flatcar · github-actions · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
@@ -3,8 +3,8 @@ EXTRA_SYSEXTS=(
   "incus|app-containers/incus"
   "nvidia-drivers-535|x11-drivers/nvidia-drivers:0/535|-kernel-open persistenced|amd64"
   "nvidia-drivers-535-open|x11-drivers/nvidia-drivers:0/535|kernel-open persistenced|amd64"
-  "nvidia-drivers-550|x11-drivers/nvidia-drivers:0/550|-kernel-open persistenced|amd64"
-  "nvidia-drivers-550-open|x11-drivers/nvidia-drivers:0/550|kernel-open persistenced|amd64"
+  "nvidia-drivers-550|x11-drivers/old-nvidia-drivers:0/550|-kernel-open persistenced|amd64"
+  "nvidia-drivers-550-open|x11-drivers/old-nvidia-drivers:0/550|kernel-open persistenced|amd64"
   "nvidia-drivers-570|x11-drivers/nvidia-drivers:0/570|-kernel-open persistenced|amd64"
   "nvidia-drivers-570-open|x11-drivers/nvidia-drivers:0/570|kernel-open persistenced|amd64"
   "podman|app-containers/podman,net-misc/passt"

@@ -0,0 +1,2 @@
+- nvidia-drivers ([CVE-2025-23277](https://www.cve.org/CVERecord?id=CVE-2025-23277), [CVE-2025-23278](https://www.cve.org/CVERecord?id=CVE-2025-23278), [CVE-2025-23279](https://www.cve.org/CVERecord?id=CVE-2025-23279), [CVE-2025-23286](https://www.cve.org/CVERecord?id=CVE-2025-23286))
+- python ([CVE-2025-6069](https://www.cve.org/CVERecord?id=CVE-2025-6069), [CVE-2025-8194](https://www.cve.org/CVERecord?id=CVE-2025-8194))
@@ -0,0 +1,7 @@
+- azure, dev, gce, sysext-python: python (3.11.13_p1)
+- base, dev: curl ([8.14.1](https://curl.se/ch/8.14.1.html) (includes [8.14.0](https://curl.se/ch/8.14.0.html)))
+- base, dev: nvidia-drivers-service (amd64) ([535.261.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-261-03/index.html))
+- base, dev: nvidia-drivers-service (arm64) ([570.172.08](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-172-08/index.html))
+- sysext-nvidia-drivers-535, sysext-nvidia-drivers-535-open: nvidia-drivers ([535.261.03](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-535-261-03/index.html))
+- sysext-nvidia-drivers-570, sysext-nvidia-drivers-570-open: nvidia-drivers ([570.172.08](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-570-172-08/index.html))
+- sysext-python: distlib ([0.4.0](https://github.com/pypa/distlib/blob/0.4.0/CHANGES.rst#040))
@@ -0,0 +1 @@
+nvidia-drivers
@@ -78,9 +78,6 @@ dev-cpp/azure-security-keyvault-keys
 # Keep versions on both arches in sync.
 =dev-util/xdelta-3.0.11-r1 ~arm64
 
-# Needed to address CVE-2024-11187, CVE-2024-12705
-=net-dns/bind-9.18.37-r1 ~arm64
-
 # Keep versions on both arches in sync.
 =net-firewall/conntrack-tools-1.4.8-r1 ~arm64
 
@@ -90,6 +87,7 @@ dev-cpp/azure-security-keyvault-keys
 # Keep versions on both arches in sync.
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
+=net-misc/curl-8.14.1 ~arm64
 
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the

@@ -196,3 +196,7 @@ sys-libs/libcap static-libs
 
 # do not force a dependency on llvm-core/llvm yet
 dev-lang/rust -system-llvm
+
+# disable mpfr in gawk, this ends up being pulled into initrd, making
+# it grow by another 2mb
+sys-apps/gawk -mpfr
@@ -34,3 +34,4 @@ app-emulation/qemu X
 
 # disable all tools for NVIDIA driver, keep just kmods
 x11-drivers/nvidia-drivers tools X static-libs
+x11-drivers/old-nvidia-drivers tools X static-libs
@@ -0,0 +1,8 @@
+DIST NVIDIA-Linux-aarch64-550.163.01.run 236409124 BLAKE2B 21c79346f6b739f44d7ed2d4955129613f51e1329ff15948ef50a9a06b82975ad890d6142e5dfb163e7b0da19bf5c26029cf507d120037f8a76abc177a286403 SHA512 0ef4ab4aae308ec0cfb5458cef34a1503ac1a85f0e1d0c9f061d8e28f939b15784e3862d96d83e93123d9eb56807a6804318ce230ee68917fb75e363011f8304
+DIST NVIDIA-Linux-x86_64-550.163.01.run 307143336 BLAKE2B 256106bcd3bace402289e60aca4cd3b447d0fd8ec3dabd50e2bb303c5e866f8da5c28f9b578d95775bf69158f100d68a91d20d9a91426285a8e799817f21db6b SHA512 676b1de35d21e80091528a49080c114e0870ea90b3f3721265ae8071abbc2183c851e6f11ba96a332c743fedfaf4ec9a014ad6ceed586fdbb03d94d33405e356
+DIST NVIDIA-kernel-module-source-550.163.01.tar.xz 13552400 BLAKE2B e1fd753127d10097c5f1d3c90d95c7eb0934c0d5e1df0a371aed2a0d7669960b67c46eed20eec3c42ca41c0f34bf6d7d3d2a77a94308c9f86d4f5d831da19363 SHA512 c9f4ce2890db3fdc66dd080da4d6802a8bc3b18feba96be5d33641b02cca637b1bcd2a3748f36f93a32f26ba57eb352156314f139688b0d3a102efdfde6c32ba
+DIST nvidia-installer-550.163.01.tar.bz2 155861 BLAKE2B 662064b3ceb4aadebde419057d85c6b4e28b91944bd5bab241bcba9b3c9a105e507afc7651b17fff01e1cccb78d66fdc6789597ce059f882a6f322b08f28e832 SHA512 f8df7a0eccdecb7d4d4f47d96050cdbefff91289b29550b061358614845648451d4b161d9bdbfbf5a9a87ce650d272cb3b795e6d2ed4d0274844a56db097bd15
+DIST nvidia-modprobe-550.163.01.tar.bz2 41448 BLAKE2B 23e567d612e669ec6ae9f389651c9e1cebe7ba59ee95bb5961e5071952697860df77f02026040e29135338eb7cf96bba0015b3d94548297235fb5214f35bec48 SHA512 0f5b59468a6e5e95dcdef1d938ea78f4ce09a0c9784e3c70d83f1c3b1bd52e8055b6b332147316445c3be714abab3629320d6117878d50aa7a2d7d2d9b9b6485
+DIST nvidia-persistenced-550.163.01.tar.bz2 61450 BLAKE2B 1a11cb89981b88f8d14558227d9493f1f8a81ccb5502002c436e9311a38c9c8fe0402c65eac1517a2893985eec07699b2e7bc7a81aa14dc0d52198ac85a2cd1b SHA512 f17dbcafa917b5b450f7665f98fd24f06ad99e6bcd1fcf42ef95aa9337b55561b7b16eaad8fa408110d08ee7e6d812444792cccbb9c92865099891832da779ce
+DIST nvidia-settings-550.163.01.tar.bz2 1099317 BLAKE2B 25419c1796deeea238b3e44fd8d648a8627272565be40cb0745132cef1c16e0c422242a1e6369745d577e674a68bf9dfc3c009e281a84ba58db5429d97ac9cff SHA512 5306ab05f284ba06852d7c96ff62ded7b8b615d3a002009cd5d781fdad716db37f53d1c8a43337ada60d524b4f7d183d98ad2673f40a5ca1ca4c5112bb913e74
+DIST nvidia-xconfig-550.163.01.tar.bz2 111149 BLAKE2B d19ef0427e3432798e674dc66447090e8fb8fcb549ebe27aaee19aa38294cf178e175a067b2da5313342c93ea2aebef35861d05cc4cc0ee2c3eae955b3ddbbb3 SHA512 35f95d85928c82bc5de8e462ca5e90a6d8fe03e5b5367b9cdaadddc1e956f0d26b6dc42e716ae7c88512afdfb98cc841fe9b22846f6d6acc578c5dba4d0a16e1
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/nvidia-settings --load-config-only
@@ -0,0 +1,12 @@
+Create /dev/nvidia-uvm* by respecting nvidia.conf's permissions.
+--- a/nvidia-modprobe/modprobe-utils/nvidia-modprobe-utils.c
++++ b/nvidia-modprobe/modprobe-utils/nvidia-modprobe-utils.c
+@@ -742,6 +742,6 @@
+     }
+
+-    return mknod_helper(major, base_minor, NV_UVM_DEVICE_NAME, NULL) &&
+-           mknod_helper(major, base_minor + 1, NV_UVM_TOOLS_DEVICE_NAME, NULL);
++    return mknod_helper(major, base_minor, NV_UVM_DEVICE_NAME, NV_PROC_REGISTRY_PATH) &&
++           mknod_helper(major, base_minor + 1, NV_UVM_TOOLS_DEVICE_NAME, NV_PROC_REGISTRY_PATH);
+ }
+
@@ -0,0 +1,7 @@
+# configuration file for /etc/init.d/nvidia-persistenced
+
+# NVPD_USER: user to run as, needs access to /dev/nvidia* (video group)
+NVPD_USER="nvpd"
+
+# ARGS: additional arguments, see nvidia-persistenced(1)
+ARGS=""
@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+# SPDX-License-Identifier: MIT
+
+description="Maintain persistent software state in the NVIDIA driver"
+command="nvidia-persistenced"
+command_args="${NVPD_USER:+--user ${NVPD_USER}} ${ARGS}"
+pidfile="/var/run/nvidia-persistenced/nvidia-persistenced.pid"
+
+stop_post() {
+	rmdir "${pidfile%/*}" 2>/dev/null || true
+}
@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+# SPDX-License-Identifier: MIT
+
+description="Support for NVIDIA Dynamic Boost (only for use with specific laptops)"
+command="nvidia-powerd"
+command_background=true
+pidfile="/var/run/nvidia-powerd.pid"
+
+depend() {
+	need dbus
+}
@@ -0,0 +1,11 @@
+These __PLACEHOLDER__ are replaced by nvidia-installer which we don't use.
+--- a/nvidia-settings/doc/nvidia-settings.desktop
++++ b/nvidia-settings/doc/nvidia-settings.desktop
+@@ -5,5 +5,5 @@
+ Comment=Configure NVIDIA X Server Settings
+-Exec=__UTILS_PATH__/nvidia-settings
++Exec=nvidia-settings
+ Icon=nvidia-settings
+-Categories=__NVIDIA_SETTINGS_DESKTOP_CATEGORIES__
++Categories=System;HardwareSettings;
+
@@ -0,0 +1,7 @@
+#!/bin/sh
+case ${1-} in
+	pre)	nvidia-sleep.sh suspend;;
+	# run in background given resume is flaky if elogind did not finish
+	post)	nvidia-sleep.sh resume &;;
+	*)	exit 1;;
+esac
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>[email protected]</email>
+		<name>The Flatcar Container Linux Maintainers</name>
+	</maintainer>
+	<use>
+		<flag name="kernel-open">
+			Use the open source variant of the drivers (only
+			works for Turing/Ampere or newer GPUs, aka GTX 1650+
+			-- recommended with >=560.xx drivers if usable and
+			is *required* for 50xx Blackwell or newer GPUs)
+		</flag>
+		<flag name="persistenced">Install the persistence daemon for keeping devices state when unused (e.g. for headless)</flag>
+		<flag name="powerd">Install the NVIDIA dynamic boost support daemon (only useful with specific laptops, ignore if unsure)</flag>
+		<flag name="static-libs">Install the XNVCtrl static library for accessing sensors and other features</flag>
+		<flag name="tools">Install additional tools such as nvidia-settings</flag>
+	</use>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:nvidia:gpu_driver</remote-id>
+		<remote-id type="github">NVIDIA/nvidia-installer</remote-id>
+		<remote-id type="github">NVIDIA/nvidia-modprobe</remote-id>
+		<remote-id type="github">NVIDIA/nvidia-persistenced</remote-id>
+		<remote-id type="github">NVIDIA/nvidia-settings</remote-id>
+		<remote-id type="github">NVIDIA/nvidia-xconfig</remote-id>
+		<remote-id type="github">NVIDIA/open-gpu-kernel-modules</remote-id>
+	</upstream>
+	<slots>
+		<subslots>
+			Subslot is primarily used to identify branches, at most
+			rebuilding reverse dependencies on bumps would only be
+			for the static library (not essential to) given other
+			headers are provided by nvidia-cuda-toolkit instead.
+		</subslots>
+	</slots>
+</pkgmetadata>
@@ -1,2 +1,4 @@
 DIST sudo-1.9.17p1.tar.gz 5449076 BLAKE2B 21771348a8de392767c366bb938951327dcc64a4cedee716a802435899e5135c218468271833a9e3ab9d90bda29e36c0870e27dd333d3a5c64fb8e3a5ebbff58 SHA512 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc
 DIST sudo-1.9.17p1.tar.gz.sig 566 BLAKE2B b6380c84b82740455a28388925d27bdf9296ddef943653c1883af3c7684ab53571053ef333ac9747ee11330b06fd23adf477856f70bd5fcaa6dbda1c9e432675 SHA512 714ce7c613683689e9d166171b04c03220e21d06f2e66d800f2d075927830014447611933d7293d9c763beeea66fc02255d8175c9ac8cba6d62166750aab50a6
+DIST sudo-1.9.17p2.tar.gz 5451682 BLAKE2B dd42ff4fd571ba8489cc59d71a09c7e0483d21daf9faf7e697beedc04d9f170b01e60446af179c949a3da115b616fbec07aff8fbf8b7d502161c24d1b35b7a69 SHA512 c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93
+DIST sudo-1.9.17p2.tar.gz.sig 566 BLAKE2B b778061533cd2778eec1093fc37e89f45ea4b2a5e97a71f85fc00fbfc1b550a194e4faa410bc072e3ecbd233a3834f004d7451e020d2be148a36336b35d462e5 SHA512 7ca1949a7ffe0481d7c0f9215fdeae54fff34f0156f06c72a090515b1a97d052e63ce94cffe5a92ca23a723ddd0b0186fabc957cdc22120482c6f9f87d65a5f6
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- nvidia-drivers ([CVE-2025-23277](https://www.cve.org/CVERecord?id=CVE-2025-23277), [CVE-2025-23278](https://www.cve.org/CVERecord?id=CVE-2025-23278), [CVE-2025-23279](https://www.cve.org/CVERecord?id=CVE-2025-23279), [CVE-2025-23286](https://www.cve.org/CVERecord?id=CVE-2025-23286))
		- python ([CVE-2025-6069](https://www.cve.org/CVERecord?id=CVE-2025-6069), [CVE-2025-8194](https://www.cve.org/CVERecord?id=CVE-2025-8194))
Original file line number	Diff line number	Diff line change
Expand Up		@@ -34,3 +34,4 @@ app-emulation/qemu X

		# disable all tools for NVIDIA driver, keep just kmods
		x11-drivers/nvidia-drivers tools X static-libs
		x11-drivers/old-nvidia-drivers tools X static-libs
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/sh
		/usr/bin/nvidia-settings --load-config-only