Imported 23.10.52 from mantic-release pocket.

No reason for CPC update specified.

debian/changelog

@@ -1,3 +1,20 @@
+livecd-rootfs (23.10.52) mantic; urgency=medium
+
+  [ Philip Roche ]
+  * fix: Sort filelists creating when building ubuntu-cpc images (LP: #2033677)
+  * fix: Create .filelist in ubuntu-cpc project binary hooks that do not use
+    create_manifest shared function (LP: #2033751)
+    * fix: Ensure any created .filelist is symlinked with expected prefix
+      and correct permissions
+    * fix: disk-image-non-cloud ubuntu-cpc build target now provides
+      manifest and filelist
+
+  [ Steve Langasek ]
+  * remove ssl-cert "snakeoil" private keys from images, since this makes
+    them not very private.  LP: #2037869.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 02 Oct 2023 18:13:03 -0700
+
 livecd-rootfs (23.10.51) mantic; urgency=medium
 
   [ Dimitri John Ledkov ]

live-build/auto/build

@@ -616,6 +616,14 @@ if [ -e "binary/$INITFS/filesystem.packages" ]; then
 	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
 	chmod 644 "$PREFIX.manifest"
 fi
+
+# If a .filelist is present, use it as the filelist for the image by
+# symlinking with expected name and updating permissions
+if [ -e "binary/$INITFS/filesystem.filelist" ]; then
+	ln "binary/$INITFS/filesystem.filelist" "$PREFIX.filelist"
+	chmod 644 "$PREFIX.filelist"
+fi
+
 if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then
 	# Not a typo, empty manifest-remove has a single LF in it. :/
 	if [ $(cat binary/$INITFS/filesystem.packages-remove | wc -c) -gt 1 ]; then

live-build/auto/config

@@ -1300,6 +1300,18 @@ if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" = "1" ]; then
 	fi
 fi
 
+# apply this hook unconditionally to remove files from the chroot that
+# are supposed to be install-specific secrets and therefore must never
+# be shipped in any image.
+# this hook should be extended if we discover any more files that are
+# supposed to be private but aren't.
+cat > config/hooks/100-too-many-secrets.chroot <<EOF
+#!/bin/sh
+
+rm -fv /etc/ssl/private/ssl-cert-snakeoil.key \
+	/etc/ssl/certs/ssl-cert-snakeoil.pem
+EOF
+
 case $PROJECT in
   ubuntu-cpc|ubuntu-core|ubuntu-base|ubuntu-oci|ubuntu-wsl|ubuntu-mini-iso)
     # ubuntu-cpc gets this added in 025-create-groups.chroot, and we do

live-build/functions

@@ -47,7 +47,7 @@ create_manifest() {
     if [ "$PROJECT" = ubuntu-cpc ]; then
         echo "create_manifest creating file listing."
         local target_filelist=${2%.manifest}.filelist
-        (cd "${chroot_root}" && find -xdev) > "${target_filelist}"
+        (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
     fi
     echo "create_manifest finished"
 }

live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary

@@ -75,6 +75,11 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
+# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated
+chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages
+(cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+
 umount mountpoint
 rmdir mountpoint
 

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi-non-cloud.binary

@@ -431,6 +431,10 @@ EOF
     rm mountpoint/tmp/device.map
     umount mountpoint/boot/efi
     mount
+
+    # create sorted filelist as the very last step before unmounting
+    (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+
     umount_partition mountpoint
     rmdir mountpoint
 }

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary

@@ -179,6 +179,10 @@ install_grub() {
     rm mountpoint/tmp/device.map
     umount -R mountpoint/boot
     mount
+
+    # create sorted filelist as the very last step before unmounting
+    (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+
     umount_partition mountpoint
     rmdir mountpoint
 }

live-build/ubuntu-cpc/hooks.d/base/series/disk-image-non-cloud

@@ -2,3 +2,5 @@ base/disk-image-uefi-non-cloud.binary
 base/disk-image.binary
 base/disk1-img-xz.binary
 provides livecd.ubuntu-cpc.disk1.img.xz
+provides livecd.ubuntu-cpc.manifest
+provides livecd.ubuntu-cpc.filelist