema assertion
- Confdb: make API errors consistent with options
- Confdb: fetch confdb-schema assertion on access
- Confdb: prevent --previous from being used in read-side hooks
- Components: fix snap command with multiple components
- Components: set revision of seed components to x1
- Components: unmount extra kernel-modules components mounts
- AppArmor Prompting: add lifespan "session" for prompting rules
- AppArmor Prompting: support restoring prompts after snapd restart
- AppArmor Prompting: limit the extra information included in probed
AppArmor features and system key
- Notices: refactor notice state internals
- SELinux: look for restorecon/matchpathcon at all known locations
rather than current PATH
- SELinux: update policy to allow watching cgroups (for RAA), and
talking to user session agents (service mgmt/refresh)
- Refresh App Awareness: Fix unexpected inotify file descriptor
cleanup
- snap-confine: workaround for glibc fchmodat() fallback and handle
ENOSYS
- snap-confine: add support for host policy for limiting users able
to run snaps
- LP: #2114923 Reject system key mismatch advise when not yet seeded
- Use separate lanes for essential and non-essential snaps during
seeding and allow non-essential installs to retry
- Fix bug preventing remodel from core18 to core18 when snapd snap
is unchanged
- LP: #2112551 Make removal of last active revision of a snap equal
to snap remove
- LP: #2114779 Allow non-gpt in fallback mode to support RPi
- Switch from using systemd LogNamespace to manually controlled
journal quotas
- Change snap command trace logging to only log the command names
- Grant desktop-launch access to /v2/snaps
- Update code for creating the snap journal stream
- Switch from using core to snapd snap for snap debug connectivity
- LP: #2112544 Fix offline remodel case where we switched to a
channel without an actual refresh
- LP: #2112332 Exclude snap/snapd/preseeding when generating preseed
tarball
- LP: #1952500 Fix snap command progress reporting
- LP: #1849346 Interfaces: kerberos-tickets | add new interface
- Interfaces: u2f | add support for Thetis Pro
- Interfaces: u2f | add OneSpan device and fix older device
- Interfaces: pipewire, audio-playback | support pipewire as system
daemon
- Interfaces: gpg-keys | allow access to GPG agent sockets
- Interfaces: usb-gadget | add new interface
- Interfaces: snap-fde-control, firmware-updater-support | add new
interfaces to support FDE
- Interfaces: timezone-control | extend to support timedatectl
varlink
- Interfaces: cpu-control | fix rules for accessing IRQ sysfs and
procfs directories
- Interfaces: microstack-support | allow SR-IOV attachments
- Interfaces: modify AppArmor template to allow snaps to read their
own systemd credentials
- Interfaces: posix-mq | allow stat on /dev/mqueue
- LP: #2098780 Interfaces: log-observe | add capability
dac_read_search
- Interfaces: block-devices | allow access to ZFS pools and datasets
- LP: #2033883 Interfaces: block-devices | opt-in access to
individual partitions
- Interfaces: accel | add new interface to support accel kernel
subsystem
- Interfaces: shutdown | allow client to bind on its side of dbus
socket
- Interfaces: modify seccomp template to allow pwritev2
- Interfaces: modify AppArmor template to allow reading
/proc/sys/fs/nr_open
- Packaging: drop snap.failure service for openSUSE
- Packaging: add SELinux support for openSUSE
- Packaging: disable optee when using nooptee build tag
- Packaging: add support for static PIE builds in snapd.mk, drop
pie.patch from openSUSE
- Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
- Packaging: use snapd.mk for packaging on Fedora
- Packaging: exclude .git directory
- Packaging: fix DPKG_PARSECHANGELOG assignment
- Packaging: fix building on Fedora with dpkg installed
.
[ Zygmunt Krynicki ]
* Remove auth_requestor.go (secboot)
* Rebase and re-export patches
* Fix typo and clarify what core means
* Remove transitional ubuntu-core-launcher package
* Remove transitional snap-confine package
* Simplify Conflicts: snap to exclude ubuntu version
* Expand the description of golang-github-snapcore-snapd-dev
* Rewrite summary of golang-github-snapcore-snapd-dev
* Move golang-github-snapcore-snapd-dev to golang section
* Update lintian overrides
* Add Static-Built-Using to snapd
* Use Breaks: snap, instead of Conflicts: snap
* Do not ship snapd.recovery-chooser-trigger.service
* Add manual page for snapd.apparmor.service
* Add manual page for snapd.seeded.service
* Add manual page for snapd.service
* Update standards-version to 4.7.2
Checksums-Sha1:
3a612de1e190e94f7f969c6e78d7f558fe0f0ba5 3446 snapd_2.71-1.dsc
4614fc4e36d2aea9b331142a342bfbe954ebf21f 16302240 snapd_2.71.orig.tar.gz
feb3ffd6ea2e2d0b9f836f660481a124a594f9cb 150540 snapd_2.71-1.debian.tar.xz
5082c623b08c6e4ed533d2e3a91f7e1d2c553f1f 12250 snapd_2.71-1_source.buildinfo
Checksums-Sha256:
63f7cab1b66dde013ebf63bbbf2cecb599130699aba07b9e3ef5f8df9c4a388b 3446 snapd_2.71-1.dsc
362028f991120b37a5706d6637479dc30e1296f82d0c2a957b0a29e66ff1879a 16302240 snapd_2.71.orig.tar.gz
52234874646025d4be930023771c1c4f235518c95644ca8564dc7d093d3c69a8 150540 snapd_2.71-1.debian.tar.xz
81bf7480206e3d34b8679815ded7336fe6128e0ba40749e524e6f0e7752fea72 12250 snapd_2.71-1_source.buildinfo
Files:
665676583a0c44f5007fd2f64db7c3b8 3446 devel optional snapd_2.71-1.dsc
719970fcf74b995e8292f6b5d147ea0d 16302240 devel optional snapd_2.71.orig.tar.gz
0c1beab5b2cb63345e10f7b6e1d6e9ac 150540 devel optional snapd_2.71-1.debian.tar.xz
8e591945dc25035c6f19ce58b03cd7e7 12250 devel optional snapd_2.71-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEt2ztm0XK8VV9JxpqKJTpOijGe0cFAminJjIUHHprcnluaWNr
aUBnbWFpbC5jb20ACgkQKJTpOijGe0fmKw//aN2GPgDkbELnzZwTtl6DZFyp2uGL
ru7QRBgFmvbyh9xUaVVFa1z4Z2o0006EPw3Oo5jUGGume8s+c98G7ZwMbHCOther
9qTYUMCIhsBcOu4qapL+n010XUYzoeTNYEH7pEAdobs/sSOeS8f7xX/z9RO7PwWU
xt7kYaI+BOuxnhIYN7a67v4kPWN/R2lwn2sFi6bI6ss/KOS9K/QGwHkGRSuZvLGA
YgJbVv+Spc3LVTu5IVs5HY/47dtzzTXv+tdh+uYW+wbfJYqrjU9+6GMaQ1ODncRu
x4vJoJRFrbQs5FIhrSvlAaTFehR9fkOQ0FY9+WSjTieMxG1iDLY00qoznaQ0/v28
LCpmgBcitVJRJfNx/hieGxi+JkXSNvciyeQ1SEjYPwLHh6Cu55jWUFhr4cqIbuH0
uWIJ8NxY7L0sfqi8ASBUSaNm6Sa66qYfc9WKC+KDLPTUUUOYOYBO0JF2ifgomXFh
CBEZO52UMrQvgO3Qawl40Dl1awKQbKevbpSdLHRMiDjkCNKR+7JknMCGoTrDr+/1
GEe3WRu0vT1iTavDtYqtt4SesABaL1k1cs9o/nSXuxg/P/GbEGLJuD5eMZRsOqPA
5HyNxTa5iQf5SUccOwM5S0Wo2KIQwhLYAmXT7nPJy4dWV7Uj9zf2mYrUbGR7Ovsn
SZ81wdCAJ5+9Qr0=
=nOl/
-----END PGP SIGNATURE-----
Attachment:
pgpXlB1ukEQf5.pgp
Description: PGP signature