This implements updates via systemd-sysupdate. See individual commit
messages for details. There are major changes to the image build
process.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Changes in v2:
- updates-dir-check:
  - Do not check that there is a SHA256SUMS or SHA256SUMS.gpg file in
    the update directory. systemd-sysupdate will fail if it cannot find
    a manifest or its signature.
  - Follow symlinks in opening the directory. The path is from a trusted
    source and will always point to a BTRFS snapshot, never a symlink.
    The only exception is the last component, which is still checked to
    not be a symlink.
- VM:
  - Link SHA256SUMS.sha256.asc to SHA256SUMS.gpg. Recent
    systemd-sysupdate seems to use the former name.
  - Get update URL from host.
  - Use an execline script instead of a shell script.
- Update script:
  - Unmount shared directory if already mounted. This avoids errors
    when mounting it again.
  - Delete old snapshot if present.
  - Provide the VM information with a different directory layout.
  - Do not bind-mount the information passed into the VM into the
    shared VM folder. Instead rely on this folder being read-only to
    the guest. This is enforced by a read-only bind mount in virtiofs's
    mount namespace.
- Testing:
  - Lots of manual update testing.
  - Disable the test for the live image as it doesn't work anymore.
- Nix:
  - Move validation to a separate low-priority patch.
- Documentation:
  - Document that updating the system is now possible.
- Installer:
  - Remove the "Try Spectrum" button.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251029-updates-v1-0-...

---
Demi Marie Obenour (8):
      host/rootfs: Install all programs from util-linuxMinimal
      host/rootfs: Install systemd-pull
      tools: Add directory checker for updates
      Adjust partition layout to support updates
      release: Create directory with system update
      Support updates via systemd-sysupdate
      Documentation: Update support
      lib/config.nix: Validate configuration parameters

 Documentation/development/build-configuration.adoc | 11 ++
 Documentation/installation/index.adoc | 3 +-
 Documentation/using-spectrum/index.adoc | 2 +
 Documentation/using-spectrum/updates.adoc | 29 +++++
 host/efi.nix | 5 +-
 host/initramfs/Makefile | 12 +-
 host/initramfs/default.nix | 1 +
 host/initramfs/etc/init | 17 +--
 host/initramfs/etc/probe | 20 +--
 host/initramfs/shell.nix | 2 +
 host/rootfs/Makefile | 23 ++--
 host/rootfs/busybox-config | 134 +++++++++++++++++++++
 host/rootfs/busybox-config.license | 4 +
 host/rootfs/default.nix | 82 ++++++++-----
 host/rootfs/file-list.mk | 4 +
 host/rootfs/image/etc/fstab | 1 +
 .../image/etc/sysupdate.d/50-verity.transfer | 20 +++
 host/rootfs/image/etc/sysupdate.d/60-root.transfer | 20 +++
 .../image/etc/sysupdate.d/70-kernel.transfer | 20 +++
 host/rootfs/image/usr/bin/update | 89 ++++++++++++++
 host/rootfs/os-release.in | 13 ++
 host/rootfs/os-release.in.license | 2 +
 host/rootfs/shell.nix | 2 +
 host/rootfs/updatevm-url-env | 3 +
 host/rootfs/vm-sysupdate.d/50-verity.transfer | 18 +++
 host/rootfs/vm-sysupdate.d/60-root.transfer | 18 +++
 host/rootfs/vm-sysupdate.d/70-kernel.transfer | 18 +++
 img/app/Makefile | 2 +-
 img/app/default.nix | 1 +
 lib/config.default.nix | 3 +
 lib/config.nix | 41 ++++++-
 lib/fake-update-signing-key.gpg | 1 +
 lib/fake-update-signing-key.gpg.license | 2 +
 lib/kcmdline-utils.mk | 5 +
 release.nix | 2 +
 release/checks/integration/try.c | 4 +
 release/checks/no-roothash.nix | 2 +-
 release/combined/eosimages.nix | 14 ++-
 release/combined/grub.cfg.in | 5 -
 release/live/Makefile | 9 +-
 release/live/default.nix | 8 +-
 release/live/shell.nix | 4 +-
 release/update.nix | 30 +++++
 scripts/format-uuid.awk | 35 ++++++
 scripts/make-gpt.bash | 72 +++++++++++
 scripts/make-gpt.sh | 67 +----------
 scripts/make-live-image.sh | 43 +++++++
 scripts/sfdisk-field.awk | 3 +-
 tools/default.nix | 1 +
 tools/meson.build | 4 +
 tools/updates-dir-check.c | 78 ++++++++++++
 vm/app/updates.nix | 37 ++++++
 vm/sys/net/Makefile | 2 +-
 vm/sys/net/default.nix | 1 +
 54 files changed, 895 insertions(+), 154 deletions(-)
---
base-commit: 001037d8841613f2858e79daee83a930799d2f6c
change-id: 20250928-updates-92e99849e231
prerequisite-patch-id: a756e9643d106f5ce5ab1bb713875f9551ba6e2a
prerequisite-patch-id: 33a6c22a2130e94e6d09bafcab75b8263f66ee75

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
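
The v2 change to updates-dir-check describes following symlinks in the parent components of the update directory path while still refusing a symlink as the last component. The sketch below is an added illustration of that open policy on Linux, not the code in tools/updates-dir-check.c; the function name open_update_dir and its return convention are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper (assumed name, not from the patch series).
 * Parent components of `path` may be symlinks and are followed;
 * O_NOFOLLOW makes the open fail when the last component is one.
 * Returns an open directory fd, or a negative errno value.
 */
int open_update_dir(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;

    /* Confirm the type on the descriptor rather than on the path, so
     * the result still holds for whatever is later done through fd. */
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISDIR(st.st_mode))
        err = ENOTDIR;
    if (err) {
        close(fd);
        return -err;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return EXIT_FAILURE;
    int fd = open_update_dir(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(-fd));
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```

Callers that go on to read the directory should do so relative to the returned descriptor (openat, fdopendir) instead of reopening the path.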