- Update to version 2023.6:
+ signing: ed25519 can now be backed by openssl
* If ostree is compiled with OpenSSL support (as it is on e.g.
Fedora derivatives), this also enables an OpenSSL-backed
implementation of the ed25519 signature support. Previously,
this required libsodium - which can still be used if desired
instead of openssl.
+ composefs changes
* Now enabled at build time (but disabled at runtime) by
default.
On systems with sufficiently new glibc and fsverity, ostree
enables support for composefs at build time. It continues to
be disabled by default at runtime.
* composefs now supports signature verification
There is support for an "initramfs root binding key" that can
be injected into the initramfs, and used to verify the ostree
commit (including its embedded composefs checksum). One
suggested model is to follow how e.g. Fedora signs kernel
modules with a transient throwaway key. For more, please see
the ostree/composefs doc.
Note that composefs continues to be classified as experimental.
* Configuration format has changed
The old ot-composefs kernel argument is no longer honored in
favor of a configuration file that should be present in the
initramfs.
+ ostree-prepare-root other changes
* A new configuration file in the initramfs is honored:
/etc/ostree/prepare-root.conf
* This configuration file can also specify the readonly-sysroot
default, which is now recommended