Aurora gap catchup — Jan–Mar 2026 #255
Description
Aurora gap catchup — Jan–Mar 2026
The cone people never slow down, so I did an analysis of where we're behind and sent a bunch of PRs/fixes to bluefin. I wanted to file it here on the board so it lands in the reports:
Work items
| Priority | Item | Domain | Status |
|---|---|---|---|
| p0 | fix: remove sssd-passkey to fix silent ostree update failures | packages | merged — upstream PR 4356 |
| p1 | feat(ci): add DNF package cache to reusable build workflow | gha | merged — upstream PR 4359 |
| p1 | feat(ci): enable zstd:chunked OCI compression | gha | closed — already present in upstream |
| p1 | chore(ci): add Sigstore build attestations to all build workflows | gha | merged — upstream PR 4369 |
| p1 | feat(security): commit cosign public keys locally | security | pending |
| p2 | feat(ci): add validate-just workflow for Justfile syntax checking | gha | closed — already present in upstream |
| p2 | feat(packages): add gvfs and gvfs-fuse | packages | closed — already present in upstream |
| p2 | feat(ci): upload OCI archive artifact for PR contributor testing | gha | open — upstream PR 4379 |
| p2 | feat(packages): add fcitx5-chewing and fcitx5-m17n | packages | closed — not applicable to Bluefin |
| p2 | fix(packages): remove ROCm from nvidia-dx images / add autofs | packages | merged — upstream PR 4370 |
| p2 | chore(just): remove SUDO_DISPLAY from Justfile | just | open — upstream PR 4377 |
| p2 | fix: clear all versionlocks in clean-stage.sh | build | open — upstream PR 4376 |
| p2 | chore: remove framework-laptop kmod install | build | open — upstream PR 4378 |
| p3 | fix(ci): grant contents:write to generate-release jobs | gha | merged — upstream PR 4371 |
| p3 | chore: remove obsolete ublue-fix-hostname service | oci | closed — already absent in upstream |
Cut items (out of scope)
/run /tmpleak fix — Bluefin clean-stage.sh already handles/tmp; Aurora fix is entangled withContainerfile.in(CPP preprocessor) which Bluefin does not use.- Scorecard hardening — both files are functionally identical; only cosmetic cron/digest differences.
- Artifact retention — lands as part of the OCI archive upload item above.
bash-preexectypo fix (Aurora PR 1955) — Bluefin does not fetch bash-preexec; not applicable.rpm-ostreed.confworkaround (Aurora PR 1873) — Bluefin already shipssystem_files/shared/etc/rpm-ostreed.conf; revisit if the same issue appears.- tesseract-devel (Aurora PR 1788) — excluded per maintainer decision.