Overview
Request 1107802 revoked
- Update to version 2023.6:
  + signing: ed25519 can now be backed by openssl
    * If ostree is compiled with OpenSSL support (as it is on e.g.
      Fedora derivatives), this also enables an OpenSSL-backed
      implementation of the ed25519 signature support. Previously,
      this required libsodium - which can still be used if desired
      instead of openssl.
  + composefs changes
    * Now enabled at build time (but disabled at runtime) by
      default.
      On systems with sufficiently new glibc and fsverity, ostree
      enables support for composefs at build time. It continues to
      be disabled by default at runtime.
    * composefs now supports signature verification
      There is support for an "initramfs root binding key" that can
      be injected into the initramfs, and used to verify the ostree
      commit (including its embedded composefs checksum). One
      suggested model is to follow how e.g. Fedora signs kernel
      modules with a transient throwaway key. For more, please see
      the ostree/composefs doc.
      Note that composefs continues to be classified as experimental.
    * Configuration format has changed
      The old ot-composefs kernel argument is no longer honored in
      favor of a configuration file that should be present in the
      initramfs.
  + ostree-prepare-root other changes
    * A new configuration file in the initramfs is honored:
      /etc/ostree/prepare-root.conf
    * This configuration file can also specify the readonly-sysroot
      default, which is now recommended
Request History
alarrosa created request
gnome-review-bot accepted review
Check script succeeded
luc14n0 declined review
Sorry Antonio you had all this trouble, but libostree is already updated in GNOME:Next and should be soon forwarded.
luc14n0 declined request
Sorry Antonio you had all this trouble, but libostree is already updated in GNOME:Next and should be soon forwarded.
alarrosa revoked request
The package 'home:alarrosa:branches:GNOME:Factory/libostree' has been removed