New version: stable-4459.2.4

Signed-off-by: Sayan Chowdhury <sayan.chowdhury2012@gmail.com>
Merge pull request #3742 from flatcar/linux-6.12.74-flatcar-4459
2026-05-06 12:46:14 +02:00 · 2026-03-03 15:11:48 +05:30 · 2026-03-03 14:37:33 +05:30 · 2026-03-03 10:05:49 +01:00 · 2026-03-03 08:49:46 +00:00 · 2026-02-26 21:00:23 +00:00
3018 changed files with 57963 additions and 92704 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -34,7 +34,11 @@ permissions:
 jobs:
  packages:
    name: "Build Flatcar packages"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
      - self-hosted
      - ubuntu
      - build
      - amd64
    strategy:
      fail-fast: false
      matrix:
@ -177,7 +181,7 @@ jobs:
          ./run_sdk_container -n "${container_name}" \
                  ./build_image --board="${arch}-usr" --group="${channel}" \
                                --output_root="${CI_CONTAINER_ARTIFACT_ROOT}" \
-                                prodtar container sysext oem_sysext
+                                prodtar container sysext
      - name: Build VM image(s)
        shell: bash
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@ -3,8 +3,6 @@
 acct-group/adm
 acct-group/audio
 acct-group/cdrom
 acct-group/clock
 acct-group/cuse
 acct-group/dialout
 acct-group/disk
 acct-group/dnsmasq
@ -13,7 +11,6 @@ acct-group/floppy
 acct-group/incus
 acct-group/incus-admin
 acct-group/input
 acct-group/jobserver
 acct-group/kmem
 acct-group/kvm
 acct-group/lp
@ -32,7 +29,6 @@ acct-group/portage
 acct-group/render
 acct-group/root
 acct-group/sgx
 acct-group/shadow
 acct-group/sshd
 acct-group/systemd-coredump
 acct-group/systemd-journal
@ -83,7 +79,6 @@ app-alternatives/awk
 app-alternatives/bc
 app-alternatives/bzip2
 app-alternatives/cpio
 app-alternatives/gpg
 app-alternatives/gzip
 app-alternatives/lex
 app-alternatives/ninja
@ -154,7 +149,6 @@ app-editors/nano
 app-editors/vim
 app-editors/vim-core
 app-emulation/open-vmdk
 app-emulation/qemu
 app-emulation/qemu-guest-agent
 app-emulation/virt-firmware
@ -184,11 +178,9 @@ app-shells/gentoo-bashcomp
 app-text/asciidoc
 app-text/build-docbook-catalog
 app-text/docbook-xml-dtd
 app-text/docbook-xsl-ns-stylesheets
 app-text/docbook-xsl-stylesheets
 app-text/mandoc
 app-text/manpager
 app-text/scdoc
 app-text/sgml-common
 app-text/xmlto
@ -215,7 +207,6 @@ dev-cpp/gflags
 dev-cpp/glog
 dev-cpp/gtest
 dev-db/etcd
 dev-db/sqlite
 dev-debug/gdb
@ -252,7 +243,6 @@ dev-libs/gmp
 dev-libs/gobject-introspection-common
 dev-libs/inih
 dev-libs/jansson
 dev-libs/jose
 dev-libs/json-c
 dev-libs/jsoncpp
 dev-libs/libaio
@ -296,15 +286,12 @@ dev-libs/openssl
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/raft
 dev-libs/rapidjson
 dev-libs/tree-sitter
 dev-libs/tree-sitter-bash
 dev-libs/userspace-rcu
 dev-libs/xmlsec
 dev-libs/xxhash
 dev-libs/yajl
 dev-perl/File-Slurper
 dev-perl/Parse-Yapp
 dev-python/backports-tarfile
@ -324,13 +311,14 @@ dev-python/docutils
 dev-python/editables
 dev-python/ensurepip-pip
 dev-python/ensurepip-setuptools
 dev-python/ensurepip-wheels
 dev-python/fasteners
 dev-python/fastjsonschema
 dev-python/flit-core
 dev-python/gentoo-common
 dev-python/gpep517
 dev-python/hatch-vcs
 dev-python/hatchling
 dev-python/hatch-vcs
 dev-python/idna
 dev-python/installer
 dev-python/jaraco-collections
@ -347,9 +335,11 @@ dev-python/markupsafe
 dev-python/mdurl
 dev-python/more-itertools
 dev-python/msgpack
 dev-python/olefile
 dev-python/packaging
 dev-python/pathspec
 dev-python/pefile
 dev-python/pillow
 dev-python/pip
 dev-python/platformdirs
 dev-python/pluggy
@ -380,7 +370,6 @@ dev-python/wheel
 dev-util/bpftool
 dev-util/bsdiff
 dev-util/catalyst
 dev-util/debugedit
 dev-util/gdbus-codegen
 dev-util/glib-utils
 dev-util/gperf
@ -393,7 +382,6 @@ dev-util/pkgcheck
 dev-util/pkgconf
 dev-util/re2c
 dev-util/xdelta
 dev-util/xxd
 dev-vcs/git
@ -403,7 +391,6 @@ eclass/alternatives.eclass
 eclass/app-alternatives.eclass
 eclass/autotools.eclass
 eclass/bash-completion-r1.eclass
 eclass/branding.eclass
 eclass/cargo.eclass
 eclass/check-reqs.eclass
 eclass/cmake-multilib.eclass
@ -516,8 +503,8 @@ licenses
 media-libs/libpng
 net-analyzer/netperf
 net-analyzer/openbsd-netcat
 net-analyzer/netperf
 net-analyzer/tcpdump
 net-analyzer/traceroute
@ -525,6 +512,7 @@ net-dialup/lrzsz
 net-dialup/minicom
 net-dns/bind
 net-dns/bind-tools
 net-dns/c-ares
 net-dns/dnsmasq
 net-dns/libidn2
@ -548,6 +536,7 @@ net-libs/libnetfilter_cttimeout
 net-libs/libnetfilter_queue
 net-libs/libnfnetlink
 net-libs/libnftnl
 net-libs/libnsl
 net-libs/libpcap
 net-libs/libpsl
 net-libs/libslirp
@ -592,7 +581,6 @@ sys-apps/acl
 sys-apps/attr
 sys-apps/azure-vm-utils
 sys-apps/bubblewrap
 sys-apps/busybox
 sys-apps/checkpolicy
 sys-apps/config-site
 sys-apps/coreutils
@ -636,14 +624,12 @@ sys-apps/sed
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
 sys-apps/systemd
 sys-apps/texinfo
 sys-apps/usbutils
 sys-apps/util-linux
 sys-apps/which
 sys-apps/zram-generator
 sys-auth/pambase
 sys-auth/polkit
 sys-auth/sssd
@ -662,7 +648,6 @@ sys-devel/binutils
 sys-devel/binutils-config
 sys-devel/bison
 sys-devel/crossdev
 sys-devel/dwz
 sys-devel/flex
 sys-devel/gcc
 sys-devel/gcc-config
@ -681,7 +666,6 @@ sys-fs/btrfs-progs
 sys-fs/cryptsetup
 sys-fs/dosfstools
 sys-fs/e2fsprogs
 sys-fs/erofs-utils
 sys-fs/fuse
 sys-fs/fuse-common
 sys-fs/fuse-overlayfs
@ -707,6 +691,7 @@ sys-libs/cracklib
 sys-libs/efivar
 sys-libs/gdbm
 sys-libs/glibc
 sys-libs/ldb
 sys-libs/libcap
 sys-libs/libcap-ng
 sys-libs/libnvme
@ -717,7 +702,6 @@ sys-libs/libunwind
 sys-libs/liburing
 sys-libs/libxcrypt
 sys-libs/ncurses
 sys-libs/pam
 sys-libs/readline
 sys-libs/talloc
 sys-libs/tdb
@ -750,10 +734,10 @@ virtual/openssh
 virtual/os-headers
 virtual/package-manager
 virtual/pager
-virtual/perl-Carp
+virtual/perl-Data-Dumper
 virtual/perl-Encode
 virtual/perl-Exporter
 virtual/perl-ExtUtils-MakeMaker
 virtual/perl-Unicode-Collate
 virtual/pkgconfig
 virtual/resolvconf
 virtual/service-manager
--- a/.github/workflows/pr-comment-build-dispatcher.yaml
+++ b/.github/workflows/pr-comment-build-dispatcher.yaml
@ -13,7 +13,7 @@ concurrency:
 jobs:
  run_pre_checks:
    # Only run if this is a PR comment that contains a valid command
-    if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk')) }}
+    if: ${{ github.event.issue.pull_request }} && ( contains(github.event.comment.body, '/build-image') || contains(github.event.comment.body, '/update-sdk'))
    name: Check if commenter is in the Flatcar maintainers team
    outputs:
      maintainers: steps.step1.output.maintainers
--- a/.github/workflows/run-kola-tests.yaml
+++ b/.github/workflows/run-kola-tests.yaml
@ -17,11 +17,15 @@ on:
 jobs:
  tests:
    name: "Run Kola tests"
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
      - self-hosted
      - ubuntu
      - kola
      - ${{ matrix.arch }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
+        arch: ["amd64", "arm64"]
    steps:
      - name: Prepare machine
@ -30,7 +34,9 @@ jobs:
        run: |
          sudo rm /bin/sh
          sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3 zstd iproute2 iptables
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release qemu-system git bzip2 jq dnsmasq python3 zstd
          sudo systemctl stop dnsmasq
          sudo systemctl mask dnsmasq
          # Set up MASQUERADE. Don't care much to secure it.
          # This is needed for the VMs kola spins up to have internet access.
@ -180,7 +186,7 @@ jobs:
          source ci-automation/test.sh
-          PARALLEL_ARCH=5
+          PARALLEL_ARCH=10
          cat > sdk_container/.env <<EOF
          # export the QEMU_IMAGE_NAME to avoid to download it.
@ -233,7 +239,10 @@ jobs:
    name: "Merge TAP reports and post results"
    needs: tests
    if: always() && !cancelled()
-    runs-on: oracle-vm-32cpu-128gb-x86-64
+    runs-on:
      - self-hosted
      - ubuntu
      - kola
    permissions:
      pull-requests: write
@ -244,7 +253,7 @@ jobs:
        run: |
          sudo rm /bin/sh
          sudo ln -s /bin/bash /bin/sh
-          sudo apt update && sudo apt install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
+          sudo apt-get install -y ca-certificates curl gnupg lsb-release git bzip2 jq sqlite3
      - uses: actions/checkout@v4
        with:
@ -276,6 +285,12 @@ jobs:
          name: amd64-raw-tapfiles
          path: scripts/__TAP__/amd64
      - name: Download arm64 tapfiles
        uses: actions/download-artifact@v4
        with:
          name: arm64-raw-tapfiles
          path: scripts/__TAP__/arm64
      - name: Create Test Summary
        shell: bash
        run: |
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -1,9 +0,0 @@
 # Code of Conduct
 The Flatcar project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
 For details on how we uphold community standards across all Flatcar repositories, please see the [main Flatcar Code of Conduct](https://github.com/flatcar/Flatcar/blob/main/CODE_OF_CONDUCT.md).
 ## Reporting
 If you experience or witness unacceptable behavior, please report it following the process outlined in the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,15 +1,71 @@
-Welcome! We're so glad you're here and interested in contributing to Flatcar! 💖
+# How to Contribute
-Whether you're fixing a bug, adding a feature, or improving docs — we appreciate you!
+CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
 GitHub pull requests.  This document outlines some of the conventions on
 development workflow, commit message formatting, contact points and other
 resources to make it easier to get your contribution accepted.
-For more detailed guidelines (finding issues, community meetings, PR lifecycle, commit message format, and more), check out the [main Flatcar CONTRIBUTING guide](https://github.com/flatcar/Flatcar/blob/main/CONTRIBUTING.md).
+# Certificate of Origin
-If you want to file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
+By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
 simple statement that you, as a contributor, have the legal right to make the
 contribution. See the [DCO](DCO) file for details.
---
+# Email and Chat
-## Repository Specific Guidelines
+The project currently uses the general CoreOS email list and IRC channel:
 - Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
 - IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
-Any guidelines specific to this repository that are not covered in the main contribution guide will be listed here.
+Please avoid emailing maintainers found in the MAINTAINERS file directly. They
 are very busy and read the mailing lists.
-<!-- Add repo-specific guidelines below this line -->
+## Getting Started
 - Fork the repository on GitHub
 - Read the [README](README.md) for build and test instructions
 - Play with the project, submit bugs, submit patches!
 ## Contribution Flow
 This is a rough outline of what a contributor's workflow looks like:
 - Create a topic branch from where you want to base your work (usually master).
 - Make commits of logical units.
 - Make sure your commit messages are in the proper format (see below).
 - Push your changes to a topic branch in your fork of the repository.
 - Make sure the tests pass, and add any new tests as appropriate.
 - Submit a pull request to the original repository.
 Thanks for your contributions!
 ### Format of the Commit Message
 We follow a rough convention for commit messages that is designed to answer two
 questions: what changed and why. The subject line should feature the what and
 the body of the commit should describe the why.
 ```
 scripts: add the test-cluster command
 this uses tmux to setup a test cluster that you can easily kill and
 start for debugging.
 Fixes #38
 ```
 The format can be described more formally as follows:
 ```
 <subsystem>: <what changed>
 <BLANK LINE>
 <why this change was made>
 <BLANK LINE>
 <footer>
 ```
 The first line is the subject and should be no longer than 70 characters, the
 second line is always blank, and other lines should be wrapped at 80 characters.
 This allows the message to be easier to read on GitHub as well as in various
 git tools.
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@ -1,11 +0,0 @@
 # Governance
 For details on the Flatcar project governance model, decision-making process, and roles, please see the [main Flatcar Governance document](https://github.com/flatcar/Flatcar/blob/main/governance.md).
 ---
 ## Repository-Specific Governance
 Any governance details specific to this repository will be listed here.
 <!-- Add repo-specific governance notes below this line -->
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -1,11 +1,9 @@
 # Maintainers
-For the current list of maintainers and their responsibilities, please see the [main Flatcar MAINTAINERS file](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
+* Kai Lüke @pothos
 * Gabriel Samfira @gabriel-samfira
 * Thilo Fromm @t-lo
---
+See [Governance](https://github.com/flatcar/Flatcar/blob/main/governance.md) for governance, commit, and vote guidelines as well as maintainer responsibilities. Everybody listed in this file is a committer as per governance definition.
-## Repository-Specific Maintainers
+The contents of this file are synchronized from [Flatcar/MAINTAINERS.md](https://github.com/flatcar/Flatcar/blob/main/MAINTAINERS.md).
 Any maintainers specific to this repository will be listed here.
 <!-- Add repo-specific maintainers below this line -->
--- a/README.md
+++ b/README.md
@ -1,20 +1,16 @@
 # Flatcar Container Linux SDK scripts
 <div style="text-align: center">
 [![Flatcar OS](https://img.shields.io/badge/Flatcar-Website-blue?logo=data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0gR2VuZXJhdG9yOiBBZG9iZSBJbGx1c3RyYXRvciAyNi4wLjMsIFNWRyBFeHBvcnQgUGx1Zy1JbiAuIFNWRyBWZXJzaW9uOiA2LjAwIEJ1aWxkIDApICAtLT4NCjxzdmcgdmVyc2lvbj0iMS4wIiBpZD0ia2F0bWFuXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4Ig0KCSB2aWV3Qm94PSIwIDAgODAwIDYwMCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgODAwIDYwMDsiIHhtbDpzcGFjZT0icHJlc2VydmUiPg0KPHN0eWxlIHR5cGU9InRleHQvY3NzIj4NCgkuc3Qwe2ZpbGw6IzA5QkFDODt9DQo8L3N0eWxlPg0KPHBhdGggY2xhc3M9InN0MCIgZD0iTTQ0MCwxODIuOGgtMTUuOXYxNS45SDQ0MFYxODIuOHoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik00MDAuNSwzMTcuOWgtMzEuOXYxNS45aDMxLjlWMzE3Ljl6Ii8+DQo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNNTQzLjgsMzE3LjlINTEydjE1LjloMzEuOVYzMTcuOXoiLz4NCjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik02NTUuMiw0MjAuOXYtOTUuNGgtMTUuOXY5NS40aC0xNS45VjI2MmgtMzEuOVYxMzQuOEgyMDkuNFYyNjJoLTMxLjl2MTU5aC0xNS45di05NS40aC0xNnY5NS40aC0xNS45djMxLjINCgloMzEuOXYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44SDI3M3YtMTUuOGgyNTQuOHYxNS44aDQ3Ljh2LTE1LjhoMTUuOXYxNS44aDQ3Ljh2LTE1LjhoMzEuOXYtMzEuMkg2NTUuMnogTTQ4Ny44LDE1MWg3OS42djMxLjgNCgloLTIzLjZ2NjMuNkg1MTJ2LTYzLjZoLTI0LjJMNDg3LjgsMTUxTDQ4Ny44LDE1MXogTTIzMywyMTQuNlYxNTFoNjMuN3YyMy41aC0zMS45djE1LjhoMzEuOXYyNC4yaC0zMS45djMxLjhIMjMzVjIxNC42eiBNMzA1LDMxNy45DQoJdjE1LjhoLTQ3Ljh2MzEuOEgzMDV2NDcuN2gtOTUuNVYyODYuMUgzMDVMMzA1LDMxNy45eiBNMzEyLjYsMjQ2LjRWMTUxaDMxLjl2NjMuNmgzMS45djMxLjhMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjRMMzEyLjYsMjQ2LjR6DQoJIE00NDguMywzMTcuOXY5NS40aC00Ny44di00Ny43aC0zMS45djQ3LjdoLTQ3LjhWMzAyaDE1Ljl2LTE1LjhoOTUuNVYzMDJoMTUuOUw0NDguMywzMTcuOXogTTQ0MCwyNDYuNHYtMzEuOGgtMTUuOXYzMS44aC0zMS45DQoJdi03OS41aDE1Ljl2LTE1LjhoNDcuOHYxNS44aDE1Ljl2NzkuNUg0NDB6IE01OTEuNiwzMTcuOXY0Ny43aC0xNS45djE1LjhoMTUuOXYzMS44aC00Ny44di0zMS43SDUyOHYtMTUuOGgtMTUuOXY0Ny43aC00Ny44VjI4Ni4xDQoJaDEyNy4zVjMxNy45eiIvPg0KPC9zdmc+DQo=)](https://www.flatcar.org/)
 [![Discord](https://img.shields.io/badge/Discord-Chat%20with%20us!-5865F2?logo=discord)](https://discord.gg/PMYjFUsJyq)
 [![Matrix](https://img.shields.io/badge/Matrix-Chat%20with%20us!-green?logo=matrix)](https://app.element.io/#/room/#flatcar:matrix.org)
 [![Slack](https://img.shields.io/badge/Slack-Chat%20with%20us!-4A154B?logo=slack)](https://kubernetes.slack.com/archives/C03GQ8B5XNJ)
 [![Twitter Follow](https://img.shields.io/twitter/follow/flatcar?style=social)](https://x.com/flatcar)
 [![Mastodon Follow](https://img.shields.io/badge/Mastodon-Follow-6364FF?logo=mastodon)](https://hachyderm.io/@flatcar)
 [![Bluesky](https://img.shields.io/badge/Bluesky-Follow-0285FF?logo=bluesky)](https://bsky.app/profile/flatcar.org)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10926/badge)](https://www.bestpractices.dev/projects/10926)
 > **Note:** To file an issue for any Flatcar repository, please use the [central Flatcar issue tracker](https://github.com/flatcar/Flatcar/issues).
 </div>
 # Flatcar Container Linux SDK scripts
 Welcome to the scripts repo, your starting place for most things here in the Flatcar Container Linux SDK. To get started you can find our documentation on [the Flatcar docs website][flatcar-docs].
 The SDK can be used to
@ -155,13 +151,3 @@ The script `./bootstrap_sdk_container` bootstraps a new SDK tarball using an exi
 # Automation stubs for continuous integration
 Script stubs for various build stages can be found in the [ci-automation](ci-automation) folder. These are helpful for gluing Flatcar Container Linux builds to a continuous integration system.
 ---
 ## Community & Project Documentation
 - [Contributing Guidelines](CONTRIBUTING.md) — How to contribute, find issues, and submit pull requests
 - [Code of Conduct](CODE_OF_CONDUCT.md) — Standards for respectful and inclusive community participation
 - [Security Policy](SECURITY.md) — How to report vulnerabilities and security-related information
 - [Maintainers](MAINTAINERS.md) — Current project maintainers and their responsibilities
 - [Governance](GOVERNANCE.md) — Project governance model, decision-making process, and roles
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,15 +0,0 @@
 # Security Policy
 The Flatcar project takes security seriously. We appreciate your efforts to responsibly disclose your findings.
 For our full security policy, supported versions, and how to report a vulnerability, please see the [main Flatcar Security Policy](https://github.com/flatcar/Flatcar/blob/main/SECURITY.md).
 **Please do not open public issues for security vulnerabilities.**
 ---
 ## Repository-Specific Security Notes
 Any security considerations specific to this repository will be listed here.
 <!-- Add repo-specific security notes below this line -->
--- a/8
+++ b/8
@ -11,7 +11,6 @@ source sdk_lib/sdk_container_common.sh
 seed_version=""
 target_version=""
 logdir=''
 declare -a cleanup
@ -31,7 +30,6 @@ usage() {
    echo "      -x <cleanup-script> - For each resource generated during build (container etc.)"
    echo "                             add a cleanup line to <script> which, when run, will free"
    echo "                             the resource. Useful for CI."
    echo "      -l <directory>      - Gather build logs here."
    echo "      -h                  - Print this help."
    echo
 }
@ -40,7 +38,6 @@ usage() {
 while [ 0 -lt $# ] ; do
    case "$1" in
    -h) usage; exit 0;;
    -l) logdir=${2}; shift 2;;
    -x) cleanup=("-x" "$2"); shift; shift;;
    *)  if [ -z "$seed_version" ] ; then
            seed_version="$1"
@ -75,11 +72,8 @@ if $official; then
 fi
 # bootstrap_sdk needs FLATCAR_SDK_VERSION set to the seed version
 failed=''
 ./run_sdk_container "${cleanup[@]}" -V "$seed_version" -v "$target_version" \
-          sudo -E ./bootstrap_sdk || failed=x
+          sudo -E ./bootstrap_sdk
 # Update versionfile to the actual SDK version
 create_versionfile "${target_version}"
 if [[ -n ${failed} ]]; then exit 1; fi
--- a/14
+++ b/14
@ -49,8 +49,6 @@ DEFINE_string developer_data "" \
  "Insert a custom cloudinit file into the image."
 DEFINE_string devcontainer_binhost "${DEFAULT_DEVCONTAINER_BINHOST}" \
  "Override portage binhost configuration used in development container."
 DEFINE_string oem_sysexts "everything!" \
  "A comma-separated list of OEMs to build, by default build all the OEM sysexts. Used only if building OEM sysexts"
 # include upload options
 . "${BUILD_LIBRARY_DIR}/release_util.sh" || exit 1
@ -62,12 +60,10 @@ different forms.  This scripts can be used to build the following:
 prod - Production image for CoreOS. This image is for booting (default if no argument is given).
 prodtar - Production container tar ball (implies prod). This can e.g. be used to run the Flatcar production image as a container (run machinectl import-tar or docker import).
 container - Developer image with single filesystem, bootable by nspawn.
 sysext - Build extra sysexts (podman, python, zfs, etc.).
 oem_sysext - Build OEM sysexts for all supported platforms.
 Examples:
-build_image --board=<board> [prod] [prodtar] [container] [sysext] [oem_sysext] - builds developer and production images/tars.
+build_image --board=<board> [prod] [prodtar] [container] - builds developer and production images/tars.
 ...
 "
 show_help_if_requested "$@"
@ -85,7 +81,7 @@ DEFINE_string version "" \
 # Parse command line.
 FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV:-prod oem_sysext}"
+eval set -- "${FLAGS_ARGV:-prod}"
 # Only now can we die on error.  shflags functions leak non-zero error codes,
 # so will die prematurely if 'switch_to_strict_mode' is specified before now.
@ -107,20 +103,17 @@ fi
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/vm_image_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 PROD_IMAGE=0
 PROD_TAR=0
 CONTAINER=0
 SYSEXT=0
 OEM_SYSEXT=0
 for arg in "$@"; do
  case "${arg}" in
    prod) PROD_IMAGE=1 ;;
    prodtar) PROD_IMAGE=1 PROD_TAR=1 ;;
    container) CONTAINER=1 ;;
    sysext) SYSEXT=1 ;;
    oem_sysext) OEM_SYSEXT=1 ;;
    *)    die_notrace "Unknown image type ${arg}" ;;
  esac
 done
@ -194,9 +187,6 @@ fi
 if [[ "${SYSEXT}" -eq 1 ]]; then
  create_prod_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}"
 fi
 if [[ "${OEM_SYSEXT}" -eq 1 ]]; then
  create_oem_sysexts "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_oem_sysexts}"
 fi
 if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
  zip_update_tools
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@ -150,14 +150,9 @@ emerge_to_image() {
  fi
  sudo -E ROOT="${root_fs_dir}" \
-      FEATURES="-ebuild-locks -merge-wait" \
+      FEATURES="-ebuild-locks" \
      PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
-      emerge \
+      emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
      --usepkgonly \
      --binpkg-respect-use=y \
      --jobs="${NUM_JOBS}" \
      --verbose \
      "$@"
  # Shortcut if this was just baselayout
  [[ "$*" == *sys-apps/baselayout ]] && return
@ -171,6 +166,26 @@ emerge_to_image() {
      test_image_content "${root_fs_dir}"
 }
 # emerge_to_image without a rootfs check; you should use emerge_to_image unless
 # here's a good reason not to.
 emerge_to_image_unchecked() {
  local root_fs_dir="$1"; shift
  if [[ ${FLAGS_getbinpkg} -eq ${FLAGS_TRUE} ]]; then
    set -- --getbinpkg "$@"
  fi
  sudo -E ROOT="${root_fs_dir}" \
      PORTAGE_CONFIGROOT="${BUILD_DIR}"/configroot \
      emerge --usepkgonly --jobs="${NUM_JOBS}" --verbose "$@"
  # Shortcut if this was just baselayout
  [[ "$*" == *sys-apps/baselayout ]] && return
  # Make sure profile.env has been generated
  sudo -E ROOT="${root_fs_dir}" env-update --no-ldconfig
 }
 # Switch to the dev or prod sub-profile
 set_image_profile() {
  local suffix="$1"
@ -289,12 +304,13 @@ get_metadata() {
    if [ "${key}" = "SRC_URI" ]; then
        local package_name="$(echo "${pkg%%:*}" | cut -d / -f 2)"
        local ebuild_path="${prefix}/var/db/pkg/${pkg%%:*}/${package_name}.ebuild"
        # SRC_URI is empty for the special github.com/flatcar projects
        if [ -z "${val}" ]; then
            # The grep invocation gives errors when the ebuild file is not present.
            # This can happen when the binary packages from ./build_packages are outdated.
            val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
            if [ -n "${val}" ]; then
-                # If using git, then the package was probably pinned to a commit.
+                # All github.com/flatcar projects specify their commit
                local commit=""
                commit="$(grep "EGIT_COMMIT=" "${ebuild_path}" | cut -d '"' -f 2)"
                if [ -n "${commit}" ]; then
@ -307,6 +323,10 @@ get_metadata() {
            # Do not attempt to postprocess by resolving ${P} and friends because it does not affect production images
            val="$(cat "${ebuild_path}" | tr '\n' ' ' | grep -P -o 'SRC_URI=".*?"' | cut -d '"' -f 2)"
        fi
        # Some packages use nothing from the above but EGIT_REPO_URI (currently only app-crypt/go-tspi)
        if [ -z "${val}" ]; then
            val="$(grep "EGIT_REPO_URI=" "${ebuild_path}" | cut -d '"' -f 2)"
        fi
        # Replace all mirror://MIRRORNAME/ parts with the actual URL prefix of the mirror
        new_val=""
        for v in ${val}; do
@ -562,8 +582,6 @@ finish_image() {
  local image_initrd_contents="${11}"
  local image_initrd_contents_wtd="${12}"
  local image_disk_space_usage="${13}"
  local image_realinitrd_contents="${14}"
  local image_realinitrd_contents_wtd="${15}"
  local install_grub=0
  local disk_img="${BUILD_DIR}/${image_name}"
@ -708,17 +726,6 @@ EOF
    sudo setfiles -Dv -r "${root_fs_dir}" "${root_fs_dir}"/etc/selinux/mcs/contexts/files/file_contexts "${root_fs_dir}"/etc
  fi
  # Temporary hack: set group ownership of /etc/{g,}shadow to the
  # shadow group, that way unix_chkpwd, chage and expiry can act on
  # those files.
  #
  # This permissions setting should likely be done in some ebuild, but
  # currently files in /usr/share/baselayout are installed by the
  # baselayout package, we don't want to add more deps to it.
  sudo chgrp \
      --reference="${root_fs_dir}/usr/bin/chage" \
      "${root_fs_dir}"/{etc,usr/share/baselayout}/{g,}shadow
  # Backup the /etc contents to /usr/share/flatcar/etc to serve as
  # source for creating missing files. Make sure that the preexisting
  # /usr/share/flatcar/etc does not have any meaningful (non-empty)
@ -728,35 +735,12 @@ EOF
  if [[ $(sudo find "${root_fs_dir}/usr/share/flatcar/etc" -size +0 ! -type d 2>/dev/null | wc -l) -gt 0 ]]; then
    die "Unexpected non-empty files in ${root_fs_dir}/usr/share/flatcar/etc"
  fi
  # Some backwards-compat symlinks still use this folder as target,
  # we can't remove it yet
  sudo rm -rf "${root_fs_dir}/usr/share/flatcar/etc"
  sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/share/flatcar/etc"
  # Now set up a default confext and enable it.
  # It's important to use dm-verity not only for stricter image policies
  # but also because it allows us the refresh to identify this image and
  # skip setting it up again in the final boot, which not only saves us
  # a daemon-reload during boot but also from /etc contents shortly
  # disappearing until systemd-sysext uses mount beneath for an atomic
  # remount. Instead of a temporary directory we first prepare it as
  # folder and then convert it to a DDI and remove the folder.
  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
  # Do a copy because we keep /etc for the flatcar (.tar) container and the developer container
  sudo cp -a "${root_fs_dir}/etc" "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc"
  sudo mkdir -p "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/"
  echo ID=_any | sudo tee "${root_fs_dir}/usr/lib/confexts/00-flatcar-default/etc/extension-release.d/extension-release.00-flatcar-default" > /dev/null
  sudo systemd-repart \
    --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
    --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
    --make-ddi=confext \
    --copy-source="${root_fs_dir}/usr/lib/confexts/00-flatcar-default" \
    "${root_fs_dir}/usr/lib/confexts/00-flatcar-default.raw"
  sudo rm -rf "${root_fs_dir}/usr/lib/confexts/00-flatcar-default"
-  # Remove the rootfs state as it should be recreated through tmpfiles
+  # Remove the rootfs state as it should be recreated through the
-  # (and for /etc we use a confext) and may not be present on updating machines.
+  # tmpfiles and may not be present on updating machines. This
-  # This makes sure our tests cover the case of missing files in the
+  # makes sure our tests cover the case of missing files in the
  # rootfs and don't rely on the new image. Not done for the developer
  # container.
  if [[ -n "${image_kernel}" ]]; then
@ -893,20 +877,6 @@ EOF
      rm -rf "${BUILD_DIR}/tmp_initrd_contents"
  fi
  if [[ -n ${image_realinitrd_contents} || -n ${image_realinitrd_contents_wtd} ]]; then
        mkdir -p "${BUILD_DIR}/tmp_initrd_contents"
        sudo mount "${root_fs_dir}/usr/lib/flatcar/bootengine.img" "${BUILD_DIR}/tmp_initrd_contents"
        if [[ -n ${image_realinitrd_contents} ]]; then
            write_contents "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents}"
        fi
        if [[ -n ${image_realinitrd_contents_wtd} ]]; then
            write_contents_with_technical_details "${BUILD_DIR}/tmp_initrd_contents" "${BUILD_DIR}/${image_realinitrd_contents_wtd}"
        fi
        sudo umount "${BUILD_DIR}/tmp_initrd_contents"
        rm -rf "${BUILD_DIR}/tmp_initrd_contents"
    fi
  if [[ -n "${image_disk_space_usage}" ]]; then
      write_disk_space_usage "${root_fs_dir}" "${BUILD_DIR}/${image_disk_space_usage}"
  fi
--- a/build_library/catalyst.sh
+++ b/build_library/catalyst.sh
@ -80,8 +80,7 @@ export ac_cv_posix_semaphores_enabled=yes
 EOF
 }
-# Common values for all stage spec files. Takes a stage number and,
+# Common values for all stage spec files
 # optionally, a profile name as parameters.
 catalyst_stage_default() {
 cat <<EOF
 target: stage$1
@ -90,7 +89,7 @@ rel_type: $TYPE
 portage_confdir: $TEMPDIR/portage
 repos: $FLAGS_coreos_overlay
 keep_repos: portage-stable coreos-overlay
-profile: ${2:-$FLAGS_profile}
+profile: $FLAGS_profile
 snapshot_treeish: $FLAGS_version
 version_stamp: $FLAGS_version
 cflags: -O2 -pipe
@ -108,7 +107,7 @@ pkgcache_path: ${TEMPDIR}/stage1-${ARCH}-packages
 update_seed: yes
 update_seed_command: --exclude cross-*-cros-linux-gnu/* --exclude dev-lang/rust --exclude dev-lang/rust-bin --ignore-world y --ignore-built-slot-operator-deps y @changed-subslot
 EOF
-catalyst_stage_default 1 "${FLAGS_profile}/transition"
+catalyst_stage_default 1
 }
 catalyst_stage3() {
@ -242,13 +241,13 @@ build_stage() {
    fi
    info "Starting $stage"
    # Clean up possible leftovers from possible previous runs
    rm -rf "$TEMPDIR/$stage-${ARCH}-${FLAGS_version}"
    catalyst \
        "${DEBUG[@]}" \
        --verbose \
        --config "$TEMPDIR/catalyst.conf" \
        --file "$TEMPDIR/${stage}.spec"
    # Catalyst does not clean up after itself...
    rm -rf "$TEMPDIR/$stage-${ARCH}-${FLAGS_version}"
    ln -sf "$stage-${ARCH}-${FLAGS_version}.tar.bz2" \
        "$BUILDS/$stage-${ARCH}-latest.tar.bz2"
    info "Finished building $target_tarball"
--- a/build_library/catalyst_toolchains.sh
+++ b/build_library/catalyst_toolchains.sh
@ -28,37 +28,13 @@ build_target_toolchain() {
    local ROOT="/build/${board}"
    local SYSROOT="/usr/$(get_board_chost "${board}")"
-    function btt_emerge() {
+    mkdir -p "${ROOT}/usr"
-        # --root is required because run_merge overrides ROOT=
+    cp -at "${ROOT}" "${SYSROOT}"/lib*
-        PORTAGE_CONFIGROOT="$ROOT" run_merge --root="$ROOT" --sysroot="$ROOT" "${@}"
+    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include "${SYSROOT}"/usr/lib*
    }
-    # install baselayout first so we have the basic directory
+    # --root is required because run_merge overrides ROOT=
-    # structure for libraries and binaries copied from sysroot
+    PORTAGE_CONFIGROOT="$ROOT" \
-    btt_emerge --oneshot --nodeps sys-apps/baselayout
+        run_merge -u --root="$ROOT" --sysroot="$ROOT" "${TOOLCHAIN_PKGS[@]}"
    # copy libraries, binaries and header files from sysroot to root -
    # sysroot may be using split-usr, whereas root does not, so take
    # this into account
    (
        shopt -s nullglob
        local d f
        local -a files
        for d in "${SYSROOT}"/{,usr/}{bin,sbin,lib*}; do
            if [[ ! -d ${d} ]]; then
                continue
            fi
            files=( "${d}"/* )
            if [[ ${#files[@]} -gt 0 ]]; then
                f=${d##*/}
                cp -at "${ROOT}/usr/${f}" "${files[@]}"
            fi
        done
        cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include
    )
    btt_emerge --update "${TOOLCHAIN_PKGS[@]}"
    unset -f btt_emerge
 }
 configure_crossdev_overlay / /usr/local/portage/crossdev
--- a/build_library/disk_layout.json
+++ b/build_library/disk_layout.json
@ -13,7 +13,7 @@
        "label":"EFI-SYSTEM",
        "fs_label":"EFI-SYSTEM",
        "type":"efi",
-        "blocks":"2097152",
+        "blocks":"262144",
        "fs_type":"vfat",
        "mount":"/boot",
        "features": []
@ -27,8 +27,7 @@
        "label":"USR-A",
        "uuid":"7130c94a-213a-4e5a-8e26-6cce9662f132",
        "type":"flatcar-rootfs",
-        "blocks":"4194304",
+        "blocks":"2097152",
        "extract_blocks":"2097152",
        "fs_blocks":"260094",
        "fs_type":"btrfs",
        "fs_compression":"zstd",
@ -39,8 +38,7 @@
        "label":"USR-B",
        "uuid":"e03dd35c-7c2d-4a47-b3fe-27f15780a57c",
        "type":"flatcar-rootfs",
-        "blocks":"4194304",
+        "blocks":"2097152",
        "extract_blocks":"2097152",
        "fs_blocks":"262144"
      },
      "5":{
@ -53,7 +51,7 @@
        "label":"OEM",
        "fs_label":"OEM",
        "type":"data",
-        "blocks":"2097152",
+        "blocks":"262144",
        "fs_type":"btrfs",
        "fs_compression":"zlib",
        "mount":"/oem"
@ -72,7 +70,7 @@
        "label":"ROOT",
        "fs_label":"ROOT",
        "type":"flatcar-resize",
-        "blocks":"3653632",
+        "blocks":"4427776",
        "fs_type":"ext4",
        "mount":"/"
      }
@ -88,7 +86,7 @@
      "9":{
        "label":"ROOT",
        "fs_label":"ROOT",
-        "blocks":"50876416"
+        "blocks":"58875904"
      }
    },
    "vagrant":{
--- a/build_library/disk_util
+++ b/build_library/disk_util
@ -40,10 +40,10 @@ def LoadPartitionConfig(options):
      '_comment', 'type', 'num', 'label', 'blocks', 'block_size', 'fs_blocks',
      'fs_block_size', 'fs_type', 'features', 'uuid', 'part_alignment', 'mount',
      'binds', 'fs_subvolume', 'fs_bytes_per_inode', 'fs_inode_size', 'fs_label',
-      'fs_compression', 'extract_blocks'))
+      'fs_compression'))
  integer_layout_keys = set((
      'blocks', 'block_size', 'fs_blocks', 'fs_block_size', 'part_alignment',
-      'fs_bytes_per_inode', 'fs_inode_size', 'extract_blocks'))
+      'fs_bytes_per_inode', 'fs_inode_size'))
  required_layout_keys = set(('type', 'num', 'label', 'blocks'))
  filename = options.disk_layout_file
@ -136,13 +136,6 @@ def LoadPartitionConfig(options):
      part.setdefault('fs_block_size', metadata['fs_block_size'])
      part.setdefault('fs_blocks', part['bytes'] // part['fs_block_size'])
      part['fs_bytes'] = part['fs_blocks'] * part['fs_block_size']
      # The partition may specify extract_blocks to limit what content gets
      # extracted. The use case is the /usr partition where we can grow the
      # partition but can't directly grow the filesystem and the update
      # payload until all (or most) nodes are running the partition layout
      # with the grown /usr partition (which can take a few years).
      if part.get('extract_blocks', None):
        part['extract_bytes'] = part['extract_blocks'] * metadata['block_size']
      if part['fs_bytes'] > part['bytes']:
        raise InvalidLayout(
@ -830,7 +823,6 @@ def Extract(options):
  if not part['image_compat']:
    raise InvalidLayout("Disk layout is incompatible with existing image")
  extract_size = part.get('extract_bytes', part['image_bytes'])
  subprocess.check_call(['dd',
                         'bs=10MB',
                         'iflag=count_bytes,skip_bytes',
@ -839,7 +831,7 @@ def Extract(options):
                         'if=%s' % options.disk_image,
                         'of=%s' % options.output,
                         'skip=%s' % part['image_first_byte'],
-                         'count=%s' % extract_size])
+                         'count=%s' % part['image_bytes']])
 def GetPartitionByNumber(partitions, num):
--- a/build_library/generate_au_zip.py
+++ b/build_library/generate_au_zip.py
@ -88,8 +88,8 @@ def _SplitAndStrip(data):
    if 'not found' in line:
      raise _LibNotFound(line)
    line = re.sub('.*not a dynamic executable.*', '', line)
-    line = re.sub(r'.* =>\s+', '', line)
+    line = re.sub('.* =>\s+', '', line)
-    line = re.sub(r'\(0x.*\)\s?', '', line)
+    line = re.sub('\(0x.*\)\s?', '', line)
    line = line.strip()
    if not len(line):
      continue
--- a/build_library/generate_grub_hashes.py
+++ b/build_library/generate_grub_hashes.py
@ -40,13 +40,13 @@ with open(os.path.join(outputdir, "grub_modules.config"), "w") as f:
    f.write(json.dumps({"9": {"binaryvalues": [{"prefix": "grub_module", "values": hashvalues}]}}))
 with open(os.path.join(outputdir, "kernel_cmdline.config"), "w") as f:
-    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": r"rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
+    f.write(json.dumps({"8": {"asciivalues": [{"prefix": "grub_kernel_cmdline", "values": [{"value": "rootflags=rw mount.usrflags=ro BOOT_IMAGE=/flatcar/vmlinuz-[ab] mount.usr=PARTUUID=\S{36} rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)? verity.usrhash=\\S{64}", "description": "Flatcar kernel command line %s" % version}]}]}}))
-commands = [{"value": r'\[.*\]', "description": "Flatcar Grub configuration %s" % version},
+commands = [{"value": '\[.*\]', "description": "Flatcar Grub configuration %s" % version},
            {"value": 'gptprio.next -d usr -u usr_uuid', "description": "Flatcar Grub configuration %s" % version},
            {"value": 'insmod all_video', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'linux /flatcar/vmlinuz-[ab] rootflags=rw mount.usrflags=ro consoleblank=0 root=LABEL=ROOT (console=\S+)? (flatcar.autologin=\S+)?', "description": "Flatcar Grub configuration %s" % version},
-            {"value": r'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
+            {"value": 'menuentry Flatcar \S+ --id=flatcar\S* {', "description": "Flatcar Grub configuration %s" % version},
            {"value": 'search --no-floppy --set randomize_disk_guid --disk-uuid 00000000-0000-0000-0000-000000000001', "description": "Flatcar Grub configuration %s" % version},
            {"value": 'search --no-floppy --set oem --part-label OEM --hint hd0,gpt1', "description": "Flatcar Grub configuration %s" % version},
            {"value": 'set .+', "description": "Flatcar Grub configuration %s" % version},
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@ -79,7 +79,7 @@ if [ -z "$linux_console" ]; then
        terminal_output console serial_com0
    elif [ "$grub_platform" = efi ]; then
        if [ "$grub_cpu" = arm64 ]; then
-            set linux_console="console=ttyAMA0,115200n8 console=tty0"
+            set linux_console="console=ttyAMA0,115200n8"
        else
            set linux_console="console=ttyS0,115200n8 console=tty0"
       fi
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -37,9 +37,6 @@ switch_to_strict_mode
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
 SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
@ -205,8 +202,8 @@ case "${FLAGS_target}" in
            # Unofficial build: Sign shim with our development key.
            sudo sbsign \
-                --key "${SBSIGN_DB_KEY}" \
+                --key /usr/share/sb_keys/DB.key \
-                --cert "${SBSIGN_DB_CERT}" \
+                --cert /usr/share/sb_keys/DB.crt \
                --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
        else
--- a/build_library/oem_sysexts.sh
+++ b/build_library/oem_sysexts.sh
@ -1,83 +0,0 @@
 #!/bin/bash
 # OEM sysext helpers.
 # Auto-detect scripts repo root from this file's location.
 # oem_sysexts.sh is at: <scripts_repo>/build_library/oem_sysexts.sh
 _OEM_SYSEXTS_SCRIPTS_ROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
 get_oem_overlay_root() {
  local overlay_root="/mnt/host/source/src/third_party/coreos-overlay"
  if [[ ! -d "${overlay_root}" ]]; then
    overlay_root="${_OEM_SYSEXTS_SCRIPTS_ROOT}/sdk_container/src/third_party/coreos-overlay"
  fi
  if [[ ! -d "${overlay_root}" ]]; then
    echo "No coreos-overlay repo found (tried SDK and ${_OEM_SYSEXTS_SCRIPTS_ROOT})" >&2
    exit 1
  fi
  printf '%s' "${overlay_root}"
 }
 _get_oem_ids() {
  local arch list_var_name
  arch=${1}; shift
  list_var_name=${1}; shift
  local overlay_root
  overlay_root=$(get_oem_overlay_root)
  local -a ebuilds=("${overlay_root}/coreos-base/common-oem-files/common-oem-files-"*'.ebuild')
  if [[ ${#ebuilds[@]} -eq 0 ]] || [[ ! -e ${ebuilds[0]} ]]; then
    echo "No coreos-base/common-oem-files ebuilds?!" >&2
    exit 1
  fi
  # This defines local COMMON_OEMIDS, AMD64_ONLY_OEMIDS,
  # ARM64_ONLY_OEMIDS and OEMIDS variable. We don't use the last
  # one. Also defines global-by-default EAPI, which we make local
  # here to avoid making it global.
  local EAPI
  source "${ebuilds[0]}" flatcar-local-variables
  local -n arch_oemids_ref="${arch^^}_ONLY_OEMIDS"
  local all_oemids=(
    "${COMMON_OEMIDS[@]}"
    "${arch_oemids_ref[@]}"
  )
  mapfile -t "${list_var_name}" < <(printf '%s\n' "${all_oemids[@]}" | sort)
 }
 # Gets a list of OEMs that are using sysexts.
 #
 # 1 - arch
 # 2 - name of an array variable to store the result in
 get_oem_id_list() {
  _get_oem_ids "$@"
 }
 # Gets a list of OEM sysext descriptors.
 #
 # 1 - arch
 # 2 - name of an array variable to store the result in
 #
 # Format: "name|metapackage|useflags"
 get_oem_sysext_matrix() {
  local arch list_var_name
  arch=${1}; shift
  list_var_name=${1}; shift
  local -a oem_ids
  _get_oem_ids "${arch}" oem_ids
  local -a matrix=()
  local oem_id
  for oem_id in "${oem_ids[@]}"; do
    matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|${oem_id}")
  done
  local -n matrix_ref="${list_var_name}"
  matrix_ref=("${matrix[@]}")
 }
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@ -3,8 +3,6 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 source "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 # Lookup the current version of a binary package, downloading it if needed.
 # Usage: get_binary_pkg some-pkg/name
 # Prints: some-pkg/name-1.2.3
@ -85,8 +83,6 @@ create_prod_image() {
  local image_initrd_contents="${image_name%.bin}_initrd_contents.txt"
  local image_initrd_contents_wtd="${image_name%.bin}_initrd_contents_wtd.txt"
  local image_disk_usage="${image_name%.bin}_disk_usage.txt"
  local image_realinitrd_contents="${image_name%.bin}_realinitrd_contents.txt"
  local image_realinitrd_contents_wtd="${image_name%.bin}_realinitrd_contents_wtd.txt"
  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
  start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
@ -160,22 +156,14 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
-  local -a bad_pam_files
+  # Move the PAM configuration into /usr
-  mapfile -t -d '' bad_pam_files < <(find "${root_fs_dir}"/etc/security "${root_fs_dir}"/etc/pam.d ! -type d ! -name '.keep*' -print0)
+  sudo mkdir -p ${root_fs_dir}/usr/lib/pam.d
-  if [[ ${#bad_pam_files[@]} -gt 0 ]]; then
+  sudo mv -n ${root_fs_dir}/etc/pam.d/* ${root_fs_dir}/usr/lib/pam.d/
-    error "Found following PAM config files: ${bad_pam_files[@]#"${root_fs_dir}"}"
+  sudo rmdir ${root_fs_dir}/etc/pam.d
    error "Expected them to be either removed or, better, vendored (/etc/pam.d files should be in /usr/lib/pam, /etc/security files should be in /usr/lib/pam/security)."
    error "Vendoring can be done with vendorize_pam_files inside a post_src_install hook for the package that installed the config file."
    die "PAM config errors spotted"
  fi
  # Remove source locale data, only need to ship the compiled archive.
  sudo rm -rf ${root_fs_dir}/usr/share/i18n/
  # Inject ephemeral sysext signing certificate
  sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
  sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
  # Finish image will move files from /etc to /usr/share/flatcar/etc.
  # Note that image filesystem contents generated by finish_image will not
  # include sysext contents (only the sysext squashfs files themselves).
@ -192,9 +180,7 @@ EOF
      "${image_kconfig}" \
      "${image_initrd_contents}" \
      "${image_initrd_contents_wtd}" \
-      "${image_disk_usage}" \
+      "${image_disk_usage}"
      "${image_realinitrd_contents}" \
      "${image_realinitrd_contents_wtd}"
  # Official builds will sign and upload these files later, so remove them to
  # prevent them from being uploaded now.
@ -275,65 +261,6 @@ create_prod_sysexts() {
  done
 }
 create_oem_sysexts() {
  local image_name=${1}; shift
  local requested_oem_sysexts_csv=${1}; shift
  local image_sysext_base="${image_name%.bin}_sysext.squashfs"
  local overlay_path
  overlay_path=$(portageq get_repo_path / coreos-overlay)
  local -a oem_sysexts
  get_oem_sysext_matrix "${ARCH}" oem_sysexts
  if [[ ${requested_oem_sysexts_csv} != 'everything!' ]]; then
      local -a all_oems requested_oems invalid_oems
      all_oems=( "${oem_sysexts[@]}" )
      all_oems=( "${all_oems[@]%%|*}" )
      all_oems=( "${all_oems[@]#oem-}" )
      mapfile -t requested_oems <<<"${requested_oem_sysexts_csv//,/$'\n'}"
      mapfile -t invalid_oems < <(comm -23 <(printf '%s\n' "${requested_oems[@]}" | sort -u) <(printf '%s\n' "${all_oems[@]}" | sort -u))
      if [[ ${#invalid_oems[@]} -gt 0 ]]; then
          die "Requested OEMs to build sysexts for are invalid: ${invalid_oems[*]}, valid OEMs are ${all_oems[*]}"
      fi
      mapfile -t oem_sysexts < <(printf '%s\n' "${oem_sysexts[@]}" | grep '^oem-\('"${requested_oem_sysexts_csv//,/'\|'}"'\)|')
  fi
  local sysext name metapkg useflags
  for sysext in "${oem_sysexts[@]}"; do
    IFS="|" read -r name metapkg useflags <<< "${sysext}"
    # Check for manglefs script in the package's files directory
    local mangle_script="${overlay_path}/${metapkg}/files/manglefs.sh"
    if [[ ! -x "${mangle_script}" ]]; then
      mangle_script=
    fi
    sudo rm -f "${BUILD_DIR}/${name}.raw" \
        "${BUILD_DIR}/flatcar_test_update-${name}.gz" \
        "${BUILD_DIR}/${name}_"*
    info "Building OEM sysext ${name} with USE=${useflags}"
    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
    # important - it sets the name of a rootfs directory, which is
    # used to determine the package target in
    # coreos/base/profile.bashrc
    #
    # OEM sysexts use no compression here since they will be stored
    # in a compressed OEM partition.
    USE="${useflags}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
        --image_builddir="${BUILD_DIR}" \
        --metapkgs="${metapkg}" \
        --install_root_basename="${name}-oem-sysext-rootfs" \
        --compression=none \
        ${mangle_script:+--manglefs_script="${mangle_script}"} \
        "${name}"
    delta_generator \
      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
      -new_image "${BUILD_DIR}/${name}.raw" \
      -out_file "${BUILD_DIR}/flatcar_test_update-${name}.gz"
  done
 }
 sbsign_prod_image() {
  local image_name="$1"
  local disk_layout="$2"
--- a/build_library/sbsign_util.sh
+++ b/build_library/sbsign_util.sh
@ -3,17 +3,17 @@
 # found in the LICENSE file.
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
+    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
-    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
+    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
 else
-    SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
+    SBSIGN_KEY="pkcs11:token=flatcar-sb-dev-hsm-sign-2025"
    unset SBSIGN_CERT
 fi
 PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
 PKCS11_ENV=(
-    AZURE_KEYVAULT_URL="https://flatcar-hsm0001.vault.azure.net/"
+    AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
    PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
    AZURE_KEYVAULT_PKCS11_DEBUG=1
 )
--- a/build_library/set_lsb_release
+++ b/build_library/set_lsb_release
@ -25,38 +25,40 @@ ROOT_FS_DIR="$FLAGS_root"
 [ -n "$ROOT_FS_DIR" ] || die "--root is required."
 [ -d "$ROOT_FS_DIR" ] || die "Root FS does not exist? ($ROOT_FS_DIR)"
-# These variables are set in the base profile.
+OS_NAME="Flatcar Container Linux by Kinvolk"
-eval $("portageq${FLAGS_board:+-}${FLAGS_board}" envvar -v BRANDING_OS_\*)
+OS_CODENAME="Oklo"
-BRANDING_OS_PRETTY_NAME="${BRANDING_OS_NAME} ${FLATCAR_VERSION}"
+OS_ID="flatcar"
 OS_ID_LIKE="coreos"
 OS_PRETTY_NAME="$OS_NAME $FLATCAR_VERSION (${OS_CODENAME})"
 FLATCAR_APPID="{e96281a6-d1af-4bde-9a0a-97b76e56dc57}"
 # DISTRIB_* are the standard lsb-release names
 sudo mkdir -p "${ROOT_FS_DIR}/usr/share/flatcar" "${ROOT_FS_DIR}/etc/flatcar"
 sudo_clobber "${ROOT_FS_DIR}/usr/share/flatcar/lsb-release" <<EOF
-DISTRIB_ID="$BRANDING_OS_NAME"
+DISTRIB_ID="$OS_NAME"
 DISTRIB_RELEASE=$FLATCAR_VERSION
-DISTRIB_DESCRIPTION="$BRANDING_OS_PRETTY_NAME"
+DISTRIB_CODENAME="$OS_CODENAME"
 DISTRIB_DESCRIPTION="$OS_PRETTY_NAME"
 EOF
 sudo ln -sf "../usr/share/flatcar/lsb-release" "${ROOT_FS_DIR}/etc/lsb-release"
 # And the new standard, os-release
 # https://www.freedesktop.org/software/systemd/man/os-release.html
 sudo_clobber "${ROOT_FS_DIR}/usr/lib/os-release" <<EOF
-NAME="$BRANDING_OS_NAME"
+NAME="$OS_NAME"
-ID="$BRANDING_OS_ID"
+ID=$OS_ID
-ID_LIKE="$BRANDING_OS_ID_LIKE"
+ID_LIKE=$OS_ID_LIKE
-VERSION="$FLATCAR_VERSION"
+VERSION=$FLATCAR_VERSION
-VERSION_ID="$FLATCAR_VERSION_ID"
+VERSION_ID=$FLATCAR_VERSION_ID
-BUILD_ID="$FLATCAR_BUILD_ID"
+BUILD_ID=$FLATCAR_BUILD_ID
-SYSEXT_LEVEL="1.0"
+SYSEXT_LEVEL=1.0
-PRETTY_NAME="$BRANDING_OS_PRETTY_NAME"
+PRETTY_NAME="$OS_PRETTY_NAME"
 ANSI_COLOR="38;5;75"
-HOME_URL="$BRANDING_OS_HOME_URL"
+HOME_URL="https://flatcar.org/"
-BUG_REPORT_URL="$BRANDING_OS_BUG_REPORT_URL"
+BUG_REPORT_URL="https://issues.flatcar.org"
 SUPPORT_URL="$BRANDING_OS_SUPPORT_URL"
 FLATCAR_BOARD="$FLAGS_board"
-CPE_NAME="cpe:2.3:o:${BRANDING_OS_ID}-linux:${BRANDING_OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
+CPE_NAME="cpe:2.3:o:${OS_ID}-linux:${OS_ID}_linux:${FLATCAR_VERSION}:*:*:*:*:*:*:*"
 EOF
 sudo ln -sf "../usr/lib/os-release" "${ROOT_FS_DIR}/etc/os-release"
 sudo ln -sf "../../lib/os-release" "${ROOT_FS_DIR}/usr/share/flatcar/os-release"
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@ -3,21 +3,17 @@
 set -euo pipefail
 rootfs="${1}"
 pushd "${rootfs}"
 # No manpages on Flatcar, no need to ship "stress" tool
-rm -rf ./usr/{bin/{containerd-stress,gen-manpages},lib/debug/}
+echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
 rm -f "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"
-dir=$(dirname "${BASH_SOURCE[0]}")
+script_root="$(cd "$(dirname "$0")/../"; pwd)"
-files_dir="${dir}/../sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
+files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
 # ATTENTION: don't preserve ownership as repo is owned by sdk user
-cp -vdR --preserve=mode,timestamps "${files_dir}/"* ./
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
-install -D -m0644 /dev/stdin ./usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf <<EOF
+mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
-[Unit]
+{ echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
 Upholds=containerd.service
 EOF
 popd
--- a/build_library/sysext_mangle_flatcar-incus
+++ b/build_library/sysext_mangle_flatcar-incus
@ -5,8 +5,6 @@ rootfs="${1}"
 pushd "${rootfs}"
 rm -rf ./usr/{lib/debug,lib64/pkgconfig,include}/
 pushd ./usr/lib/systemd/system
 mkdir -p "multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=incus.service"; } > "multi-user.target.d/10-incus.conf"
@ -25,3 +23,4 @@ mkdir -p ./usr/lib/userdb/
 echo " " > ./usr/lib/userdb/core:incus-admin.membership
 popd
--- a/build_library/sysext_mangle_flatcar-overlaybd
+++ b/build_library/sysext_mangle_flatcar-overlaybd
@ -1,15 +0,0 @@
 #!/bin/bash
 set -euo pipefail
 rootfs="${1}"
 pushd "${rootfs}"
 rm -rf ./usr/lib/debug/
 pushd ./usr/lib/systemd/system
 mkdir -p "multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=overlaybd-tcmu.service overlaybd-snapshotter.service"; } > "multi-user.target.d/10-overlaybd.conf"
 popd
 popd
--- a/build_library/sysext_mangle_flatcar-podman
+++ b/build_library/sysext_mangle_flatcar-podman
@ -5,7 +5,7 @@ rootfs="${1}"
 pushd "${rootfs}"
-rm -rf ./usr/{lib/debug,lib64/cmake,lib64/pkgconfig,include,share/aclocal,share/fish}/
+rm -rf ./usr/{lib/debug/,lib64/cmake/,lib64/pkgconfig,include/,share/fish,share/aclocal,share/SLSA}
 mkdir -p ./usr/share/podman/etc
 cp -a ./etc/{fuse.conf,containers} ./usr/share/podman/etc/
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
@ -63,15 +63,11 @@ create_prod_sysext() {
  # The --install_root_basename="${name}-base-sysext-rootfs" flag is
  # important - it sets the name of a rootfs directory, which is used
  # to determine the package target in coreos/base/profile.bashrc
-  #
+  sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
  # Built-in sysexts are stored in the compressed /usr partition, so we
  # disable compression to avoid double-compression.
  sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
            --board="${BOARD}" \
            --image_builddir="${workdir}/sysext-build" \
            --squashfs_base="${base_sysext}" \
            --generate_pkginfo \
            --compression=none \
            --install_root_basename="${name}-base-sysext-rootfs" \
            "${build_sysext_opts[@]}" \
            "${name}" "${grp_pkg[@]}"
@ -103,14 +99,6 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 function cleanup() {
  IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
  # skip the rootfs
  mounted_sysexts=("${mounted_sysexts[@]:1}")
  for sysext in "${mounted_sysexts[@]}"; do
    sudo systemd-dissect --umount --rmdir "$sysext"
  done
  sudo umount "${sysext_mountdir}"/* || true
  rm -rf "${sysext_workdir}" || true
 }
@ -128,7 +116,6 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
 mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
  # format is "<name>:<group>/<package>"
  name="${sysext%|*}"
@ -142,21 +129,12 @@ for sysext in ${sysexts_list//,/ }; do
                     "${grp_pkg}" \
                     "${prev_pkginfo}"
-  sudo systemd-dissect \
+  mkdir -p "${sysext_mountdir}/${name}" \
-    --read-only \
+           "${sysext_mountdir}/${name}_pkginfo"
-    --mount \
+  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
-    --mkdir \
+                                    "${sysext_mountdir}/${name}"
-    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
-    "${sysext_output_dir}/${name}.raw" \
+                                    "${sysext_mountdir}/${name}_pkginfo"
    "${sysext_mountdir}/${name}"
  sudo systemd-dissect \
    --read-only \
    --mount \
    --mkdir \
    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
    "${sysext_output_dir}/${name}_pkginfo.raw" \
    "${sysext_mountdir}/${name}_pkginfo"
  sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
  sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"
--- a/build_library/toolchain_util.sh
+++ b/build_library/toolchain_util.sh
@ -490,14 +490,10 @@ binutils_set_latest_profile() {
 # The extra flag can be blank, hardenednopie, and so on. See gcc-config -l
 # Usage: gcc_get_latest_profile chost [extra]
 gcc_get_latest_profile() {
-    local prefix=${1}
+    local prefix="${1}-"
-    local suffix=${2+-${2}}
+    local suffix="${2+-$2}"
    local status
-    NO_COLOR=1 gcc-config --list-profiles | \
+    gcc-config -l | cut -d' ' -f3 | grep "^${prefix}[0-9\\.]*${suffix}$" | tail -n1
        sed -e 's/^\s*//' | \
        cut -d' ' -f2 | \
        grep "^${prefix}-[0-9\\.]*${suffix}$" | \
        tail -n1
    # return 1 if anything in the above pipe failed
    for status in ${PIPESTATUS[@]}; do
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@ -225,11 +225,9 @@ IMG_ami_vmdk_DISK_FORMAT=vmdk_stream
 IMG_ami_vmdk_OEM_USE=ami
 IMG_ami_vmdk_OEM_PACKAGE=common-oem-files
 IMG_ami_vmdk_SYSEXT=oem-ami
 IMG_ami_vmdk_DISK_LAYOUT=vm
 IMG_ami_OEM_USE=ami
 IMG_ami_OEM_PACKAGE=common-oem-files
 IMG_ami_OEM_SYSEXT=oem-ami
 IMG_ami_DISK_LAYOUT=vm
 ## openstack
 IMG_openstack_DISK_FORMAT=qcow2
@ -345,7 +343,6 @@ IMG_kubevirt_OEM_SYSEXT=oem-kubevirt
 IMG_kubevirt_DISK_EXTENSION=qcow2
 ## akamai (Linode)
 IMG_akamai_DISK_LAYOUT=vm
 IMG_akamai_OEM_PACKAGE=common-oem-files
 IMG_akamai_OEM_USE=akamai
 IMG_akamai_OEM_SYSEXT=oem-akamai
@ -568,8 +565,7 @@ install_oem_package() {
    sudo rm -rf "${oem_tmp}"
 }
-# Install the prebuilt OEM sysext file into the OEM partition.
+# Write the OEM sysext file into the OEM partition.
 # The sysext should have been built by 'build_image oem_sysext'.
 install_oem_sysext() {
    local oem_sysext=$(_get_vm_opt OEM_SYSEXT)
@ -577,24 +573,59 @@ install_oem_sysext() {
        return 0
    fi
-    local prebuilt_sysext_filename="${oem_sysext}.raw"
+    local built_sysext_dir="${FLAGS_to}/${oem_sysext}-sysext"
-    local prebuilt_sysext_path="${FLAGS_from}/${prebuilt_sysext_filename}"
+    local built_sysext_filename="${oem_sysext}.raw"
    local built_sysext_path="${built_sysext_dir}/${built_sysext_filename}"
    local version="${FLATCAR_VERSION}"
-
+    local metapkg="coreos-base/${oem_sysext}"
-    if [[ ! -f "${prebuilt_sysext_path}" ]]; then
+    # The --install_root_basename="${name}-oem-sysext-rootfs" flag is
-        die "Prebuilt OEM sysext not found at ${prebuilt_sysext_path}. Run 'build_image oem_sysext' first."
+    # important - it sets the name of a rootfs directory, which is
    # used to determine the package target in
    # coreos/base/profile.bashrc
    local build_sysext_flags=(
        --board="${BOARD}"
        --squashfs_base="${VM_SRC_SYSEXT_IMG}"
        --image_builddir="${built_sysext_dir}"
        --metapkgs="${metapkg}"
        --install_root_basename="${VM_IMG_TYPE}-oem-sysext-rootfs"
    )
    local overlay_path mangle_fs
    overlay_path=$(portageq get_repo_path / coreos-overlay)
    mangle_fs="${overlay_path}/${metapkg}/files/manglefs.sh"
    if [[ -x "${mangle_fs}" ]]; then
        build_sysext_flags+=(
            --manglefs_script="${mangle_fs}"
        )
    fi
    mkdir -p "${built_sysext_dir}"
    sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
    local installed_sysext_oem_dir='/oem/sysext'
    local installed_sysext_file_prefix="${oem_sysext}-${version}"
    local installed_sysext_filename="${installed_sysext_file_prefix}.raw"
    local installed_sysext_abspath="${installed_sysext_oem_dir}/${installed_sysext_filename}"
-
+    info "Installing ${oem_sysext} sysext"
    info "Installing ${oem_sysext} sysext from prebuilt image"
    sudo install -Dpm 0644 \
-         "${prebuilt_sysext_path}" \
+         "${built_sysext_path}" \
         "${VM_TMP_ROOT}${installed_sysext_abspath}" ||
        die "Could not install ${oem_sysext} sysext"
    # Move sysext image and reports to a destination directory to
    # upload them, thus making them available as separate artifacts to
    # download.
    local upload_dir to_move
    upload_dir="$(_dst_dir)"
    for to_move in "${built_sysext_dir}/${oem_sysext}"*; do
        mv "${to_move}" "${upload_dir}/${to_move##*/}"
    done
    # Generate dev-key-signed update payload for testing
    delta_generator \
      -private_key "/usr/share/update_engine/update-payload-key.key.pem" \
      -new_image "${upload_dir}/${built_sysext_filename}" \
      -out_file "${upload_dir}/flatcar_test_update-${oem_sysext}.gz"
    # Remove sysext_dir if building sysext and installing it
    # succeeded.
    rm -rf "${built_sysext_dir}"
    # Mark the installed sysext as active.
    sudo touch "${VM_TMP_ROOT}${installed_sysext_oem_dir}/active-${oem_sysext}"
@ -806,12 +837,12 @@ _write_qemu_common() {
    cat >"${VM_README}" <<EOF
 If you have qemu installed (or in the SDK), you can start the image with:
  cd path/to/image
-  ./$(basename "${script}") -display curses
+  ./$(basename "${script}") -curses
 If you need to use a different ssh key or different ssh port:
-  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -display curses
+  ./$(basename "${script}") -a ~/.ssh/authorized_keys -p 2223 -- -curses
-If you rather you can use the -nographic option instad of '-display curses'. In this
+If you rather you can use the -nographic option instad of -curses. In this
 mode you can switch from the vm to the qemu monitor console with: Ctrl-a c
 See the qemu man page for more details on the monitor console.
@ -890,17 +921,11 @@ _write_qemu_uefi_secure_conf() {
    esac
    # TODO: Remove the temporary flatcar shim signing cert
    local _sb_db_cert="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
    local _sb_extra_db_certs=()
    if [[ -z ${SBSIGN_DB_CERT:-} ]]; then
        # Default behavior: include the temporary dev shim cert alongside DB.crt
        _sb_extra_db_certs=( --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert" )
    fi
    virt-fw-vars \
        --input "${flash_in}" \
        --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" "${_sb_db_cert}" \
+        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
-        "${_sb_extra_db_certs[@]}"
+        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
@ -917,7 +942,7 @@ _write_pxe_conf() {
    cat >>"${VM_README}" <<EOF
 You can pass extra kernel parameters with -append, for example:
-  ./$(basename "${script}") -display curses -append 'sshkey="PUT AN SSH KEY HERE"'
+  ./$(basename "${script}") -curses -append 'sshkey="PUT AN SSH KEY HERE"'
 When using -nographic or -serial you must also enable the serial console:
  ./$(basename "${script}") -nographic -append 'console=ttyS0,115200n8'
--- a/101
+++ b/101
@ -118,7 +118,6 @@ fi
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/oem_sysexts.sh" || exit 1
 # Setup all the emerge command/flags.
 EMERGE_FLAGS=( --update --deep --newuse --verbose --backtrack=30 --select )
@ -267,20 +266,13 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
  # lvm2[udev] -> virtual/udev -> systemd[cryptsetup] -> cryptsetup -> lvm2
  # lvm2[systemd] -> systemd[cryptsetup] -> cryptsetup -> lvm2
  # systemd[cryptsetup] -> cryptsetup[udev] -> virtual/udev -> systemd
  # systemd[tpm] -> tpm2-tss -> util-linux[udev] -> virtual/udev -> systemd
  # curl[http2] -> nghttp2[systemd] -> systemd[curl] -> curl
-  # sys-libs/pam[systemd] -> sys-apps/systemd[pam] -> sys-libs/pam
+  break_dep_loop sys-apps/util-linux udev,systemd,cryptsetup \
  #   dropping USE=pam from sys-apps/systemd requires dropping
  #   USE=systemd from sys-auth/pambase
  # sys-auth/pambase[sssd] -> sys-auth/sssd -> sys-apps/shadow[pam] -> sys-auth/pambase
  break_dep_loop sys-apps/util-linux cryptsetup,systemd,udev \
                 sys-fs/cryptsetup udev \
-                 sys-fs/lvm2 systemd,udev \
+                 sys-fs/lvm2 udev,systemd \
-                 sys-apps/systemd cryptsetup,pam,tpm \
+                 sys-apps/systemd cryptsetup,tpm \
                 net-misc/curl http2 \
-                 net-libs/nghttp2 systemd \
+                 net-libs/nghttp2 systemd
                 sys-libs/pam systemd \
                 sys-auth/pambase sssd,systemd
 fi
 if [[ "${FLAGS_only_resolve_circular_deps}" -eq "${FLAGS_TRUE}" ]]; then
@ -291,55 +283,50 @@ fi
 export KBUILD_BUILD_USER="${BUILD_USER:-build}"
 export KBUILD_BUILD_HOST="${BUILD_HOST:-pony-truck.infra.kinvolk.io}"
 # Build sysext packages from an array of sysext definitions.
 # Usage: build_sysext_packages "description" "${SYSEXT_ARRAY[@]}"
 # Array format: "name|packages|useflags|arches"
 build_sysext_packages() {
  local description="$1"
  shift
  local sysexts=("$@")
  info "Merging ${description} packages now"
  for sysext in "${sysexts[@]}"; do
    local sysext_name package_atoms useflags arches
    IFS="|" read -r sysext_name package_atoms useflags arches <<< "$sysext"
    [[ -z ${arches} || ,${arches}, == *,"${ARCH}",* ]] || continue
    info "Building packages for $sysext_name sysext with USE=$useflags"
    IFS=,
    for package in $package_atoms; do
       # --buildpkgonly does not install dependencies, so we install them
       # separately before building the binary package
       sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
         env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
         "${EMERGE_FLAGS[@]}" \
         --quiet \
         --onlydeps \
         --binpkg-respect-use=y \
         "${package}"
       sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
         env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
         "${EMERGE_FLAGS[@]}" \
         --quiet \
         --buildpkgonly \
         --binpkg-respect-use=y \
         "${package}"
    done
    unset IFS
  done
 }
 info "Merging board packages now"
 sudo -E "${EMERGE_CMD[@]}" "${EMERGE_FLAGS[@]}" "$@"
-build_sysext_packages "extra sysexts" "${EXTRA_SYSEXTS[@]}"
+info "Merging sysext packages now"
 for sysext in "${EXTRA_SYSEXTS[@]}"; do
  IFS="|" read -r SYSEXT_NAME PACKAGE_ATOMS USEFLAGS ARCHES <<< "$sysext"
-declare -a oem_sysexts
+  arch_array=("${ARCHES//,/ }")
-get_oem_sysext_matrix "${ARCH}" oem_sysexts
+  if [[ -n $ARCHES ]]; then
-if [[ ${#oem_sysexts[@]} -gt 0 ]]; then
+    should_skip=1
-  build_sysext_packages "OEM sysexts" "${oem_sysexts[@]}"
+    for arch in "${arch_array[@]}"; do
-fi
+      if [[ $arch == "$ARCH" ]]; then
        should_skip=0
      fi
    done
    if [[ $should_skip -eq 1 ]]; then
      continue
    fi
  fi
  info "Building packages for $SYSEXT_NAME sysext with USE=$USEFLAGS"
  IFS=,
  for package in $PACKAGE_ATOMS; do
     # --buildpkgonly does not install dependencies, so we install them
     # separately before building the binary package
     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
       "${EMERGE_FLAGS[@]}" \
       --quiet \
       --onlydeps \
       --binpkg-respect-use=y \
       "${package}"
     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
       "${EMERGE_FLAGS[@]}" \
       --quiet \
       --buildpkgonly \
       --binpkg-respect-use=y \
       "${package}"
  done
  unset IFS
 done
 info "Removing obsolete packages"
 # The return value of emerge is not clearly reliable. It may fail with
--- a/32
+++ b/32
@ -34,7 +34,6 @@ arch="amd64"
 official="0"
 tarball=""
 os_version=""
 logdir=""
 keep="false"
 cleanup=""
@ -58,7 +57,6 @@ usage() {
    echo "                     add a cleanup line to <script> which, when run, will free"
    echo "                     the resource. Useful for CI."
    echo "      -h           - Print this help."
    echo "      -l <dir>     - Put logs in this directory"
    echo
 }
@ -68,7 +66,6 @@ while [ 0 -lt $# ] ; do
    case "$1" in
    -h) usage; exit 0;;
    -k) keep="true";      shift;;
    -l) logdir="${2}";    shift; shift;;
    -v) os_version="$2";  shift; shift;;
    -x) cleanup="$2";     shift; shift;;
    *)  if [ -z "$tarball" ] ;  then
@ -105,10 +102,6 @@ else
    official="0"
 fi
 if [[ -n ${logdir} ]]; then
    mkdir -p "${logdir}"
 fi
 # --
 # import tarball
@ -144,7 +137,7 @@ else
    if [ -n "$cleanup" ] ; then
        echo "$docker image rm -f '${import_image}'" >> "$cleanup"
    fi
-    docker_build -t "$import_image" \
+    $docker build -t "$import_image" \
                 --build-arg VERSION="${docker_vernum}" \
                 -f sdk_lib/Dockerfile.sdk-import \
                 .
@ -177,19 +170,8 @@ else
    if [ -n "$cleanup" ] ; then
        echo "$docker container rm -f '${toolchains_container}'" >> "$cleanup"
    fi
    failed=''
    ./run_sdk_container -C "${import_image}" -n "${toolchains_container}" \
-            sudo ./build_toolchains --seed_tarball="./${tarball}" || failed=x
+            sudo ./build_toolchains --seed_tarball="./${tarball}"
    if [[ -n ${logdir} ]]; then
        if sudo test -d __build__/images/catalyst/log/coreos-toolchains; then
            sudo cp -a __build__/images/catalyst/log/coreos-toolchains "${logdir}/coreos-toolchains"
        fi
        if sudo test -d __build__/images/catalyst/tmp/coreos-toolchains; then
            scavenge_for_configure_logs --use-sudo __build__/images/catalyst/tmp/coreos-toolchains "${logdir}"
        fi
    fi
    if [[ -n ${failed} ]]; then exit 1; fi
    # remove sdk tarball from scripts root so it's not part of the SDK container build context
    if [ -f "${tarball_copied}" ] ; then
@ -226,7 +208,7 @@ else
    if [ -n "$cleanup" ] ; then
        echo "$docker image rm -f '${sdk_build_image}'" >> "$cleanup"
    fi
-    docker_build -t "${sdk_build_image}" \
+    $docker build -t "${sdk_build_image}" \
                 --build-arg VERSION="${docker_vernum}" \
                 --build-arg BINHOST="http://${binhost}" \
                 --build-arg OFFICIAL="${official}" \
@ -234,12 +216,6 @@ else
                 .
    $docker stop "${binhost_container}"
    if [[ -n ${logdir} ]]; then
        $docker run --rm -v "${logdir}:/logdir" "${sdk_build_image}" ./sdk_lib/setup_boards.sh finish /logdir
    else
        $docker run --rm "${sdk_build_image}" ./sdk_lib/setup_boards.sh finish
    fi
 fi
 # --
@ -255,7 +231,7 @@ for a in all arm64 amd64; do
        arm64) rmarch="amd64-usr"; rmcross="x86_64-cros-linux-gnu";;
        amd64) rmarch="arm64-usr"; rmcross="aarch64-cros-linux-gnu";;
    esac
-    docker_build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
+    $docker build -t "$sdk_container_common_registry/flatcar-sdk-${a}:${docker_vernum}" \
                 --build-arg VERSION="${docker_vernum}" \
                 --build-arg RMARCH="${rmarch}" \
                 --build-arg RMCROSS="${rmcross}" \
--- a/57
+++ b/57
@ -35,10 +35,10 @@ DEFINE_boolean generate_pkginfo "${FLAGS_FALSE}" \
  "Generate an additional squashfs '<sysext_name>_pkginfo.raw' with portage package meta-information (/var/db ...). Useful for creating sysext dependencies; see 'base_pkginfo' below."
 DEFINE_string base_pkginfo "" \
  "Colon-separated list of pkginfo squashfs paths / files generated via 'generate_pkginfo' to base this sysext on. The corresponding base sysexts are expected to be merged with the sysext generated."
-DEFINE_string compression "lz4hc" \
+DEFINE_string compression "zstd" \
-  "Compression to use for sysext EROFS image. Options: 'lz4', 'lz4hc', 'zstd', or 'none'. Default is 'lz4hc'."
+  "Compression to use for sysext squashfs. One of 'gzip', 'lzo', 'lz4', 'xz', or 'zstd'. Must be supported by the Flatcar squashfs kernel module in order for the sysext to work."
-DEFINE_string mkerofs_opts "" \
+DEFINE_string mksquashfs_opts "" \
-  "Additional mkfs.erofs options to pass via SYSTEMD_REPART_MKFS_OPTIONS_EROFS. If not specified, defaults are used based on compression type."
+  "Additional command line options to pass to mksquashfs. See 'man 1 mksquashfs'. If <compression> is 'zstd' (the default), this option defaults to '-Xcompression-level 22 -b 512K'. Otherwise the default is empty."
 DEFINE_boolean ignore_version_mismatch "${FLAGS_FALSE}" \
  "Ignore version mismatch between SDK board packages and base squashfs. DANGEROUS."
 DEFINE_string install_root_basename "${default_install_root_basename}" \
@ -112,6 +112,10 @@ fi
 BUILD_DIR=$(realpath "${FLAGS_image_builddir}")
 mkdir -p "${BUILD_DIR}"
 if [[ "${FLAGS_compression}" = "zstd" && -z "${FLAGS_mksquashfs_opts}" ]] ; then
    FLAGS_mksquashfs_opts="-Xcompression-level 22 -b 512k"
 fi
 source "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 source "${BUILD_LIBRARY_DIR}/reports_util.sh" || exit 1
@ -216,7 +220,7 @@ if [[ ${#} -lt 1 ]]; then
   show_help_if_requested -h
 fi
-info "Building '${SYSEXTNAME}' sysext with (meta-)packages '${@}' in '${BUILD_DIR}' using '${FLAGS_compression}' compression".
+info "Building '${SYSEXTNAME}' squashfs with (meta-)packages '${@}' in '${BUILD_DIR}' using '${FLAGS_compression}' compression".
 for package; do
  echo "Installing package into sysext image: $package"
@ -244,11 +248,11 @@ if [[ "$FLAGS_generate_pkginfo" = "${FLAGS_TRUE}" ]] ; then
  mkdir -p "${BUILD_DIR}/img-pkginfo/var/db"
  cp -R "${BUILD_DIR}/${FLAGS_install_root_basename}/var/db/pkg" "${BUILD_DIR}/img-pkginfo/var/db/"
  mksquashfs "${BUILD_DIR}/img-pkginfo" "${BUILD_DIR}/${SYSEXTNAME}_pkginfo.raw" \
-              -noappend -xattrs-exclude '^btrfs.' -comp zstd -Xcompression-level 22 -b 512k
+              -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 fi
 info "Writing ${SYSEXTNAME}_packages.txt"
-ROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" PORTAGE_CONFIGROOT="/build/${FLAGS_board}" \
+ROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" PORTAGE_CONFIGROOT="${BUILD_DIR}/${FLAGS_install_root_basename}" \
      equery --no-color list --format '$cpv::$repo' '*' > "${BUILD_DIR}/${SYSEXTNAME}_packages.txt"
@ -288,7 +292,6 @@ all_fields=(
  'ID=flatcar'
  "${version_field}"
  "ARCHITECTURE=${ARCH}"
  "EXTENSION_RELOAD_MANAGER=1"
 )
 printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/${FLAGS_install_root_basename}/usr/lib/extension-release.d/extension-release.${SYSEXTNAME}"
@ -301,44 +304,14 @@ if [[ -n "${invalid_files}" ]]; then
  die "Invalid file ownership: ${invalid_files}"
 fi
-# Set up EROFS compression options based on compression type
+mksquashfs "${BUILD_DIR}/${FLAGS_install_root_basename}" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
-if [[ "${FLAGS_compression}" != "none" ]]; then
+               -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
  export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="-z${FLAGS_compression}"
  if [[ -n "${FLAGS_mkerofs_opts}" ]]; then
    # User provided custom options
    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS} ${FLAGS_mkerofs_opts}"
  elif [[ "${FLAGS_compression}" = "lz4hc" ]]; then
    # Default options for lz4hc
    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},12 -C65536 -Efragments,ztailpacking"
  elif [[ "${FLAGS_compression}" = "zstd" ]]; then
    # Default options for zstd
    export SYSTEMD_REPART_MKFS_OPTIONS_EROFS="${SYSTEMD_REPART_MKFS_OPTIONS_EROFS},level=22 -C524288 -Efragments,ztailpacking"
  fi
  info "Building sysext with ${FLAGS_compression} compression"
 else
  info "Building sysext without compression (built-in sysexts)"
 fi
 systemd-repart \
  --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
  --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
  --make-ddi=sysext \
  --copy-source="${BUILD_DIR}/${FLAGS_install_root_basename}" \
  "${BUILD_DIR}/${SYSEXTNAME}.raw"
 rm -rf "${BUILD_DIR}"/{fs-root,"${FLAGS_install_root_basename}",workdir}
 # Generate reports
 mkdir "${BUILD_DIR}/img-rootfs"
-systemd-dissect --read-only \
+mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
  --mount \
  --mkdir \
  --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
  "${BUILD_DIR}/${SYSEXTNAME}.raw" \
  "${BUILD_DIR}/img-rootfs"
 write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
 write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
 write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
-systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs"
+umount "${BUILD_DIR}/img-rootfs"
--- a/changelog/bugfixes/2025-10-01-overlaybd-autostart.md
+++ b/changelog/bugfixes/2025-10-01-overlaybd-autostart.md
@ -1 +0,0 @@
 - Configured the services in the overlaybd sysext to start automatically like the other sysexts. Note that the sysext must be enabled at boot time for this to happen, otherwise you need to call `systemd-tmpfiles --create` and `systemctl daemon-reload` first.
--- a/changelog/bugfixes/2025-10-28-initrd-module-warning.md
+++ b/changelog/bugfixes/2025-10-28-initrd-module-warning.md
@ -1 +0,0 @@
 - Fixed a kernel boot warning when loading an explicit list of kernel modules in the minimal first-stage initrd ([Flatcar#1934](https://github.com/flatcar/Flatcar/issues/1934))
--- a/changelog/bugfixes/2025-10-31-fix-input-xml.md
+++ b/changelog/bugfixes/2025-10-31-fix-input-xml.md
@ -1 +0,0 @@
 - Alpha only: Fixed systemd-sysext payload handling for air-gapped/self-hosted updates which was a known bug for 4487.0.0 ([ue-rs#93](https://github.com/flatcar/ue-rs/pull/93))
--- a/changelog/bugfixes/2025-11-07-initrd-fusion-drivers.md
+++ b/changelog/bugfixes/2025-11-07-initrd-fusion-drivers.md
@ -1 +0,0 @@
 - Alpha only: Added Fusion SCSI disk drivers back to the initrd after they got lost in the rework ([Flatcar#1924](https://github.com/flatcar/Flatcar/issues/1924))
--- a/changelog/bugfixes/2025-11-11-sysext-no-debug.md
+++ b/changelog/bugfixes/2025-11-11-sysext-no-debug.md
@ -1 +0,0 @@
 - Dropped debug symbols from containerd, incus, and overlaybd system extensions to reduce download size.
--- a/changelog/bugfixes/2025-11-12-sssd.md
+++ b/changelog/bugfixes/2025-11-12-sssd.md
@ -1 +0,0 @@
 - Fixed SSSD startup failure by adding back LDB modules into the image, which got lost after a Samba update ([Flatcar#1919](https://github.com/flatcar/Flatcar/issues/1919))
--- a/changelog/bugfixes/2026-02-10-sssd.md
+++ b/changelog/bugfixes/2026-02-10-sssd.md
@ -1 +0,0 @@
 - Enabled back PAM sssd support for LDAP authentication ([scripts#3696](https://github.com/flatcar/scripts/pull/3696))
--- a/changelog/bugfixes/2026-02-23-terminfo.md
+++ b/changelog/bugfixes/2026-02-23-terminfo.md
@ -1 +0,0 @@
 - Added full terminfo database to support modern terminals like foot and Alacritty.
--- a/changelog/bugfixes/2026-03-03-pxe-oem.md
+++ b/changelog/bugfixes/2026-03-03-pxe-oem.md
@ -1 +0,0 @@
 - Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. ([Flatcar#2023](https://github.com/flatcar/Flatcar/issues/2023))
--- a/changelog/bugfixes/2026-03-25-ignition-oem.md
+++ b/changelog/bugfixes/2026-03-25-ignition-oem.md
@ -1 +0,0 @@
 - Fixed loading Ignition config from the initrd with `ignition.config.url=oem:///myconf.ign`. This was broken since moving to the minimal initrd. ([scripts#3853](https://github.com/flatcar/scripts/pull/3853))
--- a/changelog/changes/2025-09-19-minimal-initrd.md
+++ b/changelog/changes/2025-09-19-minimal-initrd.md
@ -1 +0,0 @@
 - Reduced the kernel+initrd size on `/boot` by half. Flatcar now uses a minimal first stage initrd just to access the `/usr` partition and then switches to the full initrd that does the full system preparation as before. Since this means that the set of kernel modules available in the first initrd is reduced, please report any impact.
--- a/changelog/changes/2025-10-09-partition-sizes.md
+++ b/changelog/changes/2025-10-09-partition-sizes.md
@ -1 +0,0 @@
 - Increased all partition sizes: `/boot` to 1 GB, the two `/usr` partitions to 2 GB, `/oem` to 1 GB so that we can use more space in a few years when we can assume that most nodes run the new partition layout - existing nodes can still update for the next years ([scripts#3027](https://github.com/flatcar/scripts/pull/3027))
--- a/changelog/changes/2025-10-13-custom-release-server.md
+++ b/changelog/changes/2025-10-13-custom-release-server.md
@ -1 +0,0 @@
 - Added support for the kernel cmdline parameters `flatcar.release_file_server_url` and `flatcar.dev_file_server_url` to specify custom servers where Flatcar extensions should be downloaded on boot ([bootengine#112](https://github.com/flatcar/bootengine/pull/112))
--- a/changelog/changes/2025-10-30-kmod-build.md
+++ b/changelog/changes/2025-10-30-kmod-build.md
@ -1 +0,0 @@
 - The way that files for building custom kernel modules are installed has changed from a Ubuntu-inspired method to the standard upstream kernel method. In the unlikely event that this breaks your module builds, please let the Flatcar team know immediately.
--- a/changelog/changes/2025-11-03-azure-size.md
+++ b/changelog/changes/2025-11-03-azure-size.md
@ -1 +0,0 @@
 - Alpha only: Reduced Azure image size again to 30 GB as before by shrinking the root partition to compensate for the growth of the other partitions ([scripts#3460](https://github.com/flatcar/scripts/pull/3460))
--- a/changelog/changes/2025-11-04-enable-amd-gpu-module.md
+++ b/changelog/changes/2025-11-04-enable-amd-gpu-module.md
@ -1 +0,0 @@
 - Build AMD GPU driver as module ([#3461](https://github.com/flatcar/scripts/pull/3461))
--- a/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md
+++ b/changelog/changes/2025-11-05-signed-os-dependent-sysexts.md
@ -1 +0,0 @@
 - OS-dependent sysexts (e.g., docker-flatcar, containerd-flatcar, podman, zfs, nvidia) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). OEM sysexts (e.g., oem-azure, oem-gce) are now also signed and built during the image phase to ensure consistent signing with the same ephemeral key. ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))
--- a/changelog/changes/2025-11-28-weekly-updates.md
+++ b/changelog/changes/2025-11-28-weekly-updates.md
@ -1 +0,0 @@
 - `/etc/shadow`, `/etc/gshadow` are now owned by the `shadow` group, `/usr/bin/unix_chkpwd`, `/usr/bin/chage` and `/usr/bin/expiry` are now also owned by the `shadow` group with a sticky bit enabled.
--- a/changelog/changes/2025-12-01-netkit.md
+++ b/changelog/changes/2025-12-01-netkit.md
@ -1 +0,0 @@
 - Enabled netkit module ([scripts#3524](https://github.com/flatcar/scripts/pull/3524))
--- a/changelog/changes/2025-12-12-default-systemd-confext.md
+++ b/changelog/changes/2025-12-12-default-systemd-confext.md
@ -1,2 +0,0 @@
 - Switched `/etc/` from a custom overlayfs for A/B updates to using a systemd-confext extension providing the default contents by using systemd-confext in the mutable mode where `/etc/` gets used as upperdir [scripts#3555](https://github.com/flatcar/scripts/pull/3555)
 - Moved systemd-sysext image mounting into the initrd, so that system extensions can better define the behavior of the final system at boot without workarounds to apply settings late at boot. This means `.wants` symlinks for systemd units work as expected now and, therefore, we dropped the `ensure-sysext.service` workaround. We still recommend extensions to keep their workarounds, e.g., using `.upholds` instead of `.wants`, to better support live reloading. A skipping logic prevents an extension refresh late at boot but only if no changes were found. For extensions that are not stored on a custom filesystem, such as a separate `/var` partition, the new extension mounting from the initrd won't be able to load them early but they will be picked up late at boot through the extension refresh. This is another case where it's good if extensions keep workarounds for late loading.
--- a/changelog/changes/2026-01-02-sshd-config.md
+++ b/changelog/changes/2026-01-02-sshd-config.md
@ -1 +0,0 @@
 - Dropped Ciphers, MACs, and KexAlgorithms from the sshd configuration so that the OpenSSH upstream defaults are used. This introduces post-quantum key exchange algorithms for better security. ([Flatcar#1921](https://github.com/flatcar/Flatcar/issues/1921)). Users requiring legacy Ciphers, MACs, and/or KexAlgos can override / re-enable this by deploying a custom drop-in config  to `/etc/ssh/sshd_config.d/`.
--- a/changelog/changes/2026-02-23-oklo-codename.md
+++ b/changelog/changes/2026-02-23-oklo-codename.md
@ -1 +0,0 @@
 - Dropped the "Oklo" release codename as it was never updated in a meaningful way.
--- a/changelog/changes/2026-02-4-enable-tracer-on-arm.md
+++ b/changelog/changes/2026-02-4-enable-tracer-on-arm.md
@ -1 +0,0 @@
 - Function tracer (ftrace) enabled in ARM64 builds. (Enables CONFIG_FUNCTION_TRACER & CONFIG_DYNAMIC_FTRACE for observability and security tools) ([flatcar/scripts#3685](https://github.com/flatcar/scripts/pull/3685))
--- a/changelog/changes/2026-03-25-erofs-tools.md
+++ b/changelog/changes/2026-03-25-erofs-tools.md
@ -1 +0,0 @@
 - Add EROFS tools for containerd ([Flatcar#2047](https://github.com/flatcar/Flatcar/issues/2047))
--- a/changelog/changes/2026-04-15-ignition-oem.md
+++ b/changelog/changes/2026-04-15-ignition-oem.md
@ -1 +0,0 @@
 - Reworked how the OEM partition is mounted at boot time so that Ignition no longer has to handle this by itself, thereby requiring less patching. This should not affect any existing usage, but it is a significant underlying change, so it needs to be called out. Please report any unexpected issues. ([flatcar/script#3934](https://github.com/flatcar/scripts/pull/3934))
--- a/changelog/changes/2026-04-28-enable-vnc-console-logs-on-arm.md
+++ b/changelog/changes/2026-04-28-enable-vnc-console-logs-on-arm.md
@ -1 +0,0 @@
 - Enable VNC console serial logs on ARM64 QEMU/KVM instances ([flatcar/scripts#2359](https://github.com/flatcar/scripts/pull/2359))
--- a/changelog/security/2025-09-16-weekly-updates.md
+++ b/changelog/security/2025-09-16-weekly-updates.md
@ -1,4 +0,0 @@
 - libpcre2 ([CVE-2025-58050](https://www.cve.org/CVERecord?id=CVE-2025-58050))
 - libxml2 ([libxml2-20250908](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9))
 - libxslt ([CVE-2025-7424](https://www.cve.org/CVERecord?id=CVE-2025-7424), [CVE-2025-7425](https://www.cve.org/CVERecord?id=CVE-2025-7425))
 - net-tools ([CVE-2025-46836](https://www.cve.org/CVERecord?id=CVE-2025-46836))
--- a/changelog/security/2025-09-24-weekly-updates.md
+++ b/changelog/security/2025-09-24-weekly-updates.md
@ -1,3 +0,0 @@
 - binutils ([CVE-2025-5244](https://www.cve.org/CVERecord?id=CVE-2025-5244), [CVE-2025-5245](https://www.cve.org/CVERecord?id=CVE-2025-5245) [CVE-2025-8225](https://www.cve.org/CVERecord?id=CVE-2025-8225))
 - curl ([CVE-2025-9086](https://www.cve.org/CVERecord?id=CVE-2025-9086), [CVE-2025-10148](https://www.cve.org/CVERecord?id=CVE-2025-10148))
 - go ([CVE-2025-47910](https://www.cve.org/CVERecord?id=CVE-2025-47910))
--- a/changelog/security/2025-10-14-weekly-updates.md
+++ b/changelog/security/2025-10-14-weekly-updates.md
@ -1,5 +0,0 @@
 - expat ([CVE-2025-59375](https://www.cve.org/CVERecord?id=CVE-2025-59375))
 - intel-microcode ([CVE-2024-28956](https://www.cve.org/CVERecord?id=CVE-2024-28956), [CVE-2024-43420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43420), [CVE-2024-45332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45332), [CVE-2025-20012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20012), [CVE-2025-20054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20054), [CVE-2025-20103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20103), [CVE-2025-20623](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20623), [CVE-2025-24495](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24495), [CVE-2025-20053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20053), [CVE-2025-20109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20109), [CVE-2025-22839](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22839), [CVE-2025-22840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22840), [CVE-2025-22889](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22889), [CVE-2025-26403](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26403))
 - nvidia-drivers ([CVE-2025-23280](https://www.cve.org/CVERecord?id=CVE-2025-23280), [CVE-2025-23282](https://www.cve.org/CVERecord?id=CVE-2025-23282), [CVE-2025-23300](https://www.cve.org/CVERecord?id=CVE-2025-23300), [CVE-2025-23330](https://www.cve.org/CVERecord?id=CVE-2025-23330), [CVE-2025-23332](https://www.cve.org/CVERecord?id=CVE-2025-23332), [CVE-2025-23345](https://www.cve.org/CVERecord?id=CVE-2025-23345))
 - openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))
 - openssl ([CVE-2025-9230](https://www.cve.org/CVERecord?id=CVE-2025-9230), [CVE-2025-9231](https://www.cve.org/CVERecord?id=CVE-2025-9231), [CVE-2025-9232](https://www.cve.org/CVERecord?id=CVE-2025-9232))
--- a/changelog/security/2025-10-29-pam.md
+++ b/changelog/security/2025-10-29-pam.md
@ -1 +0,0 @@
 - pam ([CVE-2024-22365](https://nvd.nist.gov/vuln/detail/CVE-2024-22365), [CVE-2024-10041](https://nvd.nist.gov/vuln/detail/CVE-2024-10041), [CVE-2024-10963](https://nvd.nist.gov/vuln/detail/CVE-2024-10963), [CVE-2025-6020](https://nvd.nist.gov/vuln/detail/CVE-2025-6020))
--- a/changelog/security/2025-11-05-weekly-updates.md
+++ b/changelog/security/2025-11-05-weekly-updates.md
@ -1,2 +0,0 @@
 - coreutils ([CVE-2025-5278](https://www.cve.org/CVERecord?id=CVE-2025-5278))
 - go ([CVE-2025-47912](https://www.cve.org/CVERecord?id=CVE-2025-47912), [CVE-2025-58183](https://www.cve.org/CVERecord?id=CVE-2025-58183), [CVE-2025-58185](https://www.cve.org/CVERecord?id=CVE-2025-58185), [CVE-2025-58186](https://www.cve.org/CVERecord?id=CVE-2025-58186), [CVE-2025-58187](https://www.cve.org/CVERecord?id=CVE-2025-58187), [CVE-2025-58188](https://www.cve.org/CVERecord?id=CVE-2025-58188), [CVE-2025-58189](https://www.cve.org/CVERecord?id=CVE-2025-58189), [CVE-2025-61723](https://www.cve.org/CVERecord?id=CVE-2025-61723), [CVE-2025-61724](https://www.cve.org/CVERecord?id=CVE-2025-61724), [CVE-2025-61725](https://www.cve.org/CVERecord?id=CVE-2025-61725))
--- a/changelog/security/2026-01-23-gnupg.md
+++ b/changelog/security/2026-01-23-gnupg.md
@ -1 +0,0 @@
 - gnupg ([CVE-2025-68972](https://www.cve.org/CVERecord/?id=CVE-2025-68972), [CVE-2025-68973](https://www.cve.org/CVERecord/?id=CVE-2025-68973), [gnupg-20251228-notdash](https://gpg.fail/notdash))
--- a/changelog/security/2026-02-12-openssh.md
+++ b/changelog/security/2026-02-12-openssh.md
@ -0,0 +1 @@
 - openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))
--- a/changelog/security/2026-02-20-weekly-updates.md
+++ b/changelog/security/2026-02-20-weekly-updates.md
@ -1,6 +0,0 @@
 - bind ([CVE-2025-40778](https://www.cve.org/CVERecord?id=CVE-2025-40778), [CVE-2025-40780](https://www.cve.org/CVERecord?id=CVE-2025-40780), [CVE-2025-8677](https://www.cve.org/CVERecord?id=CVE-2025-8677))
 - gnutls ([CVE-2025-9820](https://www.cve.org/CVERecord?id=CVE-2025-9820))
 - go ([CVE-2025-61727](https://www.cve.org/CVERecord?id=CVE-2025-61727), [CVE-2025-61729](https://www.cve.org/CVERecord?id=CVE-2025-61729))
 - libarchive ([CVE-2025-60753](https://www.cve.org/CVERecord?id=CVE-2025-60753))
 - podman ([CVE-2025-9566](https://www.cve.org/CVERecord?id=CVE-2025-9566), [CVE-2025-52881](https://www.cve.org/CVERecord?id=CVE-2025-52881))
 - urllib3 ([CVE-2025-66418](https://www.cve.org/CVERecord?id=CVE-2025-66418), [CVE-2025-66471](https://www.cve.org/CVERecord?id=CVE-2025-66471))
--- a/changelog/security/2026-03-04-weekly-updates.md
+++ b/changelog/security/2026-03-04-weekly-updates.md
@ -1,17 +0,0 @@
 - c-ares ([CVE-2025-62408](https://www.cve.org/CVERecord?id=CVE-2025-62408))
 - curl ([CVE-2025-13034](https://www.cve.org/CVERecord?id=CVE-2025-13034), [CVE-2025-14017](https://www.cve.org/CVERecord?id=CVE-2025-14017), [CVE-2025-14524](https://www.cve.org/CVERecord?id=CVE-2025-14524), [CVE-2025-14819](https://www.cve.org/CVERecord?id=CVE-2025-14819), [CVE-2025-15079](https://www.cve.org/CVERecord?id=CVE-2025-15079), [CVE-2025-15224](https://www.cve.org/CVERecord?id=CVE-2025-15224))
 - expat ([CVE-2026-24515](https://www.cve.org/CVERecord?id=CVE-2026-24515), [CVE-2026-25210](https://www.cve.org/CVERecord?id=CVE-2026-25210))
 - glib ([CVE-2025-13601](https://www.cve.org/CVERecord?id=CVE-2025-13601), [CVE-2025-14087](https://www.cve.org/CVERecord?id=CVE-2025-14087))
 - glibc ([CVE-2026-0861](https://www.cve.org/CVERecord?id=CVE-2026-0861), [CVE-2026-0915](https://www.cve.org/CVERecord?id=CVE-2026-0915), [CVE-2025-15281](https://www.cve.org/CVERecord?id=CVE-2025-15281))
 - gnupg ([CVE-2026-24881](https://www.cve.org/CVERecord?id=CVE-2026-24881), [CVE-2026-24882](https://www.cve.org/CVERecord?id=CVE-2026-24882), [CVE-2026-24883](https://www.cve.org/CVERecord?id=CVE-2026-24883))
 - gnutls ([CVE-2025-14831](https://www.cve.org/CVERecord?id=CVE-2025-14831), [CVE-2026-1584](https://www.cve.org/CVERecord?id=CVE-2026-1584))
 - incus ([CVE-2026-23953](https://www.cve.org/CVERecord?id=CVE-2026-23953))
 - intel-microcode ([CVE-2025-31648](https://www.cve.org/CVERecord?id=CVE-2025-31648))
 - libpcap ([CVE-2025-11961](https://www.cve.org/CVERecord?id=CVE-2025-11961), [CVE-2025-11964](https://www.cve.org/CVERecord?id=CVE-2025-11964))
 - libtasn1 ([CVE-2025-13151](https://www.cve.org/CVERecord?id=CVE-2025-13151))
 - libxslt ([CVE-2025-10911](https://www.cve.org/CVERecord?id=CVE-2025-10911), [CVE-2025-11731](https://www.cve.org/CVERecord?id=CVE-2025-9714))
 - nvidia-drivers ([CVE-2025-33219](https://www.cve.org/CVERecord?id=CVE-2025-33219))
 - p11-kit ([CVE-2026-2100](https://www.cve.org/CVERecord?id=CVE-2026-2100))
 - rsync ([CVE-2025-10158](https://www.cve.org/CVERecord?id=CVE-2025-10158))
 - sssd ([CVE-2025-11561](https://www.cve.org/CVERecord?id=CVE-2025-11561))
 - util-linux ([CVE-2025-14104](https://www.cve.org/CVERecord?id=CVE-2025-14104))
--- a/changelog/updates/2025-09-16-weekly-updates.md
+++ b/changelog/updates/2025-09-16-weekly-updates.md
@ -1,12 +0,0 @@
 - SDK: azure-core ([1.16.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-core_1.16.1))
 - SDK: azure-identity ([1.13.1](https://github.com/Azure/azure-sdk-for-cpp/releases/tag/azure-identity_1.13.1))
 - base, dev: coreutils ([9.7](https://lists.gnu.org/archive/html/info-gnu/2025-04/msg00006.html) (includes [9.6](https://savannah.gnu.org/news/?id=10715)))
 - base, dev: libffi ([3.5.2](https://github.com/libffi/libffi/releases/tag/v3.5.2))
 - base, dev: libnftnl ([1.3.0](https://lwn.net/Articles/1032725/))
 - base, dev: libxml2 ([2.13.9](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9))
 - base, dev: ncurses ([6.5_p20250802](https://invisible-island.net/ncurses/NEWS.html#t20250802))
 - base, dev: nftables ([1.1.4](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.4.txt))
 - dev, sysext-incus: squashfs-tools ([4.7.2](https://github.com/plougher/squashfs-tools/releases/tag/4.7.2) (includes [4.7.1](https://github.com/plougher/squashfs-tools/releases/tag/4.7.1)))
 - sysext-podman: gpgme ([2.0.0](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=NEWS;h=cd0e093bf83fe47b6773fb478fced07d8409fbe0;hb=e17ba578861905857da0a514b4fc9b88a57f7346))
 - sysext-python: charset-normalizer ([3.4.3](https://github.com/jawah/charset_normalizer/releases/tag/3.4.3))
 - sysext-python: pip ([25.2](https://raw.githubusercontent.com/pypa/pip/refs/tags/25.2/NEWS.rst))
--- a/changelog/updates/2025-09-18-linux-firmware-20250917-update.md
+++ b/changelog/updates/2025-09-18-linux-firmware-20250917-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20250917](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20250917))
--- a/changelog/updates/2025-09-22-ca-certificates-3.116-update.md
+++ b/changelog/updates/2025-09-22-ca-certificates-3.116-update.md
--- a/changelog/updates/2025-09-24-weekly-updates.md
+++ b/changelog/updates/2025-09-24-weekly-updates.md
@ -1,21 +0,0 @@
 - SDK: go ([1.24.7](https://go.dev/doc/devel/release#go1.24.minor))
 - SDK: pkgcheck ([0.10.37](https://github.com/pkgcore/pkgcheck/releases/tag/v0.10.37))
 - SDK: rust ([1.89.0](https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/))
 - base, dev: bash ([5.3_p3](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
 - base, dev: btrfs-progs ([6.16](https://github.com/kdave/btrfs-progs/releases/tag/v6.16))
 - base, dev: cryptsetup ([2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/raw/v2.8.1/docs/v2.8.1-ReleaseNotes))
 - base, dev: curl ([8.16.0](https://curl.se/ch/8.16.0.html))
 - base, dev: expat ([2.7.2](https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes))
 - base, dev: gcc ([14.3.1_p20250801](https://gcc.gnu.org/pipermail/gcc/2025-May/246078.html))
 - base, dev: hwdata ([0.398](https://github.com/vcrhonek/hwdata/releases/tag/v0.398))
 - base, dev: readline ([8.3_p1](https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00005.html))
 - base, dev: samba ([4.22.3](https://www.samba.org/samba/history/samba-4.22.3.html) (includes [4.22.2](https://www.samba.org/samba/history/samba-4.22.2.html), [4.22.1](https://www.samba.org/samba/history/samba-4.22.1.html), [4.22.0](https://www.samba.org/samba/history/samba-4.22.0.html), [4.21.0](https://www.samba.org/samba/history/samba-4.21.0.html)))
 - base, dev: talloc ([2.4.3](https://gitlab.com/samba-team/samba/-/commit/77229f73c20af69ab0f3c96efbb229ff64a9dfe4))
 - base, dev: tdb ([1.4.13](https://gitlab.com/samba-team/samba/-/commit/70a8c7a89a6d62d2ff172d79b5f4e6439300b88d))
 - base, dev: tevent ([0.16.2](https://gitlab.com/samba-team/samba/-/commit/8d398acbbb7fdc0ff50fe6ba80433deaf92515c6))
 - dev: binutils ([2.45](https://lists.gnu.org/archive/html/info-gnu/2025-07/msg00009.html))
 - sysext-incus, sysext-podman, vmware: fuse ([3.17.4](https://github.com/libfuse/libfuse/releases/tag/fuse-3.17.4))
 - sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers (570.190)
 - sysext-python: jaraco-functools ([4.3.0](https://raw.githubusercontent.com/jaraco/jaraco.functools/refs/tags/v4.3.0/NEWS.rst))
 - sysext-python: markdown-it-py ([4.0.0](https://github.com/executablebooks/markdown-it-py/releases/tag/v4.0.0))
 - sysext-python: requests ([2.32.5](https://github.com/psf/requests/releases/tag/v2.32.5))
--- a/changelog/updates/2025-09-26-linux-6.12.49-update.md
+++ b/changelog/updates/2025-09-26-linux-6.12.49-update.md
@ -1 +0,0 @@
 - Linux ([6.12.49](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.49))
--- a/changelog/updates/2025-10-01-open-vm-tools-13.0.5-update.md
+++ b/changelog/updates/2025-10-01-open-vm-tools-13.0.5-update.md
@ -1 +0,0 @@
 - open-vm-tools ([13.0.5](https://github.com/vmware/open-vm-tools/releases/tag/stable-13.0.5))
--- a/changelog/updates/2025-10-03-linux-6.12.50-update.md
+++ b/changelog/updates/2025-10-03-linux-6.12.50-update.md
@ -1 +0,0 @@
 - Linux ([6.12.50](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.50))
--- a/changelog/updates/2025-10-07-linux-6.12.51-update.md
+++ b/changelog/updates/2025-10-07-linux-6.12.51-update.md
@ -1 +1 @@
- Linux ([6.12.51](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.51))
+- Linux ([6.12.51](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.51) (includes [6.12.50](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.50), [6.12.49](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.49)))
--- a/changelog/updates/2025-10-09-afterburn-5.10.md
+++ b/changelog/updates/2025-10-09-afterburn-5.10.md
@ -1 +0,0 @@
 - Afterburn ([5.10.0](https://coreos.github.io/afterburn/release-notes/#afterburn-5100))
--- a/changelog/updates/2025-10-14-weekly-updates.md
+++ b/changelog/updates/2025-10-14-weekly-updates.md
@ -1,26 +0,0 @@
 - SDK: cmake ([3.31.9](https://cmake.org/cmake/help/v3.31/release/3.31.html#id1))
 - SDK: go ([1.25.1](https://go.dev/doc/devel/release#go1.25.minor) (includes [1.25](https://go.dev/doc/go1.25)))
 - SDK: qemu ([10.0.5](https://wiki.qemu.org/ChangeLog/10.0))
 - azure, dev: inotify-tools ([4.25.9.0](https://github.com/inotify-tools/inotify-tools/releases/tag/4.25.9.0))
 - azure, stackit: chrony ([4.8](https://gitlab.com/chrony/chrony/-/raw/4.8/NEWS))
 - base, dev: bind ([9.18.38](https://bind9.readthedocs.io/en/v9.18.38/notes.html#notes-for-bind-9-18-38))
 - base, dev: bpftool ([7.6.0](https://github.com/libbpf/bpftool/releases/tag/v7.6.0))
 - base, dev: btrfs-progs ([6.16.1](https://github.com/kdave/btrfs-progs/releases/tag/v6.16.1))
 - base, dev: expat ([2.7.3](https://raw.githubusercontent.com/libexpat/libexpat/refs/tags/R_2_7_3/expat/Changes))
 - base, dev: gettext ([0.23.2](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=a5cc8a63eb4f06e4a1171afda862812feb67d693;hb=e8e6cb71aec0de1f5758ac21327bb8cd69e33731) (includes [0.23.1](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=4aafedf9b10a66891838e1f35c7af020c6124ee0;hb=d9b0432a825bfe3fc72f9a081d295a9528cd8aac), [0.23.0](https://gitweb.git.savannah.gnu.org/gitweb/?p=gettext.git;a=blob_plain;f=NEWS;h=9d87d45408f510d15856a1dda8a9376573f0a9c5;hb=c12b25dc82104691ca80c4da1cbc538fcab42bf5)))
 - base, dev: git ([2.51.0](https://github.com/git/git/blob/v2.51.0/Documentation/RelNotes/2.51.0.adoc) (includes [2.50.0](https://github.com/git/git/blob/v2.50.0/Documentation/RelNotes/2.50.0.adoc)))
 - base, dev: intel-microcode ([20250812](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812) (includes [20250512](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512)))
 - base, dev: libxml2 ([2.14.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.6) (includes [2.14.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5), [2.14.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4), [2.14.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.3), [2.14.2](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.2), [2.14.1](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.1), [2.14.0](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.0)))
 - base, dev: nftables ([1.1.5](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.5.txt))
 - base, dev: nvidia-drivers-service (amd64) ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
 - base, dev: nvidia-drivers-service (arm64) ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
 - base, dev: openssh ([10.2_p1](https://www.openssh.com/txt/release-10.2) (includes [10.1](https://www.openssh.com/txt/release-10.1)))
 - base, dev: openssl ([3.4.3](https://github.com/openssl/openssl/releases/tag/openssl-3.4.3))
 - base, dev: xfsprogs ([6.16.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.16.0) (includes [6.15.0](https://web.git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/tree/doc/CHANGES?h=v6.15.0)))
 - sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers ([535.274.02](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-274-02/index.html))
 - sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers ([570.195.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-195-03/index.html))
 - sysext-podman: crun ([1.21](https://github.com/containers/crun/releases/tag/1.21))
 - sysext-podman: netavark ([1.15.2](https://github.com/containers/netavark/releases/tag/v1.15.2) (includes [1.15.1](https://github.com/containers/netavark/releases/tag/v1.15.1), [1.15.0](https://github.com/containers/netavark/releases/tag/v1.15.0)))
 - sysext-podman: passt ([2025.06.11](https://archives.passt.top/passt-user/20250611175947.7d540ddc@elisabeth/T/#u))
 - sysext-python: platformdirs ([4.4.0](https://github.com/tox-dev/platformdirs/releases/tag/4.4.0))
 - sysext-python: typing-extensions ([4.15.0](https://raw.githubusercontent.com/python/typing_extensions/refs/tags/4.15.0/CHANGELOG.md))
--- a/changelog/updates/2025-10-16-linux-firmware-20251011-update.md
+++ b/changelog/updates/2025-10-16-linux-firmware-20251011-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20251011](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251011))
--- a/changelog/updates/2025-10-20-linux-6.12.54-update.md
+++ b/changelog/updates/2025-10-20-linux-6.12.54-update.md
--- a/changelog/updates/2025-10-23-linux-firmware-20251021-update.md
+++ b/changelog/updates/2025-10-23-linux-firmware-20251021-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20251021](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251021))
--- a/changelog/updates/2025-10-29-pam.md
+++ b/changelog/updates/2025-10-29-pam.md
@ -1,2 +0,0 @@
 - base, dev: pam ([1.7.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1) (includes [1.7.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.7.0), [1.6.1](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.1), [1.6.0](https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0)))
 - base, dev: pambase ([20251013](https://gitweb.gentoo.org/proj/pambase.git/log/?h=pambase-20251013))
--- a/changelog/updates/2025-10-29-systemd-update.md
+++ b/changelog/updates/2025-10-29-systemd-update.md
@ -1 +0,0 @@
 - systemd (257.9)
--- a/changelog/updates/2025-10-30-containerd.md
+++ b/changelog/updates/2025-10-30-containerd.md
@ -1,2 +0,0 @@
 - sysext-containerd: runc ([1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1))
 - sysext-containerd: containerd ([2.1.4](https://github.com/containerd/containerd/releases/tag/v2.1.4))
--- a/changelog/updates/2025-11-05-weekly-updates.md
+++ b/changelog/updates/2025-11-05-weekly-updates.md
@ -1,19 +0,0 @@
 - SDK: cmake ([4.1.2](https://cmake.org/cmake/help/v4.1/release/4.1.html#id22) (includes [4.1.1](https://cmake.org/cmake/help/v4.1/release/4.1.html#id21), [4.1](https://cmake.org/cmake/help/v4.1/release/4.1.html), [4.0](https://cmake.org/cmake/help/v4.0/release/4.0.html)))
 - SDK: go ([1.25.3](https://go.dev/doc/devel/release#go1.25.minor))
 - base, dev: btrfs-progs ([6.17](https://github.com/kdave/btrfs-progs/releases/tag/v6.17))
 - base, dev: cifs-utils ([7.4](https://lwn.net/Articles/1024956/))
 - base, dev: coreutils ([9.8](https://lists.gnu.org/archive/html/info-gnu/2025-09/msg00005.html))
 - base, dev: hwdata ([0.399](https://github.com/vcrhonek/hwdata/releases/tag/v0.399))
 - base, dev: inih ([62](https://github.com/benhoyt/inih/releases/tag/r62) (includes [61](https://github.com/benhoyt/inih/releases/tag/r61)))
 - base, dev: iproute2 ([6.17.0](https://lore.kernel.org/all/20250929095042.48200315@hermes.local/))
 - base, dev: kbd ([2.9.0](https://github.com/legionus/kbd/releases/tag/v2.9.0))
 - base, dev: libtirpc ([1.3.7](https://git.linux-nfs.org/?p=steved/libtirpc.git;a=log;h=refs/tags/libtirpc-1-3-7))
 - base, dev: samba ([4.22.5](https://www.samba.org/samba/history/samba-4.22.5.html) (includes [4.22.4](https://www.samba.org/samba/history/samba-4.22.4.html)))
 - base, dev: strace ([6.17](https://github.com/strace/strace/releases/tag/v6.17))
 - base, dev: util-linux ([2.41.2](https://github.com/util-linux/util-linux/blob/v2.41.2/Documentation/releases/v2.41.2-ReleaseNotes))
 - dev: portage ([3.0.69.3](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.3) (includes [3.0.69.2](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.2), [3.0.69.1](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69.1), [3.0.69](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.69)))
 - sysext-overlaybd: overlaybd ([1.0.16](https://github.com/containerd/overlaybd/releases/tag/v1.0.16))
 - sysext-podman: netavark ([1.16.1](https://github.com/containers/netavark/releases/tag/v1.16.1) (includes [1.16.0](https://github.com/containers/netavark/releases/tag/v1.16.0)))
 - sysext-python: more-itertools ([10.8.0](https://github.com/more-itertools/more-itertools/releases/tag/v10.8.0))
 - sysext-python: setuptools-scm ([9.2.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.2.0) (includes [9.1.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.1.0), [9.0.0](https://github.com/pypa/setuptools-scm/releases/tag/v9.0.0)))
 - sysext-python: trove-classifiers ([2025.9.11.17](https://github.com/pypa/trove-classifiers/releases/tag/2025.9.11.17) (includes (2025.9.9.12)[https://github.com/pypa/trove-classifiers/releases/tag/2025.9.9.12], [2025.9.8.13](https://github.com/pypa/trove-classifiers/releases/tag/2025.9.8.13)))
--- a/changelog/updates/2025-11-07-runc-containerd.md
+++ b/changelog/updates/2025-11-07-runc-containerd.md
@ -1,2 +1,2 @@
- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2)))
+- runc ([1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3) (includes [1.3.2](https://github.com/opencontainers/runc/releases/tag/v1.3.2), [1.3.1](https://github.com/opencontainers/runc/releases/tag/v1.3.1), [1.3.0](https://github.com/opencontainers/runc/releases/tag/v1.3.0)))
- containerd ([2.1.5](https://github.com/containerd/containerd/releases/tag/v2.1.5))
+- containerd ([2.0.7](https://github.com/containerd/containerd/releases/tag/v2.0.7) (includes [2.0.6](https://github.com/containerd/containerd/releases/tag/v2.0.6)))
--- a/changelog/updates/2025-11-13-linux-firmware-20251111-update.md
+++ b/changelog/updates/2025-11-13-linux-firmware-20251111-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20251111](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251111))
--- a/changelog/updates/2025-11-24-weekly-updates.md
+++ b/changelog/updates/2025-11-24-weekly-updates.md
@ -1,13 +0,0 @@
 - SDK: meson ([1.9.1](https://mesonbuild.com/Release-notes-for-1-9-0.html) (includes [1.8.0](https://mesonbuild.com/Release-notes-for-1-8-0.html)))
 - SDK: nasm ([3.01](https://www.nasm.us/docs/3.01/nasmac.html) (includes [3.00](https://www.nasm.us/docs/3.00/nasmac.html)))
 - base, dev: hwdata ([0.400](https://github.com/vcrhonek/hwdata/releases/tag/v0.400))
 - base, dev: intel-microcode ([20251111_p20251112](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20251111))
 - base, dev: jose ([14](https://github.com/latchset/jose/releases/tag/v14) (includes [13](https://github.com/latchset/jose/releases/tag/v13)))
 - base, dev: less ([685](https://greenwoodsoftware.com/less/news.685.html))
 - base, dev: libgpg-error ([1.56](https://github.com/gpg/libgpg-error/releases/tag/libgpg-error-1.56))
 - base, dev: openssl ([3.5.4](https://github.com/openssl/openssl/releases/tag/openssl-3.5.4) (includes [3.5.3](https://github.com/openssl/openssl/releases/tag/openssl-3.5.3), [3.5.2](https://github.com/openssl/openssl/releases/tag/openssl-3.5.2), [3.5.1](https://github.com/openssl/openssl/releases/tag/openssl-3.5.1), [3.5.0](https://github.com/openssl/openssl/releases/tag/openssl-3.5.0)))
 - base, dev: thin-provisioning-tools ([1.3.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.3.0/CHANGES) (includes [1.2.2](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.2/CHANGES), [1.2.1](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.1/CHANGES), [1.2.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.2.0/CHANGES), [1.1.0](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.1.0/CHANGES), [1.0.14](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.14/CHANGES), [1.0.13](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.13/CHANGES), [1.0.12](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.12/CHANGES), [1.0.11](https://raw.githubusercontent.com/device-mapper-utils/thin-provisioning-tools/refs/tags/v1.0.11/CHANGES)))
 - sysext-podman: aardvark-dns ([1.15.0](https://github.com/containers/aardvark-dns/releases/tag/v1.15.0))
 - sysext-python: platformdirs ([4.5.0](https://github.com/tox-dev/platformdirs/releases/tag/4.5.0))
 - sysext-python: resolvelib ([1.2.1](https://raw.githubusercontent.com/sarugaku/resolvelib/refs/tags/1.2.1/CHANGELOG.rst))
 - sysext-python: rich ([14.2.0](https://github.com/Textualize/rich/releases/tag/v14.2.0))
--- a/changelog/updates/2025-11-27-linux-firmware-20251125-update.md
+++ b/changelog/updates/2025-11-27-linux-firmware-20251125-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20251125](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20251125))
--- a/changelog/updates/2025-12-02-linux-6.12.60-update.md
+++ b/changelog/updates/2025-12-02-linux-6.12.60-update.md
@ -1 +1 @@
- Linux ([6.12.60](https://lwn.net/Articles/1048757))
+- Linux ([6.12.60](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tag/?h=v6.12.60))
--- a/changelog/updates/2025-12-03-ignition.md
+++ b/changelog/updates/2025-12-03-ignition.md
@ -1 +0,0 @@
 - Ignition ([2.24.0](https://coreos.github.io/ignition/release-notes/#ignition-2240-2024-10-14))
--- a/changelog/updates/2025-12-08-update-systemd.md
+++ b/changelog/updates/2025-12-08-update-systemd.md
@ -1 +0,0 @@
 - systemd (258.2)
--- a/changelog/updates/2025-12-11-etcdctl.md
+++ b/changelog/updates/2025-12-11-etcdctl.md
@ -1 +0,0 @@
 - etcdctl ([3.5.18](https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3518-2025-01-24))
--- a/changelog/updates/2026-01-06-draacut-109.md
+++ b/changelog/updates/2026-01-06-draacut-109.md
@ -1 +0,0 @@
 - dracut ([109](https://github.com/dracut-ng/dracut-ng/releases/tag/109) (includes [108](https://github.com/dracut-ng/dracut-ng/releases/tag/108), [107](https://github.com/dracut-ng/dracut-ng/releases/tag/107)))
--- a/changelog/updates/2026-01-07-python-bump.md
+++ b/changelog/updates/2026-01-07-python-bump.md
@ -1 +0,0 @@
 - python ([3.12.12](https://www.python.org/downloads/release/python-31212/) (includes [3.12.0](https://www.python.org/downloads/release/python-3120/)))
--- a/changelog/updates/2026-01-15-linux-firmware-20260110-update.md
+++ b/changelog/updates/2026-01-15-linux-firmware-20260110-update.md
@ -1 +0,0 @@
 - Linux Firmware ([20260110](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tag/?h=20260110))
--- a/changelog/updates/2026-01-23-gnupg.md
+++ b/changelog/updates/2026-01-23-gnupg.md
@ -1,3 +0,0 @@
 - base, dev: gnupg ([2.5.16](https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html https://lists.gnupg.org/pipermail/gnupg-announce/2024q3/000484.html) (includes [2.5](https://lists.gnu.org/archive/html/info-gnu/2024-07/msg00005.html)))
 - base, dev: libgpg-error ([1.57](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob_plain;f=NEWS;h=52ac1464a0c0af091a3d69e8c5f2f3afa2cc3c9f;hb=39d7b85a7d69975f1dfec5a0add10b4d57dcfc9e))
 - sysext-podman: gpgme ([2.0.1](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=blob_plain;f=NEWS;h=1fd34dbd9143829e9163d402ab0191a9fc6adab2;hb=e4adebe020b07bc47e583817576ce98ca93e9711))
--- a/changelog/updates/2026-01-28-open-vm-tools-13.0.10-update.md
+++ b/changelog/updates/2026-01-28-open-vm-tools-13.0.10-update.md
@ -1 +0,0 @@
 - open-vm-tools ([13.0.10](https://github.com/vmware/open-vm-tools/releases/tag/stable-13.0.10))
--- a/Show More
+++ b/Show More
		`@ -1 +0,0 @@`
			- Configured the services in the overlaybd sysext to start automatically like the other sysexts. Note that the sysext must be enabled at boot time for this to happen, otherwise you need to call `systemd-tmpfiles --create` and `systemctl daemon-reload` first.
		`@ -1 +0,0 @@`
			`- Fixed a kernel boot warning when loading an explicit list of kernel modules in the minimal first-stage initrd ([Flatcar#1934](https://github.com/flatcar/Flatcar/issues/1934))`
		`@ -1 +0,0 @@`
			`- Alpha only: Fixed systemd-sysext payload handling for air-gapped/self-hosted updates which was a known bug for 4487.0.0 ([ue-rs#93](https://github.com/flatcar/ue-rs/pull/93))`
		`@ -1 +0,0 @@`
			`- Alpha only: Added Fusion SCSI disk drivers back to the initrd after they got lost in the rework ([Flatcar#1924](https://github.com/flatcar/Flatcar/issues/1924))`
		`@ -1 +0,0 @@`
			`- Dropped debug symbols from containerd, incus, and overlaybd system extensions to reduce download size.`
		`@ -1 +0,0 @@`
			`- Fixed SSSD startup failure by adding back LDB modules into the image, which got lost after a Samba update ([Flatcar#1919](https://github.com/flatcar/Flatcar/issues/1919))`
		`@ -1 +0,0 @@`
			`- Enabled back PAM sssd support for LDAP authentication ([scripts#3696](https://github.com/flatcar/scripts/pull/3696))`
		`@ -1 +0,0 @@`
			`- Added full terminfo database to support modern terminals like foot and Alacritty.`
		`@ -1 +0,0 @@`
			`- Restored the ability to customize PXE images with OEM data. This was broken since moving to the minimal initrd. ([Flatcar#2023](https://github.com/flatcar/Flatcar/issues/2023))`
		`@ -1 +0,0 @@`
			- Fixed loading Ignition config from the initrd with `ignition.config.url=oem:///myconf.ign`. This was broken since moving to the minimal initrd. ([scripts#3853](https://github.com/flatcar/scripts/pull/3853))