Upstream ledger: contribution queue, watch list, validated-keeps (bootc, rpm-ostree, dracut-ng, systemd, containers/image, Fedora)
## Purpose
The durable upstream ledger for basef: what we carry because upstream can't
do it yet (contribution queue), what we watch for release-driven change, what
upstream has validated as permanently ours, and what each sweep retired.
Full sweep completed 2026-06-09 against every annotated operation in the
Containerfile, treefile manifests, and the carmine instance layer (37 items
examined; method: extract every deviation, then verify current upstream state
per item).
## Contribution queue (ranked by ROI)
### 1. dracut-ng: multicall-symlink install fix
systemd 259 made systemd-fstab-generator/systemd-cryptsetup multicall
binaries dispatched by symlinks; dracut's `10systemd` module installs them
via `inst_multiple -o`, which silently drops the symlinks in chroot/compose
builds (target lands, link doesn't), breaking initrd-parse-etc.service with
203/EXEC. We carry an `install_items` drop-in. No upstream issue or PR
exists; the mechanism is confirmed in current main, and an adjacent open
issue ([dracut-ng#2456](https://github.com/dracut-ng/dracut/issues/2456))
plus unresolved [Fedora field reports](https://discussion.fedoraproject.org/t/entering-dracut-after-upgrade-initrd-parse-etc-service-failed-at-step-exec-spawning-usr-lib-systemd-systemd-sysroot-fstab-check-no-such-file-or-directory/146603)
show demand. Shape: file issue + PR fixing symlink resolution in the
dracut-install path for sysroot builds. Our highest-value patch; greenfield.
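Gate for this item, added here as an example rather than code from basef or dracut: parse the `lsinitrd` long listing of a built initramfs and fail if an expected multicall symlink is absent or points elsewhere. The one link pair included is the one named in the Fedora report above (systemd-sysroot-fstab-check -> systemd-fstab-generator); the systemd-cryptsetup side is left out because this page does not name those links, so EXPECTED is an assumption to extend from the systemd actually in the compose. The two listings are constructed.

```python
"""Preflight: confirm the multicall symlinks actually landed in the initramfs.

Added example, not basef's drop-in and not dracut code. Parses the cpio -tv
style listing that `lsinitrd <image>` prints (symlinks appear as
`name -> target`) and reports every expected link that is missing or points
somewhere else. EXPECTED holds only the pair named in the Fedora report;
extend it for your systemd (assumption, not taken from the ledger).
"""
import posixpath
import subprocess
from typing import Dict, List, Optional, Tuple

# link path inside the initramfs -> expected target. Only basenames are compared:
# multicall dispatch keys off argv[0] (the link name), not the target's directory.
EXPECTED: Dict[str, str] = {
    "usr/lib/systemd/systemd-sysroot-fstab-check": "systemd-fstab-generator",
}

# Constructed listings in lsinitrd's long format: a healthy initrd, and one where
# the compose kept the target but dropped the symlink (the 203/EXEC case).
GOOD_LISTING = """\
drwxr-xr-x   2 root     root            0 Jan  1  1970 usr/lib/systemd
-rwxr-xr-x   1 root     root       137536 Jan  1  1970 usr/lib/systemd/systemd-fstab-generator
lrwxrwxrwx   1 root     root           23 Jan  1  1970 usr/lib/systemd/systemd-sysroot-fstab-check -> systemd-fstab-generator
"""
BROKEN_LISTING = "\n".join(GOOD_LISTING.splitlines()[:2]) + "\n"


def parse_links(listing: str) -> Dict[str, str]:
    """Map every symlink entry in a cpio -tv style listing to its target."""
    links: Dict[str, str] = {}
    for line in listing.splitlines():
        if not line.startswith("l"):
            continue  # only symlink entries have a mode string starting with 'l'
        # mode nlink user group size month day year|time name [-> target]
        fields = line.split(None, 8)
        if len(fields) < 9 or " -> " not in fields[8]:
            continue  # header lines, module names, or a non-link that happened to start with 'l'
        name, target = fields[8].split(" -> ", 1)
        links[name.strip().lstrip("./")] = target.strip()
    return links


def missing_links(links: Dict[str, str],
                  expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, Optional[str]]]:
    """(link, wanted target, actual target or None) for every expected link that is absent or wrong."""
    problems = []
    for link, want in expected.items():
        actual = links.get(link)
        if actual is None or posixpath.basename(actual) != posixpath.basename(want):
            problems.append((link, want, actual))
    return problems


def dracut_dropin(expected: Dict[str, str] = EXPECTED) -> str:
    """Shape of the dracut.conf.d line that forces the links in: install_items is a
    space-separated list and += appends to whatever other conf.d files already set."""
    return 'install_items+=" ' + " ".join("/" + p for p in expected) + ' "\n'


def check_image(image_path: str,
                expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, Optional[str]]]:
    """Run lsinitrd on a real image; an empty list means the gate passes."""
    out = subprocess.run(["lsinitrd", image_path], check=True,
                         capture_output=True, text=True).stdout
    return missing_links(parse_links(out), expected)


if __name__ == "__main__":
    import sys
    problems = (check_image(sys.argv[1]) if len(sys.argv) > 1
                else missing_links(parse_links(BROKEN_LISTING)))
    for link, want, actual in problems:
        print(f"FAIL {link}: expected -> {want}, found {actual}")
    sys.exit(1 if problems else 0)
```

Run it against the initrd the compose produced (`python3 gate.py /path/to/initramfs.img`); with no argument it replays the constructed broken listing and exits 1. Comparing basenames rather than full target paths is deliberate: the link may be relative or absolute depending on how the target was installed, and either works for argv[0] dispatch.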
### 2. rpm-ostree: rootless-compose selftest skip
`rpm-ostree compose rootfs` runs a bwrap selftest that needs CAP_NET_ADMIN;
under rootless podman it fails, forcing our `container=systemd-nspawn` env
workaround. [PR #5487](https://github.com/coreos/rpm-ostree/pull/5487)
(merged 2025-09) made only the rechunker rootless; releases through v2026.2
carry nothing for compose, and no open issue exists. Shape: file issue
referencing #5487 + a small `--no-sandbox-selftest` (or env-skip) PR.
Greenfield, small, kills the hack at the source.
### 3. bootc: revive PR #1570 (uid-drift lint)
[bootc#1562](https://github.com/bootc-dev/bootc/issues/1562) has a stale
lint PR ([#1570](https://github.com/bootc-dev/bootc/pull/1570), untouched
since 2025-09) and an explicit maintainer mentoring offer (cgwalters,
2025-08-31) sitting unanswered. Reviving a stalled PR with maintainer
support pre-offered is the cheapest credible entry into bootc. Context:
maintainer comments in [#1263](https://github.com/bootc-dev/bootc/issues/1263)
(2026-01) put the burden on image builders pinning UIDs — i.e. upstream
endorses our check-passwd approach as the intended pattern.
### 4. containers/image: push PR #625 over the line (unblocks #15)
The keyless-verify gap ([container-libs#388](https://github.com/containers/container-libs/issues/388))
has NOT moved: image v5.37-v5.40 shipped no identity-matcher changes, and
jlebon's policy-plugins.d idea remains a comment with fresh maintainer
skepticism (mtrmac, 2026-05-25). But [PR #625](https://github.com/containers/container-libs/pull/625)
(`buildSignerURI`, OID-based matching) is review-starved, not contested:
LGTM'd, awaiting mtrmac since February. Shape: supply our production GitLab
Fulcio certificate as a test fixture + nudge for review. A plain
`subjectURI` field would likely hit the same semantic objection that killed
[containers/image#2235](https://github.com/containers/image/pull/2235); the OID approach in #625 is the defensible path.
When it lands and ships, #15's re-enable runbook activates. The old
"re-check monthly" ritual in #15 is superseded by this issue's sweep cadence.
### 5. bootc: remount-fs vs composefs
Our masked systemd-remount-fs failure ("overlay: No changes allowed in
reconfigure") is verbatim [bootc#971](https://github.com/bootc-dev/bootc/issues/971)
(open, updated 2026-02). Shape: comment with the composefs repro; a
"skip/condition remount-fs when composefs" change to bootc's fixup-etc-fstab
generator is a viable mid-size PR. Mask stays until then.
### 6. Fedora: chrony StateDirectory SELinux denial reproducer
[BZ 2479883](https://bugzilla.redhat.com/show_bug.cgi?id=2479883) (NEW,
filed 2026-05-19 by a third party) confirms the chronyd setattr-on-drift
denial reproduces on F44 WITHOUT our uid-orphaning trigger. Shape: comment
our reproducer (UID change + StateDirectory chown path) to help triage.
Risk + fallback tracked in #11 (operator decision: if chrony keeps fighting
F44, drop it for systemd-timesyncd and accept losing NTS).
### 7. Trivial credits
- setroubleshoot F44 runtime breakage ("No module named six") is unreported
upstream — file the missing-Requires bugzilla. We remove the package
regardless (#16).
- [openzfs#12641](https://github.com/openzfs/zfs/issues/12641) — kmod-style
(non-DKMS) builds for immutable distros; our standing hook if we want the
source-build pattern upstreamed.
## Watch list (release-driven)
- **OpenZFS vs Fedora kernel — AT THE BOUNDARY.** F44 ships kernel 7.0.x
(7.0.11 now; our kmods build against it). OpenZFS 2.4.2's declared ceiling
is 7.0 — one Fedora minor-kernel bump to 7.1 exceeds it. Preflight will
catch the build break, but expect a window where the kernel must wait for
an OpenZFS point release. Watch openzfs releases for 7.1 support.
- **bootc base tooling direction**: bootc-native base builds
([PR #2100](https://github.com/bootc-dev/bootc/pull/2100)) closed unmerged
2026-03 — rpm-ostree compose remains the right horse;
`bootc-base-imagectl` wraps it and inherits the same manifests. Re-assess
if a bootc-native path ships.
- **restorecon root causes**: [bootc#1621](https://github.com/bootc-dev/bootc/issues/1621)
+ [#1622](https://github.com/bootc-dev/bootc/issues/1622) both open, no
fix PR; our boot-time restorecon.service stays until they close.
- **NVIDIA driver branches**: 610 is the current feature branch (May 2026);
595 maintained and rpmfusion's F44 default. Renovate handles the bump;
the expected.txt major gap is #18.
- **[fedora-coreos-tracker#1599](https://github.com/coreos/fedora-coreos-tracker/issues/1599)** (nss-altfiles switch) — would change the
passwd split assumptions; open.
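Preflight for the first watch-list item (the OpenZFS kernel ceiling), added here as an example and not basef's own preflight or OpenZFS code. OpenZFS declares its supported kernel range as major.minor pairs in the `Linux-Maximum:` / `Linux-Minimum:` lines of the META file at the top of its source tree; the check below compares the kernel release's major.minor against that window, which is why 7.0.11 passes a 7.0 ceiling and any 7.1.x fails it. META_SAMPLE is constructed around the 2.4.2 ceiling quoted above; its Linux-Minimum value is a placeholder.

```python
"""Preflight: refuse the kmod build when the kernel is past OpenZFS's declared ceiling.

Added example, not basef's preflight and not OpenZFS code. Reads the
Linux-Maximum/Linux-Minimum lines from OpenZFS's META file and compares the
kernel's major.minor (from `uname -r` or the kernel-devel version) against them.
META_SAMPLE is constructed; only the 7.0 ceiling comes from the ledger.
"""
import re
from typing import Optional, Tuple

META_SAMPLE = """\
Meta:          1
Name:          zfs
Version:       2.4.2
Linux-Maximum: 7.0
Linux-Minimum: 4.18
"""


def meta_bound(meta: str, key: str) -> Optional[Tuple[int, int]]:
    """(major, minor) from a `Key: X.Y` line in META, or None if the key is absent."""
    m = re.search(rf"^{re.escape(key)}:\s*(\d+)\.(\d+)", meta, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def kernel_major_minor(release: str) -> Tuple[int, int]:
    """(major, minor) of a kernel release string such as '7.0.11-300.fc44.x86_64'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def zfs_supports_kernel(release: str, meta: str) -> bool:
    """True when Linux-Minimum <= kernel major.minor <= Linux-Maximum.
    Patch level is ignored on purpose: OpenZFS's ceiling is a minor-version bound."""
    kver = kernel_major_minor(release)
    ceiling = meta_bound(meta, "Linux-Maximum")
    floor = meta_bound(meta, "Linux-Minimum")
    if ceiling is None:
        raise ValueError("META has no Linux-Maximum line")
    if kver > ceiling:
        return False
    return floor is None or kver >= floor


def preflight(release: str, meta: str) -> str:
    """One-line verdict for the CI log."""
    ok = zfs_supports_kernel(release, meta)  # raises if META is unusable
    lo = meta_bound(meta, "Linux-Minimum")
    hi = meta_bound(meta, "Linux-Maximum")
    window = (f"{lo[0]}.{lo[1]}" if lo else "") + f"..{hi[0]}.{hi[1]}"
    kmaj, kmin = kernel_major_minor(release)
    state = "inside" if ok else "OUTSIDE"
    return f"kernel {kmaj}.{kmin} ({release}) is {state} the OpenZFS window {window}"


if __name__ == "__main__":
    import subprocess
    import sys
    meta = open(sys.argv[1]).read() if len(sys.argv) > 1 else META_SAMPLE
    release = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True, check=True).stdout.strip()
    print(preflight(release, meta))
    sys.exit(0 if zfs_supports_kernel(release, meta) else 1)
```

Point it at the META file of the OpenZFS checkout the kmods are built from (`python3 zfs-preflight.py zfs/META`); in the compose the release string should be the kernel-devel version being built against rather than the build host's `uname -r`.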
## Validated as permanently ours (upstream ships the same thing)
The sweep confirmed these are not friction to fix but convergence with
upstream practice — Fedora's own base-images carry the identical content,
and since basef IS a base layer (from-scratch, not FROM fedora-bootc), we
must carry them ourselves:
- tmp.mount wants-symlink (their minimal/basic-fixes.yaml does the same)
- tmpfiles shadow files for home.conf/provision.conf (their tmpfiles.yaml
removes/edits the same rules; systemd's refusal to follow symlinks is
deliberate, a semantics PR would be rejected)
- `rm /etc/systemd/system/* && systemctl preset-all` canonicalization
(their systemd-presets.yaml, verbatim, citing [rpm-ostree#1803](https://github.com/projectatomic/rpm-ostree/issues/1803))
- the treefile quad: opt-usrlocal root, machineid-compat, rpmdb-normalize,
ignore-removed (their postprocess-conf.yaml sets all four explicitly;
none are defaults)
- check-passwd/check-groups file-type pinning (their check-passwd.yaml)
- finalize.d/01-var.sh (mirrors theirs; NOTE: rpm-ostree executes
`<manifest-dir>/finalize.d/*` automatically — the directory is the API,
no in-repo reference exists. Removal proven fatal by smoke gate I,
pipeline 2589736613.)
- bootupd configs.d timeout drop-in (extension point confirmed current)
- hostonly=no (dracut auto-detects containers for other knobs, not this)
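Lint for the treefile entries in this list (the four-key quad and the check-passwd/check-groups file pinning), added as an example and not rpm-ostree or fedora-bootc code. It takes a treefile already parsed into a dict and reports keys that are absent or set to something other than the base-layer value. Key names follow the rpm-ostree treefile reference; the expected values and the reading of "ignore-removed" as `ignore-removed-users`/`ignore-removed-groups` are assumptions drawn from this ledger, so adjust REQUIRED to your own manifests. SAMPLE is constructed.

```python
"""Lint a treefile for the settings the sweep found must be explicit.

Added example, not rpm-ostree or fedora-bootc code. Input is a parsed treefile
(json.load, or yaml.safe_load for YAML manifests). REQUIRED values and the
ignore-removed-* reading are assumptions from the ledger, not verified upstream.
"""
import json
from typing import Any, Dict, List

# treefile key -> value a from-scratch base layer must set explicitly (none are defaults)
REQUIRED: Dict[str, Any] = {
    "opt-usrlocal": "root",
    "machineid-compat": False,
    "rpmdb-normalize": True,
}
LIST_KEYS = ("ignore-removed-users", "ignore-removed-groups")
PINNED_FILES = ("check-passwd", "check-groups")


def lint_treefile(tree: Dict[str, Any]) -> List[str]:
    """Problems in stable order; an empty list means the treefile carries the full set."""
    problems: List[str] = []
    for key, want in REQUIRED.items():
        if key not in tree:
            problems.append(f"{key}: not set; the default is not {want!r}")
        elif tree[key] != want:
            problems.append(f"{key}: {tree[key]!r}, expected {want!r}")
    for key in LIST_KEYS:
        if not isinstance(tree.get(key), list):
            problems.append(f"{key}: must be an explicit list (may be empty)")
    for key in PINNED_FILES:
        spec = tree.get(key)
        if (not isinstance(spec, dict) or spec.get("type") != "file"
                or not spec.get("filename")):
            problems.append(f'{key}: must pin to a file ({{"type": "file", "filename": ...}})')
    return problems


def lint_path(path: str) -> List[str]:
    """Lint a JSON treefile on disk."""
    with open(path) as f:
        return lint_treefile(json.load(f))


# Constructed treefile fragment that passes the lint.
SAMPLE: Dict[str, Any] = {
    "ref": "basef/x86_64/base",
    "opt-usrlocal": "root",
    "machineid-compat": False,
    "rpmdb-normalize": True,
    "ignore-removed-users": [],
    "ignore-removed-groups": [],
    "check-passwd": {"type": "file", "filename": "passwd"},
    "check-groups": {"type": "file", "filename": "group"},
}

if __name__ == "__main__":
    import sys
    problems = lint_path(sys.argv[1]) if len(sys.argv) > 1 else lint_treefile(SAMPLE)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Treefiles that include other manifests via `include` need to be flattened before linting (the lint only sees the dict it is handed), which is the usual gap when a key is set in a shared manifest rather than the one being checked.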
## Resolved mysteries (no upstream gap)
- **homed preset anomaly**: presets by spec never govern alias units, and
D-Bus activation starts services regardless of enablement
([systemd#15083](https://github.com/systemd/systemd/issues/15083), closed
as use-mask). Our dbus-alias mask is the canonical mechanism, not a
workaround.
- **`empower` gid 999**: introduced by systemd v259 itself (run0 --empower,
sysusers.d/basic.conf.in) — the concrete F43→F44 trigger for the chrony
displacement. Allocation stability for image systems is an open
discussion ([LWN](https://lwn.net/Articles/1018082/)); local pinning
remains correct indefinitely.
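The uid/gid drift check behind queue item 3 and the `empower` note above, added here as an example; it is neither bootc's stale lint PR nor basef's own check-passwd machinery. Given the passwd and group files from the previous build and the new one, it reports every name whose numeric id moved, every name that disappeared, and which newcomer now holds the old id. The sample group files are constructed to replay the shape of the F43 to F44 case: a new `empower` group takes gid 999 and chrony is renumbered underneath it.

```python
"""uid/gid drift lint between two image builds.

Added example; not bootc PR #1570 and not basef's check-passwd pinning. Works on
passwd(5) and group(5) text alike because field 3 is the numeric id in both.
OLD_GROUP/NEW_GROUP are constructed; only gid 999 comes from the ledger.
"""
import os
from typing import Dict, List


def parse_ids(text: str) -> Dict[str, int]:
    """name -> numeric id for a passwd- or group-format file."""
    ids: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed entry: {line!r}")
        ids[fields[0]] = int(fields[2])
    return ids


def drift(old: Dict[str, int], new: Dict[str, int]) -> List[str]:
    """Findings in stable order; an empty list means the allocation is unchanged."""
    holders: Dict[int, List[str]] = {}
    for name, nid in new.items():
        holders.setdefault(nid, []).append(name)
    findings: List[str] = []
    for name, oid in sorted(old.items()):
        if name not in new:
            findings.append(f"{name}: removed (was {oid})")
            continue
        nid = new[name]
        if nid == oid:
            continue
        # the displacement case: report who now sits on the id this name used to own
        takers = [n for n in holders.get(oid, []) if n != name]
        note = f" (id {oid} now held by {', '.join(takers)})" if takers else ""
        findings.append(f"{name}: {oid} -> {nid}{note}")
    return findings


def lint_trees(old_root: str, new_root: str) -> Dict[str, List[str]]:
    """Compare etc/passwd and etc/group between two extracted image rootfs trees."""
    report: Dict[str, List[str]] = {}
    for rel in ("etc/passwd", "etc/group"):
        with open(os.path.join(old_root, rel)) as f_old, \
                open(os.path.join(new_root, rel)) as f_new:
            report[rel] = drift(parse_ids(f_old.read()), parse_ids(f_new.read()))
    return report


# Constructed group files: before and after a systemd bump that adds a new system group.
OLD_GROUP = """\
root:x:0:
systemd-journal:x:190:
chrony:x:999:
"""
NEW_GROUP = """\
root:x:0:
systemd-journal:x:190:
empower:x:999:
chrony:x:998:
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        findings = [f"{k}: {line}" for k, v in lint_trees(sys.argv[1], sys.argv[2]).items() for line in v]
    else:
        findings = drift(parse_ids(OLD_GROUP), parse_ids(NEW_GROUP))
    print("\n".join(findings) or "no drift")
    sys.exit(1 if findings else 0)
```

A non-empty report is exactly the condition under which the StateDirectory chown path in item 6 fires (a directory owned by the old numeric id is now owned by nobody the new image knows), so this is the place to fail the pipeline before the image is tagged.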
## Retired by this sweep (delete from our tree)
- smoke.sh `bootc install --help` flag probing — `--karg` and
`--root-ssh-authorized-keys` stable since bootc v0.1.8 (2024-03);
assert a version floor instead.
- `DRACUT_NO_XATTR=1` conf.d line — upstream default since dracut 110
([PR #1987](https://github.com/dracut-ng/dracut/pull/1987)); F44 carries
newer.
Both land with the post-tag image batch (#16, #18, #19).
## Cadence
Sweep this ledger when bumping the Fedora release, and opportunistically on
bootc/rpm-ostree/dracut-ng release notes. Each sweep: re-check queue-item
states, move the landed ones to Retired, and refresh the watch list. This
issue supersedes the per-issue re-check rituals (notably #15's).