snapd (2.76+ubuntu26.10.1) stonking; urgency=medium

  * New upstream release, LP: #2154498
    - assertions: add helper for validating integrity data
    - assertions: drop incorrect/non-standard Ed25519 support
    - confdb: allow only API admin read access to confdb secrets
    - confdb: block concurrent confdb accesses
    - confdb: block concurrent snapctl accesses to configuration
      database
    - confdb: check for ephemeral data when missing save-view hook on
      commit
    - confdb: ignore not-found errors in confdb-schema refreshes
    - confdb: support --wait-for timeouts when accessing confdb
    - core-initrd: add group referenced in udev rules
    - core-initrd: add libbpf dependency to initramfs
    - core-initrd: add missing libbpf dependency in 24.04 packaging
    - core-initrd: ensure audio is a system group
    - core-initrd: fix /boot/uboot mount with u-boot env in dedicated
      partition
    - core-initrd: increase mount burst from 5 to 128 for faster boot
    - core-initrd: sync partition udev rules with the ones in core-base
    - core-initrd: sync with latest upload to snappy-dev PPA
    - core-initrd: synchronize changelogs with latest PPA upload
    - core-initrd: update changelog with latest PPA upload
    - core-initrd: add nfnetlink module to fix nf netlink
      socket speed regression (Ubuntu Core only)
    - cross-distro: allow snapd to manipulate systemd unit files in
      SELinux policy
    - cross-distro: FIPS bootstrap and dispatch via snap-fips-dispatch
    - desktop: fix common ID selection with multiple desktop plugs
    - FDE: allow user mode on core in secboot TPM handling
    - FDE: bump go-efilib dependency
    - FDE: bump secboot to rev cdcb64992e54 for FDE fixes
    - FDE: deprecate check-pin/passphrase API endpoints
    - LP: #2147606 FDE: give inactive state on classic
    - FDE: improve tracing for OP-TEE probing
    - FDE: move auto-repair logic to overlord/fdestate and provide state
    - FDE: update secboot for TPM/FDE bug fixes including Intel HAP and
      recovery key parsing
    - FDE: use any primary key matching digest when adding a keyslot
    - FDE: use ignore action for preinstall check in VM
    - interfaces: bluez | drop explicit deny send_destination in D-Bus
      configuration
    - interfaces: conditionally deny /proc/self/mountinfo to suppress Go
      1.25+ denials
    - interfaces: custom-device | fix for-device validation panic on
      non-string value
    - interfaces: disallow auto-connect to parallel installs
    - interfaces: docker | make plug implicit on classic systems
    - interfaces: ignore errors in disconnect hooks during explicit snap
      disconnect
    - interfaces: mediatek-accel | add plug interface base declaration
    - interfaces: microceph-support | suppress noisy sudo denial audit
      logs
    - interfaces: podman | add new interface for podman socket access
    - interfaces: pulseaudio | fix security tag syntax inconsistency
    - interfaces: raw-usb | allow USB device enumeration on Fairphone 5
      with NexDock
    - interfaces: restore auto-connections on failed refresh undo
    - LP: #2148544 interfaces: bool-file | support deep SoC sysfs paths
      for LED brightness
    - LP: #2139213 packaging: make Ubuntu 16.04 packaging dep17
      compliant
    - packaging: add cross-distro build script and instructions
    - packaging: add openSUSE 16.0 spread support
    - packaging: Debian build improvements
    - packaging: default openSUSE to /var/lib/snapd/snap and sync from
      downstream
    - packaging: drop transitional packages only for Ubuntu 26.04
      (Resolute)
    - packaging: fix Launchpad FIPS build detection for snapd-fips job
    - packaging: refactor and clean up snapd.mk, standardize test-data
      directories
    - packaging: switch to golang-github-chai2010-gettext-go-dev
    - packaging: update bundled AppArmor 4.1.7 (snapd snap only)
    - prompting: escape paths in prompt constraints
    - prompting: improve API error handling and validation
    - prompting: improve error message when no handler service is
      present
    - prompting: re-enable the prompting notice backend
    - prompting: respond with full user-allowed permission set
    - prompting: validate permissions while unmarshalling
    - remote device management: implement dispatch-mgmt-messages task
      with sequencing support
    - LP: #2125344 snap: avoid empty channel forwarding message
    - LP: #2150683 snap: clarify snap install help text for --classic
      and --devmode
    - LP: #2152908 snap: print complex attributes in snap interface
      --attrs output
    - snap: add run-inhibit hint and inhibit info when a snap is
      disabled
    - snap: allow removing a snap and its base at the same time
    - snap: display detailed component information in snap info
    - snap: extend AlreadyInstalledError to multiple snaps and
      components
    - snap: extend set-quota command options description with accepted
      value formats
    - snap: implement snap delta command for computing snap deltas
    - snap: improve consistency for snap install when some snaps are
      already installed
    - snap: show hint in snap list that a snap has components
    - snap-confine: allow inheriting unix sockets from snaps
    - snap-confine: allow linking to libm in AppArmor profile
    - snap-confine: fix out-of-bounds read in mountinfo parser for
      partial escape sequences
    - snap-confine: harden bpffs mount with nosuid, nodev, noexec flags
    - snap-confine: remove experimental persistent per-user mount
      namespace feature
    - snap-confine: set FD_CLOEXEC on file descriptors returned by BPF
      helpers
    - snap-confine: support transparent_hugepage in AppArmor profile
    - snap-confine: use strchr after NUL-terminating in infofile parser
    - snap-update-ns: switch to a multi-pass process for constructing
      and updating mount namespaces
    - RemoveMountUnitFile now unmounts even if mount unit file is
      missing
    - Add explicit mount phase during single-reboot refresh to fix undo
      of kernel refreshes
    - Add security audit logging subsystem
    - Add base prioritized AppArmmor snippets for strictly confined or
      jailed snaps
    - Allow openshell snap to use experimental daemon-scope: user
    - Allow configuring mount unit options based on filesystem type
    - Allow equals signs in uevent values in netlink parser
    - Also bind-mount directories modified by kmod backend during
      preseed
    - Clean up potentially corrupted files during snap download undo
    - Complete the bootloader environment implementation
    - Copy integrity data files during snap install
    - Create hook for seed refresh mode
    - Create removal tasks for old seed-refresh seeds
    - Dispatch systemctl commands asynchronously when calling Stop()
    - Ensure /tmp/.X11-unix created inside mount namespace has correct
      permissions
    - Ensure exclusive changes conflict with refresh/revert
    - Ensure existing snap confinement flags are not dropped when
      installing or removing components
    - Export ubuntu-boot-state filename constant from bootloader package
    - Fix duplicate removal of apps under $SNAP_MOUNT_DIR/bin
    - Fix integration between prerequisites task and seed-refresh mode
    - Fix split-refresh overwriting provided lane
    - Fix use of umask in GetListener for socket activation
    - Ignore net.ErrClosed during daemon shutdown
    - Implement ResolveValidationSetsEnforcementError in terms of one
      call
    - Improve snapctl install consistency when components are already
      installed
    - Inject seed creation tasks into snap refresh flow
    - Introduce system options for custom certificates on Ubuntu Core
    - Keep idle services with activation units stopped on reload
    - List snap components in snap-debug-info via debug-tools
    - Look at gadget.yaml instead of marker file to determine ubootpart
      usage
    - LP: #1966067 Skip redundant xdg-settings confirmation prompt when
      setting is already correct
    - LP: #2110368 Fix component installation for private snaps via
      snapctl
    - LP: #2110368 Fix download of private snap components by setting
      UserID
    - LP: #2144666 Fix mount namespace updates with synthetic bind
      mounts on same target paths
    - LP: #2146337 Improve handling of failed downloads and retain
      partial files for resume
    - LP: #2147207 Fix snap enable/disable cycle forgetting components
    - Make run-inhibit hint for kill-snap-apps task based on kill reason
    - Merge content-provider prerequisite updates into seed-refresh
    - Move SortServices into Backend.StartServices
    - Move state to client change conversion to ctlcmd package
    - Omit misleading "try to refresh snapd" suggestion for ISA-related
      errors
    - Only create link-component tasks when needed during refresh to
      existing revision
    - Reconfigure piboot bootloader on gadget refreshes to preserve
      os_prefix
    - Reduce the number of AppArmor profile regenerations during snap
      operations
    - Refactor seed-refresh ownership to devicestate
    - Regenerate certificate database on remodels
    - Remove obsolete FIXME comment in VersionCompare
    - Remove unused GenerateDmVerityData helper from snap/integrity
    - Rename and document error type for ISA assumes flags
    - Restart snapd from daemon.Stop to improve restart reliability
    - Restart stopped services on error in stopSnapServices for
      transactionality
    - Simplify certificate-db updates on model-base refresh/installs
    - Support racing Loop and Stop correctly in overlord
    - Support sending file descriptors to systemd via sd_notify
    - Unroll CPU-heavy recursive function in snap state handlers
    - Update seccomp syscalls list for kernel 7.1.0
    - Use change ID to prevent nested seed-refresh spawned by
      prerequisites
    - Validate content interface plug target directories exist for
      core26+ snaps
    - Validate layout paths exist in snap tree for snaps using bare or
      core26+

 -- Ernest Lotter <ernest.lotter@canonical.com>  Thu, 28 May 2026 20:00:16 +0200

snapd (2.75.2+ubuntu26.10) stonking; urgency=medium

  * New upstream release, LP: #2143882
    - Interfaces: network-setup-*| allow running python binaries from
      the base on UC26+
    - Cross-distro: modify SELinux policy to allow mounting on
      /var/snap/<snap>/<rev>
    - Fix potential task deadlock by considering all tasks in a lane
      that might be waiting for a reboot when processing delayed
      security backend effects

 -- Katie May <katie.may@canonical.com>  Mon, 30 Mar 2026 17:06:36 +0200

snapd (2.74.1+ubuntu26.10.4) resolute; urgency=medium

  * New upstream release, LP: #2138629
    - LP: #2147645 FDE: secboot fixes

 -- Ernest Lotter <ernest.lotter@canonical.com>  Thu, 14 Apr 2026 09:30:00 +0200

snapd (2.74.1+ubuntu26.04.3) resolute; urgency=medium

  * New upstream release, LP: #2138629
    - FDE: secboot fixes
    - Security: CVE-2026-3888
    - Packaging: fix deb package version number
    - Packaging: fix autopkgtest failure to install spread

 -- Ernest Lotter <ernest.lotter@canonical.com>  Thu, 24 Mar 2026 13:46:00 +0200

snapd (2.74.1+ubuntu26.04) resolute; urgency=medium

  * New upstream release, LP: #2138629
    - FDE: measure DeployedMode and AuditMode variables if they appear
      as disabled in the event log to avoid a potential reseal-failure
      boot loop
    - LP: #2141328 FDE: reuse preinstall check context during install to
      account for user-ignored errors
    - LP: #2139611 FDE: fix db updates by allowing multiple payloads
    - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising
      memory lock limit when required
    - LP: #2139099 snap-confine: bump the max element count of the BPF
      map used to store IDs of allowed/matched devices to 1000
    - LP: #2141607 Desktop: revert change that caused user daemons
      declaring the desktop plug to implicitly depend on graphical-
      session.target
    - Interfaces: Added pidfd_open and memfd_secret to seccomp template
    - Interfaces: camera | add locking permission for /dev/video

 -- Ernest Lotter <ernest.lotter@canonical.com>  Thu, 12 Feb 2026 21:27:23 +0200

snapd (2.74+ubuntu26.04) resolute; urgency=medium

  * New upstream release, LP: #2138629
    - FDE: use new activation API from secboot
    - FDE: use activation API also with non keydata keys
    - FDE: ignore internal recovery key expiration during install
    - FDE: support adding/removing PINs post-installation
    - FDE: support changing PINs post-installation
    - FDE: support adding a recovery key post-installation
    - FDE: provide activation status via new endpoint v2/system-
      info/storage-encrypted
    - FDE: support sealing and resealing using the preinstall check
      result
    - FDE: disable passphrase support during install
    - FDE: add keyboard configuration helpers
    - FDE: lazily inject keyboard layout configuration in kernel cmdline
    - FDE: enable pin tries and limits PIN entry attempts to 3
    - FDE: extend secureboot endpoint to accept DB, KEK, and PK
    - FDE: simplify /v2/system-volumes keyslots handling by allowing
      name-only entries, implicitly expanding to all system containers
    - FDE: support extra non-system key slot names to support agents
      such as Landscape to set dedicated recovery keys
    - FDE: initialize fde state after device state
    - FDE: use device node to find the storage container and keys
    - FDE: provide user visible name for disk based on ID_MODEL
    - FDE: update secboot in snapd with latest additions and fixes
    - core-initrd: add systemd service for setting plymouth keyboard
      layout and X11 keyboard layouts
    - core-initrd: set plymouth cleartext toggle option
    - core-initrd: fix plymouth missing font issue
    - core-initrd: update dependency from libteec1 to libteec2
    - core-initrd: add new dlopened libs
    - LP: #2116949 Preseeding: add support for preseeding of hybrid
      systems via the installer API$
    - Preseeding: check whether a path is a mountpoint before remounting
    - Confdb: support tagging paths as secret in storage schemas
    - Confdb: support filtering on placeholder sub-keys
    - Confdb: support filtering in API and confdbstate
    - Confdb: support field filtering on reads
    - Confdb: support "parameters" stanza and check filters against them
    - Confdb: add support for '--with' contraints
    - Confdb: parsing fixes and error handling improvements
    - Assertions: restrict serials to new format in confdb-control
    - Assertions: add verify signature function
    - Remote device management: modify request-message assertion to
      expose its time constraints for remote device management
    - Remote device management: support polling of store messages
    - Remote device management: add signing of response messages with
      device key
    - Prompting: enable notify protocol v5 and test prompt restoration
      after snapd restart
    - snap: change malformed '--channel=' warning to error
    - snap: add 'snap report-issue' command to get the available contact
      details for the specified snap
    - snap: add 'snap version --verbose' flag to include information on
      snap binaries origin
    - snap: create the XDG_RUNTIME_DIR folder
    - LP: #2068493 snap: add support for 'snap refresh --tracking'
    - snapctl: add '--tracking' flag to 'snapctl refresh'
    - Reexec: include the info filepath in the version compare debug log
    - Reexec: add support for forcing reexec into and older snapd snap
      by setting SNAP_REEXEC=force in the environment
    - snap-confine: correct error message related to snap-confine group
      policy validation
    - snap-confine: ensure we only mount existing directories
    - LP: #2134364 snap-confine: handle potential race when creating
      /tmp/snap-private-tmp when lacking systemd-tmpfiles support
    - snap-confine: filter plus characters from security tags
    - Desktop: use desktop file IDs as desktop IDs
    - Desktop: store the common ID in the desktop file
    - Desktop: allow graphical daemons to show icons in the dock
    - Desktop: change user daemons with desktop plug defined to depend
      on graphical-session.target
    - dm-verity for essential snaps: made change to prerequisite struct
    - Cross-distro: modify SELinux profile to allow connecting to squid
      proxy
    - Cross-distro: add support for migrating snap mount directory
    - Packaging: drop ubuntu-14.04 packaging
    - Packaging: drop ubuntu-{14.04,16.04} transitional binary packages
    - Packaging: remove desktop files and state lock file during snapd
      purge
    - Packaging: fix inhibition hint file being left behind on failed
      unlink-current-snap
    - Disallow timeouts < 1us in systemd units
    - Add snap-store to the user-daemons support overrides
    - Support for SuccessExitStatus= generation for systemd daemon
    - Make standby output more verbose
    - Add prepare-serial-request hook
    - Try to discard snap mount namespaces when no processes are running
      during snap updates
    - Improve handling of snap downloads cache by introducing periodic
      cleanup with more aggressive policy
    - Interfaces: mediatek-accel | create new interface
    - Interfaces: nvidia-video-driver-libs | create new interface
    - Interfaces: *-driver-libs | accept component paths
    - Interfaces: desktop-legacy, unity7 | remove workaround for slash
      filtering in ibus address
    - Interfaces: fwupd | allow writing reboot notification in /run
    - Interfaces: add 'install' coreutil to base AppArmor template
    - Interfaces: u2f-devices | add apparmor permissions to allow the
      use of the libfido2 library in snaps
    - Interfaces: u2f-devices | add support for Thetis security key
    - Interfaces: add AppArmor workaround for mmap MAP_HUGETLB
    - Interfaces: timeserver-control | manage per-link ntp settings via
      systemd-networkd

 -- Ernest Lotter <ernest.lotter@canonical.com>  Tue, 20 Jan 2026 18:54:17 +0200

snapd (2.73+ubuntu26.04) resolute; urgency=medium

  * New upstream release, LP: #2132084
    - FDE: do not save incomplete FDE state when resealing was skipped
    - FDE: warn of inconsistent primary or policy counter
    - Confdb: document confdb in snapctl help messages
    - Confdb: only confdb hooks wait if snaps are disabled
    - Confdb: relax confdb change conflict checks
    - Confdb: remove empty parent when removing last leaf
    - Confdb: support parsing field filters
    - Confdb: wrap confdb write values under "values" key
    - dm-verity for essential snaps: add new naming convention for
      verity files
    - dm-verity for essential snaps: add snap integrity discovery
    - dm-verity for essential snaps: fix verity salt calculation
    - Assertions: add hardware identity assertion
    - Assertions: add integrity stanza in snap resources revisions
    - Assertions: add request message assertion required for remote
      device management
    - Assertions: add response-message assertion for secure remote
      device management
    - Assertions: expose WithStackedBackstore in RODatabase
    - Packaging: cross-distro | install upstream NEWS file into relevant
      snapd package doc directory
    - Packaging: cross-distro | tweak how the blocks injecting
      $SNAP_MOUNT_DIR/bin are generated as required for openSUSE
    - Packaging: remove deprecated snap-gdb-shim and all references now
      that snap run --gdb is unsupported and replaced by --gdbserver
    - Preseed: call systemd-tmpfiles instead handle-writable-paths on
      uc26
    - Preseed: do not remove the /snap dir but rather all its contents
      during reset
    - snap-confine: attach name derived from security tag to BPF maps
      and programs
    - snap-confine: ensure permitted capabilities match expectation
    - snap-confine: fix cached snap-confine profile cleanup to report
      the correct error instead of masking backend setup failures
    - snap-confine: Improve validation of user controlled paths
    - snap-confine: tighten snap cgroup checks to ensure a snap cannot
      start another snap in the same cgroup, preventing incorrect
      device-filter installation
    - core-initrd: add 26.04 ubuntu-core-initramfs package
    - core-initrd: add missing order dependency for setting default
      system files
    - core-initrd: avoid scanning loop and mmc boot partitions as the
      boot disk won't be any of these
    - core-initrd: make cpio a Depends and remove from Build-Depends
    - core-initrd: start plymouth sooner and reload when gadget is
      available
    - Cross-distro: modify syscheck to account for differences in
      openSUSE 16.0+
    - Validation sets: use in-flight validation sets when calling
      'snapctl install' from hook
    - Prompting: enable prompting for the camera interface
    - Prompting: remove polkit authentication when modifying/deleting
      prompting rules
    - LP: #2127189 Prompting: do not record notices for unchanged rules
      on snapd startup
    - AppArmor: add free and pidof to the template
    - AppArmor: adjust interfaces/profiles to cope with coreutils paths
    - Interfaces: add support for compatibility expressions
    - Interfaces: checkbox-support | complete overhaul
    - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-
      driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-
      driver-libs
    - Interfaces: allow snaps on classic access to nvidia graphics
      libraries exported by *-driver-libs interfaces
    - Interfaces: fwupd | broaden access to /boot/efi/EFI
    - Interfaces: gsettings | set dconf-service as profile for
      ca.desrt.dconf.Writer
    - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new
      interfaces
    - Interfaces: opengl | grant read/write permission to /run/nvidia-
      persistenced/socket
    - interfaces: ros-snapd-support | add access to /v2/changes/
    - Interfaces: system-observe | read access to btrfs/ext4/zfs
      filesystem information
    - Interfaces: system-trace | allow /sys/kernel/tracing/** rw
    - Interfaces: usb-gadget | add support for ffs mounts in attributes
    - Add autocompletion to run command
    - Introduce option for disallowing auto-connection of a specific
      interface
    - Only log errors for user service operations performed as a part of
      snap removal
    - Patch snap names in service requests for parallel installed snaps
    - Simplify traits for eMMC special partitions
    - Strip apparmor_parser from debug symbols shrinking snapd size by
      ~3MB
    - Fix InstallPathMany skipping refresh control
    - Fix waiting for GDB helper to stop before attaching gdbserver
    - Protect the per-snap tmp directory against being reaped by age
    - Prevent disabling base snaps to ensure dependent snaps can be
      removed
    - Modify API endpoint /v2/logs to reject n <= 0 (except for special
      case -1 meaning all)
    - Avoid potential deadlock when task is injected after the change
      was aborted
    - Avoid race between store download stream and cache cleanup
      executing in parallel when invoked by snap download task
    - LP: #1851490 Use "current" instead of revision number for icons
    - LP: #2121853 Add snapctl version command
    - LP: #2127214 Ensure no more than one partition on disk can match a
      gadget partition
    - LP: #2127244 snap-confine: update AppArmor profile to allow
      read/write to journal as workaround for snap-confine fd
      inheritance prevented by newer AppArmor
    - LP: #2127766 Add new tracing mechanism with independently running
      strace and shim synchronization

 -- Ernest Lotter <ernest.lotter@canonical.com>  Fri, 21 Nov 2025 09:08:02 +0200

snapd (2.72+ubuntu26.04.1) resolute; urgency=medium

  * New upstream release, LP: #2124239
    - FDE: support replacing TPM protected keys at runtime via the
      /v2/system-volumes endpoint
    - FDE: support secboot preinstall check fix actions for 25.10+
      hybrid installs via the /v2/system/{label} endpoint
    - FDE: tweak polkit message to remove jargon
    - FDE: ensure proper sealing with kernel command line defaults
    - FDE: provide generic reseal function
    - FDE: support using OPTEE for protecting keys, as an alternative to
      existing fde-setup hooks (Ubuntu Core only)
    - Confdb: 'snapctl get --view' supports passing default values
    - Confdb: content sub-rules in confdb-schemas inherit their parent
      rule's "access"
    - Confdb: make confdb error kinds used in API more generic
    - Confdb: fully support lists and indexed paths (including unset)
    - Prompting: add notice backend for prompting types (unused for now)
    - Prompting: include request cgroup in prompt
    - Prompting: handle unsupported xattrs
    - Prompting: add permission mapping for the camera interface
    - Notices: read notices from state without state lock
    - Notices: add methods to get notice fields and create, reoccur, and
      deepcopy notice
    - Notices: add notice manager to coordinate separate notice backends
    - Notices: support draining notices from state when notice backend
      registered as producer of a particular notice type
    - Notices: query notice manager from daemon instead of querying
      state for notices directly
    - Packaging: Ubuntu | ignore .git directory
    - Packaging: FIPS | bump deb Go FIPS to 1.23
    - Packaging: snap | bump FIPS toolchain to 1.23
    - Packaging: debian | sync most upstream changes
    - Packaging: debian-sid | depends on libcap2-bin for postint
    - Packaging: Fedora | drop fakeroot
    - Packaging: snap | modify snapd.mk to pass build tags when running
      unit tests
    - Packaging: snap | modify snapd.mk to pass nooptee build tag
    - Packaging: modify Makefile.am to fix snap-confine install profile
      with 'make hack'
    - Packaging: modify Makefile.am to fix out-of-tree use of 'make
      hack'
    - LP: #2122054 Snap installation: skip snap icon download when
      running in a cloud or using a proxy store
    - Snap installation: add timeout to http client when downloading
      snap icon
    - Snap installation: use http(s) proxy for icon downloads
    - LP: #2117558 snap-confine: fix error message with /root/snap not
      accessible
    - snap-confine: fix non-suid limitation by switching to root:root to
      operate v1 freezer
    - core-initrd: do not use writable-paths when not available
    - core-initrd: remove debian folder
    - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev
      interface now with the more robust gpio-aggregator configfs kernel
      interface
    - Interfaces: gpio-chardev | exclusive snap connections, raise a
      conflict when both gpio-chardev and gpio are connected
    - Interfaces: gpio-chardev | fix gpio-aggregator module load order
    - Interfaces: ros-snapd-support | grant access to /v2/changes
    - Interfaces: uda-driver-libs, egl-driver-libs, gbm-driver-libs,
      opengl-driver-libs, opengles-driver-libs | new interfaces to
      support nvidia driver components
    - Interfaces: microstack-support | allow DPDK (hugepage related
      permissions)
    - Interfaces: system-observe | allow reading additional files in
      /proc, needed by node-exporter
    - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key
      and Kensington VeriMark DT Fingerprint Key to device list
    - Interfaces: snap-interfaces-requests-control | allow shell API
      control
    - Interfaces: fwupd | allow access to Intel CVS sysfs
    - Interfaces: hardware-observe | allow read access to Kernel
      Samepage Merging (KSM)
    - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP
    - Interfaces: spi | relax sysfs permission rules to allow access to
      SPI device node attributes
    - Interfaces: content | introduce compatibility label
    - LP: #2121238 Interfaces: do not expose Kerberos tickets for
      classic snaps
    - Interfaces: ssh-public-keys | allow ro access to public host keys
      with ssh-key
    - Interfaces: Modify AppArmor template to allow listing systemd
      credentials and invoking systemd-creds
    - Interfaces: modify AppArmor template with workarounds for Go 1.35
      cgroup aware GOMAXPROCS
    - Interfaces: modify seccomp template to allow landlock_*
    - Prevent snap hooks from running while relevant snaps are unlinked
    - Make refreshes wait before unlinking snaps if running hooks can be
      affected
    - Fix systemd unit generation by moving "WantedBy=" from section
      "unit" to "install"
    - Add opt-in logging support for snap-update-ns
    - Unhide 'snap help' sign and export-key under Development category
    - LP: #2117121 Cleanly support socket activation for classic snap
    - Add architecture to 'snap version' output
    - Add 'snap debug api' option to disable authentication through
      auth.json
    - Show grade in notes for 'snap info --verbose'
    - Fix preseeding failure due to scan-disk issue on RPi
    - Support 'snap debug api' queries to user session agents
    - LP: #2112626 Improve progress reporting for snap install/refresh
    - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files
    - Fix /v2/apps error for root user when user services are present
    - LP: #2114704 Extend output to indicate when snap data snapshot was
      created during remove
    - Improve how we handle emmc volumes
    - Improve handling of system-user extra assertions

 -- Ernest Lotter <ernest.lotter@canonical.com>  Thu, 18 Sep 2025 10:00:54 +0200

snapd (2.71.1+ubuntu25.10.1) questing; urgency=medium

  * New upstream release, LP: #2118396
    - LP: #2125439 FDE: update secboot to revision f8400226f49a to fix
      possible preinstall secboot panic when secure boot is disabled

 -- Ernest Lotter <ernest.lotter@canonical.com>  Fri, 26 Sep 2025 07:39:49 +0200
