FEDORA-2025-53bdd3139d — enhancement update for snapd

stable

snapd-2.71-0.fc43

FEDORA-2025-53bdd3139d created by zyga 4 months ago for Fedora 43

FDE: auto-repair when recovery key is used
FDE: revoke keys on shim update
FDE: revoke old TPM keys when dbx has been updated
FDE: do not reseal FDE hook keys every time
FDE: store keys in the kernel keyring when installing from initrd
FDE: allow disabled DMA on Core
FDE: snap-bootstrap: do not check for partition in scan-disk on CVM
FDE: support secboot preinstall check for 25.10+ hybrid installs via the /v2/system/{label} endpoint
FDE: support generating recovery key at install time via the /v2/systems/{label} endpoint
FDE: update passphrase quality check at install time via the /v2/systems/{label} endpoint
FDE: support replacing recovery key at runtime via the new /v2/system-volumes endpoint
FDE: support checking recovery keys at runtime via the /v2/system- volumes endpoint
FDE: support enumerating keyslots at runtime via the /v2/system- volumes endpoint
FDE: support changing passphrase at runtime via the /v2/system- volumes endpoint
FDE: support passphrase quality check at runtime via the /v2/system-volumes endpoint
FDE: update secboot to revision 3e181c8edf0f
Confdb: support lists and indexed paths on read and write
Confdb: alias references must be wrapped in brackets
Confdb: support indexed paths in confdb-schema assertion
Confdb: make API errors consistent with options
Confdb: fetch confdb-schema assertion on access
Confdb: prevent --previous from being used in read-side hooks
Components: fix snap command with multiple components
Components: set revision of seed components to x1
Components: unmount extra kernel-modules components mounts
AppArmor Prompting: add lifespan "session" for prompting rules
AppArmor Prompting: support restoring prompts after snapd restart
AppArmor Prompting: limit the extra information included in probed AppArmor features and system key
Notices: refactor notice state internals
SELinux: look for restorecon/matchpathcon at all known locations rather than current PATH
SELinux: update policy to allow watching cgroups (for RAA), and talking to user session agents (service mgmt/refresh)
Refresh App Awareness: Fix unexpected inotify file descriptor cleanup
snap-confine: workaround for glibc fchmodat() fallback and handle ENOSYS
snap-confine: add support for host policy for limiting users able to run snaps
LP: #2114923 Reject system key mismatch advise when not yet seeded
Use separate lanes for essential and non-essential snaps during seeding and allow non-essential installs to retry
Fix bug preventing remodel from core18 to core18 when snapd snap is unchanged
LP: #2112551 Make removal of last active revision of a snap equal to snap remove
LP: #2114779 Allow non-gpt in fallback mode to support RPi
Switch from using systemd LogNamespace to manually controlled journal quotas
Change snap command trace logging to only log the command names
Grant desktop-launch access to /v2/snaps
Update code for creating the snap journal stream
Switch from using core to snapd snap for snap debug connectivity
LP: #2112544 Fix offline remodel case where we switched to a channel without an actual refresh
LP: #2112332 Exclude snap/snapd/preseeding when generating preseed tarball
LP: #1952500 Fix snap command progress reporting
LP: #1849346 Interfaces: kerberos-tickets | add new interface
Interfaces: u2f | add support for Thetis Pro
Interfaces: u2f | add OneSpan device and fix older device
Interfaces: pipewire, audio-playback | support pipewire as system daemon
Interfaces: gpg-keys | allow access to GPG agent sockets
Interfaces: usb-gadget | add new interface
Interfaces: snap-fde-control, firmware-updater-support | add new interfaces to support FDE
Interfaces: timezone-control | extend to support timedatectl varlink
Interfaces: cpu-control | fix rules for accessing IRQ sysfs and procfs directories
Interfaces: microstack-support | allow SR-IOV attachments
Interfaces: modify AppArmor template to allow snaps to read their own systemd credentials
Interfaces: posix-mq | allow stat on /dev/mqueue
LP: #2098780 Interfaces: log-observe | add capability dac_read_search
Interfaces: block-devices | allow access to ZFS pools and datasets
LP: #2033883 Interfaces: block-devices | opt-in access to individual partitions
Interfaces: accel | add new interface to support accel kernel subsystem
Interfaces: shutdown | allow client to bind on its side of dbus socket
Interfaces: modify seccomp template to allow pwritev2
Interfaces: modify AppArmor template to allow reading /proc/sys/fs/nr_open
Packaging: drop snap.failure service for openSUSE
Packaging: add SELinux support for openSUSE
Packaging: disable optee when using nooptee build tag
Packaging: add support for static PIE builds in snapd.mk, drop pie.patch from openSUSE
Packaging: add libcap2-bin runtime dependency for ubuntu-16.04
Packaging: use snapd.mk for packaging on Fedora
Packaging: exclude .git directory
Packaging: fix DPKG_PARSECHANGELOG assignment
Packaging: fix building on Fedora with dpkg installed

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2025-53bdd3139d

This update has been submitted for testing by zyga.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

zyga edited this update.

4 months ago

This update has been pushed to testing.

4 months ago

This update has been submitted for stable by bodhi.

There is an ongoing freeze; this will be pushed to stable after the freeze is over.

4 months ago

This update has been pushed to stable.

4 months ago

Please log in to add feedback.

Metadata

Type

enhancement

Karma

Signed

Content Type

RPM

Test Gating

ignored

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

3 days

Dates

submitted

4 months ago

in testing

4 months ago

in stable

4 months ago

modified

4 months ago

approved

4 months ago

Builds

snapd-2.71-0.fc43

Automated Test Results

ignored