New version: alpha-4669.0.0

Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>

CODE_OF_CONDUCT.md

@@ -1,9 +0,0 @@
-# Code of Conduct
-
-The Flatcar project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
-
-For details on how we uphold community standards across all Flatcar repositories, please see the [main Flatcar Code of Conduct](https://github.com/flatcar/Flatcar/blob/main/CODE_OF_CONDUCT.md).
-
-## Reporting
-
-If you experience or witness unacceptable behavior, please report it following the process outlined in the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

CONTRIBUTING.md

@@ -4,8 +4,6 @@ Whether you're fixing a bug, adding a feature, or improving docs — we apprecia
 
 For more detailed guidelines (finding issues, community meetings, PR lifecycle, commit message format, and more), check out the [main Flatcar CONTRIBUTING guide](https://github.com/flatcar/Flatcar/blob/main/CONTRIBUTING.md).
 
-If you want to file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
-
 ---
 
 ## Repository Specific Guidelines

GOVERNANCE.md

@@ -1,11 +0,0 @@
-# Governance
-
-For details on the Flatcar project governance model, decision-making process, and roles, please see the [main Flatcar Governance document](https://github.com/flatcar/Flatcar/blob/main/governance.md).
-
----
-
-## Repository-Specific Governance
-
-Any governance details specific to this repository will be listed here.
-
-<!-- Add repo-specific governance notes below this line -->

MAINTAINERS.md

@@ -1,11 +1,9 @@
 # Maintainers
 
-For the current list of maintainers and their responsibilities, please see the [main Flatcar MAINTAINERS file](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
+* Kai Lüke @pothos
+* Gabriel Samfira @gabriel-samfira
+* Thilo Fromm @t-lo
 
----
+See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
 
-## Repository-Specific Maintainers
+The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
-
-Any maintainers specific to this repository will be listed here.
-
-<!-- Add repo-specific maintainers below this line -->

README.md

@@ -1,20 +1,16 @@
+# Flatcar Container Linux SDK scripts
+
 <div style="text-align: center">
 
 [![Flatcar OS](https://img.shields.io/badge/Flatcar-Website-blue?logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAyNi4wLjMsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4wIiBpZD0ia2F0bWFuXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4Ig0KCSB2aWV3Qm94PSIwIDAgODAwIDYwMCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgODAwIDYwMDsiIHhtbDpzcGFjZT0icHJlc2VydmUiPg0KPHN0eWxlIHR5cGU9InRleHQvY3NzIj4NCgkuc3Qwe2ZpbGw6IzA5QkFDODt9DQo8L3N0eWxlPg0KPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ0MCwxODIuOGgtMTUuOXYxNS45SDQ0MFYxODIuOHoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik00MDAuNSwzMTcuOWgtMzEuOXYxNS45aDMxLjlWMzE3Ljl6Ii8+DQo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNNTQzLjgsMzE3LjlINTEydjE1LjloMzEuOVYzMTcuOXoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik02NTUuMiw0MjAuOXYtOTUuNGgtMTUuOXY5NS40aC0xNS45VjI2MmgtMzEuOVYxMzQuOEgyMDkuNFYyNjJoLTMxLjl2MTU5aC0xNS45di05NS40aC0xNnY5NS40aC0xNS45djMxLjINCgloMzEuOXYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44SDI3M3YtMTUuOGgyNTQuOHYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44aDQ3Ljh2LTE1LjhoMzEuOXYtMzEuMkg2NTUuMnogTTQ4Ny44LDE1MWg3OS42djMxLjgNCgloLTIzLjZ2NjMuNkg1MTJ2LTYzLjZoLTI0LjJMNDg3LjgsMTUxTDQ4Ny44LDE1MXogTTIzMywyMTQuNlYxNTFoNjMuN3YyMy41aC0zMS45djE1LjhoMzEuOXYyNC4yaC0zMS45djMxLjhIMjMzVjIxNC42eiBNMzA1LDMxNy45DQoJdjE1LjhoLTQ3Ljh2MzEuOEgzMDV2NDcuN2gtOTUuNVYyODYuMUgzMDVMMzA1LDMxNy45eiBNMzEyLjYsMjQ2LjRWMTUxaDMxLjl2NjMuNmgzMS45djMxLjhMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjR6DQoJIE00NDguMywzMTcuOXY5NS40aC00Ny44di00Ny43aC0zMS45djQ3LjdoLTQ3LjhWMzAyaDE1Ljl2LTE1LjhoOTUuNVYzMDJoMTUuOUw0NDguMywzMTcuOXogTTQ0MCwyNDYuNHYtMzEuOGgtMTUuOXYzMS44aC0zMS45DQoJdi03OS41aDE1Ljl2LTE1LjhoNDcuOHYxNS44aDE1Ljl2NzkuNUg0NDB6IE01OTEuNiwzMTcuOXY0Ny43aC0xNS45djE1LjhoMTUuOXYzMS44aC00Ny44di0zMS43SDUyOHYtMTUuOGgtMTUuOXY0Ny43aC00Ny44VjI4Ni4xDQoJaDEyNy4zVjMxNy45eiIvPg0KPC9zdmc+DQo=)](https://www.flatcar.org/)
-[![Discord](https://img.shields.io/badge/Discord-Chat%20with%20us!-5865F2?logo=discord)](https://discord.gg/PMYjFUsJyq)
 [![Matrix](https://img.shields.io/badge/Matrix-Chat%20with%20us!-green?logo=matrix)](https://app.element.io/#/room/#flatcar:matrix.org)
 [![Slack](https://img.shields.io/badge/Slack-Chat%20with%20us!-4A154B?logo=slack)](https://kubernetes.slack.com/archives/C03GQ8B5XNJ)
 [![Twitter Follow](https://img.shields.io/twitter/follow/flatcar?style=social)](https://x.com/flatcar)
 [![Mastodon Follow](https://img.shields.io/badge/Mastodon-Follow-6364FF?logo=mastodon)](https://hachyderm.io/@flatcar)
 [![Bluesky](https://img.shields.io/badge/Bluesky-Follow-0285FF?logo=bluesky)](https://bsky.app/profile/flatcar.org)
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10926/badge)](https://www.bestpractices.dev/projects/10926)
 
-
-> **Note:** To file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
 </div>
 
-# Flatcar Container Linux SDK scripts
-
 Welcome to the scripts repo, your starting place for most things here in the Flatcar Container Linux SDK. To get started you can find our documentation on [the Flatcar docs website][flatcar-docs].
 
 The SDK can be used to
@@ -155,13 +151,3 @@ The script `./bootstrap_sdk_container` bootstraps a new SDK tarball using an exi
 # Automation stubs for continuous integration
 
 Script stubs for various build stages can be found in the [ci-automation](ci-automation) folder. These are helpful for gluing Flatcar Container Linux builds to a continuous integration system.
-
----
-
-## Community & Project Documentation
-
-- [Contributing Guidelines](CONTRIBUTING.md) — How to contribute, find issues, and submit pull requests
-- [Code of Conduct](CODE_OF_CONDUCT.md) — Standards for respectful and inclusive community participation
-- [Security Policy](SECURITY.md) — How to report vulnerabilities and security-related information
-- [Maintainers](MAINTAINERS.md) — Current project maintainers and their responsibilities
-- [Governance](GOVERNANCE.md) — Project governance model, decision-making process, and roles

SECURITY.md

@@ -1,15 +0,0 @@
-# Security Policy
-
-The Flatcar project takes security seriously. We appreciate your efforts to responsibly disclose your findings.
-
-For our full security policy, supported versions, and how to report a vulnerability, please see the [main Flatcar Security Policy](https://github.com/flatcar/Flatcar/blob/main/SECURITY.md).
-
-**Please do not open public issues for security vulnerabilities.**
-
----
-
-## Repository-Specific Security Notes
-
-Any security considerations specific to this repository will be listed here.
-
-<!-- Add repo-specific security notes below this line -->

build_image

@@ -49,8 +49,6 @@ DEFINE_string developer_data "" \
   "Insert a custom cloudinit file into the image."
 DEFINE_string devcontainer_binhost "${DEFAULT_DEVCONTAINER_BINHOST}" \
   "Override portage binhost configuration used in development container."
-DEFINE_string oem_sysexts "everything!" \
-  "A comma-separated list of OEMs to build, by default build all the OEM sysexts. Used only if building OEM sysexts"
 
 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
@@ -195,7 +193,7 @@ if [[ "${SYSEXT}" -eq 1 ]]; then
   create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
 fi
 if [[ "${OEM_SYSEXT}" -eq 1 ]]; then
-  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_oem_sysexts}"
+  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
 fi
 
 if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then

build_library/build_image_util.sh

@@ -152,12 +152,7 @@ emerge_to_image() {
   sudo -E ROOT="${root_fs_dir}" \
       FEATURES="-ebuild-locks -merge-wait" \
       PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
-      emerge \
+      emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
-      --usepkgonly \
-      --binpkg-respect-use=y \
-      --jobs="${NUM_JOBS}" \
-      --verbose \
-      "$@"
 
   # Shortcut if this was just baselayout
   [[ "$*" == *sys-apps/baselayout ]] && return

build_library/generate_au_zip.py

@@ -88,8 +88,8 @@ def _SplitAndStrip(data):
     if 'not found' in line:
       raise _LibNotFound(line)
     line = re.sub('.*not a dynamic executable.*', '', line)
-    line = re.sub(r'.* =>\s+', '', line)
+    line = re.sub('.* =>\s+', '', line)
-    line = re.sub(r'\(0x.*\)\s?', '', line)
+    line = re.sub('\(0x.*\)\s?', '', line)
     line = line.strip()
     if not len(line):
       continue

build_library/generate_grub_hashes.py

@@ -40,13 +40,13 @@ with open(os.path.join(outputdir, "grub_modules.config"), "w") as f:
     f.write(json.dumps({"9": {"binaryvalues": [{"prefix": "grub_module", "values": hashvalues}]}}))
 
 with open(os.path.join(outputdir, "kernel_cmdline.config"), "w") as f:
-    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": r"rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
+    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": "rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
 
-commands = [{"value": r'\[.*\]', "description": "Flatcar Grub configuration %s" % version},
+commands = [{"value": '\[.*\]', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'gptprio.next -d usr -u usr_uuid', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'insmod all_video', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set randomize_disk_guid --disk-uuid 00000000-0000-0000-0000-000000000001', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'search --no-floppy --set oem --part-label OEM --hint hd0,gpt1', "description": "Flatcar Grub configuration %s" % version},
             {"value": 'set .+', "description": "Flatcar Grub configuration %s" % version},

build_library/grub.cfg

@@ -79,7 +79,7 @@ if [ -z "$linux_console" ]; then
         terminal_output console serial_com0
     elif [ "$grub_platform" = efi ]; then
         if [ "$grub_cpu" = arm64 ]; then
-            set linux_console="console=ttyAMA0,115200n8 console=tty0"
+            set linux_console="console=ttyAMA0,115200n8"
         else
             set linux_console="console=ttyS0,115200n8 console=tty0"
        fi

build_library/grub_install.sh

@@ -37,9 +37,6 @@ switch_to_strict_mode
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
-SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
-SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
-
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
@@ -205,8 +202,8 @@ case "${FLAGS_target}" in
 
             # Unofficial build: Sign shim with our development key.
             sudo sbsign \
-                --key "${SBSIGN_DB_KEY}" \
+                --key /usr/share/sb_keys/DB.key \
-                --cert "${SBSIGN_DB_CERT}" \
+                --cert /usr/share/sb_keys/DB.crt \
                 --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
         else

build_library/prod_image_util.sh

@@ -276,26 +276,13 @@ create_prod_sysexts() {
 }
 
 create_oem_sysexts() {
-  local image_name=${1}; shift
+  local image_name="$1"
-  local requested_oem_sysexts_csv=${1}; shift
   local image_sysext_base="${image_name%.bin}_sysext.squashfs"
   local overlay_path
   overlay_path=$(portageq get_repo_path / coreos-overlay)
 
   local -a oem_sysexts
   get_oem_sysext_matrix "${ARCH}" oem_sysexts
-  if [[ ${requested_oem_sysexts_csv} != 'everything!' ]]; then
-      local -a all_oems requested_oems invalid_oems
-      all_oems=( "${oem_sysexts[@]}" )
-      all_oems=( "${all_oems[@]%%|*}" )
-      all_oems=( "${all_oems[@]#oem-}" )
-      mapfile -t requested_oems <<<"${requested_oem_sysexts_csv//,/$'\n'}"
-      mapfile -t invalid_oems < <(comm -23 <(printf '%s\n' "${requested_oems[@]}" | sort -u) <(printf '%s\n' "${all_oems[@]}" | sort -u))
-      if [[ ${#invalid_oems[@]} -gt 0 ]]; then
-          die "Requested OEMs to build sysexts for are invalid: ${invalid_oems[*]}, valid OEMs are ${all_oems[*]}"
-      fi
-      mapfile -t oem_sysexts < <(printf '%s\n' "${oem_sysexts[@]}" | grep '^oem-\('"${requested_oem_sysexts_csv//,/'\|'}"'\)|')
-  fi
 
   local sysext name metapkg useflags
   for sysext in "${oem_sysexts[@]}"; do

build_library/sbsign_util.sh

@@ -3,8 +3,8 @@
 # found in the LICENSE file.
 
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
+    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
-    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
+    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
 else
     SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
     unset SBSIGN_CERT

build_library/vm_image_util.sh

@@ -806,12 +806,12 @@ _write_qemu_common() {
     cat >"${VM_README}" <<EOF
 If you have qemu installed (or in the SDK), you can start the image with:
   cd path/to/image
-  ./$(basename "${script}") -display curses
+  ./$(basename "${script}") -curses
 
 If you need to use a different ssh key or different ssh port:
-  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -display curses
+  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -curses
 
-If you rather you can use the -nographic option instad of '-display curses'. In this
+If you rather you can use the -nographic option instad of -curses. In this
 mode you can switch from the vm to the qemu monitor console with: Ctrl-a c
 See the qemu man page for more details on the monitor console.
 
@@ -890,17 +890,11 @@ _write_qemu_uefi_secure_conf() {
     esac
 
     # TODO: Remove the temporary flatcar shim signing cert
-    local _sb_db_cert="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
-    local _sb_extra_db_certs=()
-    if [[ -z ${SBSIGN_DB_CERT:-} ]]; then
-        # Default behavior: include the temporary dev shim cert alongside DB.crt
-        _sb_extra_db_certs=( --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert" )
-    fi
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" "${_sb_db_cert}" \
+        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
-        "${_sb_extra_db_certs[@]}"
+        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
@@ -917,7 +911,7 @@ _write_pxe_conf() {
     cat >>"${VM_README}" <<EOF
 
 You can pass extra kernel parameters with -append, for example:
-  ./$(basename "${script}") -display curses -append 'sshkey="PUT AN SSH KEY HERE"'
+  ./$(basename "${script}") -curses -append 'sshkey="PUT AN SSH KEY HERE"'
 
 When using -nographic or -serial you must also enable the serial console:
   ./$(basename "${script}") -nographic -append 'console=ttyS0,115200n8'

build_sdk_container_image

@@ -125,6 +125,10 @@ fi
 
 # --
 
+docker_build() {
+    PROGRESS_NO_TRUNC=1 $docker build --progress plain "${@}"
+}
+
 # build plain SDK container w/o board support
 #
 import_image="flatcar-sdk-import:${docker_vernum}"

changelog/changes/2026-03-25-erofs-tools.md

@@ -1 +0,0 @@
-- Add EROFS tools for containerd ([Flatcar#2047](https://github.com/flatcar/Flatcar/issues/2047))

changelog/changes/2026-04-15-ignition-oem.md

@@ -1 +0,0 @@
-- Reworked how the OEM partition is mounted at boot time so that Ignition no longer has to handle this by itself, thereby requiring less patching. This should not affect any existing usage, but it is a significant underlying change, so it needs to be called out. Please report any unexpected issues. ([flatcar/script#3934](https://github.com/flatcar/scripts/pull/3934))

changelog/changes/2026-04-28-enable-vnc-console-logs-on-arm.md

@@ -1 +0,0 @@
-- Enable VNC console serial logs on ARM64 QEMU/KVM instances ([flatcar/scripts#2359](https://github.com/flatcar/scripts/pull/2359))

changelog/updates/2026-04-16-linux-firmware-20260410-update.md

@@ -1 +0,0 @@
-- Linux Firmware ([20260410](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20260410))

changelog/updates/2026-04-27-ca-certificates-3.123.1-update.md

@@ -1 +0,0 @@
-- ca-certificates ([3.123.1](https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_123_1.html))

changelog/updates/2026-04-28-linux-6.12.84-update.md

@@ -1 +0,0 @@
-- Linux ([6.12.84](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.84) (includes [6.12.83](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.83), [6.12.82](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.82)))

changelog/updates/2026-05-01-linux-6.12.85-update.md

@@ -1 +0,0 @@
-- Linux ([6.12.85](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.85))

ci-automation/ci_automation_common.sh

@@ -232,15 +232,10 @@ function docker_image_from_buildcache() {
     local url="https://${BUILDCACHE_SERVER}/containers/${version}/${tgz}"
     local url_release="https://mirror.release.flatcar-linux.net/containers/${version}/${tgz}"
 
-    local curl_progress=(--silent --show-error)
+    curl --fail --silent --show-error --location --retry-delay 1 --retry 60 \
-    if [[ -t 2 ]]; then
-        curl_progress=(--progress-bar)
-    fi
-
-    curl --fail "${curl_progress[@]}" --location --retry-delay 1 --retry 60 \
         --retry-connrefused --retry-max-time 60 --connect-timeout 20 \
         --remote-name "${url}" \
-        || curl --fail "${curl_progress[@]}" --location --retry-delay 1 --retry 60 \
+        || curl --fail --silent --show-error --location --retry-delay 1 --retry 60 \
         --retry-connrefused --retry-max-time 60 --connect-timeout 20 \
         --remote-name "${url_release}"
 
@@ -259,7 +254,7 @@ function docker_image_from_registry_or_buildcache() {
         return
     fi
 
-    echo "Container image not found in registry, downloading SDK tarball instead (this is normal for nightly builds)..." >&2
+    echo "Falling back to tar ball download..." >&2
     docker_image_from_buildcache "${image}" "${version}" zst || \
         docker_image_from_buildcache "${image}" "${version}" gz
 }

image_to_vm.sh

@@ -48,10 +48,6 @@ DEFINE_string getbinpkgver "" \
 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
 
-# Override the default value to false so that
-# ./flatcar_production_qemu_uefi.sh can launch the qemu VM later.
-FLAGS_only_store_compressed=${FLAGS_FALSE}
-
 # Parse command line
 FLAGS "$@" || exit 1
 eval set -- "${FLAGS_ARGV}"

sdk_container/.repo/manifests/mantle-container

@@ -1 +1 @@
-ghcr.io/flatcar/mantle:git-859a6b1262f61e0aabc74c4c091d4fe49cb57af1
+ghcr.io/flatcar/mantle:git-ca80a2eaee4cc195ae6e17f9202c1d72e729d460

sdk_container/.repo/manifests/version.txt

@@ -1,4 +1,4 @@
-FLATCAR_VERSION=4690.0.0+nightly-20260504-2100
+FLATCAR_VERSION=4669.0.0
-FLATCAR_VERSION_ID=4690.0.0
+FLATCAR_VERSION_ID=4669.0.0
-FLATCAR_BUILD_ID="nightly-20260504-2100"
+FLATCAR_BUILD_ID=""
-FLATCAR_SDK_VERSION=4690.0.0+nightly-20260504-2100
+FLATCAR_SDK_VERSION=4669.0.0

sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest

@@ -1 +1 @@
-DIST nss-3.123.1.tar.gz 77762541 BLAKE2B 68cd408dce23a039ee91ffcfa156817310b56227ab9d9ce130a7909fe0b306777d82b1fe8aac64451b8266feb87d3c0f9d7a8bed757c5c451e077c96a6263f92 SHA512 988927a07d1ac4533e7e89d01a08504e6ff70a7b111c1267e54a9cfe0a3a5674bb8b25e14ad6dca0d8765da3ca591a9be4f977ca172be3cf7af95a52f2e19214
+DIST nss-3.122.tar.gz 77654239 BLAKE2B a34de23e316cff66f989074c91b6a33788db7fc21bbeadafeb76001aa198dbaf024d33845bbee2c319f5dc65850f0cd6a83cdd50419d2dead6b5ffc25484c03d SHA512 53847c2de0e4608b387d5688ecf005a2a78da67408bda31f522539306816e25580d6046656cd5bb7fb9642feb625a904a17d3102573be96a9fd8b46e14037ff7

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/Manifest

@@ -1 +1 @@
-DIST coreos-init-9c940ec78b8eb513397ece28bd6cb0d2af6cc342.tar.gz 60774 BLAKE2B b141646a9ff796825cd0726413c3deacc3d60ac1e9dedbfa72e2f563c4b10ef5f7db5dcafefae75f83a21dd83d811c73611598c27faf70e7d486ffff9d62377e SHA512 4532a1069313cacf2f2d92a71859f6550e87e6cfe1966326b2bfa0279770f2e58d9956ccebc1ddebca2336a8d0e0bc778e73fa0d79c63374a23de5c2b8638c9b
+DIST coreos-init-1660f54f79dbba285a64c52d3338f5566e1d770d.tar.gz 59695 BLAKE2B 02c67fa98ee0b97123cb322fb6eabacf7ae7a282914408a8246371552ed222cc3eb56f27d5c42230158a4f7907db9cdfd4b7f51e96995aac2a0f903ff34d034d SHA512 d1282837b52f550855e6c0990796e270c32d7b0882b062f401aff9c9eea7a7c8fba4f2a051f9c42be9316022fa8ee214dc28a8078b306577629d01d96e32d5e8

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -14,7 +14,7 @@ if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://github.com/flatcar/init.git"
 	inherit git-r3
 else
-	EGIT_VERSION="9c940ec78b8eb513397ece28bd6cb0d2af6cc342" # flatcar-master
+	EGIT_VERSION="1660f54f79dbba285a64c52d3338f5566e1d770d" # flatcar-master
 	SRC_URI="https://github.com/flatcar/init/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 	S="${WORKDIR}/init-${EGIT_VERSION}"
 	KEYWORDS="amd64 arm arm64 x86"

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -192,7 +192,6 @@ RDEPEND="${RDEPEND}
 	sys-fs/cryptsetup
 	sys-fs/dosfstools
 	sys-fs/e2fsprogs
-	sys-fs/erofs-utils
 	sys-fs/lsscsi
 	sys-fs/lvm2
 	sys-fs/mdadm

sdk_container/src/third_party/coreos-overlay/coreos-base/ue-rs/Manifest

@@ -14,7 +14,7 @@ DIST bitflags-2.9.0.crate 47654 BLAKE2B df924872ccb929f3e428976764d50e5468112cb8
 DIST block-buffer-0.10.4.crate 10538 BLAKE2B d819c4f9c4be85868e8b105fb7e479d2e58d3ed85c3339bd677a3e111f85cb1ff624a54d7802ab79a6e1d9221115f66388568340480fe83eae1cb448f19f5b11 SHA512 b7d436d8e627e16e6ddc300ee8f706a6cef28ff6f09eff848eedee46f84bdcd03601303c92ab8996042e55922866a59259948177c0a4496eed723523e77f6fdb
 DIST bstr-1.12.0.crate 351557 BLAKE2B b57f018ad6c0767b23ff65f30fb7bde6199956e50200b7574c04df851aa7c5510874c98caed575c2d6b1984286d39df96a2f29773081915a4bc94257146b831c SHA512 a2b6bb347c4bda37bbc0908a4b1191261fe69de3f767e196b43410a757cd5ade65c9349be76f0d585b4250a9b811c7834fdfe34274a54e989985f353f5ba345a
 DIST bumpalo-3.17.0.crate 91975 BLAKE2B b0aca1d64373425384eddcdf8d60dc977058a3d1570451de944ce48aacdb984e73a29ab64fb5b23413582d57a8e32ad8155f6a1479eb00f804afe9d8a9d9e163 SHA512 b2acfb463aa705b9c6a9555858b84f565234110988c880cdb761ab8dc87892ee5d22e65fa935d2cfef9d58869fec0ab64d810b26bf122fdd89b454b6ce65ea1f
-DIST bytes-1.11.1.crate 78584 BLAKE2B 4985426ff626d880a0da3d592ba48d697c88a83f48177e2b7380cb55e736a43f3cdf662d99cf0908b599aa8eccfebff2910405559e490b71adcf3f078673cd72 SHA512 7933d18c1a2c1496add2c7193e92c3aa17029c530b7031604ccb7c77c68903f53cf7d41396448b32bdd4f540fef4b37564972dac7b225e6e2ca99cd61179a6ab
+DIST bytes-1.10.1.crate 76779 BLAKE2B 96573ff7852cd2d4f37a68cb4d76bc43d2018dc25b7b7e2164df022de4e1974f22d4d3ea7cbfb280667650cdb5063d600f4f76cbdca43dae508f29ced449b0f7 SHA512 03429f01927b94ba6c958c46b2e5bf92a23b39ce9385689e21accd34a5d3be01fd0f665f4bbffb1f7c5bdf1edfb1bf11d5ccad00eff0f9388be39fe2f753d296
 DIST bzip2-0.4.4.crate 34197 BLAKE2B b69f8ad38b44eb4912b33d53467492b0ebe6ed740451bdfe9133e71c47a8dbd85b1110a9607c4cc627fbabc44cd86fe0396bb545864632ffb6169f9cfa547b6c SHA512 9cd2b9159bd0b42ac908ecad41f0a737272af94ae0d6dcfe182d2f44bcea4632d32b0456f02322047ea9d6f46377db6cd083f468782bccd6126bcc75cb852555
 DIST bzip2-sys-0.1.13+1.0.8.crate 633818 BLAKE2B f33f1bf6f01fd30e9ac551caa0092a6346fdaf076ee52967ad7e7c68f3e5d9261413da5185aaafbb11add343a0cc0116dcd1392fe5575a9be779323b729acd48 SHA512 89631b05c21bd06a1fc5911c637d3308c3be2d7d6e0152dd62f1851d286cfbc30ad534800b718d5e273e88409b33f5aca478adccad2c7b05400b3e698eb796e7
 DIST cc-1.2.19.crate 105910 BLAKE2B 1c3d757f8155e2987ca8fa7709428905d3c66afe5d3379c3a3741c26b6abe288170bf414a9aaacd30eefa75f06dfde4e3f75cbe5cd384c558f2487ef29f1d012 SHA512 d56ebd19090e63bcdf65a738fbe34c03cdd294803ed46d66a6428ff60f2ac14a4eaf3e34870ca0ddb38e489878cb632b5912012e5ffb4e84fd813bb7585f2e2a
@@ -33,7 +33,7 @@ DIST env_logger-0.10.2.crate 36402 BLAKE2B 34ef02d0f53fea474e7284fd7021ed3b44b11
 DIST equivalent-1.0.2.crate 7419 BLAKE2B 7ce4fb7b911961cd4ccfb48323eea4952110a069789c6bd177a63391c270df861afadd00c07db7b22768f0864f320e429e0200c433284f528336e2f81d071eff SHA512 8e0e2dc070794a85b276e93f9e4a65d3bbb8587b33fda211c34479a0b88504c913d8bef9e84d7996254aeabe1efe4ff1ef6259ff4fe3f9ccb90dd90070b3e4d4
 DIST errno-0.3.11.crate 12048 BLAKE2B 6d370edb0712b4b527645460eb663f6434784abe8749356674dddfe7a655fa888a9894d870c44d514186d1ce226d0d4f44955b926a10b14cd3b54d07c40cce50 SHA512 95f64e6e71c9100c36e52f2aa720d244c1a4d1182b18708773bfb4fc69ad55ed78e4918b69a96eb7ce9a2bf6d39fcc23236bb38473d3046f4ab332c260005299
 DIST fastrand-2.3.0.crate 15076 BLAKE2B 15c9a1c4f64d94c4bfd38ae139c6fe19b6b621a495c1b57209edd6d76d978eaf018ba77f356b5086c3f462a6de044fb5e3b172fc288309569911a17ec39951bc SHA512 267fecbb7459c8840f03425733d278dd6c4e7637b85b99552877117ed5e8015e094d86aa95841f77064136b7f382276c3cb2c2bef7b2881d272f4aa57c5cf947
-DIST flatcar-ue-rs-f1e0301c36a2f5259f5d7ea2f2a60769f922b2f5.tar.gz 84543 BLAKE2B b9e179cfa0243eec98ac97d7aa130398827dde71af6ee532859f516a2db802008233c68eb668bbf0bc17475c9085d97d7aadb5968177081d110ebc069d23a8d2 SHA512 5f9a3e4b153ad8d913ec7753ff8750fcddddc0ef40d9e64bee588ab3ae5234bed7169aaa9cf20caa8f8d9bc650223942dc0ad1820bc4b923a82fdd619476a3b6
+DIST flatcar-ue-rs-8464c05429d9a034d38b48563d59479fa471606b.tar.gz 84209 BLAKE2B f3eb1d6a54670426d7c1ff7238d7394548ebd6b40af8b23046783c51f7e0b486bb19d7628c232da062f906a676961bf6f512c4f8fea400f4d27f36df46ac931b SHA512 4336be600f36e56dc577487ee47812470c45dc07d6d0c6c4f06754e9425120455821393723c5c99e370f3019ac1a0a49dace3ab1c2537f3fa1899243ad3e7ab7
 DIST fnv-1.0.7.crate 11266 BLAKE2B 81da85889c91b6567e0f555e37dd915f1bd919719d1ca10c31a6861d7aec29a49ae9c1e8bc500791bf9d6b8dbb318c096d04872c5872a4b1f7d45fbd8e12842d SHA512 2195a4b34a78e2dd9838caf0ee556bf87cbb4a8ef5505aac663b614eb59dcfc0c40f432463ede41ecca57bfe7711f72673d39a85fe03d426f1324097d5628334
 DIST foreign-types-0.3.2.crate 7504 BLAKE2B 520818b702d990d296ecd31a8646850202509ccfa18edd0e1b260289619a6c351e758f317ec0824bd76eccb209b6f087057c25f1bd01a47897715013dd834867 SHA512 bf27b8243ed482c202d120383374f19ff09422535e24b9c1aebccc66529bf300ca17b8bbc76d67f98ac092e614497afe3add9dc68aa69c93074df05762f91232
 DIST foreign-types-shared-0.1.1.crate 5672 BLAKE2B d2e42e04b6657e7a69fe0bd20c672176629c743e49a55fd007bb30e289710b70045d445ae9cae0eeaa747ee708c90e8abd9b5fc39bad8ec0666befe1b696d4f1 SHA512 bafdb2143e136fb0818e2ffd90b5c862b7181647d6568947d4e4531012bbf7a57b597221ec7056c1b562dfc0c3b5dead26d1a4111ebc15e7863737a873518a4a
@@ -97,10 +97,10 @@ DIST num-iter-0.1.45.crate 10320 BLAKE2B 9f2a60a819e31a6e7e048ae86f7fa029015a738
 DIST num-traits-0.2.19.crate 51631 BLAKE2B 78637360cbf32d172510a62bd9442708af9730c0296a2bb4ebd200c08facd49bc31bf8ddd58967e0df7273a938832b620265d9f8f4d26ad16049bf6dac1cb4e5 SHA512 180018a5eceb45085e4e8d103ff21bb4d5079cea874c42a0ad4c76c99d275d434bbc1cc289f0cdec172866daa89dbfe0871410b2cc3407233fe1129786905956
 DIST object-0.36.7.crate 329938 BLAKE2B 0b02cf2f44e99002909b38125edada1a259feae59fd0e5ef52001755b6878cac710c87c60fbafdbe405281e039f68572ea3d8093d16128899090fd70df7f2fa8 SHA512 dd69172349ecf51fd2351d32cc4453760ca1d15e854a1cf5ed99112032901a54b4645b24163b946deed11f81d3e3035e1a5afd8bff20f335dbd05eceab073478
 DIST once_cell-1.21.3.crate 34534 BLAKE2B 3578aaef305cad2fdffdc40c392775a3540bfab3f3aeafd22466d9507bf8346b9fcc200929d48525b051070c0aaa423ecbcaa12868b34dca007991effb224166 SHA512 32a87506c6f4598f3ca2c88556014ef2093d5db9a08602335e847caa537a866492fa74c894e7e1da2e4289a1d3dbffcb90a9e37a4a1453203832f434b8206990
-DIST openssl-0.10.78.crate 292622 BLAKE2B 17ec5a5efd1fa997a8179bb107912c62c47ea901d93df1c8c0c63e548427a01e57d79c23f0d4a7d614f0d2059c6c07097a4047aa91dfbc4d224c942615eb3587 SHA512 fc27483ebf36daf4b97a43aab2b347255a35e03268c4424df133c714da41a415025be7e6d12579590ab03d237eebaacf89c056d722a66591a7e77c1f45297b4d
+DIST openssl-0.10.72.crate 283852 BLAKE2B a221ff329fd068da6d88b98e32c0fb9750e074fd87eb261614ba08771df0879fefb80ed0b60a26fcf4ef808e0ff6484f7e4fcbc38146186d30ca4e74d17fa803 SHA512 ee4cfb893e7112fd274baef3283f3bc44385a3e014c9bb4eb24ffc6153fe56e2f66807d8d5874f97254390041cec3affc41bf7b2bc7e5d39bf60413ffb747786
 DIST openssl-macros-0.1.1.crate 5601 BLAKE2B 69dc1c1f3b7bc4f934cae0dce64c3efa501162e5279efd6af3b74f7a7716c04b6996b306b310f1c045cfa2eff2895314a47ecbb020a817e461c6d77d0bc11e92 SHA512 57e75c84f78fb83f884eeaedb0dd135ecb40192dad2facd908e6a575c9b65b38a2c93bca4630e09ea5a82c77d8bc8364cb2f5778cbfe9d8f484cafe3346b883c
 DIST openssl-probe-0.1.6.crate 8128 BLAKE2B 912371bbd0e105e7281eaa1462d68c6674ae11226f72a9e5c2808be12e975e39a257b5424cafdc527fac9d2313ed928f34ecf407cddbfb179283137e0817631d SHA512 6c2f02a9d42caf578fbd2a40277ad346bef32d191f27564d04a83477d62d6ad1f44945f40234e9425503e3f701a9e0ec8735ade52641170ff57fa6732666ac69
-DIST openssl-sys-0.9.114.crate 75617 BLAKE2B f4c313dae993116f249d27d9b161263e8ed770ea8ba0446738aa9fcb2f94d2aebb069f6a713f94ed64e99350f3241b095ef6f433b0e4f75cc3de2b0916d04a75 SHA512 a1404b613d77b039fee2e2195867f8db75520aaa558d125c99f1a6694e513e15454914dd8ab84ab1ef4ab729afd53eac8ddf5f3c42d152f758faa1d0c1fbd258
+DIST openssl-sys-0.9.107.crate 78156 BLAKE2B 7f4b43a7dbd9f58dba412fb87108547858aa74f4d891e5b446154be28afe7f034f5361427b52c3517c58e63eb0dbfe74452bf42031dc54358c4520992df9966f SHA512 e66e0f7cb43e3d8135bc1806d8be304b1b8da0de8254afdf1e5f6d2c52af7833389c06c457cb0c94e8917ce905b35ff73ddcf7bdc81cfb58cc1b177ec4e2d693
 DIST pem-rfc7468-0.7.0.crate 24159 BLAKE2B 478d355dd970b9705ebcf44d74d61ae0694db6de16b2018548fda88546f53e35b965ff72d939def399a49fe97d3c8317a10385ace94b3d552797ec64ace1eb8f SHA512 f47d3b6c7c8bf4547916acc2a3d6671f6c1308e74641419c8f1df810d8bd940aba8f94d361e4cbef3eae3b7f11587cd3996a11be3be41d19111abfcde7a9272a
 DIST percent-encoding-2.3.1.crate 10235 BLAKE2B cf8e2fd7b359a05b7bdaf731f9ae84c7fe6f468a53482eb2db7f93dfdaab64ac812b3664899db260055a93449462e6d219c695942fc5b030517b197b4df9b95f SHA512 5951ea8315e52cf3acfbaa023cb9e13a136b114c54a7da0bd44619ae24cd2159d4a96469d7572a2fdabd94e19513a033387117d7ca81d0eb409fb383e4acda44
 DIST pin-project-lite-0.2.16.crate 30504 BLAKE2B efd0b426fcc6ea8852bce499fac61f9755a11c6a2999cbec514f093ba7b3f94b1f2d437ee9abb243e31f3838ac1c74491a212851d7798eb249e209b35e015332 SHA512 971adfe54cfed304647fd944c1c915e78b37eaf0de3a582fb984a5e91f1b7d4db2cf0f53a9a64b64427062d4b41c0a36baddef782411a76ae3be0f8ca45f0718
@@ -128,7 +128,7 @@ DIST rustc-demangle-0.1.24.crate 29047 BLAKE2B 8248b014eedb26cdc0b748544ba91b9aa
 DIST rustix-1.0.5.crate 414160 BLAKE2B bc6d64d86501e5e97875fe290029bd6958db41ff90fa3f8d75fca88761a871904b96e0b452a7eaac7177de237ed2693ec8f32c940dce751ecaf1acedf582301a SHA512 df4c0ce07fcecadcccbb59c65e826eb327904f5a590a61539225c11ebcacf067896bb8577c73a490fbcc3ee20175782b847246095143c24f67e073f2073e8b07
 DIST rustls-0.23.35.crate 373700 BLAKE2B a4c219adfeed33e415f5cb3ca2d9df7980ed03bb43f2b1dc6f7f3b2723a69dd5d0a9d5f561d2d26da60f90a4106b54588b243c37baec7ec201df51e2abf411cd SHA512 f59f48bded60aad7b23e7c8c0f579713405ed7de45392f7984ceddaca42bc796f86674ec23b4576958042e699dd5a7ed82fac47923ae13dce930b7f3e8c0a039
 DIST rustls-pki-types-1.13.1.crate 34901 BLAKE2B ebe0a3ef59097ec96491337df232efc1644768ac1d7d9e465e9762a05282c072d9f6dbaf9dbca935405bcad48049f0a8b91db7b3182e16d4c5aca27f1b26033b SHA512 0357a3c66e31447fdf39ed9e29576e2dfbbb012171e71efe322c2cb13856e7441115936375555fb2f700e6a7bc97565c74dc4bc18f8b8b01d335357e220a2c1b
-DIST rustls-webpki-0.103.13.crate 87513 BLAKE2B c1b8db65355e598a240b545f5fdee8db234df9f4f1c2ffa41ab6e8759365fe88f867686a61dbf4002fb3330c67a172e1c97b53773e0378dbaad6c799646c74af SHA512 367829afe3432a9d80bb4da82e075dd05bc37ecaf801c0944e1af9184565d743abf92d59e6fd433e7f051daac15099273b823e6f417ec46b6b5da43bbdad59b6
+DIST rustls-webpki-0.103.8.crate 85810 BLAKE2B a6af950b130e130c0959013662b7be31d73d1bd98e00f507a20a9d980d7b133ee9bdeeeffa6313cdc75a02bbf06e24a314431a6f1a460ac4e00e37d046604412 SHA512 934f630a0c8be9bdc41d491ff8c6cdeb225f180c77b7f1b242d0c4a61390fce7c925ffa09527e5cf872993384a6197ba4685dd0b7466241b4e1811a557366336
 DIST rustversion-1.0.20.crate 20666 BLAKE2B 49fabcf276fe3f59b4a1c2e8a07364ba59c5ba4e0a33fe4150ce2eb93c6da42d32ad4d4a197baf6616c1cd703d34fcf5a90186c5467c1656388d55e7962d01a3 SHA512 250be168a4ee64f4b85d78658706659122d5fbbc748f321fe2b9baf48c547de4f0004c87882642645994b7798077c514a44e06b73784a800d04e4cc673aa8906
 DIST ryu-1.0.20.crate 48738 BLAKE2B b126085448cb58639a7b5867fe313dcaabaf19df478f67fcb6cf15b8e881a21e641878345e0bf1fea7d24b56b921e667fd26a39cb81fca7ea02585332068263f SHA512 329c581429d9b8baa7d9edd9cf20e23fb8002f339d9fb3d50ed4c7eb68fb19c1ba966d52a9c9602265ca5f59f2bd4393ddcb3a7ac20c64aee3096e137eb2a384
 DIST schannel-0.1.27.crate 42772 BLAKE2B 55b3cdf596d6d490fdbc10298eed7cb1b1bb8d6349ac8700ac2e7db66e1d75f0a5bea5b1b322bf30cc0f982262e96aa421998151a8ee1e620b5a09d25ad4263f SHA512 f469d03c2be014c248e7b6408f541584f250a9d58bc8dd8ff4d1e63f5720cadba1c0579b1e5d97b58844fadaeff10e9cfae6d5cd33c5de0fa4ebe699a8ead4a8

sdk_container/src/third_party/coreos-overlay/coreos-base/ue-rs/ue-rs-9999.ebuild

@@ -20,7 +20,7 @@ CRATES="
 	block-buffer@0.10.4
 	bstr@1.12.0
 	bumpalo@3.17.0
-	bytes@1.11.1
+	bytes@1.10.1
 	bzip2-sys@0.1.13+1.0.8
 	bzip2@0.4.4
 	cc@1.2.19
@@ -104,8 +104,8 @@ CRATES="
 	once_cell@1.21.3
 	openssl-macros@0.1.1
 	openssl-probe@0.1.6
-	openssl-sys@0.9.114
+	openssl-sys@0.9.107
-	openssl@0.10.78
+	openssl@0.10.72
 	pem-rfc7468@0.7.0
 	percent-encoding@2.3.1
 	pin-project-lite@0.2.16
@@ -132,7 +132,7 @@ CRATES="
 	rustc-demangle@0.1.24
 	rustix@1.0.5
 	rustls-pki-types@1.13.1
-	rustls-webpki@0.103.13
+	rustls-webpki@0.103.8
 	rustls@0.23.35
 	rustversion@1.0.20
 	ryu@1.0.20
@@ -235,7 +235,7 @@ if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://github.com/flatcar/ue-rs.git"
 	inherit git-r3
 else
-	EGIT_VERSION="f1e0301c36a2f5259f5d7ea2f2a60769f922b2f5" # main
+	EGIT_VERSION="8464c05429d9a034d38b48563d59479fa471606b" # main
 	SRC_URI="https://github.com/flatcar/${PN}/archive/${EGIT_VERSION}.tar.gz -> flatcar-${PN}-${EGIT_VERSION}.tar.gz
 		${CARGO_CRATE_URIS}"
 	S="${WORKDIR}/${PN}-${EGIT_VERSION}"

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-shells/bash/bash-jobs-del-pid-async.patch

@@ -1,45 +0,0 @@
-https://bugs.gentoo.org/970713
-
-From e359bdc261f9493d91b3cf792fe4fc480ecd6dc3 Mon Sep 17 00:00:00 2001
-From: Kerin Millar <kfm@plushkava.net>
-Date: Thu, 13 Nov 2025 18:39:28 +0000
-Subject: [PATCH] jobs.c: only call bgp_delete on a newly-created pid if
- asynchronous
-
-This is a backport of the following change from the devel branch.
-
-jobs.c
-    - make_child: only call bgp_delete on a newly-created pid if that
-      process is asynchronous, since that is what will cause it to be
-      put into the bgpids table. This mostly matters for procsubs and
-      asynchronous jobs, but will happen for comsubs in async jobs
-      and coprocs as well.
-
-Bug: https://bugs.gentoo.org/965423
-Signed-off-by: Kerin Millar <kfm@plushkava.net>
----
- jobs.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/jobs.c b/jobs.c
-index cbcc2c15..bafa7c26 100644
---- a/jobs.c
-+++ b/jobs.c
-@@ -2482,9 +2482,11 @@ make_child (char *command, int flags)
- 	 been reused. */
-       delete_old_job (pid);
- 
--      /* Perform the check for pid reuse unconditionally.  Some systems reuse
--	 PIDs before giving a process CHILD_MAX/_SC_CHILD_MAX unique ones. */
--      bgp_delete (pid);		/* new process, discard any saved status */
-+      /* Perform the check for background pid reuse unconditionally.
-+	 Some systems reuse PIDs before giving a process
-+	 CHILD_MAX/_SC_CHILD_MAX unique ones. */
-+      if (async_p)
-+	bgp_delete (pid);	/* new background process, discard any saved status */
- 
-       last_made_pid = pid;
- 
--- 
-2.51.2
-

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc

@@ -128,7 +128,7 @@ cros_pre_pkg_setup_sysroot_build_bin_dir() {
 # and also remove their associated debug files to avoid wasting space.
 cros_post_pkg_preinst_rm_masked_debug_files() {
 	local link debug dir=${ED}/usr/lib/debug
-	[[ -d ${dir}/.build-id ]] || return 0
+	[[ -d ${dir}/.build-id ]] || return
 	while read -d $'\n' -r link; do
 		debug=$(realpath "${link}.debug") || die
 		rm -f -- "${link}" "${link}.debug" "${debug}" || die

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild

@@ -94,7 +94,7 @@ pkg_preinst() {
 	libdirs=$(get_all_libdirs)
 	emake -C "${ED}/usr/share/${PN}" DESTDIR="${EROOT}" LIBDIRS="${libdirs}" layout
 	SYSTEMD_JOURNAL_GID=${ACCT_GROUP_SYSTEMD_JOURNAL_ID:-190} ROOT_UID=0 ROOT_GID=0 CORE_UID=500 CORE_GID=500 \
-		DESTDIR=${ROOT} "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" --exclude CZL+ "${ED}/usr/lib/tmpfiles.d" || die
+		DESTDIR=${D} "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" "${ED}/usr/lib/tmpfiles.d" || die
 	rm -f "${ED}/usr/share/${PN}/Makefile" "${ED}/usr/share/${PN}/dumb-tmpfiles-proc.sh" || die
 }
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0013-Revert-drop-OEM-URI-support.patch

@@ -1,21 +1,19 @@
-From df6384f8f0e93ab3b61cd04822cf808c7c2d289a Mon Sep 17 00:00:00 2001
+From b617624e830507f68268db881fdb1576ed25fb41 Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <jlecuirot@microsoft.com>
+From: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
-Date: Wed, 1 Apr 2026 16:11:52 +0100
+Date: Wed, 25 May 2022 10:38:16 +0200
-Subject: [PATCH 13/17] Partially revert "*: drop OEM URI support"
+Subject: [PATCH 13/19] Revert "*: drop OEM URI support"
 
-This partially reverts commit 0c088d6de77aa1b1f47b9252a07f51cb1e249df3.
+This reverts commit 0c088d6de77aa1b1f47b9252a07f51cb1e249df3.
-
-Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
 ---
  config/v3_0/types/url.go    |  2 +-
  config/v3_1/types/url.go    |  2 +-
  config/v3_2/types/url.go    |  2 +-
  config/v3_3/types/url.go    |  2 +-
  config/v3_4/types/url.go    |  2 +-
- docs/supported-platforms.md |  2 ++
+ docs/supported-platforms.md |  1 +
- internal/distro/distro.go   |  3 +++
+ internal/distro/distro.go   | 11 ++++-
- internal/resource/url.go    | 27 +++++++++++++++++++++++++++
+ internal/resource/url.go    | 91 +++++++++++++++++++++++++++++++++++++
- 8 files changed, 37 insertions(+), 5 deletions(-)
+ 8 files changed, 106 insertions(+), 7 deletions(-)
 
 diff --git a/config/v3_0/types/url.go b/config/v3_0/types/url.go
 index 2d8c44b1..f560bc22 100644
@@ -83,23 +81,32 @@ index b1f96337..752044ce 100644
  	case "s3":
  		if v, ok := u.Query()["versionId"]; ok {
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index afd49437..897eeabd 100644
+index afd49437..f8e1d3ae 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -12,6 +12,8 @@ Ignition is currently supported for the following platforms:
+@@ -12,6 +12,7 @@ Ignition is currently supported for the following platforms:
  * [Amazon Web Services] (`aws`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Microsoft Azure] (`azure`)- Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
  * [Microsoft Azure Stack] (`azurestack`) - Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
 +* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
-+* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
  * [DigitalOcean] (`digitalocean`) - Ignition will read its configuration from the droplet userdata. Cloud SSH keys and network configuration are handled separately.
 diff --git a/internal/distro/distro.go b/internal/distro/distro.go
-index 9d9351e7..fb12b792 100644
+index 9d9351e7..f3c32aaf 100644
 --- a/internal/distro/distro.go
 +++ b/internal/distro/distro.go
-@@ -30,6 +30,8 @@ var (
+@@ -23,13 +23,17 @@ import (
+ // -X github.com/flatcar/ignition/v2/internal/distro.mdadmCmd=/opt/bin/mdadm
+ var (
+ 	// Device node directories and paths
+-	diskByLabelDir = "/dev/disk/by-label"
++	diskByLabelDir    = "/dev/disk/by-label"
++	diskByPartUUIDDir = "/dev/disk/by-partuuid"
++	oemDevicePath     = "/dev/disk/by-label/OEM"
+ 
+ 	// initrd file paths
+ 	kernelCmdlinePath = "/proc/cmdline"
  	bootIDPath        = "/proc/sys/kernel/random/boot_id"
  	// initramfs directory containing distro-provided base config
  	systemConfigDir = "/usr/lib/ignition"
@@ -108,7 +115,15 @@ index 9d9351e7..fb12b792 100644
  
  	// Helper programs
  	groupaddCmd  = "groupadd"
-@@ -88,6 +90,7 @@ func DiskByLabelDir() string { return diskByLabelDir }
+@@ -83,11 +87,14 @@ var (
+ 	luksCexSecureKeyRepo    = "/etc/zkey/repository/"
+ )
+ 
+-func DiskByLabelDir() string { return diskByLabelDir }
++func DiskByLabelDir() string    { return diskByLabelDir }
++func DiskByPartUUIDDir() string { return diskByPartUUIDDir }
++func OEMDevicePath() string     { return fromEnv("OEM_DEVICE", oemDevicePath) }
+ 
  func KernelCmdlinePath() string { return kernelCmdlinePath }
  func BootIDPath() string        { return bootIDPath }
  func SystemConfigDir() string   { return fromEnv("SYSTEM_CONFIG_DIR", systemConfigDir) }
@@ -117,10 +132,15 @@ index 9d9351e7..fb12b792 100644
  func GroupaddCmd() string  { return groupaddCmd }
  func GroupdelCmd() string  { return groupdelCmd }
 diff --git a/internal/resource/url.go b/internal/resource/url.go
-index 5f08f059..ab1d80fa 100644
+index 5f08f059..a9f7f7ba 100644
 --- a/internal/resource/url.go
 +++ b/internal/resource/url.go
-@@ -27,6 +27,7 @@ import (
+@@ -23,10 +23,12 @@ import (
+ 	"fmt"
+ 	"hash"
+ 	"io"
++	"io/ioutil"
+ 	"net"
  	"net/http"
  	"net/url"
  	"os"
@@ -128,15 +148,17 @@ index 5f08f059..ab1d80fa 100644
  	"strings"
  	"syscall"
  	"time"
-@@ -34,6 +35,7 @@ import (
+@@ -34,7 +36,9 @@ import (
  	"cloud.google.com/go/compute/metadata"
  	"cloud.google.com/go/storage"
  	configErrors "github.com/flatcar/ignition/v2/config/shared/errors"
 +	"github.com/flatcar/ignition/v2/internal/distro"
  	"github.com/flatcar/ignition/v2/internal/log"
++	"github.com/flatcar/ignition/v2/internal/systemd"
  	"github.com/flatcar/ignition/v2/internal/util"
  	"golang.org/x/oauth2/google"
-@@ -165,6 +167,8 @@ func (f *Fetcher) FetchToBuffer(u url.URL, opts FetchOptions) ([]byte, error) {
+ 	"google.golang.org/api/option"
+@@ -165,6 +169,8 @@ func (f *Fetcher) FetchToBuffer(u url.URL, opts FetchOptions) ([]byte, error) {
  		err = f.fetchFromTFTP(u, dest, opts)
  	case "data":
  		err = f.fetchFromDataURL(u, dest, opts)
@@ -145,7 +167,7 @@ index 5f08f059..ab1d80fa 100644
  	case "s3", "arn":
  		buf := &s3buf{
  			WriteAtBuffer: manager.NewWriteAtBuffer([]byte{}),
-@@ -237,6 +241,8 @@ func (f *Fetcher) Fetch(u url.URL, dest *os.File, opts FetchOptions) error {
+@@ -237,6 +243,8 @@ func (f *Fetcher) Fetch(u url.URL, dest *os.File, opts FetchOptions) error {
  		return f.fetchFromTFTP(u, dest, opts)
  	case "data":
  		return f.fetchFromDataURL(u, dest, opts)
@@ -154,7 +176,7 @@ index 5f08f059..ab1d80fa 100644
  	case "s3", "arn":
  		return f.fetchFromS3(u, dest, opts)
  	case "gs":
-@@ -447,6 +453,27 @@ type s3target interface {
+@@ -447,6 +455,53 @@ type s3target interface {
  	io.ReadSeeker
  }
  
@@ -173,15 +195,81 @@ index 5f08f059..ab1d80fa 100644
 +	if fi, err := os.Open(absPath); err == nil {
 +		defer fi.Close()
 +		return f.decompressCopyHashAndVerify(dest, fi, opts)
-+	} else {
++	} else if !os.IsNotExist(err) {
 +		f.Logger.Err("failed to read oem config: %v", err)
 +		return ErrFailed
 +	}
++
++	f.Logger.Info("oem config not found in %q, looking on oem partition",
++		distro.OEMLookasideDir())
++
++	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
++	if err != nil {
++		f.Logger.Err("failed to create mount path for oem partition: %v", err)
++		return ErrFailed
++	}
++	// try oemMountPath, requires mounting it.
++	if err := f.mountOEM(oemMountPath); err != nil {
++		f.Logger.Err("failed to mount oem partition: %v", err)
++		return ErrFailed
++	}
++	defer os.Remove(oemMountPath)
++	defer f.umountOEM(oemMountPath)
++
++	absPath = filepath.Join(oemMountPath, path)
++	fi, err := os.Open(absPath)
++	if err != nil {
++		f.Logger.Err("failed to read oem config: %v", err)
++		return ErrFailed
++	}
++	defer fi.Close()
++
++	return f.decompressCopyHashAndVerify(dest, fi, opts)
 +}
 +
  // FetchFromS3 gets data from an S3 bucket as described by u and writes it into
  // dest, returning an error if one is encountered. It will attempt to acquire
  // IAM credentials from the EC2 metadata service, and if this fails will attempt
+@@ -735,3 +790,39 @@ func (f *Fetcher) parseARN(arnURL string) (string, string, string, string, error
+ 	key := strings.Join(urlSplit[1:], "/")
+ 	return bucket, key, "", regionHint, nil
+ }
++
++// mountOEM waits for the presence of and mounts the oem partition at
++// oemMountPath. oemMountPath will be created if it does not exist.
++func (f *Fetcher) mountOEM(oemMountPath string) error {
++	dev := []string{distro.OEMDevicePath()}
++	if err := systemd.WaitOnDevices(context.Background(), dev, "oem-cmdline"); err != nil {
++		f.Logger.Err("failed to wait for oem device: %v", err)
++		return err
++	}
++
++	if err := os.MkdirAll(oemMountPath, 0700); err != nil {
++		f.Logger.Err("failed to create oem mount point: %v", err)
++		return err
++	}
++
++	if err := f.Logger.LogOp(
++		func() error {
++			return syscall.Mount(dev[0], oemMountPath, "ext4", 0, "")
++		},
++		"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
++	); err != nil {
++		return fmt.Errorf("failed to mount device %q at %q: %v",
++			distro.OEMDevicePath(), oemMountPath, err)
++	}
++
++	return nil
++}
++
++// umountOEM unmounts the oem partition at oemMountPath.
++func (f *Fetcher) umountOEM(oemMountPath string) {
++	// ignore the error for the linter
++	_ = f.Logger.LogOp(
++		func() error { return syscall.Unmount(oemMountPath, 0) },
++		"unmounting %q", oemMountPath,
++	)
++}
 -- 
-2.53.0
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0014-config-Support-oem-schema-in-newer-config-spec-versi.patch

@@ -1,41 +0,0 @@
-From 22332650e3b97479aca7144b04a6dbd2590596de Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <jlecuirot@microsoft.com>
-Date: Mon, 6 Apr 2026 13:13:58 +0100
-Subject: [PATCH 14/18] config: Support oem:// schema in newer config spec
- versions
-
-Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
----
- config/v3_5/types/url.go              | 2 +-
- config/v3_6_experimental/types/url.go | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/config/v3_5/types/url.go b/config/v3_5/types/url.go
-index b1f96337..752044ce 100644
---- a/config/v3_5/types/url.go
-+++ b/config/v3_5/types/url.go
-@@ -32,7 +32,7 @@ func validateURL(s string) error {
- 	}
- 
- 	switch u.Scheme {
--	case "http", "https", "tftp", "gs":
-+	case "http", "https", "tftp", "gs", "oem":
- 		return nil
- 	case "s3":
- 		if v, ok := u.Query()["versionId"]; ok {
-diff --git a/config/v3_6_experimental/types/url.go b/config/v3_6_experimental/types/url.go
-index b1f96337..752044ce 100644
---- a/config/v3_6_experimental/types/url.go
-+++ b/config/v3_6_experimental/types/url.go
-@@ -32,7 +32,7 @@ func validateURL(s string) error {
- 	}
- 
- 	switch u.Scheme {
--	case "http", "https", "tftp", "gs":
-+	case "http", "https", "tftp", "gs", "oem":
- 		return nil
- 	case "s3":
- 		if v, ok := u.Query()["versionId"]; ok {
--- 
-2.53.0
-

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0014-internal-resource-url-support-btrfs-as-OEM-partition.patch

@@ -0,0 +1,39 @@
+From ca4cd35a3124d696c236549111b1655f6feffb97 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kai=20L=C3=BCke?= <kailuke@microsoft.com>
+Date: Wed, 7 Jul 2021 18:40:52 +0200
+Subject: [PATCH 14/19] internal/resource/url: support btrfs as OEM partition
+ filesystem
+
+When btrfs is used to fit more content into the partition, mounting
+fails because ext4 was hardcoded.
+When mounting ext4 fails, try mounting as btrfs.
+---
+ internal/resource/url.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/internal/resource/url.go b/internal/resource/url.go
+index a9f7f7ba..4471db96 100644
+--- a/internal/resource/url.go
++++ b/internal/resource/url.go
+@@ -811,8 +811,17 @@ func (f *Fetcher) mountOEM(oemMountPath string) error {
+ 		},
+ 		"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
+ 	); err != nil {
+-		return fmt.Errorf("failed to mount device %q at %q: %v",
++		f.Logger.Err("failed to mount ext4 device %q at %q, trying btrfs: %v",
+ 			distro.OEMDevicePath(), oemMountPath, err)
++		if err := f.Logger.LogOp(
++			func() error {
++				return syscall.Mount(dev[0], oemMountPath, "btrfs", 0, "")
++			},
++			"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
++		); err != nil {
++			return fmt.Errorf("failed to mount btrfs device %q at %q: %v",
++				distro.OEMDevicePath(), oemMountPath, err)
++		}
+ 	}
+ 
+ 	return nil
+-- 
+2.51.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0017-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch

@@ -1,7 +1,7 @@
-From f0030362abcedf24149860673ef0596cf3051787 Mon Sep 17 00:00:00 2001
+From 9840bd7740f5667f8b2d6e3d87da226dab14bf83 Mon Sep 17 00:00:00 2001
 From: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
 Date: Mon, 4 Mar 2024 15:05:14 +0100
-Subject: [PATCH 17/18] docs: Add re-added platforms to docs to pass tests
+Subject: [PATCH 17/19] docs: Add re-added platforms to docs to pass tests
 
 Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
 Co-Authored-By: Krzesimir Nowak <knowak@microsoft.com
@@ -10,18 +10,18 @@ Co-Authored-By: Krzesimir Nowak <knowak@microsoft.com
  1 file changed, 4 insertions(+)
 
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index 897eeabd..2a861637 100644
+index f8e1d3ae..0a30664c 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -16,6 +16,7 @@ Ignition is currently supported for the following platforms:
+@@ -15,6 +15,7 @@ Ignition is currently supported for the following platforms:
- * PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
+ * Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
 +* `cloudsigma` - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [DigitalOcean] (`digitalocean`) - Ignition will read its configuration from the droplet userdata. Cloud SSH keys and network configuration are handled separately.
  * [Exoscale] (`exoscale`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Google Cloud] (`gcp`) - Ignition will read its configuration from the instance metadata entry named "user-data". Cloud SSH keys are handled separately.
-@@ -31,6 +32,9 @@ Ignition is currently supported for the following platforms:
+@@ -30,6 +31,9 @@ Ignition is currently supported for the following platforms:
  * [Equinix Metal] (`packet`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [IBM Power Systems Virtual Server] (`powervs`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [QEMU] (`qemu`) - Ignition will read its configuration from the 'opt/com.coreos/config' key on the QEMU Firmware Configuration Device (available in QEMU 2.4.0 and higher).
@@ -32,5 +32,5 @@ index 897eeabd..2a861637 100644
  * [UpCloud] (`upcloud`) - Ignition will read its configuration from the instance userdata fetched from the metadata service (which is NOT enabled by default, make sure you enable it if you use custom images). Cloud SSH keys are handled separately.
  * [VirtualBox] (`virtualbox`) - Use the VirtualBox guest property `/Ignition/Config` to provide the config to the virtual machine.
 -- 
-2.53.0
+2.51.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0018-usr-share-oem-oem.patch

@@ -1,18 +1,16 @@
-From 8f5d1b4685b12817ea7d65673de51b3ee384988d Mon Sep 17 00:00:00 2001
+From 8bf635277ccd8f0aeb3bb2e2c67f73dd4188e618 Mon Sep 17 00:00:00 2001
 From: James Le Cuirot <jlecuirot@microsoft.com>
 Date: Wed, 25 Mar 2026 10:55:24 +0000
-Subject: [PATCH 18/18] /usr/share/oem -> /oem
+Subject: [PATCH 18/21] /usr/share/oem -> /oem
 
 Flatcar previously kept looking at the initrd's /usr/share/oem even
 after the migration for compatibility, but the minimal initrd now moves
 it to /oem before Ignition starts.
-
-Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
 ---
  config/util/translate.go    | 2 +-
- docs/supported-platforms.md | 4 ++--
+ docs/supported-platforms.md | 2 +-
  internal/distro/distro.go   | 2 +-
- 3 files changed, 4 insertions(+), 4 deletions(-)
+ 3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/config/util/translate.go b/config/util/translate.go
 index 347d148c..d4c057b2 100644
@@ -28,25 +26,23 @@ index 347d148c..d4c057b2 100644
  			// generate a new path
  			fsMap[name] = "/tmp/" + name + "-ign" + strconv.FormatUint(addedSuffixCounter, 10)
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index 2a861637..084f5964 100644
+index 0a30664c..1522d0ef 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -12,8 +12,8 @@ Ignition is currently supported for the following platforms:
+@@ -12,7 +12,7 @@ Ignition is currently supported for the following platforms:
  * [Amazon Web Services] (`aws`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Microsoft Azure] (`azure`)- Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
  * [Microsoft Azure Stack] (`azurestack`) - Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
 -* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
--* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
 +* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/oem`.
-+* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
  * `cloudsigma` - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
 diff --git a/internal/distro/distro.go b/internal/distro/distro.go
-index fb12b792..3a6c2ae3 100644
+index f3c32aaf..36bdf3f5 100644
 --- a/internal/distro/distro.go
 +++ b/internal/distro/distro.go
-@@ -31,7 +31,7 @@ var (
+@@ -33,7 +33,7 @@ var (
  	// initramfs directory containing distro-provided base config
  	systemConfigDir = "/usr/lib/ignition"
  	// initramfs directory to check before retrieving file from OEM partition

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch

@@ -0,0 +1,44 @@
+From 14b7be1a0a51408df54b36590a25d2cbab228bbc Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 25 Mar 2026 11:09:40 +0000
+Subject: [PATCH 20/21] Create /mnt directory before attempting to mount OEM
+ partition
+
+This was previously fixed, but it then broke again when the /mnt/oem
+mount path was replaced with a temp directory under /mnt. Parent
+directories are not created for you when requesting a temp directory.
+---
+ internal/resource/url.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/internal/resource/url.go b/internal/resource/url.go
+index 4471db96..86136422 100644
+--- a/internal/resource/url.go
++++ b/internal/resource/url.go
+@@ -478,6 +478,11 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
+ 	f.Logger.Info("oem config not found in %q, looking on oem partition",
+ 		distro.OEMLookasideDir())
+ 
++	if err := os.MkdirAll("/mnt", 0755); err != nil {
++		f.Logger.Err("failed to create /mnt directory for oem mount path: %v", err)
++		return err
++	}
++
+ 	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
+ 	if err != nil {
+ 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
+@@ -800,11 +805,6 @@ func (f *Fetcher) mountOEM(oemMountPath string) error {
+ 		return err
+ 	}
+ 
+-	if err := os.MkdirAll(oemMountPath, 0700); err != nil {
+-		f.Logger.Err("failed to create oem mount point: %v", err)
+-		return err
+-	}
+-
+ 	if err := f.Logger.LogOp(
+ 		func() error {
+ 			return syscall.Mount(dev[0], oemMountPath, "ext4", 0, "")
+-- 
+2.53.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch

@@ -0,0 +1,34 @@
+From daab4ae13c6511183609c5160999ab1e011a0d8c Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 25 Mar 2026 11:12:37 +0000
+Subject: [PATCH 21/21] Replace deprecated ioutil.TempDir call with
+ os.MkdirTemp
+
+---
+ internal/resource/url.go | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/internal/resource/url.go b/internal/resource/url.go
+index 86136422..a38f4e87 100644
+--- a/internal/resource/url.go
++++ b/internal/resource/url.go
+@@ -23,7 +23,6 @@ import (
+ 	"fmt"
+ 	"hash"
+ 	"io"
+-	"io/ioutil"
+ 	"net"
+ 	"net/http"
+ 	"net/url"
+@@ -483,7 +482,7 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
+ 		return err
+ 	}
+ 
+-	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
++	oemMountPath, err := os.MkdirTemp("/mnt", "oem")
+ 	if err != nil {
+ 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
+ 		return ErrFailed
+-- 
+2.53.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild

@@ -28,13 +28,15 @@ else
 		"${FILESDIR}/0010-VMware-Fix-guestinfo.-.config.data-and-.config.url-v.patch"
 		"${FILESDIR}/0011-config-version-handle-configuration-version-1.patch"
 		"${FILESDIR}/0012-config-util-add-cloud-init-detection-to-initial-pars.patch"
-		"${FILESDIR}/0013-Partially-revert-drop-OEM-URI-support.patch"
+		"${FILESDIR}/0013-Revert-drop-OEM-URI-support.patch"
-		"${FILESDIR}/0014-config-Support-oem-schema-in-newer-config-spec-versi.patch"
+		"${FILESDIR}/0014-internal-resource-url-support-btrfs-as-OEM-partition.patch"
 		"${FILESDIR}/0015-translation-support-OEM-and-oem.patch"
 		"${FILESDIR}/0016-revert-internal-oem-drop-noop-OEMs.patch"
 		"${FILESDIR}/0017-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch"
 		"${FILESDIR}/0018-usr-share-oem-oem.patch"
 		"${FILESDIR}/0019-internal-exec-stages-mount-Mount-oem.patch"
+		"${FILESDIR}/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch"
+		"${FILESDIR}/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch"
 	)
 fi
 

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild

@@ -54,7 +54,7 @@ src_compile() {
     fi
     emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
   else
-    emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE:-/usr/share/sb_keys/shim.der}" )
+    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
   fi
   emake "${emake_args[@]}" || die
 }

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest

@@ -1 +1 @@
-DIST bootengine-003a67d93a99705391a0a1fa825f018b074d8e8b.tar.gz 37805 BLAKE2B 25abb7cf425a02c330245c7efc63406ee823fd9921afd39f9b413eda1451fa48ed150dd104cb550f9b81e7445b4c9e50a0ec55077dbf6de0c712cbcb7339dd67 SHA512 a9246398a560a7bbdb7b1d714012fdca65a2475843cfcb5fd20551086165623d248c577b6170fb32a75709a67014b33581c415e4c5410202e29a57e6a0ff6d88
+DIST bootengine-9c6a9e4c03e27cdfc5056bf6a76788d2b7165cbb.tar.gz 37123 BLAKE2B a3fafdd8ca38f5eca2df8cfe7fb7825ecfa3b41146c1be327fdf261444d52fa7c582b8351239d1c50532db89d3b863dde445de5dfe60ad167c36c8c8460c2a40 SHA512 e3569138b05b7c07554a37a767a60318f1df918532317f1a9f11b2cd12fc5e7079f8c713287104169575eea93fd83c4238cf230787941341f1d157e9069527bb

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild

@@ -10,7 +10,7 @@ if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://github.com/flatcar/bootengine.git"
 	inherit git-r3
 else
-	EGIT_VERSION="003a67d93a99705391a0a1fa825f018b074d8e8b" # flatcar-master
+	EGIT_VERSION="9c6a9e4c03e27cdfc5056bf6a76788d2b7165cbb" # flatcar-master
 	SRC_URI="https://github.com/flatcar/bootengine/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 	S="${WORKDIR}/${PN}-${EGIT_VERSION}"
 	KEYWORDS="amd64 arm arm64 x86"
@@ -20,14 +20,26 @@ LICENSE="BSD"
 SLOT="0/${PVR}"
 
 src_install() {
+	insinto /usr/lib/dracut/modules.d/
+	doins -r dracut/.
 	dosbin update-bootengine
 	dosbin minimal-init
 
-	insinto /usr/lib/dracut/modules.d
-	doins -r dracut/.
-
 	# must be executable since dracut's install scripts just
 	# re-use existing filesystem permissions during initrd creation.
-	cd "${ED}"/usr/lib/dracut/modules.d || die
+	chmod +x \
-	find "${S}"/dracut -type f -executable -printf "%P\0" | xargs -0 chmod +x || die
+		"${ED}"/usr/lib/dracut/modules.d/51*-generator/*-generator \
+		"${ED}"/usr/lib/dracut/modules.d/51diskless-generator/diskless-btrfs \
+		"${ED}"/usr/lib/dracut/modules.d/51networkd-dependency-generator/*-generator \
+		"${ED}"/usr/lib/dracut/modules.d/50flatcar-network/parse-ip-for-networkd.sh \
+		"${ED}"/usr/lib/dracut/modules.d/53disk-uuid/disk-uuid.sh \
+		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-generator \
+		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-setup.sh \
+		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-setup-pre.sh \
+		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-kargs-helper \
+		"${ED}"/usr/lib/dracut/modules.d/53ignition/retry-umount.sh \
+		"${ED}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root \
+		"${ED}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root-after-ignition \
+		"${ED}"/usr/lib/dracut/modules.d/99setup-root/gpg-agent-wrapper \
+		|| die chmod
 }

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest

@@ -1 +1 @@
-DIST linux-firmware-20260410.tar.xz 619615856 BLAKE2B c35531a94841d733690dbfd1e08c6be6c24124a20eac1c75b290820839e962773640a33b29c29376137d55be95d8e5304a86425e2a631b1a0dcc62d45a5d1f6d SHA512 b16c603e058cb1a92cf199c95318adc6dee874920bee377b7c95ca8cc8dabd26d53a97f3aef52c01fde8d186352895e909483fa7c729c8793b9974ccc130a4a6
+DIST linux-firmware-20260309.tar.xz 610973936 BLAKE2B 62ec056ad09d3e6740b12454845ffeea250785b566f9c6239ebae19e52d3237a49eeb18bae3726cb7a1bb0bca7ad24b9bbac440132ba8fac3d0adccf654ab4c4 SHA512 2feb9f1221d72e909e36b1d56f50c8f4f20eb00dfcbbb1fa0e9661d0f4cc1a731ef9d8167e1dbe3edd637be9fcc20a3844dae44e05826bd441f77d6b44614e53

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12

@@ -169,12 +169,12 @@ CONFIG_DM_UEVENT=y
 CONFIG_DM_VERITY=m
 CONFIG_DM_ZERO=m
 CONFIG_DNS_RESOLVER=y
-CONFIG_DRM=y
+CONFIG_DRM=m
 CONFIG_DRM_FBDEV_EMULATION=y
 CONFIG_DRM_QXL=m
 CONFIG_DRM_SIMPLEDRM=m
 CONFIG_DRM_TTM_HELPER=m
-CONFIG_DRM_VIRTIO_GPU=y
+CONFIG_DRM_VIRTIO_GPU=m
 CONFIG_DST_CACHE=y
 CONFIG_DUMMY=m
 CONFIG_DYNAMIC_DEBUG=y
@@ -1009,7 +1009,7 @@ CONFIG_VIA_RHINE=m
 CONFIG_VIA_RHINE_MMIO=y
 CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
-CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_CONSOLE=m
 CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 CONFIG_VIRTIO_MMIO=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
 DIST linux-6.12.tar.xz 147906904 BLAKE2B b2ec2fc69218cacabbbe49f78384a5d259ca581b717617c12b000b16f4a4c59ee348ea886b37147f5f70fb9a7a01c1e2c8f19021078f6b23f5bc62d1c48d5e5e SHA512 a37b1823df7b4f72542f689b65882634740ba0401a42fdcf6601d9efd2e132e5a7650e70450ba76f6cd1f13ca31180f2ccee9d54fe4df89bc0000ade4380a548
-DIST patch-6.12.85.xz 4377956 BLAKE2B a4ce6472229c01003884ece108f60f2e9458d7fae38ebc47e7b598e1245e7a396fbc01aca3a7d310825b1f39acbe588b6865311d3ac7b4f48d2f404a728c942e SHA512 6b7c0c220ca26b900462b21641f8615f7c84dc25cc79527c8d32e9ac5742bb89851d30a69e1f1b1bfdb5bd353153c31ae523538eca1cead8cc12261a47f4a18b
+DIST patch-6.12.81.xz 4327232 BLAKE2B eb81e142bc7825061ae43efb062248f88868346bc6d449de0fd524b419ab1f5d524e9042390778971321229035c0f4dc5b481101bb2aa2f47512975e5ff5c790 SHA512 fbd813a24adeb4892079bae49b13c46acb7bb234f19a996de00b7ac2d95ca382d0e56195e393c1bd0a09051f1e36301e972924bd1fba2848e62c5d531d092b3d

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,24 +1,24 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 607306 BLAKE2B 92017b6799c6b9c6711d15259ccc5be7553c29a3562d24a367c7d7fa515cce981f1217aad923c07afa53479c855092c79ea478c7db5c27df5970742f0481eaaf SHA512 4fb6dcd2062715f4926aa685e41323a46d1b1f83e7be9008f32bd997a354c2cf495d9a497cf42a39b59bc734dabbeb4a8cb987031227e5f6741d4c6fc3ec95bf
+MANIFEST Manifest.files.gz 606986 BLAKE2B a1a7c8f65fa2d227109ddc598ecd792925cbf4dd59fd721d0e3d30d2ca2d680abe6f48efd8c7f747286a8b9b83dd77ab08effbd12fd5cff7aea22ff05b4b3249 SHA512 1d46d342b6898d53ef6e234a4ca25659b7a64373067f8d911b4a7efe73a227178e519cb54901fc15172d8a4113aeafaf14390ce5e552d1e17e50d3297a8f0701
-TIMESTAMP 2026-05-01T07:08:09Z
+TIMESTAMP 2026-04-01T07:08:01Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKvBAEBCgCZFiEE4dartjv8+0ugL98c7FkO6skYklAFAmn0UVkbFIAAAAAABAAO
+iQKvBAEBCgCZFiEE4dartjv8+0ugL98c7FkO6skYklAFAmnMxFEbFIAAAAAABAAO
 bWFudTIsMi41KzEuMTEsMiwyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25z
 Lm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFMUQ2QUJCNjNCRkNGQjRCQTAyRkRG
-MUNFQzU5MEVFQUM5MTg5MjUwAAoJEOxZDurJGJJQehAQAIbfYrOfZXXVM5NCsVSH
+MUNFQzU5MEVFQUM5MTg5MjUwAAoJEOxZDurJGJJQCCMQAJqLP7jt/MtqrWUu66/N
-s9QR1OC6QdiSTci3jmOmSqRzMQtIEq0MpOmuFYtJuoCZcGuE8jKpSyx12PArZRYW
+g4C4QYQY65p5tHkq6lFs/X24MeAtuRUgKbaOQm02KZJNb61bvZBdgtNE8P14qWJX
-abGU7C+hGt6qF73p47FewiTLHQv3kBEKV8H/sJCuFv6aoOqczSxFnpJiIDP2Cr2O
+LtJ8hqYOJiDT3hDhnL5Z+UbjIxDdn6m2udztvXvdkgRiQEUnhaTv8BpeOwvdGnZ4
-5oQtnpvS06Yu+GcRzkwiKQ05UP4yprfoFk7Y7RlaTniVoSNdXwTEVF33CuJNQyT8
+nswP+jJ5hMK4tYuMFy96jO39jKAbKo4HNYQCW8CJe4/HRSboXe20Z+N74xqq5M2e
-7mD68mxYAlL71M56yE7a6AZPMd+QpqJf+mqpGBMAO3A9J0UHdYTnQG4RZZsgLvvy
+aajm7K7adRALxIYM2Ih3V64LfVsPn31TzMfXaFk0y4p3f82uZ/hTophDZIdePR0M
-Zg0hSafEedVmokw5Iw8QqGdBHscCoL2H5I+0rPhjwHto9MrD5lmFYWh10xi3ncGW
+a1hkcQRPdHOmbVftt3llye5XoSmq0d+Pie7axQUJVwlFd+gORzNqvK3U+9PeeKjB
-EV7YKfY7nzr2UdPWyingtMcHXgUz4oo1rNHSfBJ9bNizqxraJUFo4ZEC7xTHyeiB
+FU6wU1vmR2mlIE90prbdDKPkoNhOnn9CVLHRHYl0M8WLh4TATrDl0HcUbEOrE/CC
-yjKPVOFXkr0njGso3O6Xo+KRyG5bfNWst3Bz5E6rxlGozwEZtvtfOHYrUe8vzQHp
+vay9V4s+lABWZh2D/BToIrWUs0UMpWtt/5e5ZANrECj7T5ExWngHY7zCCDn1dySw
-LNmczBy8M13dMC6DIYtalp9Gdi9K8Si+bFCepe9Ux92DFDcaymT3WyJauva+3NT/
+Poabc3KIQlBzmstxNBqTUIvxdaxhvF+Hh7Fj4Grzzmsgio76mBhQLUF2ML8vquVe
-g76MRRW9Ez/p7h1J0wRYF0GLLaYC7l7kr4pavUHu8VvP0SS/fQanCmIpnPYUUqwe
+ipeNd0fnGIWUN6eGdC6BZ73wVC66r53bSjHPMa+N6KyCgmHbGP/HCE0GuUvnKtBc
-/rzIzuZGtU1lW0ynXlGiosxh3zIQgw7WthjlsQTWH3XiRu02ZKrkCDY56ZDmmGl0
+joBONGhatuZEM3zLIMLLxHg4cMYVEF2vA19Mh89OhYQDlIbEf5Bc/LpPYOtN3LdD
-INhWuascPpUN8zEuK0URt1zS
+vHcXTmn2vbBiAIieKmqm6Elk
-=xCZR
+=iTBC
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-03.xml

@@ -1,43 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
-<glsa id="202604-03">
-    <title>FUSE: Multiple Vulnerabilities</title>
-    <synopsis>Multiple vulnerabilities have been found in FUSE, the worst of which can lead to code execution.</synopsis>
-    <product type="ebuild">fuse</product>
-    <announced>2026-04-17</announced>
-    <revised count="1">2026-04-17</revised>
-    <bug>971552</bug>
-    <access>remote</access>
-    <affected>
-        <package name="sys-fs/fuse" auto="yes" arch="*">
-            <unaffected range="ge" slot="3">3.18.1</unaffected>
-            <vulnerable range="lt" slot="3">3.18.1</vulnerable>
-        </package>
-    </affected>
-    <background>
-        <p>FUSE (Filesystem in Userspace) is an interface for userspace programs to export a filesystem to the Linux kernel.</p>
-    </background>
-    <description>
-        <p>The following vulnerabilities have been discovered in FUSE: a NULL pointer dereference (when running with the NUMA architecture) and a use-after-free. The worst of which can lead to code execution. Please review the CVE identifiers referenced below for details.</p>
-    </description>
-    <impact type="normal">
-        <p>The following is a possible outcome: denial of service (crash) and potential code execution.</p>
-    </impact>
-    <workaround>
-        <p>There is no known workaround at this time.</p>
-    </workaround>
-    <resolution>
-        <p>All FUSE users should upgrade to the latest version:</p>
-        
-        <code>
-          # emerge --sync
-          # emerge --ask --oneshot --verbose ">=sys-fs/fuse-3.18.1:3"
-        </code>
-    </resolution>
-    <references>
-        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-33150">CVE-2026-33150</uri>
-        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-33179">CVE-2026-33179</uri>
-    </references>
-    <metadata tag="requester" timestamp="2026-04-17T19:33:25.077082Z">csfore</metadata>
-    <metadata tag="submitter" timestamp="2026-04-17T19:33:25.079638Z">csfore</metadata>
-</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-04.xml

@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
-<glsa id="202604-04">
-    <title>DTrace: Arbitrary file creation via dtprobed</title>
-    <synopsis>A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.</synopsis>
-    <product type="ebuild">dtrace</product>
-    <announced>2026-04-17</announced>
-    <revised count="1">2026-04-17</revised>
-    <bug>971491</bug>
-    <access>local</access>
-    <affected>
-        <package name="dev-debug/dtrace" auto="yes" arch="*">
-            <unaffected range="ge">2.0.6</unaffected>
-            <vulnerable range="lt">2.0.6</vulnerable>
-        </package>
-    </affected>
-    <background>
-        <p>DTrace is a dynamic tracing tool for analysing or debugging the whole system. Specifically, dtprobed is a component of the DTrace system that keeps track of USDT probes within running processes, parsing and storing the DOF they provide for later consumption by dtrace proper.</p>
-    </background>
-    <description>
-        <p>A vulnerability has been found in dtprobed that allows for arbitrary file creation through specially crafted USDT provider names.</p>
-    </description>
-    <impact type="normal">
-        <p>The worst possible outcome is the ability for an attacker to run arbitrary code via the maliciously created file.</p>
-    </impact>
-    <workaround>
-        <p>There is no known workaround at this time.</p>
-    </workaround>
-    <resolution>
-        <p>All DTrace users should upgrade to the latest version:</p>
-        
-        <code>
-          # emerge --sync
-          # emerge --ask --oneshot --verbose ">=dev-debug/dtrace-2.0.6"
-        </code>
-    </resolution>
-    <references>
-        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-21991">CVE-2026-21991</uri>
-    </references>
-    <metadata tag="requester" timestamp="2026-04-17T20:47:15.308512Z">csfore</metadata>
-    <metadata tag="submitter" timestamp="2026-04-17T20:47:15.311877Z">csfore</metadata>
-</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-Fri, 01 May 2026 07:08:08 +0000
+Wed, 01 Apr 2026 07:08:00 +0000

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit

@@ -1 +1 @@
-f40d2fdd24a34342a4c050396f064a038ebebb9b 1776459195 2026-04-17T20:53:15Z
+d2078931cc4cb1c6d04130dacbed885a7d2bf71c 1773030064 2026-03-09T04:21:04Z

sdk_lib/Dockerfile.sdk-import

@@ -17,6 +17,11 @@ RUN if ! grep -q portage /etc/passwd; then \
         echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >>/etc/passwd; \
     fi
 
+# fix "Unable to unshare: EPERM ..." in containers
+#  (see https://github.com/gentoo/gentoo-docker-images/issues/81)
+RUN echo 'export FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"' \
+        >> /etc/skel/.bashrc
+
 RUN groupadd sdk
 RUN useradd -g sdk -G portage sdk
 RUN echo "sdk ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sdk-user

sdk_lib/Dockerfile.sdk-update

@@ -4,13 +4,22 @@ FROM ${BASE}
 COPY --chown=sdk:sdk sdk_container/ /mnt/host/source
 COPY --chown=sdk:sdk . /mnt/host/source/src/scripts
 
+# Disable all sandboxing for SDK updates since some core packages
+#  (like GO) fail to build from a permission error otherwise.
+RUN cp /home/sdk/.bashrc /home/sdk/.bashrc.bak
+RUN echo 'export FEATURES="-sandbox -usersandbox -ipc-sandbox -network-sandbox -pid-sandbox"' \
+        >> /home/sdk/.bashrc
+
 RUN chown sdk:sdk /mnt/host/source
-RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
+RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
-        /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
 
 RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --regen_configs
 RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
 
+# Restore original .bashrc to remove sandbox disablement
+RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc
+RUN chown sdk:sdk /home/sdk/.bashrc
+
 # Clean up ephemeral key directory variables that were added during build
 RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
         -e '/export MODULES_SIGN_KEY=/d' \

sdk_lib/sdk_container_common.sh

@@ -41,11 +41,6 @@ docker=${docker_a[*]}
 function call_docker() {
     "${docker_a[@]}" "${@}"
 }
-
-function docker_build() {
-    PROGRESS_NO_TRUNC=1 call_docker build --progress plain "${@}"
-}
-
 # --
 
 # Common "echo" function
@@ -218,9 +213,6 @@ function setup_sdk_env() {
         \
         USE FEATURES PORTAGE_USERNAME FORCE_STAGES \
         SIGNER \
-        SBSIGN_KEY SBSIGN_CERT SBSIGN_DB_KEY SBSIGN_DB_CERT \
-        SHIM_SIGNING_CERTIFICATE \
-        MODULE_SIGNING_KEY_DIR SYSEXT_SIGNING_KEY_DIR \
         all_proxy ftp_proxy http_proxy https_proxy no_proxy; do
 
         if [ -n "${!var:-}" ] ; then
@@ -308,7 +300,6 @@ function gnupg_ssh_gcloud_mount_opts() {
     if [[ -e ${GOOGLE_APPLICATION_CREDENTIALS:-} ]] ; then
         creds_dir=$(dirname "${GOOGLE_APPLICATION_CREDENTIALS}")
         if [[ -d ${creds_dir} ]] ; then
-            echo "Mounting gcloud credentials from ${creds_dir} (used for artifact uploads, safe to ignore if not needed, not baked into any image)"
             echo "-v $creds_dir:$creds_dir"
             args_ref+=( -v "${creds_dir}:${creds_dir}" )
         fi

sdk_lib/sdk_entry.sh

@@ -72,14 +72,10 @@ fi
 
 # Create key directory if not already configured in .bashrc
 if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
-    if [[ -n ${MODULE_SIGNING_KEY_DIR:-} ]]; then
+    # For official builds, use ephemeral keys. For unofficial builds, use persistent directory
-        # Pre-set via environment (e.g. .sdkenv) — use as-is
+    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
-        :
-    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
-        # For official builds, use ephemeral keys
         MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
-        # For unofficial builds, use persistent directory
         MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
         su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}"
     fi
@@ -101,10 +97,7 @@ if grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
     fi
 fi
 grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
-    if [[ -n ${SYSEXT_SIGNING_KEY_DIR:-} ]]; then
+    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
-        # Pre-set via environment (e.g. .sdkenv) — use as-is
-        :
-    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
         SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
         SYSEXT_SIGNING_KEY_DIR="/home/sdk/.sysext-signing-keys"

update_chroot

@@ -80,7 +80,7 @@ info "Setting up portage..."
 sudo mkdir -p "${REPO_CACHE_DIR}/distfiles"
 sudo chown "${PORTAGE_USERNAME}:portage" "${REPO_CACHE_DIR}/distfiles"
 sudo mkdir -p /etc/portage/repos.conf /var/lib/portage/pkgs
-sudo ln -sfT "${REPO_ROOT}/src/third_party/coreos-overlay/coreos/user-patches" /etc/portage/patches
+sudo ln -sfT "${COREOS_OVERLAY}/coreos/user-patches" '/etc/portage/patches'
 sudo touch /etc/portage/make.conf.user
 
 sudo_clobber "/etc/portage/make.conf" <<EOF

update_sdk_container_image

@@ -75,8 +75,7 @@ fi
 yell "Creating new SDK container image ${new_sdk_version} from ${base_sdk_version}"
 create_versionfile "${new_sdk_version}" "${os_version}"
 
-docker_build \
+$docker build -t "${sdk_build_image}" \
-    -t "${sdk_build_image}" \
     --build-arg BASE="$sdk_container_common_registry/flatcar-sdk-all:${base_sdk_version}" \
     -f sdk_lib/Dockerfile.sdk-update \
     .
@@ -88,7 +87,7 @@ for a in all arm64 amd64; do
         arm64) rmarch="amd64-usr"; rmcross="x86_64-cros-linux-gnu";;
         amd64) rmarch="arm64-usr"; rmcross="aarch64-cros-linux-gnu";;
     esac
-    docker_build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
+    $docker build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
                  --build-arg VERSION="${docker_vernum}" \
                  --build-arg RMARCH="${rmarch}" \
                  --build-arg RMCROSS="${rmcross}" \