diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 1d91233a09..b9ab1eb8c1 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -274,8 +274,8 @@ eclass/out-of-source-utils.eclass eclass/pam.eclass eclass/pax-utils.eclass eclass/perl-functions.eclass -eclass/portability.eclass eclass/plocale.eclass +eclass/portability.eclass eclass/prefix.eclass eclass/preserve-libs.eclass eclass/pypi.eclass @@ -417,11 +417,11 @@ sys-firmware/ipxe sys-firmware/seabios-bin sys-firmware/sgabios -sys-kernel/linux-headers - sys-fs/e2fsprogs sys-fs/multipath-tools +sys-kernel/linux-headers + sys-libs/binutils-libs sys-libs/libcap sys-libs/libcap-ng diff --git a/2023-06-02-sudo-1.9.13p3.md b/changelog/security/2023-06-02-sudo-1.9.13p3.md similarity index 100% rename from 2023-06-02-sudo-1.9.13p3.md rename to changelog/security/2023-06-02-sudo-1.9.13p3.md diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords deleted file mode 100644 index d674bfb879..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords +++ /dev/null 
@@ -1,41 +0,0 @@
-# arm64 keywords
-# Keep these in alphabetical order.
-
-# needed by arm64-native SDK
-=app-emulation/open-vmdk-1.0 *
-=app-crypt/rhash-1.4.2 ~arm64
-
-=dev-embedded/u-boot-tools-2021.04_rc2 ~arm64
-
-# needed by arm64-native SDK
-=dev-lang/nasm-2.15.05 ~arm64
-
-=dev-lang/yasm-1.3.0-r1 ~arm64
-
-=net-dns/c-ares-1.17.2 ~arm64
-
-=net-firewall/conntrack-tools-1.4.6-r1 ~arm64
-=net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64
-=net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64
-
-=sec-policy/selinux-base-2.20200818-r2 ~arm64
-=sec-policy/selinux-base-policy-2.20200818-r2 ~arm64
-=sec-policy/selinux-unconfined-2.20200818-r2 ~arm64
-=sec-policy/selinux-virt-2.20200818-r2 ~arm64
-=sys-apps/checkpolicy-3.1 ~arm64
-
-=sys-apps/policycoreutils-3.1-r3 ~arm64
-=sys-apps/kexec-tools-2.0.24 ~arm64
-
-=sys-apps/semodule-utils-3.1 ~arm64
-
-# needed to force enable ipvsadm for arm64
-=sys-cluster/ipvsadm-1.27-r1 **
-
-=sys-firmware/edk2-aarch64-18.02 **
-=sys-libs/libselinux-3.1-r2 ~arm64
-=sys-libs/libsemanage-3.1-r1 ~arm64
-=sys-libs/libsepol-3.1 ~arm64
-
-# Overwrite portage-stable mask - enable ding-libs for ARM64
-=dev-libs/ding-libs-0.6.1-r1 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 4d86200e84..ec10ee586c 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -1,48 +1,87 @@ # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. # Copyright (c) 2013 The CoreOS Authors. All rights reserved. # Distributed under the terms of the GNU General Public License v2 +# +# Keywords for all packages used by Flatcar. + +# Seems to be the only available ebuild in portage-stable right now. +=app-crypt/adcli-0.9.2 ~amd64 ~arm64 + +# Needed by arm64-native SDK. +=app-crypt/efitools-1.9.2 ~arm64 +=app-crypt/rhash-1.4.2 ~arm64 +=app-emulation/open-vmdk-1.0 * # Required for addressing CVE-2022-3715. =app-shells/bash-5.2_p15-r2 ~amd64 ~arm64 +# No keyword for arm64 yet. =coreos-devel/fero-client-0.1.1 ** -# Accept unstable host Rust compilers +# Needed by arm64-native SDK. +=dev-embedded/u-boot-tools-2021.04_rc2 ~arm64 +=dev-lang/nasm-2.15.05 ~arm64 + +# Accept unstable host Rust compilers. =dev-lang/rust-1.69.0 ~amd64 ~arm64 -=virtual/rust-1.69.0 ~amd64 ~arm64 + +# Needed by arm64-native SDK. +=dev-lang/yasm-1.3.0-r1 ~arm64 # Keep versions on both arches in sync. -=dev-libs/libbsd-0.11.7-r2 ~arm64 +=dev-libs/ding-libs-0.6.1-r1 ~arm64 =dev-libs/libgcrypt-1.10.1-r3 ~arm64 - -# To keep the same version on both arches =dev-util/bpftool-6.2.1 ~arm64 +=net-firewall/conntrack-tools-1.4.6-r1 ~arm64 # Required for addressing CVE-2023-0361. =net-libs/gnutls-3.8.0 ~amd64 ~arm64 -# Required for addressing CVE-2023-28319, CVE-2023-28320, CVE-2023-28321 and CVE-2023-28322 +# Keep versions on both arches in sync. +=net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64 +=net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64 + +# Required for addressing CVE-2023-28319, CVE-2023-28320, CVE-2023-28321 and CVE-2023-28322. =net-misc/curl-8.1.0 ~amd64 ~arm64 -=sys-fs/cryptsetup-2.4.1-r1 ~amd64 ~arm64 +# Keep versions on both arches in sync. 
+=sec-policy/selinux-base-2.20200818-r2 ~arm64 +=sec-policy/selinux-base-policy-2.20200818-r2 ~arm64 +=sec-policy/selinux-unconfined-2.20200818-r2 ~arm64 +=sec-policy/selinux-virt-2.20200818-r2 ~arm64 +=sys-apps/checkpolicy-3.1 ~arm64 -# To keep the same version on both arches -=sys-fs/multipath-tools-0.9.4-r1 ~amd64 +# Keep versions on both arches in sync. +=sys-apps/kexec-tools-2.0.24 ~arm64 +=sys-apps/policycoreutils-3.1-r3 ~arm64 +=sys-apps/semodule-utils-3.1 ~arm64 -# FIPS support is still being tested +# Needed to force enable ipvsadm for arm64. +=sys-cluster/ipvsadm-1.27-r1 ** + +# Keep versions on both arches in sync. +=sys-firmware/edk2-aarch64-18.02 ** + +# FIPS support is still being tested. =sys-fs/cryptsetup-2.4.3-r1 ~amd64 ~arm64 -# Needed to address CVE-2023-2602 and CVE-2023-2603 +# Keep versions on both arches in sync. +=sys-fs/multipath-tools-0.9.4-r1 ~amd64 + +# Needed to address CVE-2023-2602 and CVE-2023-2603. =sys-libs/libcap-2.69 ~amd64 ~arm64 -=sys-power/acpid-2.0.33 ~amd64 ~arm64 +# Keep versions on both arches in sync. +=sys-libs/libselinux-3.1-r2 ~arm64 +=sys-libs/libsemanage-3.1-r1 ~arm64 +=sys-libs/libsepol-3.1 ~arm64 # A dependency of app-shells/bash version that we need for security # fixes. =sys-libs/readline-8.2_p1 ~amd64 ~arm64 -# Overwrite portage-stable mask - use latest liburing -r2 for ARM64 and AMD64 -=sys-libs/liburing-2.1-r2 ~amd64 ~arm64 +# ? +=sys-power/acpid-2.0.33 ~amd64 ~arm64 -=app-crypt/adcli-0.9.2 ~amd64 ~arm64 -=sys-apps/nvme-cli-2.4-r2 ~amd64 ~arm64 +# Accept unstable host Rust compilers. +=virtual/rust-1.69.0 ~amd64 ~arm64 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index d1c5bff76f..04124822ce 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask 
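Review bot: The entries moved into base/package.accept_keywords from the deleted arm64 profile keep their `*` and `**` keywords, so `=app-emulation/open-vmdk-1.0 *`, `=sys-cluster/ipvsadm-1.27-r1 **` and `=sys-firmware/edk2-aarch64-18.02 **` now apply on every arch that inherits the base profile, not just arm64. `**` makes the ebuild visible regardless of its keywords, so the wider scope should be either intended and stated, or kept in an arch-specific profile file. The comment above edk2-aarch64, `# Keep versions on both arches in sync.`, does not explain a `**` entry for an aarch64 firmware package. The `# ?` placeholder above `=sys-power/acpid-2.0.33` should be replaced with the actual reason the keyword is needed, or the entry dropped. `=net-dns/c-ares-1.17.2 ~arm64` from the old arm64 file is not carried over here; worth confirming that is deliberate.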
@@ -14,10 +14,9 @@ # Overwrite portage-stable mask. We are delaying the transition to # libxcrypt, because we need to figure out how to solve the dep loop # that results from the migration (python -> virtual/libcrypt -> -# libxcrypt -> glibc -> python), and also we need to update gcc to -# version 10 or later. +# libxcrypt -> glibc -> python). >=virtual/libcrypt-2 # Python 3.11 is stable in portage-stable, so avoid picking it -# up. Drop this when we switch to it. +# up. Update this to mask later versions when we switch to 3.11. >=dev-lang/python-3.11 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask index 0463755f1b..8f872bb0e0 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask @@ -1,10 +1,5 @@ # Overwrite portage-stable mask. We are delaying the transition to # libxcrypt, because we need to figure out how to solve the dep loop # that results from the migration (python -> virtual/libcrypt -> -# libxcrypt -> glibc -> python), and also we need to update gcc to -# version 10 or later. +# libxcrypt -> glibc -> python). =virtual/libcrypt-1-r1 - -# Overwrite portage-stable mask. OpenSSL-3* is building fine on Flatcar -# and Flatcar's dependencies are building fine against it. -=dev-libs/openssl-3.0* diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords deleted file mode 100644 index 40aeb5865c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords +++ /dev/null @@ -1 +0,0 @@ -=app-crypt/efitools-1.9.2 ~arm64
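Review bot: In base/package.unmask, dropping `=dev-libs/openssl-3.0*` is only safe if the portage-stable mask it overrode is already gone, and nothing in this diff shows that. If the mask is still present, dependency resolution would presumably fall back to an older OpenSSL without any build failure. It is worth confirming the resolved dev-libs/openssl version after this change and stating the reason for the removal in the commit message.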