2023.4

Probably the biggest thing here is a fix for
#4284
which affects Fedora Silverblue users.

User visible changes

• app: Add a global -q/--quiet flag by @cgwalters in #4384
• Add a "apply" (reboot) automatic update strategy by @cgwalters in #4392

Notable bugfixes

• Make output handling thread-local by @cgwalters in #4405

Other changes

• Fix typo in error log if initramfs generation fails by @plata in #4380

• rust/ffiutil: Drop dead GError code by @cgwalters in #4365

• lib: Use re-exported oci-spec from ostree-ext by @cgwalters in #4383

• tests/compose-image: Remove workaround as F38 commit reached stable by @jmarrero in #4376

• kargs: Simplify idempotent append and delete operations by @Razaloc in #4161

• scripts: Ignore kernel-redhat %posttrans scripts by @jlebon in #4386

• rust: Bump various crates && rust: Bump dependabot PR limit to 6 by @cgwalters in #4385

• upgrade: Split output lines for stored versus to-fetch by @cgwalters in #4394

• build(deps): bump serde from 1.0.160 to 1.0.162 by @dependabot in #4396

• build(deps): bump libc from 0.2.142 to 0.2.143 by @dependabot in #4395

• build(deps): bump rust-ini from 0.18.0 to 0.19.0 by @dependabot in #4397

• useradd: Add -M/--no-create-home by @cgwalters in #4399

• output: More daemon-side progress debugging by @cgwalters in #4402

• man/rpm-ostree: Document status switches by @jlebon in #4413

• client: Print when we're attaching to an existing transaction by @cgwalters in #4398

• tests: Drop ex from initramfs-etc by @cgwalters in #4406

• daemon: Add logging for invocations of non-txn methods by @cgwalters in #4404

• build(deps): bump serde from 1.0.162 to 1.0.163 by @dependabot in #4409

• tests/container: Update package fixtures to f38 by @cgwalters in #4414

• Regenerate cxx bindings by @cgwalters in #4416

• Release 2023.4 by @cgwalters in #4418

New Contributors

• @plata made their first contribution in #4380

Full Changelog: v2023.3...v2023.4

v2023.3

Notable changes this release:

Client

• New --enablerepo, --disablerepo, --setreleasever options on the cli. These allow
  users to enable specific repositories and set releasever when installing packages.

Daemon:

• Unconditionally authorize uid 0 first - unconditionally query the credentials via dbus-{daemon,broker} first, this should avoid errors that can occur if polkit isn't installed or running.

Colin Walters (13):
      main: Don't use timestamps and colors in tracing logs when running in systemd
      cached-sigs: Be compatible with `cosa build-fast`
      libtest: Hack around regression in journalctl
      tests/layering-fedorainfra: Bump to newer systemd
      core: Don't try to load rpm IMA sigs client side unless requested
      main: Don't write colors to non-ttys
      Bump tokio to 1.26
      daemon: Unconditionally authorize uid 0 first
      progress: Add more logging/tracing
      console: Also print which task is being overwritten
      build: Allow GLib 2.70, also `-Wno-error=deprecated-declarations`
      Cargo.lock: Bump many dependencies
      deny: Allow Unicode-DFS-2016

Jan Macku (2):
      ci: trigger `differential-shellcheck` workflow on `push`
      ci(fix): add missing permissions - `security-events`

Joseph Marrero (8):
      rust/src/scripts: ignore rt and automotive debug scripts.
      tests/vmcheck/test-override-kernel: account for kernel-modules-core
      treefile: Add enablerepo/disablerepo/setreleasever cli options
      treefile: cleanup enable_repo function
      test-container: Add test for enablerepo,disablerepo and releasever
      ci: Make sure cxx code is clang-formatted
      ci: Update tests for Fedora 38
      Release 2023.3

Timothée Ravier (1):
      docs: Use upstream theme & update to 0.4.1

Full Changelog: v2023.2...v2023.3

v2023.2

Notable changes this release:

Client

• New --compare-with-build option on the cli Uses the ostree container library to compare OCI compliant images.

Compose

• New --copy-retry-times option to specify the amount of times we retry when copying images fails.

Daemon:

• Support LockLayering=true configuration option that provides an easy way for a sysadmin to disable all package layering and initramfs customizations.
• Use a socket in /run, require non-abstract. The new glib changed to use non-abstract sockets by default, which broke us.

Colin Walters (11):
      Update ostree-ext, use version API
      compose/image: Add `--copy-retry-times`
      core: Add some more debugging and error info around repos
      treefile: Return `.` instead of `""` for parent directory
      ci: Stop using Fedora 32
      main: Drop deprecated `container-encapsulate` entrypoint
      Drop `ex-container` entrypoint
      daemon: Use a socket in `/run`, require non-abstract
      ci: Use `cosa kola` to properly set `ARTIFACT_DIR`
      spec: Add `Requires: /usr/bin/setpriv`
      Bump ostree-ext

Jonathan Lebon (1):
      Support `LockLayering=true` config knob

Joseph Marrero (1):
      rust/src/scripts.rs: ignore posttrans for kernel-rt-core

RishabhSaini (1):
      Add --compare-with-build to cli Uses the ostree container library to comapre OCI compliant images

Thorsten Leemhuis (1):
      docs: adjust to new location of kernel-vanilla-repos

Full Changelog: v2023.1...v2023.2

v2023.1

Client

• Log when a client joins an existing transaction.
• Fix local initramfs regeneration on systems composed with
  boot-location: new.
• Fix container flow in Turkish locales ( #4237 )

Compose

• Loosen lockfile semantics so that a missing locked package does not trigger
  an error unless the compose requires it.
• Drop support for locking by source packages.

Internals

• Update workflow actions to Fedora 37.
• Replace unmaintained actions-rs/toolchain with dtolnay/rust-toolchain.
• Add more error-prefixing in passwd, kernel, and cleanup-related paths.
• Add container-based upgrade test via Prow.

Benjamin Gilbert (2):
      workflows: update actions to current major versions
      workflows: replace actions-rs/toolchain with dtolnay/rust-toolchain

Colin Walters (8):
      ci: Add infrastructure for use with Prow upgrade testing
      passwd: Add various error prefixing
      sysroot: Log when client joins an existing transaction
      Update to ostree-ext 0.10.4
      tests/upgrades: Disable zincati
      Add a `try_fail_point!` macro and use it in more places
      kernel: Add some error prefixing
      cleanup: Add some error prefixing

Jonathan Lebon (11):
      core: Disable modules earlier
      core: Allow lockfiles to reference missing package names
      libpriv/kernel: fix kver parsing from vmlinuz in /boot and /usr/lib/ostree-boot
      .gitignore: add clangd-related files
      compose: Drop support for `source-packages` in lockfiles
      core: Further loosen lockfile handling
      Revert ".gitignore: add clangd-related files"
      Release 2023.1

2022.19

What's Changed

• daemon: Add logging of sysroot load and locking times by @cgwalters in #4219
• client: Add some more error prefixing by @cgwalters in #4221
• encapsulate: Add --copymeta-opt by @cgwalters in #4222
• Two minor staticanalysis fixes by @cgwalters in #4225
• docs/rebase: Document rebasing to a container image by @cgwalters in #4223
• client: Bump most dbus method timeouts to 5 minutes by @cgwalters in #4224
• build(deps): bump libdnf from e4452b1 to 82c59ef by @dependabot in #4229
• build(deps): bump serde from 1.0.148 to 1.0.151 by @dependabot in #4231
• build(deps): bump envsubst from 0.2.0 to 0.2.1 by @dependabot in #4232
• sysroot: Fix conflicting authentication options && build: Release 2022.19 by @cgwalters in #4233

Full Changelog: v2022.18...v2022.19

2022.18

What's Changed

• Finish porting to cap-std by @cgwalters in #4212
• packaging: Upgrade skopeo to a requirement by @cgwalters in #4211
• A few CI updates by @cgwalters in #4210
• ci: Verify package layering across upgrades by @cgwalters in #4217
• Print message when rpm-ostree initramfs --disable is run by @kenneth-dsouza in #4216
• Update to cap-std-ext 1.0.2 by @cgwalters in #4218
• Release 2022.18 by @cgwalters in #4220

New Contributors

• @kenneth-dsouza made their first contribution in #4216

Full Changelog: v2022.17...v2022.18

2022.17

This pulls in several notable fixes for the container flow
around image garbage collection.

Aside from that there's some cleanup to the initramfs
and initramfs-etc commands, a few documentation tweaks
and internal improvements.

Alessandro Di Stefano (1):
      Fix the treefiles reference link in ex-rebuild.md

Colin Walters (19):
      container-encapsulate: Format errors correctly
      composepost: Port symlink generation to cap-std
      composepost: Port rpmdb hardlinking to cap-std
      composepost: Handle existing absolute symlinks
      cxxrsutil: Drop use of `&mut` in `gobj_wrap()`
      Prune container image layers during cleanup too
      Update to ostree-ext 0.10, glib 0.16, cap-std 1.0
      sysroot: Centralize layer prune + logging
      lockfile: Port to non-deprecated chrono APIs
      upgrader: Can't currently check-only in container flow
      upgrade: Make image pruning idempotent
      override: Honor `--install` in container case too
      docs: Document registry auth
      composepost: Port selinux timestamp tweaks to cap-std
      README.md: More clearly link to container bits
      Use default `all` rule for bindings
      daemon: Make failure to query base image non-fatal
      Update to ostree-ext 0.10.1
      Release 2022.17

Jonathan Lebon (7):
      packaging/spec: Upstream "Disable LTO on 32 bits"
      packaging/spec: Drop el8-specific block
      docs: Make clearer that `initramfs --enable` involves dracut
      man: drop `ex` prefix on initramfs-etc command
      man: move `initramfs-etc` to right after `initramfs`
      man: mention `initramfs-etc` in `initramfs` docs
      app: Make `initramfs-etc` help string more explicit

Joseph Marrero (1):
      cliwrap/kernel_install: use original systemctl when running dracut

Luca BRUNO (1):
      importer: fix translation of top directories

dependabot[bot] (11):
      build(deps): bump futures from 0.3.24 to 0.3.25
      build(deps): bump cxx from 1.0.79 to 1.0.82
      build(deps): bump libc from 0.2.135 to 0.2.137
      build(deps): bump serde_json from 1.0.87 to 1.0.89
      build(deps): bump rayon from 1.5.3 to 1.6.0
      build(deps): bump serde from 1.0.147 to 1.0.148
      build(deps): bump chrono from 0.4.22 to 0.4.23
      build(deps): bump cxx-build from 1.0.81 to 1.0.83
      build(deps): bump indicatif from 0.17.1 to 0.17.2
      build(deps): bump rustix from 0.36.4 to 0.36.5
      build(deps): bump openssl from 0.10.42 to 0.10.44

-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg5CRAd4pqfdf6DWMgvDhrcq1x8Q
gQPSQHIoZaiiRTt68AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
AAAAQD49w7kXNafZSiQJIcmKNYfvPfme48c/GqcA+unajguEpGUYcmOw41r+G+a5CcsNB8
n6kzgDJKcHL6uL5C9GJgE=
-----END SSH SIGNATURE-----

v2022.16

Client

• Rebasing to a container refspec has now been declared stable and no longer
  requires the --experimental flag.
• Include version in rpm-ostree status output even when deployed from a
  container.
• Improve container-related documentation.
• Prune previous container payloads during rebase.

Compose

• Support a new repovars experimental treefile key. This key feeds into the
  librepo URL variable substitution logic. This is useful for the case where the
  same repo files are used by multiple streams and e.g. the baseurl needs to
  be templated by more than just releasever and basearch.
• Support rpm-ostree compose image --label to directly add labels to the OCI
  image.
• Workaround a recent semanage bug causing the SELinux policy to be recompiled
  on client systems even when unneeded. If you've been using Fedora 37 before
  GA, your system may be unnecessarily carrying a customized SELinux policy.
  This is harmless (base policy updates still take effect) but less efficient.
  You can get back to the original policy by following
  these steps.
• Make container: true imply more appropriate defaults like selinux: false
  and tmp-is-dir: true.

Internals

• Update CI to Fedora 37.
• Fix some new compiler warnings.
• Port more Rust code from openat to cap-std
• Improve error-reporting in importer path.
• Stop using deprecated interrupt safety librpm API on rpm 4.18 and newer.
• Fix a memory leak in the core.

Colin Walters (27):
      tests/override-kernel: Adapt for Linux kernels newer than 5
      ci: Fix references to old FCOS location
      util: Fix `-fpermissive` warning
      Add version to status even for containers
      treefile: Make `container: true` opt-in to saner defaults
      build-sys: Don't delete systemd units in `make clean`
      Update to ostree-ext 0.9
      docs/container: Flesh out a bit more and tweak
      Stabilize container functionality
      docs/container: Explain you can upgrade too
      Always use merge commit for container deployments
      compose/image: Add `--label`
      Update to ostree-ext v0.9.1
      daemon: Query container image commit
      When rebasing, prune previous container by default
      composepost: Port a few bits to cap-std
      composepost: Port default target bits to cap-std
      composepost: Port remove files handling to cap-std
      composepost: Port script function to cap-std
      composepost: Port rpmdb symlinking to cap-std
      composepost: Port os-release handling to cap-std
      composepost: Port outer wrapper function to cap-std
      composepost: Port one test to cap-std
      composepost: Port directory size computation to cap-std
      composepost: Port altfiles mutation to cap-std
      build: Compile with rpm 4.18
      packaging/spec: Add a dummy changelog

Jonathan Lebon (11):
      libpriv/postprocess: work around semanage bug
      ci: Update for Fedora 37
      ci: Run "Build Integration Test Data" GHA privileged
      core: Plug leak in vars dir handling
      rust/extensions: Copy `directory` field to generated treefile
      app/compose: Factor out helper to set repos dir
      app/compose: Clear out vars dir
      treefile: Support `repovars` key
      Release 2022.16

Luca BRUNO (1):
      libpriv/importer: bubble up filepath errors

v2022.15

The biggest feature here is that in the new container-native
flow, installing packages that invoke useradd will by
default generate systemd-sysusers fragments. This means
that e.g. RUN rpm-ostree install libvirt in a Dockerfile
will still end up with the qemu user client side.

There's also a notable bugfix for unauthenticated container
fetches.

Also on the client side, there are new DBus APIs for
fetching package metadata, which will be used by
e.g. gnome-software.

• ci: migrate to new directory and method names by @jlebon in #4089

• composepost: Drop unnecessary injection of presets by @cgwalters in #4087

• build(deps): bump cxx from 1.0.76 to 1.0.78 by @dependabot in #4073

• build(deps): bump cxx-build from 1.0.76 to 1.0.78 by @dependabot in #4072

• Update to ostree-ext 0.8.8 by @cgwalters in #4091

• app: Improve error-prefixing in local RPM file handling by @jlebon in #4100

• build(deps): bump libglnx from 26375b5 to e701578 by @dependabot in #4093

• build(deps): bump cxx from 1.0.78 to 1.0.79 by @dependabot in #4094

• daemon: Implement ListRepos method by @mcrha in #4097

• status: Make --booted --json do the expected thing together by @cgwalters in #4090

• build(deps): bump serde_yaml from 0.9.13 to 0.9.14 by @dependabot in #4102

• build(deps): bump cxx-build from 1.0.78 to 1.0.80 by @dependabot in #4104

• build(deps): bump serde_json from 1.0.86 to 1.0.87 by @dependabot in #4103

• architecture: Document /var by @cgwalters in #4105

• Rework useradd(etc) sysusers integration to work in container flow by @cgwalters in #4092

• daemon: Implement WhatProvides and GetPackages methods by @mcrha in #4099

• 📝 Fix typo by @major in #4106

• ci: use Containerfile instead of Dockerfile by @jmarrero in #4109

• deploy: Don't crash if no revision specified with --register-driver by @cgwalters in #4112

• Update to ostree-ext 0.8.9 by @cgwalters in #4108

• Release 2022.15 by @cgwalters in #4117

• @major made their first contribution in #4106

Git-EVTag-v0-SHA512: 0bcda4f74d0cf9caef533d1d14a4742c347bf46b48c3a57b63ed74a1a1b3ee31d2eb70a9a5d988387f9f2a817ed165cf3096783a25cfeac2c3e6f524e747fdc2

v2022.14

Release 2022.14

Client

• rpm-ostree apply-live now prints out systemd units that changed

Container

• It's no longer necessary to rpm-ostree cliwrap --enable in a Dockerfile when overriding the kernel.
• The initramfs generated in containers now includes device files.
• A change to encapsulate at format version 1 by default was made. This moves towards deprecating version 0 in future releases.
• Related to this, the client now explicitly warns loudly if it encounters a format v0 image.

Compose

• The metadata field now correctly functions with inheritance.
• Container whiteouts found at build time are now converted to be generated at ostree deployment time
• new configuration options to enable individual cliwraps.

Internals

• rpm-ostree remove can now be used inside a container as well as using it via dnf/yum compatibility layer i.e. dnf remove.

Akihiko Odaki (1):
      core: Get the kernel version from the kernel path

Colin Walters (41):
      container: Add progress spinners to `compose container-encapsulate`
      build: Ignore changes to `metadata`
      core: Initialize unprivileged member variable
      core: Add an API to deinitialize libdnf
      core: Also only set bootable metadata if `!container`
      Add `compose image`
      cliwrap/rpm: Don't drop privileges in a container image
      cliwrap/yumdnf: Add `dnf image apply-live`
      pkg: Make `rpm-ostree remove` functional in a container
      cliwrap/yumdnf: Implement `remove`
      client: Fix some unused variable warnings
      build-sys: Disable LTO by default
      compose: stop passing JSON treefile to function computing checksum
      compose: Add `cliwrap-binaries`
      ci: Tweaks for stopping infra container
      compose-image: Add `--layer-repo` option
      core: Make checksum API support caller picking the algorithm
      Deduplicate code to compute state digest
      tests/container-image: Add another fast compression, bump timeout
      treefile: Merge metadata field
      tests: Use `--offline` for second build
      rust: Update to ostree-rs-ext 0.8.5
      compose-image: Support `--lockfile`
      compose-image: Print diff of layers
      rust: Update to ostree-ext 0.8.6
      docs: Describe `compose image`
      container: Ensure unprivileged fetch can read `/run/ostree/auth.json`
      docs/experimental: Describe `ex rebuild`
      rust: Bump ostree-ext
      override: Don't crash if argument produces no file descriptors
      tests: Add a helper to go more fully offline
      cliwrap: Also inject /dev/random into cliwrap'd dracut
      container: Encapsulate at format version 1 by default
      rebuild: Fix logic for container-only handling
      compose: Handle embedded whiteouts
      container: Enable wrappers duing transaction
      upgrade: Warn and sleep if we find a deprecated v0 format container
      tests: Bump memory requests to work around Fedora repodata size
      ci: Adjust limits for bumping memory
      systemctl-wrapper: Pass through usage of --root directly
      ci: Add a test case for container builds

Jan Macku (1):
      ci(lint): add shell linter - Differential ShellCheck

Jonathan Lebon (2):
      core: Filter for latest when downloading packages
      ci: Request more memory for RPM building

Joseph Marrero (2):
      ridiculous-rhel-devel-workaround: use yum localinstall instead of rpm -U
      rust/src/client: change container test to use environment variable

Luca BRUNO (2):
      libpriv/utils: add some non-null assertions
      libdnf-sys: remove incorrect noexcept

RishabhSaini (1):
      apply-live: Invoke `systemctl daemon-reload` after unit files change

New Contributors

• @akihikodaki made their first contribution in #4038)
• @jamacku made their first contribution in #4008

Full Changelog: v2022.13...v2022.14