What's Changed

• ci: Bump afterburn version by @cgwalters in #5463
• rechunker: Recursively add directories with user.component xattr by @ckyrouac in #5457
• ci: Update for coreos-assembler API break by @cgwalters in #5470
• fsutil.rs: Make is_dir return correct information by @marcoh00 in #5452
• ci: Drop NEVRA override testing by @cgwalters in #5473
• compose: sort packages before rpmtsOrder() by @champtar in #5469
• treefile: merge 'repo-metadata' config by @champtar in #5471
• compose: Add --lockfile to rpm-ostree compose rootfs by @jlebon in #5475
• compose: allow write-lockfile-to / lockfile / lockfile-strict together by @champtar in #5476
• build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 by @dependabot[bot] in #5477
• Docs for new rechunker features and a test for recursively setting user.component xattr by @ckyrouac in #5448
• treefile,compose: add advisories-metadata option by @champtar in #5474
• rechunker: Parse specific components into (path, checksum) by @ckyrouac in #5465
• compose: Add --label for build-chunked-oci by @jlebon in #5454
• doc:update index.md by @ningmingxiao in #5484
• Fix selinux aliases for /usr/etc/systemd/system by @alexlarsson in #5485
• Release 2025.11 by @jmarrero in #5486

New Contributors

• @marcoh00 made their first contribution in #5452
• @ningmingxiao made their first contribution in #5484

Full Changelog: v2025.10...v2025.11

What's Changed

• rechunk: Use previous-build-manifest if output image is chunked by @ckyrouac in #5434
• Many patches for stderr by @cgwalters in #5439
• rechunker: Support exclusive layers by @ckyrouac in #5431
• rechunker: Use open_image when transport is oci-archive by @ckyrouac in #5445
• Release 2025.10 by @cgwalters in #5446

New Contributors

• @ckyrouac made their first contribution in #5434

Full Changelog: v2025.9...v2025.10

What's Changed

• postprocess: Don't hardcode "targeted" policy by @alexlarsson in #5382
• rust/bwrap: child_wait_check: let gio check status by @dustymabe in #5387
• docs: Describe how to map container -> ostree by @cgwalters in #5385
• rust/bwrap: don't swallow STDERR when running commands by @dustymabe in #5388
• main: Silence SELinux log spam by @cgwalters in #5352
• tests/override-replace-2: increase reliability of selinux override by @dustymabe in #5389
• compose: Cache RPMs if cache dir on separate filesystem by @jlebon in #5391
• libpriv/kernel: Pass through DRACUT_NO_XATTR when running dracut by @jlebon in #5397
• passwd: Prep work for fixing #5365 by @cgwalters in #5398
• libpriv/kernel: Pass through DRACUT_NO_XATTR more cleanly by @jlebon in #5404
• fix(compose): move usermod sysusers.d fragments to correct directory by @cgwalters in #5394
• rust/src/compose: add --write-lockfile-to / --lockfile-strict by @champtar in #5412
• scripts: suppress error about glibc.posttrans scriptlet by @keszybz in #5415
• Update to bootc 1.3.0 by @cgwalters in #5410
• rechunker: Add --format-version=2 by @jeckersb in #5421
• core: Run sysusers after doing passwd/group layering dance by @jlebon in #5403
• Add support for skipping lua scripts via a magic comment by @cgwalters in #5425
• Sync repo templates ⚙ by @coreosbot-releng in #5426
• kernel: Drop check for ostree-container by @cgwalters in #5430
• Un-hide finalization APIs by @cgwalters in #5424
• treefile: Add sysusers: knob by @jlebon in #5427
• Release 2025.9 by @cgwalters in #5432

New Contributors

• @champtar made their first contribution in #5412

Full Changelog: v2025.8...v2025.9

What's Changed

• Various enhancements and tweaks for OCP node image build by @jlebon in #5351
• core: Process ostree layers before running sysusers by @jlebon in #5354
• ci: Update the cargo-deny-action by @jmarrero in #5359
• core: Ignore replaced files in rpmdb write transaction by @jlebon in #5368
• rust/src/compose: Add max-layers opt to compose image by @travier in #5369
• daemon/transaction-types: pass an empty dictionary instead of NULL to… by @IainCollins262 in #5371
• Release 2025.8 by @jmarrero in #5375

Colin Walters (7):
      tree-wide: Run clang-format with clang 20.1.3
      test-container: Update for F42
      tests: Drop testing of ostree-container
      tests/container-image: Rework to handle container base
      tests/cached-sigs: Fix to handle container refspec by default
      tests: Drop override-kernel
      tests/override-replace-2: Update to support f42

Iain Collins (1):
      daemon/transaction-types: pass an empty dictionary instead of NULL to change_origin_refspec

Jonathan Lebon (19):
      treefile: Support inlined conditional includes
      treefile-apply: Add `--var` option
      treefile-apply: Handle `repos` key
      treefile-apply: Enable versionlock plugin when running dnf
      treefile-apply: Tweak `versionlock` hack
      core: Move sysusers docstring to the Rust side
      rust/core: Drop unnecessary Vec
      core: Process ostree layers before running sysusers
      core: Ignore replaced files in rpmdb write transaction
      core: Drop unused variable
      tests/compose: Bump f-c-c commit to f42
      tests/compose: Disable basic test
      tests/compose: Adapt for latest alternatives changes
      tests/compose: Temporarily disable ima test
      tests/compose: Better override opt-usrlocal
      rust/treefile: Fix edition defaulting
      testutils: Stop trying to mutate binaries in /usr/sbin
      libvm: Handle container case when changing refspec to vmcheck
      tests/kolainst: update client-layering-upgrade for f42

Joseph Marrero Corchado (3):
      ci: update cargo-deny-action
      deny.toml: allow LGPL-2.1-or-later WITH GCC-exception-2.0
      Release 2025.8

Timothée Ravier (2):
      rust/src/compose: Show full comment in command line help
      rust/src/compose: Add max-layers opt to compose image

New Contributors

• @IainCollins262 made their first contribution in 5c789dc

Full Changelog: v2025.7...v2025.8

Core

• rpmostree-core: Emulate new %sysusers RPM scriplet by @travier in #5334

Client side

• daemon,app: Support rebasing/deploying specific digests in OCI path by @jlebon in #5325
• app: Hide --os and add --stateroot alias by @jlebon in #5345

Building

• compose-rootfs: Fix perms for / by @cgwalters in #5322
• compose: Stabilize compose build-chunked-oci by @jeckersb in #5326
• docs: expand on chunked images by @jeckersb in #5332
• compose: Ensure tempdir is dropped after commit by @cgwalters in #5339
• README.md: Effectively revert deprecation notice by @cgwalters in #5331
• compose-rootfs: Ensure we don't emit user.ostreemeta by @cgwalters in #5341
• build-chunked-oci: Handle multi-arch, perserve labels by @cgwalters in #5343
• Release 2025.7 by @cgwalters in #5347

New Contributors

• @jeckersb made their first contribution in #5326

Full Changelog: v2025.6...v2025.7

This release stabilizes a new compose rootfs build workflow which is intended for use in container multi-stage builds; for more see its use in fedora-bootc.

There are also some minor tweaks for the rechunking tooling. The existing rechunking done as part of rpm-ostree compose image is stable, but we aim to stabilize the "separate rechunker" currently exposed via rpm-ostree experimental build-chunked-oci in a later release.

What's Changed

• compose-rootfs: Fix gpgkey= with Fedora examples by @cgwalters in #5293
• build-chunked-oci: Propagate creation timestamp with --from by @cgwalters in #5297
• build(deps): bump cxx from 1.0.137 to 1.0.141 by @dependabot in #5300
• build(deps): bump cxx-build from 1.0.136 to 1.0.141 by @dependabot in #5298
• compose: Stabilize compose rootfs by @cgwalters in #5296
• container-encapsulate: Two patches by @cgwalters in #5301
• chunking: Add some error context by @cgwalters in #5305
• chunking: Fix working as rootful by @cgwalters in #5306
• compose-rootfs: Also set xattrs on target root by @cgwalters in #5308
• Bump to latest bootc by @cgwalters in #5309
• chunking: two minor patches by @cgwalters in #5312
• treefile: Set RPMOSTREE_WORKDIR for finalize.d by @cgwalters in #5313
• compose-rootfs: Don't output ostree-container format by @cgwalters in #5315
• compose: Add compose install --postprocess by @cgwalters in #5316
• Release 2025.6 by @cgwalters in #5321

Full Changelog: v2025.5...v2025.6

This release introduces a new experimental command, treefile-apply (#5274). The rpm-ostree compose-rootfs now has a new option, --source-root-rw, which addresses issue #5285. Support for Buildah was also introduced for rpm-ostree compose (#5283). See below for a more complete list of changes:

What's Changed

• compose: More error context for container-encapsulate by @cgwalters in #5267
• chunked-oci: Rework to support --from too by @cgwalters in #5268
• treefile: Add error context for finalize.d by @cgwalters in #5272
• core: Ignore xattrs in copyup for rpmfi overrides by @cgwalters in #5277
• Update bootc by @cgwalters in #5278
• rust: Rename BuildChunkedOCI struct to BuildChunkedOCIOpts by @jlebon in #5273
• ci/prow: Add a Dockerfile for build_root by @cgwalters in #5281
• postprocess: Remove boot/loader by @cgwalters in #5279
• Add experimental compose rootfs by @cgwalters in #5275
• build(deps): bump openssl from 0.10.68 to 0.10.70 by @dependabot in #5271
• build(deps): bump tempfile from 3.15.0 to 3.16.0 by @dependabot in #5270
• build(deps): bump rustix from 0.38.43 to 0.38.44 by @dependabot in #5256
• compose: Support buildah too by @cgwalters in #5283
• build(deps): bump serde_json from 1.0.135 to 1.0.138 by @dependabot in #5269
• Add new treefile-apply experimental command by @jlebon in #5274
• ci/test-container.sh: Make it easier to execute locally and run treefile-apply test earlier by @jlebon in #5286
• core: Use source root for repos if set by @cgwalters in #5284
• Release 2025.5 by @jmarrero in #5292

Full Changelog: v2025.4...v2025.5

This is a bugfix release with fixes for kernel-install integration and rpmdb cleanup.

When running on package mode systems now we will avoid calling into rpm-ostree kernel-install #5259 and when rpm-ostree kernel-install is called we will check if we are cli wrapping systemctl and unwrap it to allow the initramfs to be created correctly.

When running rpmdb cleanup now we make sure to close any open connection to the rpmdb. #5247

Colin Walters (2):
      container: Do rpmdb cleanup in outer scope
      build-sys: Bump version to 2025.3

Joseph Marrero Corchado (3):
      05-rpmostree.install: check for layout=ostree and install.conf presence
      kernel_install: unwrap systemd if it's wrapped
      packaging/spec: remove kernel_install conditional

Full Changelog: v2025.3...v2025.4

What's Changed

The main goal of this release is to fix #5251

• ci: Run Rust unit tests by @cgwalters in #5245
• compose: Drop rpmdb sqlite journaling files if rpmdb-normalize by @cgwalters in #5244
• tmpfiles: Misc cleanup patches by @cgwalters in #5248
• Update bootc by @cgwalters in #5253
• Release 2025.3 by @cgwalters in #5258

Full Changelog: v2025.2...v2025.3

This release introduces an experimental feature build-chunked-oci which allows composes to output chunked OCI images #5222. Rpm-ostree also now prints OSTree signature verification text when pulling OCI images. #5223 signature. A significant bug was fixed on #5241 which fixes a bug introduced on #5135 which always wrapped kernel-install.

On top of these main changes, this release includes enhancements to packaging and CI.

Colin Walters (7):
      libpriv/rpm: Always copy rpmdb even in user mode checkouts
      Use ostree-ext from bootc
      spec: Add version conditionals
      experimental: Add `build-chunked-oci`
      core/cliwrap: Fix is_ostree_layout() in unit tests
      tests/compose: Canonicalize perms for root
      compose: Move tmpfiles generation into tmpfiles module

Jonathan Lebon (1):
      daemon/upgrader: Print OSTree signature verification text when pulling OCI

Joseph Marrero Corchado (1):
      Release 2025.2

Timothée Ravier (1):
      scripts: Skip kernel-16k posttrans scripts

Xiaofeng Wang (1):
      copr: fix "No matching package to install: 'rust-packaging'" in RHEL and CentOS Stream package building

Full Changelog: v2025.1...v2025.2