Releases: projectbluefin/dakota
Releases · projectbluefin/dakota
stable-20260620: Stable
no package changes since the previous release. 1 packages total — full inventory below.
📦 Full SPDX package inventory — 1 packages
| Package | Version |
|---|---|
ghcr.io/projectbluefin/dakota |
stable |
Supply chain
This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.
Tools required — install via Homebrew or see links in each section:
brew install cosign oras slsa-verifier1 — Verify the image signature
cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:fa65208a9c8c9908a4848b7e8b7e92ae8dd34ec4334ba11700ab40d8677d5bcbA valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.
2 — Fetch and inspect the SBOM
The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).
# Discover the attached SBOM referrer
oras discover \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/dakota@sha256:fa65208a9c8c9908a4848b7e8b7e92ae8dd34ec4334ba11700ab40d8677d5bcb
# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/dakota@<SBOM_DIGEST>The SBOM is also attached to this release as
dakota.spdx.json.
3 — Verify the SBOM attestation
The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:fa65208a9c8c9908a4848b7e8b7e92ae8dd34ec4334ba11700ab40d8677d5bcb \
| jq -r '.payload | @base64d | fromjson | .predicate.name'4 — Verify SLSA Build L2 provenance
slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.
slsa-verifier verify-image \
ghcr.io/projectbluefin/dakota@sha256:fa65208a9c8c9908a4848b7e8b7e92ae8dd34ec4334ba11700ab40d8677d5bcb \
--source-uri 'github.com/projectbluefin/dakota' \
--source-versioned-tag 'stable-20260620'You can also inspect the raw provenance:
cosign verify-attestation \
--type slsaprovenance1 \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:fa65208a9c8c9908a4848b7e8b7e92ae8dd34ec4334ba11700ab40d8677d5bcb \
| jq -r '.payload | @base64d | fromjson | .predicate'Full changelog and verification guide → https://docs.projectbluefin.io/changelogs
stable-20260619: Stable
no package changes since the previous release. 1 packages total — full inventory below.
📦 Full SPDX package inventory — 1 packages
| Package | Version |
|---|---|
ghcr.io/projectbluefin/dakota |
stable |
Supply chain
This image is signed, attested, and ships a full SPDX-JSON SBOM.
Every artifact below is verifiable without trusting this release page.
Tools required — install via Homebrew or see links in each section:
brew install cosign oras slsa-verifier1 — Verify the image signature
cosign (Sigstore) verifies the keyless
OIDC signature created by GitHub Actions at build time.
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:4793018392ca61b6c5eba81de44afbd83a4c66f56f28d86d9eb1e10cbc010f8bA valid response lists the certificate subject and OIDC issuer. Any tampered
image will produce a verification error.
2 — Fetch and inspect the SBOM
The SBOM (SPDX 2.3 JSON) is attached to the image as an
OCI referrer using
ORAS (CNCF graduated project).
# Discover the attached SBOM referrer
oras discover \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/dakota@sha256:4793018392ca61b6c5eba81de44afbd83a4c66f56f28d86d9eb1e10cbc010f8b
# Pull the SBOM to disk (replace SBOM_DIGEST with the digest from above)
oras pull \
--artifact-type application/vnd.spdx+json \
ghcr.io/projectbluefin/dakota@<SBOM_DIGEST>The SBOM is also attached to this release as
dakota.spdx.json.
3 — Verify the SBOM attestation
The SBOM is also stored as a signed
GitHub SBOM attestation
in the Sigstore transparency log.
cosign verify-attestation \
--type https://spdx.dev/Document \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:4793018392ca61b6c5eba81de44afbd83a4c66f56f28d86d9eb1e10cbc010f8b \
| jq -r '.payload | @base64d | fromjson | .predicate.name'4 — Verify SLSA Build L2 provenance
slsa-verifier (OpenSSF)
checks that this image was built by the expected workflow on the expected
source repository — not on a developer's laptop or a forked CI runner.
slsa-verifier verify-image \
ghcr.io/projectbluefin/dakota@sha256:4793018392ca61b6c5eba81de44afbd83a4c66f56f28d86d9eb1e10cbc010f8b \
--source-uri 'github.com/projectbluefin/dakota' \
--source-versioned-tag 'stable-20260619'You can also inspect the raw provenance:
cosign verify-attestation \
--type slsaprovenance1 \
--certificate-identity-regexp '^https://github\.com/projectbluefin/(dakota|actions)/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/projectbluefin/dakota@sha256:4793018392ca61b6c5eba81de44afbd83a4c66f56f28d86d9eb1e10cbc010f8b \
| jq -r '.payload | @base64d | fromjson | .predicate'Full changelog and verification guide → https://docs.projectbluefin.io/changelogs
stable-20260616: Stable
1 added, 3000 removed since the previous release. 1 packages total — full inventory below.
📦 Full SPDX package inventory — 1 packages
| Package | Version |
|---|---|
ghcr.io/projectbluefin/dakota |
stable |
Package changes
+ 1 added packages
| Package | Version |
|---|---|
ghcr.io/projectbluefin/dakota |
stable |
− 3000 removed packages
| Package | Last version |
|---|---|
03_NotoSansCJK-OTC |
2.004 |
04_NotoSerifCJKOTC |
2.001 |
3.6.2 |
3.6.2 |
3.6.6 |
3.6.6 |
5.1.3 |
5.1.3 |
50-iscsi.preset |
956adbfd3106e63916c74ad37a76fd71e0a031395339fd156faf972174a88192/90 |
50-sysupdate.preset |
fbe7268c83783b47690706fe54bb42aa870bb4d119c7a4cc3c27c3276293dd6b/93 |
5f05f8f83a75caea201f12cc8ea32a2d82ea9732 |
40b90ae087e26546a57961c40ae0cae1926d94140502bafd0f551db9de66e62a |
70-gnomeos-hidraw.rules |
f364b761cd48b2a05a1593188b0eda389295c8529fd227a3e163e57f8371d0ff/97 |
80-libvirt.preset |
2802dcdece9382e39bf49505da8eb09ba3ab49fa5bd4a16177c940fb79b14c6a/92 |
80-pcrlock.preset |
88cc5fe1f92e464d969785da51738b7c8f55daaf491c8d707142462c85894201/92 |
80-solaar.hwdb |
f2e2e4d2f19a0121801f009ffdaddf5ab3dabbb4816f1e1d0c373a63bbab3474/88 |
90-debuginfod.conf |
358fdeba1f9a2edf9567c56074d510dba9e1a6a069a705dd262826dfd9ffbe15/93 |
90-persistent-journal.conf |
7612f8650fcb1faa241a2d36df626877edb731da9a74508d372b43aed4d09f3e/100 |
Authen-SASL |
2.2000 |
CCID |
1.7.1 |
Caladea |
336a529cfad3d103d6527752686f8331d13e820a |
Cargo.lock |
0.10.22 |
Class-Inspector |
1.36 |
DearBindings_v0.17_ImGui_v1.92.5-docking |
1.92.5 |
File-ShareDir |
1.118 |
File-ShareDir-Install |
0.14 |
IO-Socket-SSL |
2.098 |
Intel-Linux-Processor-Microcode-Data-Files |
98f8d817ca3d560c48ae988bd805d1b53b48a631 |
JetBrainsMono |
2.304 |
LibVNCServer |
(unknown) |
Little-CMS |
2.18 |
ModemManager |
1.24.2 |
Module-Build |
0.4234 |
Module-Install |
1.21 |
Module-ScanDeps |
1.37 |
NerdFontsSymbolsOnly |
3.4.0 |
Net-SSLeay |
1.96 |
NetworkManager |
1.56.0 |
NetworkManager-openconnect |
1.2.10 |
NetworkManager-openvpn |
1.12.5 |
NetworkManager-vpnc |
1.4.0 |
OpenSC |
0.27.1 |
PCSC |
2.4.1 |
Parse-Yapp |
1.21 |
Pillow |
11.3.0 |
Pod-Parser |
1.67 |
PyRoaringBitMap |
1.1.0 |
SDL |
3.2.30 |
SDL_image |
3.2.6 |
SDL_mixer |
2.8.2 |
SDL_net |
2.2.0 |
SDL_ttf |
3.2.2 |
SPIRV-Headers |
1.4.321 |
SPIRV-LLVM-Translator |
21.1.3 |
SPIRV-Tools |
1.4.321 |
SVT-AV1 |
3.1.2 |
Vulkan-Headers |
1.4.321 |
Vulkan-Loader |
1.4.321 |
Vulkan-Tools |
1.4.321 |
WavPack |
5.9.0 |
XML-Parser |
2.58 |
YAML-Tiny |
1.76 |
aardvark-dns |
1.17.1 |
abseil-cpp |
20250512.1 |
accountsservice |
26.13.3 |
acl |
2.3.2 |
addr2line |
0.25.1 |
adler |
1.0.2 |
adler2 |
2.0.1 |
adwaita-fonts |
50.0 |
adwaita-icon-theme |
50.0 |
aes |
0.8.4 |
aescts |
2.0.0 |
ahash |
0.8.12 |
aho-corasick |
1.1.4 |
alabaster |
1.0.0 |
aligned |
0.4.3 |
aligned-vec |
0.6.4 |
alloca |
0.4.0 |
allocator-api2 |
0.2.21 |
alsa-lib |
1.2.14 |
alsa-plugins |
1.2.12 |
alsa-ucm-conf |
1.2.15 |
always-ldconfig.conf |
2eb53a57496033f3312c375c7d7e1d623655734114309f21bf244ba04c6a0563/95 |
ambient-authority |
0.0.2 |
android-tzdata |
0.1.1 |
android-udev-rules |
5e7cef34d9e445b4a34d445d164f8cf862efd19a |
android_system_properties |
0.1.5 |
anes |
0.1.6 |
annotate-snippets |
0.12.15 |
ansi-width |
0.1.0 |
ansi_term |
0.12.1 |
anstream |
1.0.0 |
anstyle |
1.0.13 |
anstyle-parse |
1.0.0 |
anstyle-query |
1.1.5 |
anstyle-wincon |
3.0.11 |
anthy |
(unknown) |
anthy-unicode |
1.0.0 |
anyhow |
1.0.101 |
anymap3 |
1.0.1 |
aom |
3.13.3 |
app-indicators |
(unknown) |
apparmor |
4.1.7 |
apparmor-base |
(unknown) |
apparmor-manifest |
(unknown) |
appdirs |
1.4.4 |
approx |
0.5.1 |
appstream |
1.0.6 |
appstream-glib |
0.8.3 |
appstream-minimal |
(unknown) |
ar_archive_writer |
0.5.1 |
arbitrary |
1.4.2 |
arc-swap |
1.7.1 |
arg_enum_proc_macro |
0.3.4 |
argcomplete |
3.6.2 |
arpy |
2.3.0 |
array-init |
2.1.0 |
arrayref |
0.3.9 |
arrayvec |
0.7.6 |
as-slice |
0.2.1 |
asciidoc |
(unknown) |
asciidoc-py |
10.2.1 |
asciidoctor |
2.0.26 |
ash |
0.38.0+1.3.281 |
ashpd |
0.12.1 |
asn1-rs |
0.7.1 |
asn1-rs-derive |
0.6.0 |
asn1-rs-impl |
0.2.0 |
aspell |
0.60.8 |
aspell-de |
0.50 |
aspell-fr |
0.50 |
aspell6-ca |
2.1.5 |
aspell6-de-alt |
2.1 |
aspell6-en |
2020.12.07 |
aspell6-es |
1.11 |
aspell6-fi |
0.7 |
aspell6-it |
2.2 |
assert_cmd |
2.1.2 |
assert_matches |
1.5.0 |
async-broadcast |
0.7.2 |
async-channel |
2.5.0 |
async-compression |
0.4.42 |
async-executor |
1.13.3 |
async-fs |
2.2.0 |
async-global-executor |
3.1.0 |
async-io |
2.6.0 |
async-lock |
3.4.2 |
async-net |
2.0.0 |
async-process |
2.5.0 |
async-recursion |
1.1.1 |
async-signal |
0.2.13 |
async-stream |
0.3.6 |
async-stream-impl |
0.3.6 |
async-task |
4.7.1 |
async-trait |
0.1.89 |
async-tungstenite |
0.34.1 |
at-spi2-core |
2.60.0 |
atomic-waker |
1.1.2 |
atomic_float |
1.1.0 |
atomic_refcell |
0.1.14 |
attr |
2.5.2 |
attrs |
26.1.0 |
atty |
0.2.14 |
audit |
(unknown) |
audit-userspace |
4.1.4 |
autocfg |
1.5.0 |
autoconf |
2.72 |
autoconf-archive |
2024.10.16 |
autoconf2.69 |
(unknown) |
automake |
1.18.1 |
av-data |
0.4.4 |
av-scenechange |
0.14.1 |
av1-grain |
0.2.5 |
avahi |
0.8 |
avahi-base |
(unknown) |
avahi-gobject |
(unknown) |
avahi-libs |
(unknown) |
avahi-manifest |
(unknown) |
avahi.conf |
db37f9793e499834717d4eac580ffdc10e6b8ef28edf0f3dd56aed8f66e5e82a/84 |
aws-config |
1.8.16 |
aws-credential-types |
1.2.14 |
aws-lc-rs |
1.16.2 |
aws-lc-sys |
0.39.0 |
aws-runtime |
1.7.3 |
aws-sdk-kinesisvideo |
1.100.0 |
aws-sdk-kinesisvideosignaling |
1.98.0 |
aws-sdk-polly |
1.106.0 |
aws-sdk-s3 |
1.132.0 |
aws-sdk-sso |
1.98.0 |
aws-sdk-sts |
1.103.0 |
aws-sdk-transcribestreaming |
1.103.0 |
aws-sdk-translate |
1.98.0 |
aws-sigv4 |
1.4.3 |
aws-smithy-async |
1.2.14 |
aws-smithy-checksums |
0.64.7 |
aws-smithy-eventstream |
0.60.20 |
aws-smithy-http |
0.63.6 |
aws-smithy-http-client |
1.1.12 |
aws-smithy-json |
0.62.5 |
aws-smithy-observability |
0.2.6 |
aws-smithy-query |
0.60.15 |
aws-smithy-runtime |
1.11.1 |
aws-smithy-runtime-api |
1.12.0 |
aws-smithy-runtime-api-macros |
1.0.0 |
aws-smithy-types |
1.4.7 |
aws-smithy-xml |
0.60.15 |
aws-types |
1.3.15 |
axum |
0.8.6 |
axum-core |
0.5.5 |
babel |
2.18.0 |
backports.entry_points_selectable |
1.3.0 |
backtrace |
0.3.76 |
baobab |
50.0 |
base16ct |
0.2.0 |
base32 |
0.5.1 |
base64 |
0.22.1 |
base64-serde |
0.8.0 |
base64-simd |
0.8.0 |
base64ct |
1.8.3 |
bash |
5.3 |
bash-completion |
2.17.0 |
bash-config |
(unknown) |
bashrc |
a93bcdb04532b5708a25d74dcaa0c1b5d320d6de5097fc62fbe2bcf8e68eb9bf/81 |
bazaar-companion |
3bb9134985343ffd1993520eb37c90e113bfb09b |
bc |
1.08.2 |
bcvk-qemu |
0.1.0 |
bigdecimal |
0.4.10 |
binary-heap-plus |
0.5.0 |
binary-seed |
(unknown) |
binary-seed-x86_64 |
sha256:ffe607d35125ada82124e45576e4dab3a8444248ba04b6e160411a0483ef7e4d |
bincode |
1.3.3 |
bindfs |
1.18.4 |
bindgen |
0.72.1 |
binutils |
8141779b5219b5b9f27903a2a5911b6ace48f838667dad8033f07b68414c1832 |
binutils-gdb |
2.46 |
binutils-stage1 |
8141779b5219b5b9f27903a2a5911b6ace48f838667dad8033f07b68414c1832 |
bison |
3.8.2 |
bit-set |
0.8.0 |
bit-vec |
0.8.0 |
bit_field |
0.10.3 |
bitflags |
1.3.2 |
bitmaps |
2.1.0 |
bitreader |
0.3.11 |
bitstream-io |
4.10.0 |
bitvec |
1.0.1 |
blackfriday |
2.1.0 |
blake2b_simd |
1.0.4 |
blake3 |
1.8.4 |
blessings |
1.7 |
block |
0.1.6 |
block-buffer |
0.10.4 |
block-padding |
0.3.3 |
block2 |
0.6.2 |
blocking |
1.6.2 |
bluefin |
(unknown) |
bluefin-init-scripts |
(unknown) |
bluefin-runtime |
(unknown) |
bluefin-stack |
(unknown) |
bluefin-wallpapers-gnome |
87fdc6505da615e5df902df408371d5ab34efef6199144925324a564e6801e00 |
blueprint-compiler |
0.20.4 |
bluez |
5.86 |
bluez-base |
(unknown) |
bluez-headers |
(unknown) |
bluez-libs |
(unknown) |
bluez-manifest |
(unknown) |
blur-my-shell |
444df605b34529dfab7be77d0f434bf54a6dd4cc |
bolt |
0.9.11 |
boltd |
(unknown) |
bon |
3.9.0 |
bon-macros |
3.9.0 |
bootc |
1.15.2 |
bootc-config |
(unknown) |
bootc-install |
5eb8a61904542fcb807f38dfccae6f320e4dcc854c0823ebced739bef49092e6/90 |
bootc-install-config |
(unknown) |
bpf |
5d3ebfdaa692b0ed53a7a05ba772fa5e1c72271060ed4c11d9e9dbe7ad2bd218 |
bpf-maybe |
(unknown) |
| `bpf... |
Bluefin Dakota 2026-05-30
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7 \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7Supply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:6ca4b317e092ef767de2526e048b7877205efed7 --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-30
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9 \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9Supply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:69c6fb06542a9f2ca46dcbde82d43b61dc0452c9 --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-30
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2 \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2Supply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:54fdd701cda91f7429f1c46b57e1113a46af6fa2 --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-29
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587e
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587e
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587e
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587e \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587eSupply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:f2984847d43c8db6916a3c84428c111c252d587e --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-29
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebe
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebe
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebe
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebe \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebeSupply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:830d1d9e6361c15a91d5752e303defa1ff08aebe --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-29
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7 \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7Supply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:7e686b61119a520bea6c4a0e08f750e850c792c7 --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs
Bluefin Dakota 2026-05-29
No package changes since last release.
Key component versions
| Component | Version | Change |
|---|---|---|
| Kernel | 7.0.7 |
— |
| GNOME | 50.1 |
— |
| Mesa | 26.1.0 |
— |
| Podman | 5.8.2 |
— |
| bootc | 1.15.2 |
— |
| systemd | 257.13 |
— |
| pipewire | 1.6.1 |
— |
| flatpak | 1.16.6 |
— |
| sudo-rs | 965cd7b9 |
— |
| uutils | (unknown) |
— |
| distrobox | 2.0.0 |
— |
| ghostty | 1.3.1 |
— |
| fish | 4.7.1 |
— |
| common | 2026.05 |
— |
| JetBrains Mono | 2.304 |
— |
| gum | 0.17.0 |
— |
| fzf | 0.73.1 |
— |
| glow | 2.1.2 |
— |
All package changes
No package changes since last release.
Images
ghcr.io/projectbluefin/dakota:latest
ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2
Verify your image
# Requires: cosign oras gh
# Install via Homebrew: brew install cosign oras gh
# 1. Cosign keyless signature
cosign verify \
--certificate-identity-regexp '^https://github\.com/projectbluefin/dakota/\.github/workflows/publish\.yml@refs/heads/(main|gh-readonly-queue/main/.+)$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2
# 2. SBOM OCI referrer
oras discover ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2
# 3. SLSA provenance
gh attestation verify oci://ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2 \
--repo projectbluefin/dakota
# Or all three at once (requires dakota checkout):
just verify ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2Supply chain
- SBOM (SPDX 2.3):
dakota.spdx.jsonattached below - Cosign: keyless, Sigstore OIDC via GitHub Actions
- SLSA provenance:
gh attestation verify oci://ghcr.io/projectbluefin/dakota:3ab2a3e609e5ded8bd5d5a7893578e154ed8a8a2 --repo projectbluefin/dakota
Full changelog → https://docs.projectbluefin.io/changelogs