releasing package livecd-rootfs version 25.10.16

* bryalex/bryalex/6.14-master:
  Add debian/changelog entry (LP: #2116199)
  feat(apparmor): Add missing components to 6.14 kernel apparmor features' preseeds

debian/changelog

@@ -1,3 +1,160 @@
+livecd-rootfs (25.10.16) questing; urgency=medium
+
+  * Put the uc20-style system seed for TPM backed FDE in the live layer.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 13 Aug 2025 10:34:39 +1200
+
+livecd-rootfs (25.10.15) questing; urgency=medium
+
+  * Add missing components to 6.14 kernel apparmor features' preseeds.
+    (LP: #2116199)
+
+ -- Bryan Alexander <bryan.alexander@canonical.com>  Thu, 17 Jul 2025 13:27:17 -0700
+
+livecd-rootfs (25.10.14) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  [ Tim Andersson ]
+  [ Daniel Bungert ]
+  * desktop TPMFDE: move snaps back to stable channels
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
+
+livecd-rootfs (25.10.13) questing; urgency=medium
+
+  [ Olivier Gayot ]
+  * Build ubuntu-server with multipath-tools-boot installed, so that the
+    multipath stack ends up present in the initramfs.
+    The LVM stack is already present in the initramfs of the installer. And
+    since kinetic, the /dev/mapper entries for LVM devices are created during
+    the initramfs phase. This is a problem when we have LVM on top of a
+    multipath disk because LVM ends up creating /dev/mapper entries out of
+    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
+    should. Adding the multipath stack in the initramfs gives multipath a
+    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
+    does (LP: #2080474).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
+
+livecd-rootfs (25.10.12) questing; urgency=medium
+
+  [ Zygmunt Krynicki ]
+  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
+
+  [ Dennis Loose ]
+  [ Didier Roche-Tolomelli ]
+  * Allow the ubuntu-desktop-installer to request snap seeding state
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
+
+livecd-rootfs (25.10.11) questing; urgency=medium
+
+  * Fix installer startup to wait for snapd to be preseeded first
+    (LP: #2114923)
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 11 Jul 2025 14:57:56 +0200
+
+livecd-rootfs (25.10.10) questing; urgency=medium
+
+  * risc-v cloud images: enable cpc fixes for riscv64
+
+ -- Adriano Cordova <adriano.cordova@canonical.com>  Tue, 01 Jul 2025 09:11:16 -0400
+
+livecd-rootfs (25.10.9) questing; urgency=medium
+
+  * desktop and server: read $SUBARCH to allow the use of nvidia's kernel
+    instead of generic (LP: #2109822)
+
+ -- Antoine Lassagne <antoine.lassagne@canonical.com>  Tue, 17 Jun 2025 22:23:11 +1200
+
+livecd-rootfs (25.10.8) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  * desktop: use snapd from edge
+  * desktop: tpmfde image use desktop-security-center and firmware-updater
+    from edge
+
+  [ Dan Bungert ]
+  * lb_binary_layered: try #2 to fix mtimes in layered squashfses. (LP2107332)
+    Constrain mtime sync to the current upperdir so that files in lower layers
+    are not redundantly included.
+  * server: fix failure to process the hwe kernel layer due to multiple
+    kernels being present (LP: #2112501)
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 13 Jun 2025 12:00:20 -0600
+
+livecd-rootfs (25.10.7) questing; urgency=medium
+
+  * revert 25.10.6 due to duplicated snaps
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 10 Jun 2025 07:55:40 -0600
+
+livecd-rootfs (25.10.6) questing; urgency=medium
+
+  * lb_binary_layered: fix mtimes in layered squashfses. (LP: #2107332)
+    Failing to preserve mtime causes unnecessary python pyc rebuilds due to
+    mtime mismatch, and it's generally strange that reinstalling a package
+    that is already installed changes the files on the system (minus
+    intentional differences such as what's going on in the minimized install
+    source).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 30 May 2025 17:05:15 -0600
+
+livecd-rootfs (25.10.5) questing; urgency=medium
+
+  * desktop: TPMFDE snapd from latest/edge
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Wed, 28 May 2025 10:27:47 -0600
+
+livecd-rootfs (25.10.4) questing; urgency=medium
+
+  * desktop: TPMFDE kernel from 25.10/candidate
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Sun, 25 May 2025 23:18:59 -0600
+
+livecd-rootfs (25.10.3) questing; urgency=medium
+
+  * desktop: update TPMFDE model and don't skip 020-ubuntu-enhanced-sb.binary.
+    (LP: #2110195)  Temporarily use the model that allows overriding snap
+    channels so we can get matching snaps.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 23 May 2025 12:59:40 -0600
+
+livecd-rootfs (25.10.2) questing; urgency=medium
+
+  * desktop: skip 020-ubuntu-enhanced-sb.binary until a matching kernel is
+    ready for snapd 2.68.x
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 06 May 2025 08:24:10 +0200
+
+livecd-rootfs (25.10.1) questing; urgency=medium
+
+  * desktop: no longer involve cloud-init in early networking (LP: #2107225)
+  * server: provide network config direct to netplan
+  * server: update default netplan config for IPv6 autoconfiguration &
+    connectivity
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Mon, 28 Apr 2025 09:53:34 -0600
+
+livecd-rootfs (25.04.26) plucky; urgency=medium
+
+  * cpc: Restore UseDomains=true in cloud images (LP: #2106729)
+
+ -- Tomáš Virtus <tomas.virtus@canonical.com>  Thu, 10 Apr 2025 13:07:25 +0000
+
+livecd-rootfs (25.04.25) plucky; urgency=medium
+
+  * live-build/auto/build: Use --workdir in ubuntu-image to avoid filling
+    tmpfs-based /tmp (LP: #2103735)
+
+ -- Dave Jones <dave.jones@canonical.com>  Thu, 20 Mar 2025 17:22:47 +0000
+
+livecd-rootfs (25.04.24) plucky; urgency=medium
+
+  * desktop: update TPMFDE model to move pc-kernel to channel 25.04/stable.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 13 Mar 2025 17:17:30 -0600
+
 livecd-rootfs (25.04.23) plucky; urgency=medium
 
   * Add 6.14 kernel apparmor features' preseeds. (LP: #2102120)

debian/install

@@ -4,3 +4,4 @@ get-ppa-fingerprint usr/share/livecd-rootfs
 minimize-manual usr/share/livecd-rootfs
 checkout-translations-branch usr/share/livecd-rootfs
 update-source-catalog usr/share/livecd-rootfs
+sync-mtime usr/share/livecd-rootfs

live-build/apparmor/6.14/domain/disconnected.ipc

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring

@@ -1 +1 @@
-0
+1

live-build/auto/build

@@ -48,8 +48,9 @@ if [ "${IMAGEFORMAT:-}" = "ubuntu-image" ]; then
 		exit 0
 	else
 		# Ubuntu classic preinstalled images
+		# --workdir is specified to avoid filling /tmp which is now a tmpfs
 		/snap/bin/ubuntu-image classic --verbose $UBUNTU_IMAGE_ARGS \
-			-O output "$IMAGE_DEFINITION"
+			--workdir work -O output "$IMAGE_DEFINITION"
 		# Since the output of the ubuntu-image call can vary based on what
 		# kind of an image we build, the safest bet is to 'export' all the
 		# artifacts from the output directory. The image definition file
@@ -483,6 +484,9 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		lowlatency-hwe-*)
 			FLAVOUR="lowlatency"
 			;;
+		nvidia-hwe-*)
+			FLAVOUR="nvidia"
+			;;
 	esac
 	KVERS="$( (cd "binary/$INITFS"; ls vmlinu?-* 2>/dev/null || true) | (fgrep -v .efi || true) | sed -n "s/^vmlinu.-\\([^-]*-[^-]*-$FLAVOUR\\)$/\\1/p" )"
 	if [ -z "$KVERS" ]; then

live-build/auto/config

@@ -3,7 +3,7 @@ set -e
 
 case $ARCH:$SUBARCH in
 	amd64:|amd64:generic|amd64:intel-iot|\
-	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|\
+	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|arm64:nvidia|\
 	arm64:tegra|arm64:tegra-igx|arm64:tegra-jetson|arm64:x13s|\
 	arm64:largemem|\
 	armhf:|\
@@ -844,6 +844,16 @@ case $PROJECT in
 				HAS_DEFAULT_LANGUAGES=yes
 				LANGUAGE_BASE=desktop
 				KERNEL_FLAVOURS='generic-hwe-24.04'
+
+				case $SUBARCH in
+					nvidia)
+						KERNEL_FLAVOURS="nvidia-hwe-24.04"
+						;;
+					*)
+						# nothing to do here.
+						;;
+				esac
+				
 				do_layered_desktop_image
 
 				# Enchanced secureboot stuff
@@ -999,6 +1009,14 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
+				# If we have a multipath disk with LVM on top, we want to give
+				# multipath a chance to create the /dev/mapper/mpatha entry
+				# during the initramfs phase. Otherwise LVM will "steal" the
+				# device (e.g., /dev/sda2) and prevent multipath from using it
+				# after pivoting to the root filesystem of the live
+				# environment.
+				# See LP: #2080474 and LP: #1480399.
+				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot
 
 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live
 
@@ -1023,6 +1041,9 @@ case $PROJECT in
 						# variants='ga-64k hwe-64k'
 						variants='ga-64k'
 						;;
+					nvidia)
+						variants='nvidia'
+						;;
 					*)
 						# variants='ga hwe'
 						variants='ga'
@@ -1060,21 +1081,20 @@ case $PROJECT in
 					elif [ "$variant" = "tegra-jetson" ]; then
 						kernel_metapkg=linux-nvidia-tegra-jetson
 						flavor=nvidia-tegra-jetson
+					elif [ "$variant" = "nvidia" ]; then
+						kernel_metapkg=linux-nvidia-hwe-$(lsb_release -sr)
+						flavor=nvidia
 					else
 						echo "bogus variant: $variant"
 						exit 1
 					fi
 
-					add_pass ubuntu-server-minimal.ubuntu-server.installer.$flavor
 					if [ "$first_kernel" = "y" ]; then
 						# Put the first kernel offered into the base layer
-						kernel_layer=ubuntu-server-minimal
 						first_kernel=n
-					else
-						# and subsequent ones into their own layer
-						kernel_layer=ubuntu-server-minimal.ubuntu-server.installer.$flavor
+						add_package ubuntu-server-minimal $kernel_metapkg
 					fi
-					add_package $kernel_layer $kernel_metapkg
+					add_package ubuntu-server-minimal.ubuntu-server.installer.$flavor $kernel_metapkg
 
 					LIVE_PASSES="${LIVE_PASSES:+$LIVE_PASSES }ubuntu-server-minimal.ubuntu-server.installer.$flavor"
 				done

live-build/functions

@@ -565,8 +565,14 @@ _snap_post_process() {
         core[0-9]*)
             # If the 'core' snap is not present, assume we are coreXX-only and
             # install the snapd snap.
+            channel=stable
+            # FIXME: This can be commented and uncommented to enable snaps from
+            # edge for development spikes.
+            # if [ $PROJECT = "ubuntu" ]; then
+            #     channel=edge
+            # fi
             if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
-                _snap_preseed $CHROOT_ROOT snapd stable
+                _snap_preseed $CHROOT_ROOT snapd "$channel"
             fi
             ;;
         core)

live-build/lb_binary_layered

@@ -163,15 +163,24 @@ build_layered_squashfs () {
 			#    (rather than the default which is to skip copies based
 			#    on size + mtime)
 			#  --no-times to not copy mtimes from source to dest (we
-			#    don't care about mtime in the image and want to
+			#    do care about mtime in the image but want to
 			#    deduplicate files that have indentical contents but
-			#    different mtimes)
+			#    different mtimes, and mtime will be fixed below)
 			#  --del because we want to remove files that have been
 			#    deleted in this layer.
 			rsync -aXHAS --checksum --no-times --del chroot/ chroot-2/
 			umount chroot-2
 			rmdir chroot-2
 			overlay_dir="$overlay_dir-2"
+			# We use rsync with --no-times rsync (see above)
+			# for the absolute best size reduction.  But there are
+			# cases where we want mtime preservation to match what
+			# was found in the original archive packages, such as
+			# keeping .py mtime in sync with the matching .pyc.
+			# Operate on the upperdir directly, so that we are only
+			# modifying mtime on files that are actually changed in
+			# this layer. LP: #2107332
+			/usr/share/livecd-rootfs/sync-mtime chroot "$overlay_dir"
 		fi
 
 		create_squashfs "${overlay_dir}" ${squashfs_f}

live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu-cpc/hooks.d/chroot/060-use-domains.chroot

@@ -0,0 +1,9 @@
+#!/bin/bash
+ 
+# See https://bugs.launchpad.net/cloud-images/+bug/2106729
+
+mkdir -p /etc/systemd/networkd.conf.d/
+cat >/etc/systemd/networkd.conf.d/50-cloudimg-settings.conf <<EOF
+[Network]
+UseDomains=true
+EOF

live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot

@@ -100,7 +100,7 @@ fi
 
 case $arch in
 	# ppc, riscv64 and s390x images are special
-	powerpc|ppc64el|s390x|riscv64)
+	powerpc|ppc64el|s390x)
 		exit 0
 		;;
 esac

live-build/ubuntu-server/hooks/02-hwe-kernel.chroot_early

@@ -0,0 +1,18 @@
+#!/bin/bash -eux
+# vi: ts=4 noexpandtab
+
+case $PASS in
+    ubuntu-server-minimal.ubuntu-server.installer.*.*)
+        exit 0
+        ;;
+    ubuntu-server-minimal.ubuntu-server.installer.*)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+# remove excess kernels.  auto/config arranges for the correct one to be
+# installed.
+
+apt-get --yes remove --purge 'linux-image*'

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/netplan/00-installer-config.yaml

@@ -0,0 +1,19 @@
+# This is the initial network config.
+# It can be overwritten by cloud-init or subiquity.
+# For more information, see netplan(5)
+
+network:
+    version: 2
+    ethernets:
+        zz-all-en:
+            match:
+                name: "en*"
+            dhcp4: true
+            dhcp6: true
+            accept-ra: true
+        zz-all-eth:
+            match:
+                name: "eth*"
+            dhcp4: true
+            dhcp6: true
+            accept-ra: true

live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary

@@ -1,139 +1,24 @@
 #! /bin/sh
 
+# We need to remove the snapd seed configuration for the layers that
+# will be the installation source for a TPM-backed FDE install or
+# snapd gets very confused on the boot of the target system.
+
 set -eux
 
 case ${PASS:-} in
-    minimal.standard.enhanced-secureboot)
-        ;;
-    minimal.enhanced-secureboot)
+    *.enhanced-secureboot)
         ;;
     *)
         exit 0
         ;;
 esac
 
+. config/functions
+
 if [ -n "${SUBPROJECT:-}" ]; then
     echo "We don't run Ubuntu Desktop hooks for this project."
     exit 0
 fi
 
-. config/binary
-. config/functions
-
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-cat <<EOF > config/classic-model.model
-type: model
-authority-id: canonical
-series: 16
-brand-id: canonical
-model: ubuntu-classic-2504-amd64
-architecture: amd64
-base: core24
-classic: true
-distribution: ubuntu
-grade: signed
-snaps:
-  -
-    default-channel: classic-25.04/stable
-    id: UqFziVZDHLSyO3TqSWgNBoAdHbLI4dAH
-    name: pc
-    type: gadget
-  -
-    components:
-      nvidia-550-ko:
-        presence: optional
-      nvidia-550-user:
-        presence: optional
-    default-channel: 24/edge/nvidia-components-dev
-    id: pYVQrBcKmBa0mZ4CCN7ExT6jH8rY1hza
-    name: pc-kernel
-    type: kernel
-  -
-    default-channel: latest/stable
-    id: amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
-    name: core22
-    type: base
-  -
-    default-channel: latest/stable
-    id: dwTAh7MZZ01zyriOZErqd1JynQLiOGvM
-    name: core24
-    type: base
-  -
-    default-channel: latest/stable
-    id: PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
-    name: snapd
-    type: snapd
-  -
-    default-channel: latest/stable
-    id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
-    name: bare
-    type: base
-  -
-    default-channel: latest/stable/ubuntu-25.04
-    id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
-    name: firefox
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-25.04
-    id: lATO8HzwVvrAPrlZRAWpfyrJKlAJrZS3
-    name: gnome-42-2204
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-25.04
-    id: jZLfBRzf1cYlYysIjD2bwSzNtngY0qit
-    name: gtk-common-themes
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-25.04
-    id: IrwRHakqtzhFRHJOOPxKVPU0Kk7Erhcu
-    name: snapd-desktop-integration
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-25.04
-    id: EI0D1KHjP8XiwMZKqSjuh6W8zvcowUVP
-    name: firmware-updater
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-25.04
-    id: FppXWunWzuRT2NUT9CwoBPNJNZBYOCk0
-    name: desktop-security-center
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-25.04
-    id: aoc5lfC8aUd2VL8VpvynUJJhGXp5K6Dj
-    name: prompting-client
-    type: app
-  -
-    default-channel: 2/stable/ubuntu-25.04
-    id: gjf3IPXoRiipCu9K0kVu52f0H56fIksg
-    name: snap-store
-    type: app
-timestamp: 2024-10-30T12:00:00.0Z
-sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
-
-AcLBXAQAAQoABgUCZ8+91wAKCRDgT5vottzAElaFD/9cwt6iJhWyTO6IxEEt35djQoQEXOLxEmje
-krqx3TVSM8BVCdRXBrUlU4Uj2xHTQnbAKtLlZYh8eYlDtPw1MRxVAijykUAhumXvohbySCpCkEcZ
-lFujIjLgQFvvUpTR9j1DNL7h7p4ZZDevSUGPVxf436V+4HpUF+UhPnZAHEpy4Vwi6B5CZZDn9JLu
-VL20QIiUa8rBpLUAU3TGNJsTygeLfZBrGU8jRiFEV6YHH9XS0TWYZrolvS3V0Cr7OXubxWeeBJgW
-y8Lxp88Dp7cg8B74weFG9GjqgZDP4X8BRhVLQprhs1MGFTtfV1/0viWDpNLW1FYHH3iae4nLx55j
-7AfydLAYs1DBSZliN3mLxR0vt40Bl4vhgiz3uKbwlnPPNo3ZlPY6zJIE2BkjjL46AcFgSbd5Z0HW
-iH2KoDzXzGWQUIYGenNQuWj14pHv8j6LPSiPxq+FAhHJv5O1KcMM9X9bR6hBgTArudVKnEeleSlm
-zYY0J3mdANwQviQwdCLQjwmuV7ZPH7Jg+uV/PoRITZjtz/TTEzkKgVSJl6ATEKImoRRgfa88eMDS
-C5jUR3XWNvZcj3GPbXIlJEi/HrTdjLIfMDBqbTSwHXmYm9oBZN37OwUPvR4l0blqoVxDa9L5+XVo
-UnbiP807fY7LyfYdp12BnktXWUkOYew9knyr/fdQgA==
-EOF
-
-channel=""
-if [ -n "${CHANNEL:-}" ]; then
-    channel="--channel $CHANNEL"
-fi
-
 reset_snapd_state chroot
-
-# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
-# snap versions regardless of phasing status
-env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-    --classic config/classic-model.model $channel chroot
-mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
-rm -rf chroot/var/lib/snapd/seed
-mv chroot/system-seed chroot/var/lib/snapd/seed

live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# create the system seed for TPM-backed FDE in the live layer of the installer.
+
+set -eux
+
+case ${PASS:-} in
+    *.live)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+if [ -n "${SUBPROJECT:-}" ]; then
+    echo "We don't run Ubuntu Desktop hooks for this project."
+    exit 0
+fi
+
+. config/binary
+. config/functions
+
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+#   unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+#   rename for the new version, and do any necessary updates including fixing
+#   the versions of tracks.
+# * When this is done, the json needs to be signed.  This needs to be done by
+#   a Canonical employee - try asking someone who has recently opened PRs on
+#   https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+#   models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+#   live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
+
+channel=""
+if [ -n "${CHANNEL:-}" ]; then
+    channel="--channel $CHANNEL"
+fi
+
+# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
+# snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation.  This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+#       --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
+env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+    --classic $model $channel \
+    --snap=pc=classic-25.10/stable \
+    --snap=pc-kernel=25.10/candidate \
+    --snap=firmware-updater=1/stable/ubuntu-25.10 \
+    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+    --snap=prompting-client=1/stable/ubuntu-25.10 \
+    --snap=snap-store=2/stable/ubuntu-25.10 \
+    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+    --snap=firefox=latest/stable/ubuntu-25.10 \
+    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+    chroot
+
+mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
+rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
+rm -rf chroot/system-seed/

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules

@@ -0,0 +1,13 @@
+// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
+//
+// THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
+//
+// Allow the ubuntu-desktop-installer to request snap seeding state
+// used before starting.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "io.snapcraft.snapd.manage-configuration") {
+            return polkit.Result.YES;
+    }
+});
+

live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service

@@ -10,6 +10,8 @@ Conflicts=gnome-session@gnome-login.target
 
 [Service]
 Type=oneshot
+# Make sure that the system was seeded to access the snap
+ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no

live-build/ubuntu/ubuntu-classic-amd64.model

@@ -0,0 +1,89 @@
+type: model
+authority-id: canonical
+series: 16
+brand-id: canonical
+model: ubuntu-classic-2510-amd64-dangerous
+architecture: amd64
+base: core24
+classic: true
+distribution: ubuntu
+grade: dangerous
+snaps:
+  -
+    default-channel: classic-25.10/edge
+    id: UqFziVZDHLSyO3TqSWgNBoAdHbLI4dAH
+    name: pc
+    type: gadget
+  -
+    default-channel: 25.10/edge
+    id: pYVQrBcKmBa0mZ4CCN7ExT6jH8rY1hza
+    name: pc-kernel
+    type: kernel
+  -
+    default-channel: latest/edge
+    id: amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
+    name: core22
+    type: base
+  -
+    default-channel: latest/edge
+    id: PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
+    name: snapd
+    type: snapd
+  -
+    default-channel: latest/edge
+    id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
+    name: bare
+    type: base
+  -
+    default-channel: latest/edge
+    id: EI0D1KHjP8XiwMZKqSjuh6W8zvcowUVP
+    name: firmware-updater
+    type: app
+  -
+    default-channel: latest/edge
+    id: FppXWunWzuRT2NUT9CwoBPNJNZBYOCk0
+    name: desktop-security-center
+    type: app
+  -
+    default-channel: latest/edge
+    id: aoc5lfC8aUd2VL8VpvynUJJhGXp5K6Dj
+    name: prompting-client
+    type: app
+  -
+    default-channel: latest/edge
+    id: gjf3IPXoRiipCu9K0kVu52f0H56fIksg
+    name: snap-store
+    type: app
+  -
+    default-channel: latest/edge
+    id: jZLfBRzf1cYlYysIjD2bwSzNtngY0qit
+    name: gtk-common-themes
+    type: app
+  -
+    default-channel: latest/edge
+    id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
+    name: firefox
+    type: app
+  -
+    default-channel: latest/edge
+    id: lATO8HzwVvrAPrlZRAWpfyrJKlAJrZS3
+    name: gnome-42-2204
+    type: app
+  -
+    default-channel: latest/edge
+    id: IrwRHakqtzhFRHJOOPxKVPU0Kk7Erhcu
+    name: snapd-desktop-integration
+    type: app
+timestamp: 2025-05-01T12:00:00.0Z
+sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
+
+AcLBXAQAAQoABgUCaBpC0wAKCRDgT5vottzAEmTaD/4+m7UJU64O0/Nu5OimYd5aSYoi1PSH5nq6
+HK9F3vJnL0xpJRtnNgmUi1STghVa8ej2TOMvcTmgNcB+XG7xTadUEJIOu+GP7Q1WChnDQJjEFf0v
+9rL9/KI80ij00BHupRq3NZrru24TP72Rccd1I9Y1g0v6Y7eZODj6DLrIId9iIoYUqy3/jLAjoNq/
+Njm2+tlfC219gkyHQxYDtXRg5gPLpw58y9TkcaPj90WZAL1S3u/O6WvC3TSm8x1ESCx0HEfuHke8
+KcccjoTGshHKUsNHrdAs09SmJRS5m+JtgmO3yA1Fi/DiHHf6MAqxfTxao9vcu1yZlH/x710shOYS
+ySDMLllIKpU0p69Oo23uRgl/4fmuxiK/tGEYusMPTGmcy7jmnfRha6iYt4Dj3fWbZn88kkcwzheb
+RAzDItXBX/xcyqnBYt9821hDrGAgtpgNPWXx0l944VcYBoSEMx3LS+XITdiPwg08A9UZIgYBbc6z
+Pc02I4+7ObGmyxBpfFSNUxApkhph9fq97OfVe6LSnXR2p8m8EQ7tFBlIO+Wco9AeTxf6aS+vRjgd
+nhxfIfE7qlhzFEFV6BOQMPtR0zovramo3QYfig57erCLzt6YQvs/bUmdlIB5M7W6cdwC9X+jqV/f
+LHe4yOQIv4zZzcTxZeSVrlkIo2FcqpD6ishUecThqw==

sync-mtime

@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+# usage: sync-mtime src dst
+#
+# synchronize atime/mtime on files between src and dst.
+#
+# src and dst are directories, where dst is expected to contain a subset of the
+# files found in src. for each file present in dst or a subdirectory thereof,
+# if atime/mtime differ between the same file in src and that file in dst,
+# update atime/mtime on the file in dst.
+
+import os
+import sys
+from pathlib import Path
+
+
+def time_eq(a: os.stat_result, b: os.stat_result) -> bool:
+    return (
+        (a.st_mtime_ns == b.st_mtime_ns) and
+        (a.st_atime_ns == b.st_atime_ns)
+    )
+
+
+src, dst = sys.argv[1:]
+for dirpath, dirnames, filenames in Path(dst).walk():
+    for filename in filenames:
+        dst_file = dirpath / filename
+        if not dst_file.is_file():
+            continue
+        src_file = src / dst_file.relative_to(dst)
+
+        src_stat = src_file.stat(follow_symlinks=False)
+        dst_stat = dst_file.stat(follow_symlinks=False)
+        if time_eq(src_stat, dst_stat):
+            continue
+
+        ns = (src_stat.st_atime_ns, src_stat.st_mtime_ns)
+        os.utime(dst_file, ns=ns, follow_symlinks=False)