Update d/ch for 26.04.28 release

Switch arm64 mirror from ports to archive
releasing package livecd-rootfs version 26.04.27
2026-04-02 15:11:17 +00:00 · 2026-04-02 18:34:39 +05:30 · 2026-04-02 18:34:07 +05:30 · 2026-04-02 16:00:13 +13:00 · 2026-04-02 15:47:26 +13:00 · 2026-04-02 15:46:27 +13:00
177 changed files with 4398 additions and 786 deletions
--- a/.launchpad.yaml
+++ b/.launchpad.yaml
@ -0,0 +1,12 @@
+pipeline:
+  - [lint]
+
+jobs:
+  lint:
+    series: noble
+    architectures: amd64
+    packages:
+      - black
+      - mypy
+      - python3-flake8
+    run: ./check-lint
--- a/README.parameters
+++ b/README.parameters
@ -0,0 +1,263 @@
+Understanding the parameters used by livecd-rootfs
+==================================================
+
+livecd-rootfs is a confusing codebase. One of the confusing things is
+how information flows into and around the image build process. There
+is IMAGEFORMAT and IMAGE_TARGETS and PROJECT and many other
+variables. It is not obvious when looking at the code if a given
+variable is something passed as a parameter or something derived from
+it.
+
+All (or almost all) production use of livecd-rootfs is via
+launchpad-buildd so the set of potential parameters is limited by the
+set of environment variables launchpad-build can set in response to
+the build request.
+
+The process from build request to environment live-build is run is a
+little convoluted. The build request takes:
+
+ an archive -- where to get livecd-rootfs from
+ a distro_arch_series -- the series to get livecd-rootfs and build
+ a pocket -- pocket to get livecd-rootfs from, also influences if proposed is
+             used as a package source for the image being built
+ unique_key -- you cannot have more than one pending livefs build with the same
+               unique_key. does not affect the build at all.
+ version -- optional version string, see below. often a serial like 20250525.1
+ metadata_override -- combined with the metadata on the livefs itself to make
+                      the metadata for this build.
+
+(ref: https://launchpad.net/+apidoc/devel.html#livefs-requestBuild)
+
+These parameters are stored on the livefsbuild object (ref:
+https://git.launchpad.net/launchpad/tree/lib/lp/soyuz/model/livefsbuild.py#n372)
+and converted into a set of args passed to launchpad-build by the
+LiveFSBuildBehaviour class (ref:
+https://git.launchpad.net/launchpad/tree/lib/lp/soyuz/model/livefsbuildbehaviour.py#n99).
+
+Inside launchpad-build, these arguments are inspected by the
+LiveFilesystemBuildManager.initiate method (ref:
+https://git.launchpad.net/launchpad-buildd/tree/lpbuildd/livefs.py#n24)
+which turns them into arguments for the BuildLiveFS lpbuild
+"operation" which is what creates the environment live-build runs in
+(ref:
+https://git.launchpad.net/launchpad-buildd/tree/lpbuildd/target/build_livefs.py#n167).
+
+These variables can be set for both lb config and lb build:
+
+ PROJECT       (mandatory, comes from "project" in the metadata)
+ ARCH          (set to the abi tag of the distroarchseries being built for)
+ ARCH_VARIANT  (set to the isa tag of the distroarchseries being built for if it is
+                different from the abi tag)
+ SUBPROJECT    (optional, comes from "subproject" in the metadata)
+ SUBARCH       (optional, comes from "subarch" in the metadata)
+ CHANNEL       (optional, comes from "subarch" in the metadata)
+ IMAGE_TARGETS (optional, comes from "image_targets" in the metadata
+                "image_targets" is a list. IMAGE_TARGETS is set to " ".join(image_targets))
+ REPO_SNAPSHOT_STAMP
+               (optional, comes from "repo_snapshot_stamp" in the metadata)
+ SNAPSHOT_SERVICE_TIMESTAMP
+               (optional, comes from "snapshot_snapshot_stamp" in the metadata)
+ COHORT_KEY
+               (optional, comes from "cohort-key" in the metadata)
+
+launchpad-buildd also contains code to set http_proxy / HTTP_PROXY /
+LB_APT_HTTP_PROXY but there does not appear to be any way to trigger
+this when requesting a build.
+
+In addition the following variables can be set for lb config only (why
+are some things set for lb config only? no idea):
+
+ SUITE         (set to the name of the distroarchseries being built for)
+ NOW           (set to value of the 'version' argument to the build request,
+                defaults to strftime("%Y%m%d-%H%M%S"))
+ IMAGEFORMAT   (optional, comes from "image_format" in the metadata)
+ PROPOSED      (set to "1" if the pocket passed to the build request is proposed)
+ EXTRA_PPAS    (optional, comes from "extra_ppas" in the metadata
+                "extra_ppas" is a list. EXTRA_PPAS is set to " ".join(extra_ppas))
+ EXTRA_SNAPS   (optional, comes from "extra_snaps" in the metadata
+                "extra_snaps" is a list. EXTRA_SNAPS is set to " ".join(extra_snaps))
+ BUILD_TYPE    (optional, the "type" (i.e. Daily or Release) of ISO being built,
+                goes into .disk/info on the ISO, defaults to Daily)
+
+Here is an opinionated and slightly angry attempt to describe what
+each of these is for:
+
+PROJECT
+-------
+
+This is the big one, the main variable that defines what is being
+built. It can be ubuntu, ubuntu-server, xubuntu, ubuntu-mini-iso, that
+sort of thing. Generally PROJECT determines the set of packages
+installed but it (unfortunately?) has a bit more impact than that.
+
+It's unarguable that we need a parameter like this.
+
+ARCH
+----
+
+The architecture being built for. This is always the same as `dpkg
+--print-architecture` for us, we don't do any cross builds.
+
+It's kind of redundant but it's not really a problem that this exists.
+
+ARCH_VARIANT
+------------
+
+The "variant" being built for, i.e. the ISA tag of the
+distroarchseries. Only set if this is different from the ABI tag.
+
+This is definitely needed to be able to build images for variants.
+
+SUBPROJECT
+----------
+
+This is used for some builds to build a different sort of build of the
+project. It can be set to:
+
+ * "minimized" for ubuntu-cpc builds to make a minimal cloud image
+ * "minimal" for xubuntu builds to make a smaller ISO
+ * "desktop-preinstalled" for ubuntu builds to make a preinstalled
+   image instead of the parts for an installer.
+ * "buildd" for images to be used as build images by craft tools, and also
+   buildd chroots used on launchpad builders?
+ * "live" for ubuntu-server builds, historically to distinguish d-i
+   style installers from subiquity style installers
+ * "desktop" for ubuntu-core-installer builds, to influence which
+   model is use to build the ubuntu core system that will be
+   installed.
+
+_This_ parameter is a total mess. The desktop-preinstalled use feels
+particularly egregious.
+
+SUBARCH
+-------
+
+This identifies the target machine more specifically than ARCH,
+e.g. "tegra-jetson" or "licheerv". Used mostly but not exclusively for
+preinstalled builds.
+
+We probably do need something like this.
+
+CHANNEL
+-------
+
+Influences which channel snaps included in the build are taken from
+(via a few different mechanisms).
+
+IMAGE_TARGETS
+-------------
+
+Passed for CPC (and ubuntu-oem, for some reason) builds to
+`config/hooks.d/make-hooks` which uses it to select which binary hooks
+to run (and so determines which artifacts get produced).
+
+It is probably reasonable that this exists.
+
+REPO_SNAPSHOT_STAMP
+-------------------
+
+Currently unused.
+
+SNAPSHOT_SERVICE_TIMESTAMP
+--------------------------
+
+Also currently unused, and unclear how it differs from
+REPO_SNAPSHOT_STAMP.
+
+COHORT_KEY
+----------
+
+Used to make sure that different builds run at the same time don't get
+different versions of snaps due to phasing differences.
+
+This is a totally valid thing to need to supply.
+
+http_proxy / HTTP_PROXY / LB_APT_HTTP_PROXY
+-------------------------------------------
+
+Nothing complex here!
+
+SUITE
+-----
+
+This is the series being built (e.g. noble, questing). It is misnamed
+really -- a suite is usually a combination of a series and a pocket
+(noble-proposed, questing-security).
+
+As with ARCH this is sort of redundant as we do builds in a chroot of
+the series being built but OTOH it is definitely information the
+build needs to know!
+
+NOW
+---
+
+The serial for the build, e.g. 20250519 or 20240418.4.
+
+It is a totally reasonable parameter.
+
+IMAGEFORMAT
+-----------
+
+This is one of the more incoherently handled parameters. In rough
+outline it is the filesystem of the image we produce.
+
+Installer builds do not produce raw images, so this ends up being set
+to 'plain' (which causes live-build to just leave the rootfs as a
+directory tree) or 'none' (which causes live-build to do roughly the
+same thing but in a different way?).
+
+Image builds that use ubuntu-image set it to "ubuntu-image". These
+builds do not call 'lb build' or 'lb binary'.
+
+Other preinstalled images (mostly cpc images) set it to ext4 (but then
+use live-build/ubuntu-cpc/hooks.d/remove-implicit-artifacts to remove
+the output file that this causes live-build to produce...). Some
+projects rely on this being set via metadata when building the project
+it seems.
+
+It can be set when starting an image build, but most builds do not and
+the behavior when it is not set explicitly is pretty confusing.
+
+This place is not a place of honor.
+
+PROPOSED
+--------
+
+Should packages from proposed by included?
+
+This is not really as useful as it used to be for a bunch of reasons
+but it conceptually makes sense.
+
+EXTRA_PPAS
+----------
+
+Extra archives to get packages from.
+
+This is a space separated list by the time it gets to
+livecd-rootfs. Each element of the list is of the form USER/NAME[:PIN]
+where user is a Launchpad user/team name, NAME is the name of the ppa
+to add and the optional colon-PIN at the end is the value to pin (in
+the "man 5 apt_preferences: sense) packages from this PPA at.
+
+Production builds shouldn't really use this but it's definitely useful
+for development.
+
+EXTRA_SNAPS
+-----------
+
+Extra snaps to include (but only for ubuntu-image based builds).
+
+BUILD_TYPE
+----------
+
+Before release, the .disk/info on an ISO looks like:
+
+    Ubuntu-Server 26.04 LTS "Resolute Raccoon" - Daily amd64 (20260210)
+
+after release it looks like:
+
+    Ubuntu-Server 26.04 LTS "Resolute Raccoon" - Release amd64 (20270210)
+
+We could do a livecd-rootfs upload to change this (it only changes
+once per cycle), but it's quicker and easier to manage this from the
+code that triggers the livefs builds.
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eux
+
+export MYPYPATH=live-build
+mypy live-build/isobuilder live-build/isobuild
+mypy live-build/gen-iso-ids
+
+black --check live-build/isobuilder live-build/isobuild live-build/gen-iso-ids
+
+python3 -m flake8 --max-line-length 88 --ignore E203 live-build/isobuilder live-build/isobuild live-build/gen-iso-ids
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,316 @@
+livecd-rootfs (26.04.28) resolute; urgency=medium
+
+  * Switch arm64 mirror from ports to archive. (LP: #2147101)
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Thu, 02 Apr 2026 18:34:10 +0530
+
+livecd-rootfs (26.04.27) resolute; urgency=medium
+
+  [ Michael Hudson-Doyle ]
+  * Only publish the ISOs, not the other bits, now that we are publishing the
+    ISOs on cdimage.
+  * Fix mini iso to not contain a pool or squashfs.
+
+  [ Ryan Hill ]
+  * add 7.0 kernel apparmor features preseeds
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 02 Apr 2026 15:59:29 +1300
+
+livecd-rootfs (26.04.26) resolute; urgency=medium
+
+  * Ensure snapd tracks stable and not edge anymore.
+    We did remove it from multiple places, but this one was left and as a
+    consequence, the latest iso was still having snapd edge.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 27 Mar 2026 15:31:21 +0100
+
+livecd-rootfs (26.04.25) resolute; urgency=medium
+
+  * bake LIVECD_ROOTFS_ROOT into config/functions, fixing some build failures
+    (for at least ubuntu and some ubuntu-cpc configurations).
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Fri, 20 Mar 2026 06:47:44 +1300
+
+livecd-rootfs (26.04.24) resolute; urgency=medium
+
+  [ Allen Abraham ]
+  * Added a hook to produce a working minimal Ubuntu image using imagecraft
+
+  [ Michael Hudson-Doyle ]
+  * Various quality of life improvements for hacking on livecd-rootfs:
+    - Add a "ubuntu-test-iso" project that builds a not very useful ISO in 2-5 minutes.
+    - Add a build-livefs script that takes care of copying the auto scripts and
+      invoking lb clean/config/build with the right environment.
+    - Add a build-livefs-lxd script to run the above script in a lxd vm.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 16 Mar 2026 11:05:13 +1300
+
+livecd-rootfs (26.04.23) resolute; urgency=medium
+
+  [ Tobias Heider ]
+  * Fix ISO builds when KERNEL_FLAVOUR != generic.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 02 Mar 2026 10:51:47 +1300
+
+livecd-rootfs (26.04.22) resolute; urgency=medium
+
+  [ Oliver Gayot ]
+  * Pull the model from Launchpad's lp:canonical-models
+    repo, instead of having it uploaded as part of livecd-rootfs. This
+    indirection makes it possible to update the models without requiring a new
+    upload of livecd-rootfs every time.
+
+  [ Michael Hudson-Doyle ]
+  * Fix two more problems with livefs-built ISOs:
+    - Generate the for-iso squashfs in the right place for Kubuntu.
+    - Fix confusion about the kernel path on the ISO on riscv64.
+
+  [ Tobias Heider ]
+  * Fix pool generation when using extra_ppas.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 26 Feb 2026 10:56:42 +1300
+
+livecd-rootfs (26.04.21) resolute; urgency=medium
+
+  [ Dan Bungert ]
+  * Update new signed models to ship latest nvidia drivers for ubuntu hybrid.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Wed, 25 Feb 2026 08:38:32 +0100
+
+livecd-rootfs (26.04.20) resolute; urgency=medium
+
+  [ Michael Raymond ]
+  * Bug-fix: Only use main archive keyring when building with debootstrap
+    so EOL release signatures can be verified after EOL.
+
+  [ Allen Abraham ]
+  * Make SBOM generation optional in create_manifest function.
+
+  [ Michael Hudson-Doyle ]
+  * 030-ubuntu-live-system-seed.binary: do not run if there is no layer to
+    install the system, in particular on arm64.
+  * Fix some path confusion in the new isobuilder.boot package and refactor
+    grub config generation to be more string based.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Fri, 20 Feb 2026 12:45:41 +1300
+
+livecd-rootfs (26.04.19) resolute; urgency=medium
+
+  * Translate the debian-cd tools/boot/$series/boot-$arch scripts to Python
+    and use that to make ISOs bootable rather than cloning debian-cd.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 17 Feb 2026 11:16:43 +1300
+
+livecd-rootfs (26.04.18) resolute; urgency=medium
+
+  [ Michael Hudson-Doyle ]
+  * document ARCH_VARIANT and BUILD_TYPE in README.parameters
+  * isobuilder: pass ignore_dangling_symlinks=True when copying apt config
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Mon, 16 Feb 2026 16:14:03 +0530
+
+livecd-rootfs (26.04.17) resolute; urgency=medium
+
+  * desktop: build the stable ISO using the stable model - essentially
+    reverting all the hacks.
+  * desktop: update the stable model to the latest. It has:
+    - components defined for the 6.19 kernel (nvidia 580 series)
+    - no core26: for TPM/FDE recovery testing, please install the core26 snap
+      from edge.
+
+ -- Olivier Gayot <olivier.gayot@canonical.com>  Thu, 12 Feb 2026 10:25:15 +0100
+
+livecd-rootfs (26.04.16) resolute; urgency=medium
+
+  * Rename ISO_STATUS to BUILD_TYPE for image builds.
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Thu, 12 Feb 2026 01:41:11 +0530
+
+livecd-rootfs (26.04.15) resolute; urgency=medium
+
+  [ Matthew Hagemann ]
+  * desktop: delay display manager starting until snapd seeding completes
+
+  [ Michael Hudson-Doyle ]
+  * Make an ISO in the livefs build when building an installer.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 11 Feb 2026 10:04:37 +1300
+
+livecd-rootfs (26.04.14) resolute; urgency=medium
+
+  [ Olivier Gayot ]
+  * desktop: build stable image with snapd from beta. Snapd 2.74 has just been
+    uploaded to beta. Let's stop using the version declared in the dangerous model.
+
+  [ Didier Roche-Tolomelli ]
+  * desktop: add (commented out) config to force reexecution of snapd snap version
+
+ -- Olivier Gayot <olivier.gayot@canonical.com>  Thu, 22 Jan 2026 10:13:36 +0100
+
+livecd-rootfs (26.04.13) resolute; urgency=medium
+
+  * Bootstrap and install variant packages if ARCH_VARIANT is set.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 06 Jan 2026 22:03:15 +1300
+
+livecd-rootfs (26.04.12) resolute; urgency=medium
+
+  * desktop: add variables pointing to the different models (stable & dangerous).
+  * desktop: fix snap components taken from original model when overriding a
+    snap with another model.
+    - if we decide to override the definition of a snap (i.e., by taking in
+      from a different model), we also need to override the definition of its
+      components.
+  * desktop: refactor how we filter the snaps when overriding
+  * desktop: update the dangerous model so that it includes core26 and the 6.17
+    kernel and components.
+
+ -- Olivier Gayot <olivier.gayot@canonical.com>  Tue, 16 Dec 2025 14:54:17 +0100
+
+livecd-rootfs (26.04.11) resolute; urgency=medium
+
+  [ Valentin Haudiquet ]
+  * refactor: added a function to generate grub config for netboot
+  * riscv/server: add grub efi bootloader in netboot tarballs
+
+  [ Olivier Gayot ]
+  * desktop: build with optional components included
+  * desktop: don't build the stable image with pc-kernel from 26.04/beta
+    - This was needed before because there was pc-kernel in 26.04/stable but
+      now there is one and it matches the components definition from the model.
+
+ -- Valentin Haudiquet <valentin.haudiquet@canonical.com>  Thu, 11 Dec 2025 09:28:37 +0100
+
+livecd-rootfs (26.04.10) resolute; urgency=medium
+
+  [ Olivier Gayot ]
+  * desktop: fix a comment typo
+
+  [ Michael Hudson-Doyle ]
+  * Build Ubuntu Server images with the 'restricted' component enabled.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 09 Dec 2025 21:07:54 +1300
+
+livecd-rootfs (26.04.9) resolute; urgency=medium
+
+  * desktop: Add mesa to the hybrid model required by core24 apps.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Wed, 26 Nov 2025 08:51:24 +0100
+
+livecd-rootfs (26.04.8) resolute; urgency=medium
+
+  * desktop: update TPM/FDE ubuntu model to use a GNOME platform snap
+    compatible with core24.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 25 Nov 2025 11:38:59 +0100
+
+livecd-rootfs (26.04.7) resolute; urgency=medium
+
+  * desktop: build both ISOs with snapd, firmware-updater and
+    desktop-security-center from edge for TPM/FDE.
+
+ -- Olivier Gayot <olivier.gayot@canonical.com>  Wed, 19 Nov 2025 10:41:17 +0100
+
+livecd-rootfs (26.04.6) resolute; urgency=medium
+
+  * desktop: build classic ISO with "grade: dangerous" and pull pc-kernel from
+    edge to workaround unavailability of pc-kernel in the stable 26.04 channel.
+  * desktop: refresh models to 26.04
+
+ -- Olivier Gayot <olivier.gayot@canonical.com>  Tue, 18 Nov 2025 17:01:47 +0100
+
+livecd-rootfs (26.04.5) resolute; urgency=medium
+
+  [ Dan Bungert ]
+  * desktop: fix build error when SUBPROJECT is unset
+
+ -- Sebastien Bacher <seb128@ubuntu.com>  Mon, 17 Nov 2025 12:05:26 +0100
+
+livecd-rootfs (26.04.4) resolute; urgency=medium
+
+  * desktop: update dangerous model for 26.04
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 31 Oct 2025 11:13:53 +0100
+
+livecd-rootfs (26.04.3) resolute; urgency=medium
+
+  * desktop: use dangerous model for TPMFDE bits until snaps are available on
+    stable channels.
+  * desktop: use snapd from edge.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Wed, 29 Oct 2025 10:58:00 +0100
+
+livecd-rootfs (26.04.2) resolute; urgency=medium
+
+  [ Gauthier Jolly ]
+  * ubuntu-cpc:
+    - Use the right specific UUID type for the root filesystem partition.
+    - Set a PARTLABEL (cloudimg-rootfs) on the root filesystem partition.
+
+ -- Gauthier Jolly <gauthier.jolly@canonical.com>  Thu, 23 Oct 2025 12:50:07 +1300
+
+livecd-rootfs (26.04.1) resolute; urgency=medium
+
+  [ Heinrich Schuchardt ]
+  * Remove unused riscv64 SUBARCHs
+
+  [ Chad Smith ]
+  * Refresh cloud-init service override for updated service netcat invocation
+    to cloud-init 25.3. (LP: #2128887)
+
+ -- Chad Smith <chad.smith@canonical.com>  Mon, 20 Oct 2025 16:32:36 -0600
+
+livecd-rootfs (25.10.24) questing; urgency=medium
+
+  [ Chad Smith ]
+  * Limit permissions for /etc/netplan/01-network-manager.yaml to
+    root read-write. (LP: #2119020)
+
+  [ Chloé 'kajiya' Smith ]
+  * Increase CPC disk-image base imagesize to 2.5GB
+    * In the ubuntu-cpc disk-image binary we need to avail of the ever increasing size
+      of packages. 2.2GB is now just a bit too small leading to `No space
+      left on device` errors when the binary hits `grub-install`. This change
+      increases $imagesize to 2.5GB (in the binary as an override, initially
+      implemented in ecaaf0484 by dlalaj). Also now run `df` just after the
+      grub-pc && grub2-common installs to make for easier debugging in the future.
+      (LP: #2115811)
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 19 Sep 2025 13:47:20 -0600
+
+livecd-rootfs (25.10.23) questing; urgency=medium
+
+  * Add 6.17 kernel apparmor features' preseeds.
+
+ -- Thomas Bechtold <thomasbechtold@jpberlin.de>  Thu, 18 Sep 2025 13:29:42 +0200
+
+livecd-rootfs (25.10.22) questing; urgency=medium
+
+  * Disable apparmor_restrict_unprivileged_userns in the live layers.
+    (LP: #2122675)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 16 Sep 2025 08:51:02 +1200
+
+livecd-rootfs (25.10.21) questing; urgency=medium
+
+  * Fix daily-dangerous builds:
+    - Copy hooks.
+    - Mangle the channel of seeded snaps to use the edge risk of whichever
+      track they are taken from.
+    - Update the dangerous model to reference tracks that actually exist.
+    - Include providers of content plugs when seeding snaps and creating
+      TPMFDE system.
+    - Do not attempt to build an UEFI boot image or hyperv desktop image for
+      this project/subproject combination.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 15 Sep 2025 12:16:08 +1200
+
+livecd-rootfs (25.10.20) questing; urgency=medium
+
+  * edubuntu: use dracut
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Wed, 10 Sep 2025 17:15:45 -0600
+
 livecd-rootfs (25.10.19) questing; urgency=medium

  * Increase default image size for buildd.
--- a/debian/control
+++ b/debian/control
@ -25,6 +25,7 @@ Depends: ${misc:Depends},
         git,
         gnupg,
         grep-dctrl,
+         jq,
         kpartx,
         live-build (>= 3.0~a57-1ubuntu31~),
         lsb-release,
@ -36,6 +37,7 @@ Depends: ${misc:Depends},
         procps,
         python3,
         python3-apt,
+         python3-click,
         python3-launchpadlib [!i386],
         python3-yaml,
         qemu-utils [!i386],
--- a/debian/livecd-rootfs.links
+++ b/debian/livecd-rootfs.links
@ -0,0 +1 @@
+usr/share/livecd-rootfs/live-build/build-livefs usr/bin/build-livefs
--- a/live-build/apparmor/6.17/capability
+++ b/live-build/apparmor/6.17/capability
@ -0,0 +1 @@
+0xffffff
--- a/live-build/apparmor/6.17/caps/extended
+++ b/live-build/apparmor/6.17/caps/extended
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/caps/mask
+++ b/live-build/apparmor/6.17/caps/mask
@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
--- a/live-build/apparmor/6.17/dbus/mask
+++ b/live-build/apparmor/6.17/dbus/mask
@ -0,0 +1 @@
+acquire send receive
--- a/live-build/apparmor/6.17/domain/attach_conditions/xattr
+++ b/live-build/apparmor/6.17/domain/attach_conditions/xattr
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/change_hat
+++ b/live-build/apparmor/6.17/domain/change_hat
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/change_hatv
+++ b/live-build/apparmor/6.17/domain/change_hatv
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/change_onexec
+++ b/live-build/apparmor/6.17/domain/change_onexec
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/change_profile
+++ b/live-build/apparmor/6.17/domain/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/computed_longest_left
+++ b/live-build/apparmor/6.17/domain/computed_longest_left
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/disconnected.ipc
+++ b/live-build/apparmor/6.17/domain/disconnected.ipc
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/disconnected.path
+++ b/live-build/apparmor/6.17/domain/disconnected.path
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/fix_binfmt_elf_mmap
+++ b/live-build/apparmor/6.17/domain/fix_binfmt_elf_mmap
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/interruptible
+++ b/live-build/apparmor/6.17/domain/interruptible
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/kill.signal
+++ b/live-build/apparmor/6.17/domain/kill.signal
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/post_nnp_subset
+++ b/live-build/apparmor/6.17/domain/post_nnp_subset
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/stack
+++ b/live-build/apparmor/6.17/domain/stack
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/unconfined_allowed_children
+++ b/live-build/apparmor/6.17/domain/unconfined_allowed_children
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/domain/version
+++ b/live-build/apparmor/6.17/domain/version
@ -0,0 +1 @@
+1.2
--- a/live-build/apparmor/6.17/file/mask
+++ b/live-build/apparmor/6.17/file/mask
@ -0,0 +1 @@
+create read write exec append mmap_exec link lock
--- a/live-build/apparmor/6.17/io_uring/mask
+++ b/live-build/apparmor/6.17/io_uring/mask
@ -0,0 +1 @@
+sqpoll override_creds
--- a/live-build/apparmor/6.17/ipc/posix_mqueue
+++ b/live-build/apparmor/6.17/ipc/posix_mqueue
@ -0,0 +1 @@
+create read write open delete setattr getattr label
--- a/live-build/apparmor/6.17/mount/mask
+++ b/live-build/apparmor/6.17/mount/mask
@ -0,0 +1 @@
+mount umount pivot_root
--- a/live-build/apparmor/6.17/mount/move_mount
+++ b/live-build/apparmor/6.17/mount/move_mount
@ -0,0 +1 @@
+detached
--- a/live-build/apparmor/6.17/namespaces/mask
+++ b/live-build/apparmor/6.17/namespaces/mask
@ -0,0 +1 @@
+userns_create
--- a/live-build/apparmor/6.17/namespaces/pivot_root
+++ b/live-build/apparmor/6.17/namespaces/pivot_root
@ -0,0 +1 @@
+no
--- a/live-build/apparmor/6.17/namespaces/profile
+++ b/live-build/apparmor/6.17/namespaces/profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/namespaces/userns_create
+++ b/live-build/apparmor/6.17/namespaces/userns_create
@ -0,0 +1 @@
+pciu&
--- a/live-build/apparmor/6.17/network/af_mask
+++ b/live-build/apparmor/6.17/network/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/6.17/network/af_unix
+++ b/live-build/apparmor/6.17/network/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/network_v8/af_inet
+++ b/live-build/apparmor/6.17/network_v8/af_inet
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/network_v8/af_mask
+++ b/live-build/apparmor/6.17/network_v8/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/6.17/network_v9/af_mask
+++ b/live-build/apparmor/6.17/network_v9/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/6.17/network_v9/af_unix
+++ b/live-build/apparmor/6.17/network_v9/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/metadata_tagging_version
+++ b/live-build/apparmor/6.17/policy/metadata_tagging_version
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/6.17/policy/notify/user
+++ b/live-build/apparmor/6.17/policy/notify/user
@ -0,0 +1 @@
+file tags
--- a/live-build/apparmor/6.17/policy/notify_versions/v3
+++ b/live-build/apparmor/6.17/policy/notify_versions/v3
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/notify_versions/v5
+++ b/live-build/apparmor/6.17/policy/notify_versions/v5
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/outofband
+++ b/live-build/apparmor/6.17/policy/outofband
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/6.17/policy/permstable32
+++ b/live-build/apparmor/6.17/policy/permstable32
@ -0,0 +1 @@
+allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
--- a/live-build/apparmor/6.17/policy/permstable32_version
+++ b/live-build/apparmor/6.17/policy/permstable32_version
@ -0,0 +1 @@
+0x000003
--- a/live-build/apparmor/6.17/policy/set_load
+++ b/live-build/apparmor/6.17/policy/set_load
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/state32
+++ b/live-build/apparmor/6.17/policy/state32
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/6.17/policy/unconfined_restrictions/change_profile
+++ b/live-build/apparmor/6.17/policy/unconfined_restrictions/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/unconfined_restrictions/io_uring
+++ b/live-build/apparmor/6.17/policy/unconfined_restrictions/io_uring
@ -0,0 +1 @@
+1
--- a/live-build/apparmor/6.17/policy/unconfined_restrictions/userns
+++ b/live-build/apparmor/6.17/policy/unconfined_restrictions/userns
@ -0,0 +1 @@
+1
--- a/live-build/apparmor/6.17/policy/versions/v5
+++ b/live-build/apparmor/6.17/policy/versions/v5
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/versions/v6
+++ b/live-build/apparmor/6.17/policy/versions/v6
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/versions/v7
+++ b/live-build/apparmor/6.17/policy/versions/v7
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/versions/v8
+++ b/live-build/apparmor/6.17/policy/versions/v8
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/policy/versions/v9
+++ b/live-build/apparmor/6.17/policy/versions/v9
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/ptrace/mask
+++ b/live-build/apparmor/6.17/ptrace/mask
@ -0,0 +1 @@
+read trace
--- a/live-build/apparmor/6.17/query/label/data
+++ b/live-build/apparmor/6.17/query/label/data
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/query/label/multi_transaction
+++ b/live-build/apparmor/6.17/query/label/multi_transaction
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.17/query/label/perms
+++ b/live-build/apparmor/6.17/query/label/perms
@ -0,0 +1 @@
+allow deny audit quiet
--- a/live-build/apparmor/6.17/rlimit/mask
+++ b/live-build/apparmor/6.17/rlimit/mask
@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
--- a/live-build/apparmor/6.17/signal/mask
+++ b/live-build/apparmor/6.17/signal/mask
@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
--- a/live-build/apparmor/7.0/capability
+++ b/live-build/apparmor/7.0/capability
@ -0,0 +1 @@
+0xffffff
--- a/live-build/apparmor/7.0/caps/extended
+++ b/live-build/apparmor/7.0/caps/extended
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/caps/mask
+++ b/live-build/apparmor/7.0/caps/mask
@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
--- a/live-build/apparmor/7.0/dbus/mask
+++ b/live-build/apparmor/7.0/dbus/mask
@ -0,0 +1 @@
+acquire send receive
--- a/live-build/apparmor/7.0/domain/attach_conditions/xattr
+++ b/live-build/apparmor/7.0/domain/attach_conditions/xattr
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_hat
+++ b/live-build/apparmor/7.0/domain/change_hat
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_hatv
+++ b/live-build/apparmor/7.0/domain/change_hatv
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_onexec
+++ b/live-build/apparmor/7.0/domain/change_onexec
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_profile
+++ b/live-build/apparmor/7.0/domain/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/computed_longest_left
+++ b/live-build/apparmor/7.0/domain/computed_longest_left
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/disconnected.ipc
+++ b/live-build/apparmor/7.0/domain/disconnected.ipc
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/disconnected.path
+++ b/live-build/apparmor/7.0/domain/disconnected.path
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/fix_binfmt_elf_mmap
+++ b/live-build/apparmor/7.0/domain/fix_binfmt_elf_mmap
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/interruptible
+++ b/live-build/apparmor/7.0/domain/interruptible
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/kill.signal
+++ b/live-build/apparmor/7.0/domain/kill.signal
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/post_nnp_subset
+++ b/live-build/apparmor/7.0/domain/post_nnp_subset
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/stack
+++ b/live-build/apparmor/7.0/domain/stack
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/unconfined_allowed_children
+++ b/live-build/apparmor/7.0/domain/unconfined_allowed_children
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/version
+++ b/live-build/apparmor/7.0/domain/version
@ -0,0 +1 @@
+1.2
--- a/live-build/apparmor/7.0/file/mask
+++ b/live-build/apparmor/7.0/file/mask
@ -0,0 +1 @@
+create read write exec append mmap_exec link lock
--- a/live-build/apparmor/7.0/io_uring/mask
+++ b/live-build/apparmor/7.0/io_uring/mask
@ -0,0 +1 @@
+sqpoll override_creds
--- a/live-build/apparmor/7.0/ipc/posix_mqueue
+++ b/live-build/apparmor/7.0/ipc/posix_mqueue
@ -0,0 +1 @@
+create read write open delete setattr getattr label
--- a/live-build/apparmor/7.0/mount/mask
+++ b/live-build/apparmor/7.0/mount/mask
@ -0,0 +1 @@
+mount umount pivot_root
--- a/live-build/apparmor/7.0/mount/move_mount
+++ b/live-build/apparmor/7.0/mount/move_mount
@ -0,0 +1 @@
+detached
--- a/live-build/apparmor/7.0/namespaces/mask
+++ b/live-build/apparmor/7.0/namespaces/mask
@ -0,0 +1 @@
+userns_create
--- a/live-build/apparmor/7.0/namespaces/pivot_root
+++ b/live-build/apparmor/7.0/namespaces/pivot_root
@ -0,0 +1 @@
+no
--- a/live-build/apparmor/7.0/namespaces/profile
+++ b/live-build/apparmor/7.0/namespaces/profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/namespaces/userns_create
+++ b/live-build/apparmor/7.0/namespaces/userns_create
@ -0,0 +1 @@
+pciu&
--- a/live-build/apparmor/7.0/network/af_mask
+++ b/live-build/apparmor/7.0/network/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network/af_unix
+++ b/live-build/apparmor/7.0/network/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/network_v8/af_inet
+++ b/live-build/apparmor/7.0/network_v8/af_inet
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/network_v8/af_mask
+++ b/live-build/apparmor/7.0/network_v8/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network_v9/af_mask
+++ b/live-build/apparmor/7.0/network_v9/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network_v9/af_unix
+++ b/live-build/apparmor/7.0/network_v9/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/metadata_tagging_version
+++ b/live-build/apparmor/7.0/policy/metadata_tagging_version
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/7.0/policy/notify/user
+++ b/live-build/apparmor/7.0/policy/notify/user
@ -0,0 +1 @@
+file tags
--- a/live-build/apparmor/7.0/policy/notify_versions/v3
+++ b/live-build/apparmor/7.0/policy/notify_versions/v3
@ -0,0 +1 @@
+yes
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`usr/share/livecd-rootfs/live-build/build-livefs usr/bin/build-livefs`
				`@ -0,0 +1 @@`
				`chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore`
				`@ -0,0 +1 @@`
				`create read write exec append mmap_exec link lock`
				`@ -0,0 +1 @@`
				`create read write open delete setattr getattr label`
				`@ -0,0 +1 @@`
				`unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp`
				`@ -0,0 +1 @@`
				`allow deny subtree cond kill complain prompt audit quiet hide xindex tag label`
				`@ -0,0 +1 @@`
				`cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime`
				`@ -0,0 +1 @@`
				`hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost`