Aurora gap catchup — Jan–Mar 2026
The cone people never slow down, so I did an analysis of where we're behind and sent a bunch of PRs/fixes to bluefin. I wanted to file it here on the board so it lands in the reports:
Work items
| Priority |
Item |
Domain |
Status |
| p0 |
fix: remove sssd-passkey to fix silent ostree update failures |
packages |
merged — upstream PR 4356 |
| p1 |
feat(ci): add DNF package cache to reusable build workflow |
gha |
merged — upstream PR 4359 |
| p1 |
feat(ci): enable zstd:chunked OCI compression |
gha |
closed — already present in upstream |
| p1 |
chore(ci): add Sigstore build attestations to all build workflows |
gha |
merged — upstream PR 4369 |
| p1 |
feat(security): commit cosign public keys locally |
security |
pending |
| p2 |
feat(ci): add validate-just workflow for Justfile syntax checking |
gha |
closed — already present in upstream |
| p2 |
feat(packages): add gvfs and gvfs-fuse |
packages |
closed — already present in upstream |
| p2 |
feat(ci): upload OCI archive artifact for PR contributor testing |
gha |
open — upstream PR 4379 |
| p2 |
feat(packages): add fcitx5-chewing and fcitx5-m17n |
packages |
closed — not applicable to Bluefin |
| p2 |
fix(packages): remove ROCm from nvidia-dx images / add autofs |
packages |
merged — upstream PR 4370 |
| p2 |
chore(just): remove SUDO_DISPLAY from Justfile |
just |
open — upstream PR 4377 |
| p2 |
fix: clear all versionlocks in clean-stage.sh |
build |
open — upstream PR 4376 |
| p2 |
chore: remove framework-laptop kmod install |
build |
open — upstream PR 4378 |
| p3 |
fix(ci): grant contents:write to generate-release jobs |
gha |
merged — upstream PR 4371 |
| p3 |
chore: remove obsolete ublue-fix-hostname service |
oci |
closed — already absent in upstream |
Cut items (out of scope)
/run /tmp leak fix — Bluefin clean-stage.sh already handles /tmp; Aurora fix is entangled with Containerfile.in (CPP preprocessor) which Bluefin does not use.- Scorecard hardening — both files are functionally identical; only cosmetic cron/digest differences.
- Artifact retention — lands as part of the OCI archive upload item above.
bash-preexec typo fix (Aurora PR 1955) — Bluefin does not fetch bash-preexec; not applicable.rpm-ostreed.conf workaround (Aurora PR 1873) — Bluefin already ships system_files/shared/etc/rpm-ostreed.conf; revisit if the same issue appears.- tesseract-devel (Aurora PR 1788) — excluded per maintainer decision.
Aurora gap catchup — Jan–Mar 2026
The cone people never slow down, so I did an analysis of where we're behind and sent a bunch of PRs/fixes to bluefin. I wanted to file it here on the board so it lands in the reports:
Work items
Cut items (out of scope)
/run /tmpleak fix — Bluefin clean-stage.sh already handles/tmp; Aurora fix is entangled withContainerfile.in(CPP preprocessor) which Bluefin does not use.bash-preexectypo fix (Aurora PR 1955) — Bluefin does not fetch bash-preexec; not applicable.rpm-ostreed.confworkaround (Aurora PR 1873) — Bluefin already shipssystem_files/shared/etc/rpm-ostreed.conf; revisit if the same issue appears.