From: Demi Marie Obenour
To: Alyssa Ross
Cc: Spectrum OS Development
Date: Thu, 13 Nov 2025 15:25:21 -0500
Subject: Re: [PATCH v2 6/8] Support updates via systemd-sysupdate
Message-ID: <154426ab-f42b-4c5e-9f0e-8a91abbe7596@gmail.com>
In-Reply-To: <87tsyxc26t.fsf@alyssa.is>
References: <20251112-updates-v2-0-88d96bf81b79@gmail.com> <20251112-updates-v2-6-88d96bf81b79@gmail.com> <87tsyxc26t.fsf@alyssa.is>
List-Id: Patches and low-level development discussion
On 11/13/25 11:44, Alyssa Ross wrote:
> Demi Marie Obenour writes:
>
>> Include a new 'update' command to update the system. This works as
>> follows:
>>
>> 1. Take a global, system-wide lock.
>> 2. Create a BTRFS subvolume for the sys.updates VM to write the updates.
>> 3. Bind-mount this subvolume into the VM's shared directory.
>> 4. Start sys.appvm-updates to get the updates.
>> 5. Wait for the VM to shut down.
>> 6. Take a BTRFS snapshot of the subvolume.
>> 7. Call syncfs() to flush all of the data on the subvolume.
>> 8. Inspect the contents of the subvolume.
>>    Check that everything is a regular file and that the names are reasonable.
>>    Check that SHA256SUMS and SHA256SUMS.gpg are present.
>
> Not any more.

Will fix.

>> 9. Call systemd-sysupdate to run the actual update.
>>
>> sys.appvm-updates uses host-provided information to fetch the update.
>> This allows editing files on the host to change the update URL and
>> signing key.
>>
>> Signed-off-by: Demi Marie Obenour
>> ---
>>  host/rootfs/Makefile                               |  2 +
>>  host/rootfs/default.nix                            | 28 ++++++-
>>  host/rootfs/file-list.mk                           |  4 +
>>  host/rootfs/image/etc/fstab                        |  1 +
>>  .../image/etc/sysupdate.d/50-verity.transfer       | 20 +++++
>>  host/rootfs/image/etc/sysupdate.d/60-root.transfer | 20 +++++
>>  .../image/etc/sysupdate.d/70-kernel.transfer       | 20 +++++
>>  host/rootfs/image/usr/bin/update                   | 89 ++++++++++++++++++++++
>>  host/rootfs/os-release.in                          | 13 ++++
>>  host/rootfs/os-release.in.license                  |  2 +
>>  host/rootfs/updatevm-url-env                       |  3 +
>>  host/rootfs/vm-sysupdate.d/50-verity.transfer      | 18 +++++
>>  host/rootfs/vm-sysupdate.d/60-root.transfer        | 18 +++++
>>  host/rootfs/vm-sysupdate.d/70-kernel.transfer      | 18 +++++
>>  lib/config.default.nix                             |  2 +
>>  lib/config.nix                                     | 11 ++-
>>  lib/fake-update-signing-key.gpg                    |  1 +
>>  lib/fake-update-signing-key.gpg.license            |  2 +
>>  release/live/default.nix                           |  4 +-
>>  release/live/shell.nix                             |  3 +-
>>  vm/app/updates.nix                                 | 37 +++++++++
>>  21 files changed, 309 insertions(+), 7 deletions(-)
>
>> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
>> index b574b8ddf5858867156507429a55b7f537e3c485..0a7638f8d78cf36592c2721d059bc867b04f233c 100644
>> --- a/host/rootfs/default.nix
>> +++ b/host/rootfs/default.nix
>> @@ -5,6 +5,7 @@
>>  import ../../lib/call-package.nix (
>>  { callSpectrumPackage, spectrum-build-tools, src
>>  , pkgsMusl, pkgsStatic, linux_latest
>> +, config
>>  }:
>>  pkgsStatic.callPackage (
>> 
>> @@ -13,6 +14,7 @@ pkgsStatic.callPackage (
>>  , busybox, cloud-hypervisor, cryptsetup, dbus, execline, inkscape
>>  , iproute2, inotify-tools, jq, mdevd, s6, s6-linux-init, socat
>>  , util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
>> +, btrfs-progs
>>  }:
>> 
>>  let
>> @@ -36,6 +38,7 @@ let
>>      cloud-hypervisor cryptsetup dbus execline inotify-tools iproute2
>>      jq mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools
>>      virtiofsd xdg-desktop-portal-spectrum-host
>> +    btrfs-progs
>
> Let's keep this sorted.

Will fix.

>> @@ -79,11 +82,24 @@ let
>>    appvm-firefox = callSpectrumPackage ../../vm/app/firefox.nix {};
>>    appvm-foot = callSpectrumPackage ../../vm/app/foot.nix {};
>>    appvm-gnome-text-editor = callSpectrumPackage ../../vm/app/gnome-text-editor.nix {};
>> +  appvm-updates = callSpectrumPackage ../../vm/app/updates.nix {};
>
> I think appvm-sysupdate or appvm-systemd-sysupdate would be clearer.

Will fix.

>>  };
>> 
>>  packagesSysroot = runCommand "packages-sysroot" {
>>    depsBuildBuild = [ inkscape ];
>>    nativeBuildInputs = [ xorg.lndir ];
>> +  env = {
>> +    VERSION = config.version;
>> +    UPDATE_URL = config.update-url;
>> +  };
>> +  src = fileset.toSource {
>> +    root = ./.;
>> +    fileset = fileset.intersection src (fileset.unions [
>> +      ./vm-sysupdate.d
>> +      ./os-release.in
>> +      ./updatevm-url-env
>> +    ]);
>> +  };
>>  } ''
>>    mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \
>>      $out/usr/share/icons/hicolor/20x20/apps
>> @@ -95,8 +111,7 @@ let
>>    done
>> 
>>    # If systemd-pull is missing systemd-sysupdate will fail with a
>> -  # very confusing error message. If systemd-sysupdate doesn't work,
>> -  # users will not be able to receive an update that fixes the problem.
>> +  # very confusing error message.
>>    for i in sysupdate pull; do
>>      if ! cat -- "$out/usr/lib/systemd/systemd-$i" > /dev/null; then
>>        echo "link to systemd-$i didn't get installed" >&2
>> @@ -118,6 +133,14 @@ let
>>    ln -st $out/usr/share/dbus-1/services \
>>      ${pkgsGui.xdg-desktop-portal-gtk}/share/dbus-1/services/org.freedesktop.impl.portal.desktop.gtk.service
>> 
>> +  mkdir -p -- "$out/etc/updatevm/sysupdate.d"
>> +  substitute "$src/os-release.in" "$out/etc/os-release" --subst-var VERSION
>> +  for d in "$src/vm-sysupdate.d"/*.transfer; do
>> +    result_file=''${d#"$src/vm-sysupdate.d/"}
>> +    substitute "$d" "$out/etc/updatevm/sysupdate.d/$result_file" --subst-var UPDATE_URL
>> +  done
>> +  substitute "$src/updatevm-url-env" "$out/etc/updatevm/url-env" --subst-var UPDATE_URL
>> +
>
> I think it would make more sense to do these at the Make layer. It
> handles other generated files, so I don't see why it can't handle these
> too, and then if I add something to os-release I don't have to rebuild
> any Nix stuff.

Will fix.

>> diff --git a/host/rootfs/image/etc/fstab b/host/rootfs/image/etc/fstab
>> index 6a82ecc85090a37b13603b29f74ca6e554a28c33..78cec99f29dda993ad97048771097121a0e42622 100644
>> --- a/host/rootfs/image/etc/fstab
>> +++ b/host/rootfs/image/etc/fstab
>> @@ -4,3 +4,4 @@ proc /proc proc defaults 0 0
>>  devpts /dev/pts devpts defaults,gid=4,mode=620 0 0
>>  tmpfs /dev/shm tmpfs defaults 0 0
>>  sysfs /sys sysfs defaults 0 0
>> +tmpfs /tmp tmpfs defaults,mode=0700 0 0
>
> Is this used?

No.

>> diff --git a/host/rootfs/image/usr/bin/update b/host/rootfs/image/usr/bin/update
>> new file mode 100755
>> index 0000000000000000000000000000000000000000..cbbf8ad8634a7771a0a5f7d6586ee88cdc0672a8
>> --- /dev/null
>> +++ b/host/rootfs/image/usr/bin/update
>> @@ -0,0 +1,89 @@
>> +#!/bin/execlineb -WS1
>> +# SPDX-License-Identifier: EUPL-1.2+
>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>> +
>> +# Steps:
>> +#
>> +# 1. Take a global, system-wide lock.
>> +# 2. Create a BTRFS subvolume for the sys.updates VM to write the updates.
>> +# 3. Bind-mount this subvolume into the VM's shared directory.
>> +# 4. Start sys.updates to get the updates.
>> +# 5. Wait for the VM to shut down.
>> +# 6. Take a BTRFS snapshot of the subvolume.
>> +# 7. Call syncfs() to flush all of the data on the subvolume.
>> +# 8. Inspect the contents of the subvolume.
>> +#    Check that everything is a regular file and that the names are reasonable.
>> +#    Check that SHA256SUMS and SHA256SUMS.gpg are present.
>
> Not any more.

Will fix in v3.

>> +# 9. Call systemd-sysupdate to run the actual update.
>> +
>> +if { mkdir -p -m 0700 /run/updater }
>> +s6-setlock /run/update-lock
>> +foreground { redirfd -w 2 /dev/null rmdir -- $1 }
>> +if { umask 0077 mkdir -p -- $1 }
>> +cd $1
>> +foreground {
>> +  # If this exists already that is okay.
>> +  foreground { redirfd -w 2 /dev/null btrfs subvolume create -- shared }
>> +
>
> Wouldn't it break if there's already stuff in it?

No, it works fine in this case. I checked :).

> I'd do
>
>   foreground { redirfd -w 2 /dev/null btrfs subvolume delete -- shared }
>   if { btrfs subvolume create -- shared }
>
> and then you know you've got an empty subvolume.

An empty subvolume isn't good: it means that systemd-sysupdate will
redownload an update even when it isn't needed.

>> +  # Snapshot directory may have files or directories with untrusted names.
>> +  # Redirect its output to /dev/null to avoid printing them to the console.
>> +  ifelse -n { redirfd -w 2 /dev/null rm -rf -- snapshot } {
>> +    foreground { redirfd -w 2 echo "Cannot remove snapshot directory" }
>> +    exit 1
>> +  }
>
> Why not btrfs subvolume delete? It's faster and won't print names.

It doesn't distinguish "subvolume doesn't exist" from "problem deleting
subvolume". A better solution is to call `rm -f` if `btrfs subvolume
delete` failed. That ignores "does not exist" errors, but not other errors.

>> +
>> +  backtick -E update_vm_id_ {
>> +    backtick -E id_path { readlink /run/vm/by-name/sys.appvm-updates }
>> +    basename -- $id_path
>> +  }
>> +
>> +  multisubstitute {
>> +    define fsdir /run/vm/by-id/${update_vm_id_}/fs
>> +    define update_vm_id ${update_vm_id_}
>
> Why?

Avoiding serial substitution.

>> +    define svcdir /run/service/vmm/instance/${update_vm_id_}
>
> Can also use /run/vm/by-name/sys.appvm-updates/fs and
> /run/vm/by-name/sys.appvm-updates/service if you prefer, although you
> need to look up the ID for vm-start anyway currently.

I have a patch for that coming up.

>> +  }
>> +
>> +  # $fsdir is read-only to the guest, but read-write to the host.
>> +  # Directories bind-mounted into it are read-write to the guest.
>> +  # See etc/s6-linux-init/run-image/service/vhost-user-fs/template/run
>> +  # for details.
>> +
>> +  # Set up /etc with what the VM needs.  The VM will overlay this
>> +  # on its own /etc.
>> +  if { rm -rf -- ${fsdir}/etc }
>> +  if { umask 022 mkdir -p -- ${fsdir}/updates ${fsdir}/etc/systemd }
>> +  if { cp -R -- /etc/updatevm/sysupdate.d /etc/updatevm/url-env ${fsdir}/etc }
>> +  if { cp -- /etc/systemd/import-pubring.gpg ${fsdir}/etc/systemd }
>
> Why copy rather than bind mount?

Target does not exist and I didn't want to bind-mount all of /etc/systemd.

>> +
>> +  # If the directory is already mounted, unmount it.  This prevents a
>> +  # confusing error from mount.
>> +  foreground { redirfd -w 2 /dev/null umount -- ${fsdir}/updates }
>> +
>> +  # Share the update directory with the VM.
>> +  if { mount --bind -- shared ${fsdir}/updates }
>> +
>> +  # Start the update VM.
>> +  if { vm-start $update_vm_id }
>> +
>> +  # Wait for the VM to exit.
>> +  if { s6-svwait -D ${svcdir} }
>> +
>
> It might be more robust to use a transient VM, like we use for
> AppImages, so that nothing can restart it. Transient VMs are still
> developing though, so it's also fine to say we'll do it this way for now
> and adapt it later. This would also save all the filesystem resetting
> you're needing to do here.

The path to the update directory is user-provided. It's not from the VM's
persistent storage.

>> diff --git a/host/rootfs/os-release.in.license b/host/rootfs/os-release.in.license
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4
>> --- /dev/null
>> +++ b/host/rootfs/os-release.in.license
>> @@ -0,0 +1,2 @@
>> +SPDX-License-Identifier: CC0-1.0
>> +SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>
> os-release files can have comments, so no need for a separate license
> file here.
>
>> diff --git a/lib/config.nix b/lib/config.nix
>> index 01bcfa2bb2d5c412e212f5a60d9032e89c8a7442..5b6b95013734202b7e2e01d5ffce313080658006 100644
>> --- a/lib/config.nix
>> +++ b/lib/config.nix
>> @@ -1,5 +1,6 @@
>> -# SPDX-FileCopyrightText: 2023 Alyssa Ross
>>  # SPDX-License-Identifier: MIT
>> +# SPDX-FileCopyrightText: 2024 Alyssa Ross
>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>
> Why have I changed from 2023 to 2024?

Mistake 🙂

>> 
>>  let
>>    customConfigPath = builtins.tryEval ;
>> @@ -17,5 +18,11 @@ let
>>    callConfig = config: if builtins.typeOf config == "lambda" then config {
>>      inherit default;
>>    } else config;
>> +  finalConfig = default // callConfig config;
>>  in
>> -default // callConfig config;
>> +finalConfig // {
>> +  update-signing-key = builtins.path {
>> +    name = "signing-key";
>> +    path = finalConfig.update-signing-key;
>> +  };
>> +}
>
> What does this do?

This ensures that the Nix store path doesn't depend on the name of the
update signing key, only its contents.

>> diff --git a/lib/fake-update-signing-key.gpg b/lib/fake-update-signing-key.gpg
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..b4c15467614ee15deef02af05f4c6554a1f7a013
>> --- /dev/null
>> +++ b/lib/fake-update-signing-key.gpg
>> @@ -0,0 +1 @@
>> +NOT A VALID KEY - UPDATES WILL NOT WORK
>> diff --git a/lib/fake-update-signing-key.gpg.license b/lib/fake-update-signing-key.gpg.license
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4
>> --- /dev/null
>> +++ b/lib/fake-update-signing-key.gpg.license
>> @@ -0,0 +1,2 @@
>> +SPDX-License-Identifier: CC0-1.0
>> +SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>
> Given it's not a valid key anyway might as well just put this in the file.
>
>> diff --git a/release/live/default.nix b/release/live/default.nix
>> index dc649732ffa46a998a4a66360aa8ff7ef6bccae0..581420da9acf855d4b3d9ececc1ef406f742fd75 100644
>> --- a/release/live/default.nix
>> +++ b/release/live/default.nix
>> @@ -7,7 +7,7 @@ import ../../lib/call-package.nix (
>>  { callSpectrumPackage, spectrum-build-tools, rootfs, src
>>  , lib, pkgsStatic, stdenvNoCC
>>  , cryptsetup, dosfstools, jq, mtools, util-linux
>> -, systemdUkify, version, efi
>> +, systemdUkify, config, efi
>>  }:
>> 
>>  let
>> @@ -49,7 +49,7 @@ stdenv.mkDerivation {
>>      SYSTEMD_BOOT_EFI = "${efi.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
>>      EFI_IMAGE = efi;
>>      EFINAME = "BOOT${toUpper efiArch}.EFI";
>> -    VERSION = version;
>> +    VERSION = config.version;
>>    };
>> 
>>    buildFlags = [ "dest=$(out)" ];
>
> Maybe this should be squashed into an earlier patch?

Correct.

>> diff --git a/vm/app/updates.nix b/vm/app/updates.nix
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..d2c1e5fcb35b37c7ed8a173f19b97894a36a7f0c
>> --- /dev/null
>> +++ b/vm/app/updates.nix
>> @@ -0,0 +1,37 @@
>> +# SPDX-License-Identifier: MIT
>> +# SPDX-FileCopyrightText: 2023 Alyssa Ross
>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>> +
>> +import ../../lib/call-package.nix (
>> +{ callSpectrumPackage, config, curl, lib, src
>> +, runCommand, systemd, writeScript
>> +}:
>> +
>> +let
>> +  update-url = config.update-url;
>> +  mountpoint = "/run/virtiofs/virtiofs0";
>> +  sysupdate-path = "${systemd}/lib/systemd/systemd-sysupdate";
>> +  runner = writeScript "update-run-script"
>> +    ''
>> +      #!/usr/bin/execlineb -P
>> +      if { mount -toverlay -olowerdir=${mountpoint}/etc:/etc -- overlay /etc }
>> +      envfile ${mountpoint}/etc/url-env
>
> Seems like overkill to use an envfile for a single URL?

It is indeed overkill, but I'm not aware of a simpler option. There is
backtick + cat but that's two programs rather than one.

>> +      importas -i update_url UPDATE_URL
>> +      if { ${sysupdate-path} update }
>> +      if { ${curl}/bin/curl -L --proto =http,https
>> +           -o ${mountpoint}/updates/SHA256SUMS.gpg ''${update_url}/SHA256SUMS.gpg }
>> +      # systemd-sysupdate recently went from needing SHA256SUMS.gpg to SHA256SUMS.sha256.asc.
>> +      # I (Demi) have no need if this is intentional or a bug.  I also have no idea if this
>> +      # behavior will stay unchanged in the future.  Therefore, create both files and let
>> +      # systemd-sysupdate ignore the one it isn't interested in.
>> +      if { ln -f ${mountpoint}/updates/SHA256SUMS.gpg ${mountpoint}/updates/SHA256SUMS.sha256.asc }
>
> Would be good to figure out why that happened. If we add a comment like
> this it's very unlikely to ever get cleaned up.

https://github.com/systemd/systemd/issues/39273

>> +      ${curl}/bin/curl -L --proto =http,https
>> +           -o ${mountpoint}/updates/SHA256SUMS ''${update_url}/SHA256SUMS
>> +    '';
>> +in
>> +
>> +callSpectrumPackage ../make-vm.nix {} {
>> +  providers.net = [ "sys.netvm" ];
>> +  type = "nix";
>> +  run = "${runner}";
>
> Might as well inline this.

I chose to keep it separate to improve readability.

>> +}) (_: {})
>>
>> --
>> 2.51.2

--
Sincerely,
Demi Marie Obenour (she/her/hers)
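Review bot: in the packages-sysroot hunk (@@ -79,11 +82,24 @@) of host/rootfs/default.nix, the new `src = fileset.toSource { ... fileset.intersection src (...) }` attribute shadows the outer `src` argument it reads from; it only works because the attrset is not `rec`, so a later `rec` or `let` refactor would silently turn it into infinite recursion. A distinct attribute name (say `sysrootSrc`, a name suggested here) or a `let` binding for the filtered source avoids the trap; `fileset` is also not among the function arguments visible in this patch, so it should be confirmed to be bound (for example as `lib.fileset`) in the unchanged part of the file.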
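Review bot: the comment edit in the @@ -95,8 +111,7 @@ hunk of host/rootfs/default.nix drops the sentence that explains why a missing systemd-pull link is a build failure rather than a warning ("users will not be able to receive an update that fixes the problem"); that rationale is the reason the check is fatal, so keep it, or move it next to the `echo "link to systemd-$i didn't get installed" >&2` line if the comment was shortened for length.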
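Review bot: the added `tmpfs /tmp tmpfs defaults,mode=0700 0 0` line in host/rootfs/image/etc/fstab is unused according to the reply above, so it should be dropped from this patch; if a /tmp mount is wanted later, `mode=0700` makes it usable by root only, and a shared /tmp needs the sticky world-writable `mode=1777`.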
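Review bot: in the error branch of the `ifelse -n { redirfd -w 2 /dev/null rm -rf -- snapshot }` block in host/rootfs/image/usr/bin/update, `redirfd -w 2 echo "Cannot remove snapshot directory"` is not valid execline usage: `redirfd -w 2` takes a file name, so this line opens a file literally named `echo` (in the user-supplied `$1` directory the script has just `cd`ed into) as stderr and then tries to execute a program called `Cannot remove snapshot directory`; the message is never printed. Use `fdmove -c 1 2 echo "Cannot remove snapshot directory"` (or `redirfd -w 1 /dev/stderr echo ...`) instead. Separately, `/run/updater` is created with mode 0700 at the top of the script but never referenced again in the hunk, while the lock is taken on `/run/update-lock`; either the lock file belongs inside that directory or the `mkdir` should go.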
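Review bot: the `update-signing-key = builtins.path { name = "signing-key"; ... }` override in the @@ -17,5 +18,11 @@ hunk of lib/config.nix needs a comment carrying the reason given in the reply above (the store path must depend only on the key's contents, not on the user's file name); without it the indirection looks redundant and the next reader will ask the same question.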
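Review bot: `NOT A VALID KEY - UPDATES WILL NOT WORK` in lib/fake-update-signing-key.gpg fails closed, which is the right default, but with this patch the misconfiguration surfaces only as whatever error gpg or systemd-sysupdate emits when handed this keyring, the same kind of confusing failure the packages-sysroot hunk already works to avoid for systemd-pull. Having the `update` script compare the configured key against this placeholder and refuse with a plain "no update signing key configured" message would make the problem obvious to the operator.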
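Review bot: `--proto =http,https` on both curl invocations in the vm/app/updates.nix runner allows the update URL to be plain HTTP, so everything written to `${mountpoint}/updates` has to be treated as attacker-controlled and authenticity rests entirely on systemd-sysupdate's signature verification against the copied import-pubring.gpg; that is consistent with the design (the VM's output is verified, not trusted), but it deserves a comment, and `--proto =https` would be the safer default unless mirrors need HTTP. Also, the `update-url = config.update-url;` let binding is never used in the hunk (the URL comes from the envfile), and the SHA256SUMS.sha256.asc comment should cite https://github.com/systemd/systemd/issues/39273 from the reply above, with "have no need if" corrected to "have no idea if".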
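The host-side inspection that the commit message lists as step 8, written out as a POSIX sh check that runs over the bind-mounted `shared` directory after the VM has exited: regular files only (symlinks are rejected first, since `-f` follows them), conservative file names, SHA256SUMS and SHA256SUMS.gpg required, and failure messages that never echo an untrusted name. This is an added example, not Spectrum's code; the function names `check_update_dir` and `clear_untrusted_dir` and the exact name policy are assumptions made here.

```shell
#!/bin/sh
# Inspect a directory that an untrusted VM filled with files, as in step 8 of
# the commit message. Names and contents are attacker-controlled, so nothing
# from the directory is ever printed; only a generic reason is reported.
# (Added example; check_update_dir, clear_untrusted_dir and the name policy
# are assumptions, not Spectrum's code.)

# Bracket ranges below are meant as ASCII ranges, independent of locale.
export LC_ALL=C

# check_update_dir DIR
# Returns 0 if every entry in DIR is a regular file whose name consists only
# of [A-Za-z0-9._-] and does not start with '-' or '.', and both SHA256SUMS
# and SHA256SUMS.gpg are present; otherwise prints a reason to stderr that
# does not contain the untrusted name and returns 1.
check_update_dir() {
    dir=$1
    have_sums=0
    have_sig=0
    # Three globs cover normal names, dotfiles, and names starting with "..".
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob is passed through literally; skip those.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # Symlinks first: -f would follow them and report the target's type.
        if [ -L "$entry" ]; then
            echo "rejected: update directory contains a symbolic link" >&2
            return 1
        fi
        if [ ! -f "$entry" ]; then
            echo "rejected: update directory contains a non-regular file" >&2
            return 1
        fi
        case $name in
            -*|.*)
                echo "rejected: file name starts with '-' or '.'" >&2
                return 1 ;;
            *[!A-Za-z0-9._-]*)
                echo "rejected: file name contains disallowed characters" >&2
                return 1 ;;
        esac
        case $name in
            SHA256SUMS)     have_sums=1 ;;
            SHA256SUMS.gpg) have_sig=1 ;;
        esac
    done
    if [ "$have_sums" -ne 1 ] || [ "$have_sig" -ne 1 ]; then
        echo "rejected: SHA256SUMS or SHA256SUMS.gpg is missing" >&2
        return 1
    fi
    return 0
}

# clear_untrusted_dir DIR
# Removes DIR (which may not exist) the way the update script removes its
# snapshot directory: rm's own stderr is discarded so untrusted names never
# reach the console, and a generic message is printed if removal fails.
clear_untrusted_dir() {
    rm -rf -- "$1" 2>/dev/null && return 0
    echo "cannot remove untrusted directory" >&2
    return 1
}

# Usage: check_update_dir /path/to/shared && systemd-sysupdate ...
```

Run it against the directory given to the update script as `$1/shared`; a non-zero exit means the VM's output should be discarded with `clear_untrusted_dir` rather than handed to systemd-sysupdate.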