v4.8.2 - Mitigate rpm-ostree regression

Reminder: releases are symbolic. Builds are created and published immediately after new commits are merged.

There is a critical rpm-ostree regression in version 2026.1 causing upgrade failures. To confirm whether you are on the impacted version, check rpm-ostree --version. If the version shows 2026.1, follow these mitigation steps verbatim, allowing you to bypass the regression and resume upgrades to the latest tag, wherein the issue has already been mitigated by pinning the previous rpm-ostree version:

$ run0
# rpm-ostree usroverlay
# dnf5 install -y --from-repo=updates-archive rpm-ostree-2025.12-1.fc43
# ujust update-system
# systemctl reboot

We will be working with upstream to help close the gap in continuous integration coverage that allowed this regression to ship.

What's Changed

• chore: add new mirrors by @RoyalOughtness in #1919
• fix: swap discover icon for Bazaar by @RoyalOughtness in #1916
• fix: add workaround for QEMU user session bug by @HastD in #1918
• fix: syntax error in ujust install-vpn by @HastD in #1922
• chore(deps): bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 by @dependabot[bot] in #1925
• fix: pin trivalent to 144.0.7559.132 temporarily by @RoyalOughtness in #1931
• fix: don't clear the layer plan if no existing plan can be found by @RoyalOughtness in #1934
• chore: revert pinning Trivalent to version 144 by @HastD in #1936
• fix(nvidia-open): temporarily pin nvidia kmod release by @RoyalOughtness in #1938
• chore(deps): update BlueBuild modules by @github-actions[bot] in #1902
• fix: set LANG to ensure msginit works properly in update_po.py by @HastD in #1924
• fix: use tmpfiles.d to set default config in home dirs by @HastD in #1926
• chore: revert nvidia-open pinning by @RoyalOughtness in #1939
• fix: SELinux contexts for /var/lib/libvirt and /var/log/libvirt by @HastD in #1933
• chore: add com.jiosphere.JioSphere to Bazaar blocklist by @HastD in #1941
• chore(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 by @dependabot[bot] in #1944
• feat: disable automatic systemd SSH vsock creation by @HastD in #1946
• chore(deps): bump bats-core/bats-action from 3.0.1 to 4.0.0 by @dependabot[bot] in #1948
• feat: add trivalent and kernel updates to security update notification by @RoyalOughtness in #1943
• fix(build): remove icon swap script that applies to file that no long… by @RoyalOughtness in #1952
• chore: add missing mirrors by @RoyalOughtness in #1957
• chore(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @dependabot[bot] in #1962
• chore: add additional mirror and sort mirrors by @RoyalOughtness in #1958
• fix(iot): multiple dns issues by @RoyalOughtness in #1964
• fix: swap Discover icon for Bazaar in Plasma 6.6 by @HastD in #1961
• fix: add missing quotes to chrony OPTIONS variable by @pxlkng in #1966
• feat(audit): check if Homebrew automatic updates are enabled by @HastD in #1945
• fix: make libvirt daemons toggle self-documenting by @HastD in #1959
• fix: enable securebluecleanup on all images by @pxlkng in #1969
• fix: install_dangerzone.py warning should refer to correct ptrace permission by @jherzstein in #1965
• fix: secureblue-unbound-key systemd unit by @pxlkng in #1967
• chore(deps): update BlueBuild modules by @github-actions[bot] in #1971
• chore: move brew update/upgrade timers to user presets by @HastD in #1968
• feat: add ujust toggle for dhcp hostname sending by @Felakgundu in #1937
• chore: bump bluebuild to 0.9.32 by @RoyalOughtness in #1956
• chore: add Mypy workflow, fix type issues by @HastD in #1974
• refactor: use --short for mokutil; clean up + test MOTD script by @HastD in #1914
• chore: eliminate dependence of initramfs on build date by @HastD in #1923
• fix(po): set all necessary locale env vars for msginit by @HastD in #1947
• feat: set older Electron flatpaks to use Wayland by default by @HastD in #1960
• fix: typo in initramfs script by @HastD in #1979
• chore(deps): bump github/codeql-action from 4.31.10 to 4.32.4 by @dependabot[bot] in #1982
• fix(selinux): respect deny_ptrace in Trivalent policy by @HastD in #1983
• fix(selinux): allow only specified domains to create userns by @HastD in #1985
• fix(cosmic): replace firefox shortcut with trivalent by @underscorejoser in #1988
• chore: update ujust set-brew to use tmpfiles.d config by @HastD in #1930
• feat: add provenance verification to the rebase script by @RoyalOughtness in #1995
• chore: remove unnecessary font setting by @underscorejoser in #1991
• feat(config): Disable Xwayland eavesdropping in KWin by default by @RoyalOughtness in #1996
• fix: disable KSplash properly using KDE Kiosk by @HastD in #1997
• fix(cosmic): remove cosmic-store and replace shortcut with bazaar by @underscorejoser in #1992
• fix: toggle-anticheat-support dangerzone warning by @jherzstein in #1973
• chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #2002
• fix: workaround for the flatpak-system-update service bug by @Exponent64 in #2003
• chore: remove old check that's no longer necessary by @RoyalOughtness in #2004
• ci: allow manually clearing layer plan by @HastD in #2006
• refactor: remove unused assignments from install script by @spaceoden in #2010
• chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #2016
• fix: set default pinned apps in Plasma task manager by @HastD in #2005
• fix: create libvirt directories if they don't exist by @HastD in #1986
• fix(rpm-ostree): pin rpm-ostree to 2025.12-1 by @RoyalOughtness in #2021

New Contributors

• @jherzstein made their first contribution in #1965
• @Felakgundu made their first contribution in #1937
• @underscorejoser made their first contribution in #1988
• @Exponent64 made their first contribution in #2003

Full Changelog: v4.8.1...v4.8.2

v4.8.1 - Switch to Bazaar App Store

All app stores (Gnome Software, Discover, Cosmic Stores) have been removed and replaced with Bazaar. Corresponding firmware update notifications provided by those stores have been replaced with systemd timers. In addition to being Flatpak-first, Bazaar doesn't suffer from a number of issues that have plagued other app stores, causing a confusing and messy user experience. Bazaar allows us to streamline the Flatpak management experience. Many thanks to @kolumni for the awesome work on Bazaar.

What's Changed

• fix: disable fedora flatpak via systemctl command as well by @Tiagoquix in #1839
• fix: move image info to final-modules by @RoyalOughtness in #1827
• fix: nautilus policy for thumbnailing by @RoyalOughtness in #1845
• perf: stop disabling TCP SACK on desktop images by @HastD in #1852
• chore: remove authselect check from audit script by @HastD in #1851
• fix: text in ujust set-container-userns by @HastD in #1841
• chore: clear dnf transaction history from build by @HastD in #1856
• chore: migrate to combined copr by @RoyalOughtness in #1855
• chore(deps): bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 by @dependabot[bot] in #1857
• chore(i18n): update PO files by @github-actions[bot] in #1854
• ci: use ubuntu-slim runner for lightweight jobs by @HastD in #1858
• feat: Remove XWayland requirement for mullvad by @friskyungulate in #1859
• feat: disable geoclue demo agent autostart by @Tiagoquix in #1863
• fix: unbreak + add images + improvements for provenance.yml by @HastD in #1868
• chore(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 by @dependabot[bot] in #1871
• fix: update dangerzone repo by @HastD in #1877
• chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @dependabot[bot] in #1878
• chore: recommend flatpak for Steam installation by @RoyalOughtness in #1883
• fix: bug where ujust update-system keeps running until the notification clears by @RoyalOughtness in #1886
• fix: remove unneeded reboot from luks-enable-tpm2-autounlock.sh by @spaceoden in #1888
• fix: copy/pasting between trivalent and distroboxed apps by @RoyalOughtness in #1895
• fix: allow fs_remount_tmpfs to enable trivalent printing functionality by @RoyalOughtness in #1894
• feat: special-case kernel.printk in sysctl audit by @HastD in #1890
• fix: make dependency installation work with ubuntu-slim by @HastD in #1900
• chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @dependabot[bot] in #1901
• fix: revert Xwayland requirement removal for mullvad by @RoyalOughtness in #1906
• fix: adjust install-vpn messages for clarity and default no to gui by @spaceoden in #1908
• feat: add Bazaar app store by @alexvojproc in #1898

Full Changelog: v4.8...v4.8.1

v4.8 - Provenance, egress blocking, virtualization, and rechunking

Provenance

Image upgrades now include automatic SLSA provenance verification. Provenance verification can also be done when manually upgrading, using ujust update-system. This verification complements image signing by cryptographically verifying that the image was built on a valid GitHub runner from a commit in the live branch of the secureblue repo. An image built outside of a valid GitHub runner and/or from an invalid commit will be rejected by provenance verification, even if signed with a valid private key.

Egress blocking

Build egress traffic is now secured via StepSecurity's harden-runner. This enables us to specify which domains the build is allowed to make requests to, and block all other requests. This improves supply chain security by preventing exfiltration of secrets, preventing source code tampering, and ensuring content ingested by the build doesn't come from anomalous sources.

Virtualization

virt-manager and corresponding packages are now preinstalled. This allows us to strip those packages of SUID-root binaries after installing them into the image, which is only practical at build time. Given the prevalence of virtualization in security use cases, ensuring that it can be used without SUID-root binaries is important. Note that none of the corresponding virtualization services are enabled by default, in an effort to not increase attack surface for users who aren't using virtualization. To enable virtualization services, run ujust set-libvirt-daemons.

Rechunking

Images are now rechunked with BlueBuild's build-chunked-oci function. This moderately decreases image sizes and significantly decreases update sizes. Further efforts are in progress to decrease update sizes even further.

What's Changed

• chore: prepare iso.yml for new ISOs by @RoyalOughtness in #1573
• chore(deps): bump secureblue/bootc-integration-test-action from 0.0.8 to 0.0.9 by @dependabot[bot] in #1571
• chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 by @dependabot[bot] in #1504
• chore(deps): bump umbrelladocs/action-linkspector from 1.3.7 to 1.4.0 by @dependabot[bot] in #1513
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #1570
• chore: move modprobe.d blacklists from /etc/ to /usr/lib/ by @alexvojproc in #1489
• fix: set [no-cd] for ujust with-standard-malloc by @HastD in #1506
• chore(i18n): update PO files by @github-actions[bot] in #1497
• chore: don't run build-all for actions-generated branches by @RoyalOughtness in #1574
• fix: modprobe override handling + audit by @HastD in #1577
• ci: print image URL in verify-provenance workflow by @HastD in #1512
• fix: target branch for zizmor pushes by @RoyalOughtness in #1521
• feat: add interactive mode to set-bluetooth-modules by @alexvojproc in #1491
• feat(supplychain): add provenance verification when installing trivalent by @RoyalOughtness in #1487
• chore(deps): bump github/codeql-action from 4.30.8 to 4.31.2 by @dependabot[bot] in #1582
• feat: mask uresourced for the user by @RoyalOughtness in #1522
• fix: suppress spammy AVC denials from Trivalent reading /proc by @HastD in #1526
• fix: detect non-system users by presence of /var/home/$USER by @HastD in #1580
• chore: Include pipewire-libs-extra now that pipewire-1.4.9-1 is shipping. by @ZekeZDev in #1581
• chore: fix various zizmor findings by @RoyalOughtness in #1584
• feat: Port kargs hardening scripts to Python by @HastD in #1509
• fix(selinux): use domain interface for trivalent dontaudit by @HastD in #1591
• fix: prompt utils formatting by @HastD in #1592
• feat(supplychain): directly install brew by @RoyalOughtness in #1590
• feat: add two more kernel arguments by @HastD in #1587
• chore: add an additional concurrency group by @RoyalOughtness in #1588
• fix: list concatenation in remove_kargs_hardening by @RoyalOughtness in #1595
• chore: move provenance verification an hour later for consistency by @RoyalOughtness in #1597
• feat(audit): check user group memberships by @HastD in #1596
• feat(selinux): make Trivalent policy role-agnostic by @HastD in #1593
• chore(i18n): update PO files by @github-actions[bot] in #1594
• chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by @dependabot[bot] in #1602
• fix(integtests): update expected audit results by @RoyalOughtness in #1612
• feat: rewrite ujust harden-flatpak in Python by @HastD in #1599
• feat: add steam-devices udev rules by @RoyalOughtness in #1614
• fix: pass args to ujust harden-flatpak by @HastD in #1616
• feat: python based create-admin script by @ShadowSlayer1441 in #1603
• feat: add two kernel hardening parameters by @raja-grewal in #1615
• fix: create admin filename by @RoyalOughtness in #1620
• chore: opt out of installing cosign to images by @HastD in #1605
• feat: add unauthenticated NIST time server as a fallback by @RoyalOughtness in #1624
• feat: add bluebuild deps to container policy by @RoyalOughtness in #938
• chore(i18n): update PO files by @github-actions[bot] in #1613
• chore: remove unused/redundant server scripts by @HastD in #1622
• feat: add aarch64 images (beta) by @RoyalOughtness in #1589
• fix: make ujust harden-flatpak work on aarch64 by @HastD in #1629
• chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @dependabot[bot] in #1630
• fix: invoke installrar.sh by @RoyalOughtness in #1633
• ci: update BlueBuild, use BlueBuild action for PR builds by @HastD in #1632
• feat: add ujust for enabling/disabling brew by @RoyalOughtness in #1609
• fix: generate correct provenance on non-default branches by @HastD in #1637
• feat: pin bluebuild modules to sha256 by @RoyalOughtness in #1642
• fix: run setchronysysconfig.sh by @RoyalOughtness in #1640
• fix: make curl usage more robust by @HastD in #1638
• fix: use signed toolbox source by @RoyalOughtness in #1639
• fix: remove invalid os module option by @RoyalOughtness in #1641
• fix: let pr_builds read package manifests by @RoyalOughtness in #1643
• build: rechunk main images by @HastD in #1648
• chore(deps): bump zizmorcore/zizmor-action from 0.2.0 to 0.3.0 by @dependabot[bot] in #1650
• chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 by @dependabot[bot] in #1651
• chore(deps): bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 by @dependabot[bot] in #1653
• chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #1652
• fix: improve recipe parsing in build workflows by @HastD in #1654
• fix: unbreak thunar thumbnailing by @RoyalOughtness in #1655
• fix: force install 7zip by @RoyalOughtness in #1656
• fix: allow loading intel modules required for low power sleep by @RoyalOughtness in https://github.com/se...

What's Changed

• chore(po): update PO files to reflect changes to audit script by @HastD in #1320
• chore(audit): add Bazaar to "expected arbitrary permissions" list by @HastD in #1290
• feat: don't install Noto fonts by default by @HastD in #1322
• feat: toggle-bluetooth rewrite in python with systemd run0 sandboxing by @ShadowSlayer1441 in #1215
• build: opt out of Nushell in BlueBuild by @HastD in #1323
• chore(deps): bump github/codeql-action from 3.30.1 to 3.30.2 by @dependabot[bot] in #1326
• ci: optimize build times by @HastD in #1325
• build: improved zfs efficiency by @RoyalOughtness in #1327
• build: use more descriptive names by @RoyalOughtness in #1328
• fix: install Noto fonts by default again by @alexvojproc in #1329
• chore(deps): bump github/codeql-action from 3.30.2 to 3.30.3 by @dependabot[bot] in #1330
• fix: remove unnecessary cap from bluetooth script by @HastD in #1332
• fix: JUST_CHOOSER should preview commands by @RoyalOughtness in #1334
• chore(deps): bump zizmorcore/zizmor-action from 0.1.2 to 0.2.0 by @dependabot[bot] in #1337
• fix: remove securecoreremovemigrationmotd.sh by @HastD in #1339
• fix: allow accountsd to access systemsettings tmp files by @RoyalOughtness in #1336
• chore: make SELinux module installation more efficient by @HastD in #1340
• build: [StepSecurity] Add egress auditing as a supply chain security measure by @step-security-bot in #1341
• docs: add OpenSSF Best Practices badge by @RoyalOughtness in #1342
• docs: add openssf scorecard badge by @RoyalOughtness in #1343
• chore: add reboot notice to toggle-anticheat-support by @Anbiona in #1348
• docs: fit badges on one line by @RoyalOughtness in #1344
• build: set dracut log levels for efficiency by @HastD in #1349
• chore: add back fzf by @RoyalOughtness in #1345
• build: replace disk space action by @RoyalOughtness in #1347
• build: replace cosign action with official installer by @RoyalOughtness in #1346
• chore: Remove regenerate-grub from utilities.just by @lacklustrelife in #1350
• fix: move https mirrors early in the build by @RoyalOughtness in #1351
• chore: drop approvals action in favor of strict branch policies by @RoyalOughtness in #1352
• fix: unbreak local initramfs regeneration by @HastD in #1354
• fix: Update hardenlogindefs.patch yescrypt factor by @ShadowSlayer1441 in #1360
• chore(deps): bump actions/checkout from 4.3.0 to 5.0.0 by @dependabot[bot] in #1358
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @dependabot[bot] in #1357
• chore(cicd): add back unprivileged approvals action by @RoyalOughtness in #1363
• fix(trivalent): allow reading memory pressure by @WavyEbuilder in #1361
• fix(trivalent): allow talking to bluetooth daemon over dbus by @WavyEbuilder in #1362
• feat: switch DNS resolver to Unbound from systemd-resolved by @alexvojproc in #1365
• chore: use hashes for pip deps for scorecard by @RoyalOughtness in #1353
• fix(securedns): restore root.key if missing by @alexvojproc in #1371
• feat(securedns): add NetworkManager dispatcher (#1370) by @alexvojproc in #1374
• feat(audit): test for more flatpak sandbox escape bus names by @HastD in #1375
• feat(supplychain): add SLSA provenance generation by @RoyalOughtness in #1366
• build(slsa): remove unused tag conditional by @RoyalOughtness in #1377
• fix(slsa): set provenance registry by @RoyalOughtness in #1379
• fix(audit): unformatted placeholder in environment audit by @alexvojproc in #1376
• feat: add Spanish translation for the audit script by @Cup-png in #1338
• chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @dependabot[bot] in #1389
• feat(securedns): add systemd-resolved support to dns-selector by @alexvojproc in #1391
• fix(ujust): bug in IVPN installation script by @HastD in #1392
• feat: add reboot confirmation for ujust bios by @mathbreed in #1386
• feat: show INFO in audit script if secure boot is not supported by @ssdrive-flaktra in #1384
• feat(justfile): add ujust script to add an admin user by @ssdrive-flaktra in #1397
• feat: add an option to exit the dns-selector script by @ssdrive-flaktra in #1400
• chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5 by @dependabot[bot] in #1403
• test: update expected results of audit script by @HastD in #1401
• chore: bump bluebuild cli by @RoyalOughtness in #1413
• chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @dependabot[bot] in #1412
• chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #1408
• feat: Set vdso32=0 boot parameter by @raja-grewal in #1407
• feat: add ujust completions for fish by @HastD in #1402
• feat(cicd): add provenance verification test by @RoyalOughtness in #1395
• chore(po): add update_po.py script to update PO/POT files by @HastD in #1396
• feat: Add network related sysctl settings by @raja-grewal in #1406
• chore(cicd): add approver alexvojproc by @alexvojproc in #1420
• feat: enable IPv6 privacy extensions in NetworkManager conf by @HastD in #1415
• feat: set title for flatpak-verified by @spaceoden in #1426
• feat: add retries for update services by @RoyalOughtness in #1421
• fix(securedns): restrict dns-selector menu for unknown DNS by @alexvojproc in #1424
• fix(securedns): clearly inform user when VPN DNS is in use by @alexvojproc in #1423
• feat: add support for multiple paths to label-external-drives ujust by @pxlkng in #1410
• feat: use textarea for issue templates by @Commenter25 in #1428
• feat(supplychain): verify SLSA during builds where the base image is … by @RoyalOughtness in #1434
• fix(build): reference ~/go/bin for provenance verification by @RoyalOughtness in #1435
• fix: use "all" instead of "*" for drop_gratuitous_arp sysctl by @HastD in #1432
• chore(deps): bump github/codeql-action from 3.30.6 to 4.30.7 by @dependabot[bot] in #1442
• feat: show desktop notification when an upgrade with SecAdvisories is applied by @mathbreed in #1373
• feat: notify users attempting to use sudo by @HastD in #1440
• feat: give steam flatpak basic perms on install by @Commenter25 in #1437
• ci: add workflow to create PR to update PO files weekly by @HastD in #1427
• feat: Set ssbd=force-on by @raja-grewal in #1443
• feat: Set kvm.mitigate_smt_rsb=1 by @raja-grewal in #1444
• chore(deps): bum...

What's Changed

• fix: add LD_PRELOAD=libhardened_malloc.so to /etc/profile.d by @HastD in #1168
• fix: missing timer preset by @RoyalOughtness in #1165
• chore(deps): bump aquasecurity/trivy-action from 0.31.0 to 0.32.0 by @dependabot[bot] in #1166
• fix: flatpak-permission-lockdown grants Warehouse needed bus by @spaceoden in #1158
• chore(kinoite): remove trivalent qt ui by @RoyalOughtness in #1172
• feat: Disable initramfs debug shell by @furuycom in #1169
• fix: enable timers, not services, for timer-triggered units by @HastD in #1171
• fix(kde): don't start X11-dependent services if xwayland is disabled by @HastD in #1178
• chore: bump bluebuild by @RoyalOughtness in #1180
• chore(image-info): align ID and ID_LIKE by @RoyalOughtness in #1181
• chore: update example.butane to fcos config to 1.6 by @MineGene in #1175
• chore(securecore): remove coreos oci migration motd by @RoyalOughtness in #1176
• chore(cicd): add exec bit validator by @RoyalOughtness in #1182
• chore(deps): bump blue-build/github-action from 1.8.2 to 1.8.3 by @dependabot[bot] in #1183
• feat: Update toggle-cups to enable use of USB connected printers/scanners in #1135
• fix: apply hardened_malloc to systemd manager and PAM env by @HastD in #1189
• feat: Warn user of exited (failed) service when running ujust audit-secureblue in #1184
• fix: mask akmods-keygen on zfs images by @RoyalOughtness in #1192
• chore: firstrun service cleanup and reliability improvements by @RoyalOughtness in #1193
• chore: bump bluebuild by @RoyalOughtness in #1194
• chore(deps): bump umbrelladocs/action-linkspector from 1.3.6 to 1.3.7 by @dependabot[bot] in #1196
• chore(deps): bump github/codeql-action from 3.29.2 to 3.29.3 by @dependabot[bot] in #1197
• chore: drop cap for no longer present executable by @RoyalOughtness in #1199
• fix(build): remove negativo dropped package by @RoyalOughtness in #1207
• fix: sandbox sed commands, style/clarity improvements by @HastD in #1208
• fix: deny userns creation for userdomain, not just unconfined_t by @HastD in #1204
• fix: close gaps in userns relabeling restrictions by @HastD in #1216
• feat: switch to bluebuild secret mounts by @RoyalOughtness in #1202
• chore(deps): bump github/codeql-action from 3.29.3 to 3.29.5 by @dependabot[bot] in #1214
• fix: allow initrc_t to relabel to userns-privileged types by @HastD in #1224
• feat: add integration testing framework and minimal initial integration tests by @RoyalOughtness in #1217
• chore(i18n): prepare audit script for localization by @HastD in #1223
• chore: add integration tests badge by @RoyalOughtness in #1225
• fix: ujust libvirt documentation by @ShadowSlayer1441 in #1226
• chore(deps): bump secureblue/bootc-virtual-machine-action from 0.0.1 to 0.0.3 by @dependabot[bot] in #1233
• chore: relicense selinux policy to dual Apache2/MIT by @RoyalOughtness in #1236
• test: add integration test for audit script results by @HastD in #1235
• feat: Add German translation for the audit script by @MatsG23 in #1227
• fix: include full upstream copyright declaration from ubuntu source by @RoyalOughtness in #1238
• chore: upgrade PR approvals action by @RoyalOughtness in #1239
• chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 by @dependabot[bot] in #1237
• fix(test): correct path to expected audit script results by @HastD in #1240
• fix: ensure toggle-gnome-extensions uses system gsettings by @HastD in #1241
• fix(tests): update integration test workflow, add data file by @HastD in #1242
• chore: ensure all images have rsync by @RoyalOughtness in #1249
• chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 by @dependabot[bot] in #1251
• chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 by @dependabot[bot] in #1254
• ci: split up PR build workflow using reusable workflow by @HastD in #1245
• chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #1246
• fix: add retry logic for secureblue-flatpak-setup.service by @HastD in #1257
• fix: only inform about --skip flatpak option if flatpak installed by @HastD in #1263
• ci: set concurrency to reduce actions time by @RoyalOughtness in #1258
• feat(resolved): disable LLMNR resolution by default by @alexvojproc in #1267
• chore(deps): bump github/codeql-action from 3.29.9 to 3.29.10 by @dependabot[bot] in #1270
• fix: separate justfiles that only apply to some images by @HastD in #1272
• fix: use OnStartupSec instead of OnBootSec for user timers by @HastD in #1268
• fix: wheel account link by @RoyalOughtness in #1269
• chore: isolate desktop services to desktop images by @RoyalOughtness in #1255
• fix: specify flathub-verified remote for initial flatpak installs by @HastD in #1278
• chore(deps): bump github/codeql-action from 3.29.10 to 3.29.11 by @dependabot[bot] in #1280
• fix(test): add 5 second sleep to integration test by @HastD in #1281
• feat: additional kmod blacklisting and utils by @RoyalOughtness in #1276
• fix: gstreamer negativo packages by @RoyalOughtness in #1285
• fix: decline to support fido2 multi drive setups by @ShadowSlayer1441 in #1109
• fix: undo package changes that caused an image size increase by @RoyalOughtness in #1286
• fix(test): adjust flatpak setup test to fix failures by @HastD in #1283
• ci: optimize build process by @RoyalOughtness in #1284
• fix: ci efficiencies by @RoyalOughtness in #1287
• feat: make default bash prompt display nonzero exit codes by @HastD in #1209
• feat: add webcam check to the audit by @RoyalOughtness in #1282
• chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by @dependabot[bot] in #1292
• fix(test): update expected audit results in integration test by @HastD in #1291
• fix: mark non-printable characters in bash prompt by @HastD in #1296
• fix(nvidia): switch back to ngl renderer by @alexvojproc in #1294
• fix: check bash session is interactive before modifying prompt by @HastD in #1299
• chore: bump integration test action by @RoyalOughtness in #1300
• chore(deps): bump secureblue/bootc-integration-test-action from 0.0.5 to 0.0.6 by @dependabot[bot] in #1302
• chore(deps): bump github/codeql-action from 3.29.11 to 3.30.0 by @dependabot[bot] in #1301
• fix: run user services only for non-system users by @HastD in #1305
• fix(nvidia): switch back to default renderer (close #1293) by @alexvojproc in https://github.com/secureblue/s...

v4.6 - ISOs and Torrents!

ISOs and Torrents are now available on the install page! Please seed if you can. 🙂

Important note

System initialization is now dependent on using an ISO, so ISO installation is now the only supported method of installation. Unsupported installation is still possible via rebasing.

What's Changed

• fix: Fido2 unlock script by @ShadowSlayer1441 in #1049
• fix: kinoite builds and CICD by @RoyalOughtness in #1060
• chore(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @dependabot in #1059
• feat: update run0edit to v0.4.3 w/ support for immutable flag by @HastD in #1055
• fix: file extensions are required for codacy scanning by @RoyalOughtness in #1066
• chore: clarify resolver prompts to specify IPv4 by @MineGene in #1063
• feat(audit): more flatpak checks, adjust warning severity, JSON support by @HastD in #1057
• fix: luks-enable-tpm2-autounlock by @ShadowSlayer1441 in #1067
• fix: set exec perms for luks script by @RoyalOughtness in #1073
• chore: allow mullvad-browser from mullvad repo by @pxlkng in #1075
• fix(ujust dns-selector): chmod 644 on the conf file by @HastD in #1072
• chore: remove net.ipv4.tcp_fack=0 by @TommyTran732 in #1079
• chore: remove net.ipv6.conf.*.accept_ra = 0 by @TommyTran732 in #1078
• fix(audit): only check permissions of flatpak apps, not runtimes by @HastD in #1071
• chore: manually install just by @RoyalOughtness in #1081
• chore: add automod for github issues by @RoyalOughtness in #1083
• chore: switch to simpler method for disabling wlr portals by @RoyalOughtness in #1077
• fix: run the new wlr portals script by @RoyalOughtness in #1087
• chore: use shorter status text in the audit script by @RoyalOughtness in #1085
• chore: remove stray 'the' from install-vpn ujust by @pxlkng in #1088
• feat(audit): add legend to help text, explaining status meanings by @HastD in #1090
• chore: add license declarations across files and remove deprecated images by @RoyalOughtness in #1082
• chore: bump bluebuild and fix conditional by @RoyalOughtness in #1094
• chore: require pin for tpm unlock by @RoyalOughtness in #1100
• ci: add workflow to run Ruff on Python code by @HastD in #1095
• fix: small text change in yafti by @RoyalOughtness in #1091
• feat(audit): special-case Flatseal and Warehouse permission checks by @HastD in #1101
• feat(ujust harden-flatpak): rewrite script to check app ID and existing overrides by @HastD in #1069
• feat(audit): merge kargs checks into single report by @HastD in #1103
• chore: remove unused script by @RoyalOughtness in #1104
• chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 by @dependabot in #1099
• chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.31.0 by @dependabot in #1098
• fix(ujust dns-selector): make directories with mode 755 by @HastD in #1105
• fix: add selinux policies required for process detection by @RoyalOughtness in #1106
• chore: cyclomatic complexity improvements and other codacy fixes by @RoyalOughtness in #1107
• fix: remove brew reference from securecore motd by @RoyalOughtness in #1114
• chore: remove unused openh264 repo by @RoyalOughtness in #1115
• chore(deps): bump umbrelladocs/action-linkspector from 1.3.4 to 1.3.5 by @dependabot in #1118
• chore(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @dependabot in #1117
• feat(audit): merge flatpak recommendations by permission by @HastD in #1116
• chore(isoprep): move yafti items to firstrun services by @RoyalOughtness in #1119
• chore: ensure wireguard-tools is present on all images by @RoyalOughtness in #1123
• chore: remove chfn by @RoyalOughtness in #1124
• chore: switch to run0edit rpm by @RoyalOughtness in #1126
• chore: add zizmor scanning for github actions by @RoyalOughtness in #1128
• chore(isoprep): set stable kargs in bootc's kargs.d by @RoyalOughtness in #1131
• chore: codacy fixes by @RoyalOughtness in #1129
• fix: import both zfs public keys by @RoyalOughtness in #1134
• chore(isoprep): drop yafti and preinstall flatseal by @RoyalOughtness in #1133
• fix(isoprep): set -y for preinstalled flatpaks by @RoyalOughtness in #1136
• feat: added wallpapers in black, blue and black & white variants in svg 4k by @kanzenminarai in #1137
• feat(isoprep): set default wallpapers for GNOME/KDE/Sway by @RoyalOughtness in #1138
• chore: remove additional unused repo files by @RoyalOughtness in #1139
• fix: universally preinstall flatseal on new installs, until kde flatp… by @RoyalOughtness in #1142
• fix: add shebang to install-libvirt-packages by @lescx in #1144
• chore(deps): bump blue-build/github-action from 1.8.1 to 1.8.2 by @dependabot in #1143
• chore(cicd): disable autobuild for dependabot by @RoyalOughtness in #1146
• feat: add notify-send alert if the user needs to update by @RoyalOughtness in #1141
• style: enable lots more Ruff lints, apply lint suggestions by @HastD in #1127
• feat: add ISO generation by @RoyalOughtness in #1145
• feat: apply hardened_malloc using LD_PRELOAD for user processes by @HastD in #1150
• fix: use standard malloc for KDE system settings by @HastD in #1151
• fix: don't install Flatseal on KDE by @HastD in #1147
• fix: allow plasma systemsettings to use userns for nextcloud login by @RoyalOughtness in #1152
• chore(deps): bump github/codeql-action from 3.29.0 to 3.29.1 by @dependabot in #1153
• fix: erase LD_PRELOAD in distroboxes by @HastD in #1154
• docs: have icon image in readme link to website instead of this repo by @spaceoden in #1155
• chore: bump bluebuild cli by @RoyalOughtness in #1157
• chore: also set latest cli version in PR builds by @RoyalOughtness in #1159
• chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2 by @dependabot in #1156
• chore(deps): bump umbrelladocs/action-linkspector from 1.3.5 to 1.3.6 by @dependabot in #1160
• fix: variant info in os-release by @RoyalOughtness in #1161

New Contributors

• @MineGene made their first contribution in #1063
• @kanzenminarai made their first contribution in #1137

Full Changelog: v4.5.1...v4.6

v4.5.1 - Consolidation and fixes

Note: This release includes the deprecation of low-usage wayblue-based images. For more information, see the image deprecation notice. Users must rebase to another image using ujust rebase-secureblue. If users want to continue using a tiling wayland compositor directly, secureblue's sericea images remain available.

What's Changed

• chore(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot in #1019
• fix: ujust setup-luks scripts key slot prefer and sed command by @ShadowSlayer1441 in #855
• fix: openzfs build by @RoyalOughtness in #1026
• chore: cleanup distrobox defaults by @RoyalOughtness in #1027
• chore: explicitly define workflow permissions by @RoyalOughtness in #1029
• chore(deps): bump github/codeql-action from 3.28.16 to 3.28.17 by @dependabot in #1028
• feat: rewrite audit script in Python by @HastD in #960
• fix: mac randomization file perms by @RoyalOughtness in #1031
• fix: Update toggles.just for bash_completion by @0xn1h1Lo in #1025
• fix: improve audit script logic by @HastD in #1033
• fix(audit): handle errors better; add rec for ld.so.preload check. by @HastD in #1034
• feat: Sway security improvements, image deprecations, and minor fixes by @RoyalOughtness in #1035
• chore: properly isolate DE-specific config files by @RoyalOughtness in #841
• fix: indentation in sericea modules by @RoyalOughtness in #1042
• fix: luks-enable-fido2-unlock by @ShadowSlayer1441 in #1039
• feat: automatic deprecated image notification service by @ShadowSlayer1441 in #1036
• fix(audit): Ensure DE-specific checks are only run on the right DE. by @HastD in #1044
• fix: ensure hdparm is present on all images by @RoyalOughtness in #1046
• fix: add udev rule to disable binfmt_misc sysctl when module loads by @HastD in #1048
• feat: clearer error message for with-standard-malloc by @HastD in #1005
• chore: adjust default resolved state by @RKNF404 in #1023
• fix: udev rule to disable binfmt_misc by @HastD in #1051
• fix: remove netfs from kernel module blacklist by @HastD in #1052
• feat: add upstream kernel documentation links and new sysctls and kargs by @RoyalOughtness in #1050
• chore: remove unused packages by @RoyalOughtness in #1058

New Contributors

• @0xn1h1Lo made their first contribution in #1025

Full Changelog: v4.5...v4.5.1

v4.5 - Fedora 42

Note: As part of the Fedora 42 upgrade, RPMFusion repos are no longer installed into the images due to build and package conflicts. Negativo17's multimedia repo is included instead.

Known upstream issues

systemd-remount-fs.service fails to start: https://gitlab.com/fedora/ostree/sig/-/issues/72

What's Changed

• feat: ujust install-vpn by @pxlkng in #947
• feat: f42 by @RoyalOughtness in #1012

Full Changelog: v4.4.2...v4.5

v4.4.2 - Supply chain improvements

In an effort to unify our supply chain, improve supply chain security, remove external dependencies, and eliminate kernel package drift, we have moved off of uBlue's akmods and kernel cache for kmods and resigned kernels. This means that all kmod generation and kernel signing now happens inside our repo, with our own Secure Boot key. It also means secureblue has removed the last of its dependencies on uBlue modules. Everything comes directly from Fedora and Negativo.

Important Note

Over the past week, you probably saw the following enrollment alert. If you haven't already, you need to enroll the new secureblue Secure Boot key. This is especially important for Nvidia and ZFS users:

What's Changed

• chore: bump bluebuild cli to 0.9.9 by @RoyalOughtness in #971
• chore: fix image info by @RoyalOughtness in #969
• chore: remove setroubleshootd by @RoyalOughtness in #977
• chore: use negativo intel-gmmlib by @RoyalOughtness in #976
• chore: include nvme-cli by @RoyalOughtness in #989
• chore: bump actions versions by @RoyalOughtness in #990
• feat: pull secure boot key enrollment and other changes from staging by @RoyalOughtness in #991
• fix: include libheif dep before installing it by @RoyalOughtness in #996
• feat: add necessary SELinux permissions for trivalent.sh to use bwrap by @RoyalOughtness in #998
• fix: allow trivalent to interface with flatpaks properly by @RoyalOughtness in #999
• chore(selinux): cleanup policy-module formatting by @WavyEbuilder in #1000
• feat: add libvirt packages ujust by @RoyalOughtness in #1001
• chore: grant trivalent script and trivalent internal ptrace perms by @RoyalOughtness in #1003
• fix: properly disable KDE splash screen for all users by @pxlkng in #995
• feat: remove and replace ublue akmods and switch to secureblue secure boot key by @RoyalOughtness in #1004

New Contributors

• @WavyEbuilder made their first contribution in #1000

Full Changelog: v4.4.1...v4.4.2

What's Changed

• feat: switch to Trivalent by @RoyalOughtness in #791
• chore: switch to new repo by @RoyalOughtness in #799
• docs: change hyperlink to Trivalent instead of hardened-chromium by @grapheneloverdev in #801
• chore: fully remove old repo by @RoyalOughtness in #810
• docs: cleanup and remove remaining references to hardened-chromium by @RoyalOughtness in #811
• feat: Debug toggle (coredump) by @Rubiginosa in #817
• feat: Add check for coreos/atomic in install script by @Rubiginosa in #819
• chore: Don't install cliwrap, as it's deprecated & not needed anymore by @RoyalOughtness in #821
• chore(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 by @dependabot in #826
• chore(deps): bump dataaxiom/ghcr-cleanup-action from 1.0.15 to 1.0.16 by @dependabot in #827
• chore(deps): bump umbrelladocs/action-linkspector from 1.2.4 to 1.2.5 by @dependabot in #828
• chore(deps): bump github/codeql-action from 3.27.1 to 3.28.8 by @dependabot in #829
• chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #830
• fix: undo upstream addition of gnome-software to cosmic images by @RoyalOughtness in #831
• feat: Audit only checks flatpak or uses gum if available by @Rubiginosa in #822
• feat: switch to new website by @RoyalOughtness in #835
• chore: replace old links in the motd template by @EsseLowNitro in #837
• fix: correct reference to hardening.conf in toggle-anticheat-support by @Rubiginosa in #836
• chore: add selection/state output to MAC randomization toggle by @RKNF404 in #800
• chore: fix links by @RoyalOughtness in #843
• chore: bump bluebuild cli by @RoyalOughtness in #845
• feat: switch to new trivalent repo by @RoyalOughtness in #846
• chore: reject more bus names by @RKNF404 in #839
• feat: add additional required steps to the usbguard setup ujust by @RoyalOughtness in #834
• feat: add additional checks on dispatched jobs by @RoyalOughtness in #844
• chore: secureblue-audit bug fixes by @ShadowSlayer1441 in #832
• chore: cleanup cosmic packages by @RoyalOughtness in #848
• chore: pull cached kernels from new upstream location by @RoyalOughtness in #851
• chore: add upstream signature validation by @RoyalOughtness in #859
• chore: use custom action to enforce approvers list by @RoyalOughtness in #862
• fix: exclude securecore from desktop verification step by @RoyalOughtness in #861
• fix: remove unused dep for mesa 25 by @RoyalOughtness in #870
• feat: significantly improve trivalent confinement by @RoyalOughtness in #879
• fix: luks-enable-fido2-unlock localization bug by @ShadowSlayer1441 in #854
• docs: add links to DNS address documentation by @RKNF404 in #874
• fix: add map permission to various files needed by trivalent by @RoyalOughtness in #881
• chore: more comprehensive toggle-container-domain-userns-creation and toggle-unconfined-domain-userns-creation by @Ganipotes in #872
• feat: add option to not run flatpak audits to secureblue-audit by @ShadowSlayer1441 in #833
• feat: add userns creation toggle checks to audit-secureblue (#676) by @HastD in #868
• fix: temporarily pin kernel to 6.12.15 to shield users from a kernel regression by @RoyalOughtness in #884
• fix: os-release info by @RoyalOughtness in #889
• fix: revert kernel pinning by @RoyalOughtness in #895
• fix: typos in hardening justfile by @equirosa in #886
• fix: Don't enable usbguard-notifier for securecore by @pxlkng in #894
• chore: add /bin/bash to all justfiles by @Ganipotes in #883
• fix: SELinux: prevent unconfined relabelling to userns-permissive types by @RoyalOughtness in #897
• fix:make amd_iommu=force_isolation an unstable karg by @ShadowSlayer1441 in #878
• chore: move approvals action to its own repo by @RoyalOughtness in #908
• feat: ujust label-external-drives by @pxlkng in #901
• chore: switch to patchfile for login.defs by @RoyalOughtness in #858
• fix: allow trivalent to write to the terminal by @RoyalOughtness in #911
• fix: trivalent screenshare by @RoyalOughtness in #912
• fix: trivalent relaunching itself by @RoyalOughtness in #918
• fix: grant trivalent's script RO proc permissions by @RoyalOughtness in #917
• feat: Prevent loading Homebrew env if user is root. by @HastD in #914
• chore: add approver by @RoyalOughtness in #928
• feat: Inform users that cups-browsed remains disabled when CUPS is toggled on. by @HastD in #927
• chore: various codacy recommendations by @RoyalOughtness in #920
• fix: prohibit unconfined processes from relabeling to additional types by @RoyalOughtness in #922
• fix: selinux denial for trivalent interfacing with flatpaks by @RoyalOughtness in #932
• feat: improve userns handling in ujust utility scripts by @pxlkng in #907
• fix: container userns audit & podman shutdown by @HastD in #937
• fix: disable kde splash screen for new users by setting initial config to none by @pxlkng in #939
• fix: add user confirmation check to flatpak-permissions-lockdown by @spaceoden in #930
• fix: harden-flatpak: add "or" logic to grep search for compatibility with set -e check by @spaceoden in #921
• chore: add approver by @pxlkng in #945
• fix: MOTD broken after bluebuild rebase by @greenrd in #940
• feat: Add run0edit, a sudoedit equivalent for run0. by @HastD in #919
• fix: toggle-mac-randomization: correct logic to allow "random" option by @spaceoden in #944
• chore: update wording of enrollment ujust by @RoyalOughtness in #950
• fix: allow trivalent to interface with media keys daemon by @RoyalOughtness in #949
• chore: allow erofs by @RoyalOughtness in #951
• chore: update yafti apps list for f42 by @RoyalOughtness in #953
• feat: improved toggle-bash-environment-lockdown by @ShadowSlayer1441 in #771
• fix: make shell script changes recommended by ShellCheck by @HastD in #948
• fix: make bash lockdown audit work with set -euo pipefail by @HastD in #955
• fix: logic error in audit script bluetooth handling by @HastD in #956
• fix: trivalent selinux policy for v4l devices by @RoyalOughtness in #961
• chore: improve bash toggle UX by @RoyalOughtness in #959
• fix: unbreak and optimize harden-flatpak script by @pxlkng in #962
• chore: update templates by @RoyalOughtness in #967
• chore: refactor and streamline nvidia installation, and add validations by @RoyalOughtness in https://github.com/sec...